Some of you use Macinstosh systems on your Windows networks, so be aware that a group of people have been developing a "rootkit" for Mac OS X. A recent post on the Macintouch.com Web site offers insight into what the kit does after it becomes installed on a user's computer.
According to the article the kit, dubbed "Opener," takes the form of a bash shell script (originally discovered at Freak's Macinstosh Archive) that will perform the following actions, as outlined below by a contributor to the article, Chris Waldrip:
- Opener tries to install ohphoneX, a teleconferencing program - for spying on you through your webcam I'm sure.
- It kills LittleSnitch before every Internet connection it makes
- It installs a keystroke recorder
- Allows backdoor access in case someone deletes the hidden account
- Grabs the open-firmware password
- Installs OSXvnc
- Grabs your office 2004 PID (serial number), as well as serial numbers for Mac OS XServer, adobe registrations, VirtualPC 6, Final Cut Pro, LittleSnitch, Apple Pro Apps, your DynDNS account, Timbuk2, and webserver users to name a few.
- It tries to decrypts all the MD5 encrypted user passwords
- Decrypts all users keychains.
- Grabs your AIM logs, and tons of other settings and preferences with info you probably don't want folks to have... even your bash (terminal) history
- Grabs stuff from your Classic preferences
- Changes your Limewire settings to max out your upload and files.
- The hidden user account is called LDAP-daemon instead of the name hacker used in earlier versions. Looks more innocent than hacker.
- Even has your daily cron task try to get your password from the virtual memory swapfile
- It installs an app called John The Ripper - a password cracker that uses a dictionary method to crack passwords
- installs dsniff to sniff for passwords...
Another contributor to the article, Dave Taylor, points out a command (below) that can help determine if the kit has become installed on a given computer:
$ sudo ls -l /Users/*/Public/.info
Typical command output should be:
ls: /Users/*/Public/.info: No such file or directory
Taylor said that "if you get anything else, it's time to pop into /Library/StartupItems and see what's in there. "
If you use Macintosh systems then you should consider reading then entire article regarding "Opener."