
Finally, a real virus on OS X. (Page 4)
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Oct 27, 2004, 06:07 PM
 
Originally posted by Person Man:
Piracy just said that the mach_inject thing can't be fixed because it is an inherent feature of the Mach kernel. I get the feeling (from his explanation) that to "fix" it would be to totally and fundamentally change the Mach kernel to the point that it would break (or could possibly) break everything else.
That's how I understood him as well. But if what piracy says would be possible it would be a huge security problem. Why did we have a dozen or so security updates that fix privilege escalation bugs, if any process could just become root by injecting malicious code into a root process. You wouldn't even have to be admin to execute code as root. Any underprivileged user could do it and get sample code from Unsanity to do it.

I wouldn't care how hard it would be to fix this, but this would be something that must be fixed.

Of course that doesn't release the user from his responsibilities. I never wanted to imply that.
     
piracy
Mac Elite
Join Date: Mar 2001
Oct 27, 2004, 06:31 PM
 
Originally posted by TETENAL:
That's how I understood him as well. But if what piracy says would be possible it would be a huge security problem. Why did we have a dozen or so security updates that fix privilege escalation bugs, if any process could just become root by injecting malicious code into a root process. You wouldn't even have to be admin to execute code as root. Any underprivileged user could do it and get sample code from Unsanity to do it.

I wouldn't care how hard it would be to fix this, but this would be something that must be fixed.

Of course that doesn't release the user from his responsibilities. I never wanted to imply that.
Well, again, I think we're getting a little off the beaten path here. I don't want to get too in-depth here, but this particular case of mach_inject and mach_override would essentially require a malicious process to wait for another legitimate privileged process to be spawned - say, AuthServices prompting for authentication for a Software Update - and then it could become root. So it's a little more involved than just a process randomly becoming root on demand, but it's definitely possible, and fairly trivially.

But it still comes back to the whole security practices issue.

Look, is it easier to write a simple script, stick it in a trojan, have it become a StartupItem and then become root, than doing something with mach_inject? Absolutely! Should we try to make it as hard as possible for persons with malicious intent to do harm to your computer? Absolutely! But there comes a point when making it "hard" for things that are malicious makes it unduly hard for you to even use your computer. As I said, keeping your computer turned off and off the network makes it 100% secure, guaranteed, doesn't it? That's an absurd example, obviously, but you get my point.

Hell, Windows NT was C2 security - if it wasn't attached to the network.

So should things like /Library/StartupItems default permissions and state be fixed? Absolutely! Should Apple be continually looking for ways to help the user remain secure, while still keeping things "easy"? Absolutely! These things can and will happen, and have been happening for quite some time. There will be malware. There will be exploits. But as long as people are responsible with their computers, the impact of social exploits can be kept infinitesimally small.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Oct 27, 2004, 06:38 PM
 
Originally posted by TETENAL:
I wouldn't care how hard it would be to fix this, but this would be something that must be fixed.
Piracy just responded to my post with more information. He just said it CAN'T BE FIXED. His response also leads me to believe that it was a fundamental design principle that was set with the designers FULLY AWARE of the security implications.

He also said
Originally posted by piracy:
it's just the nature of running code as a user with a certain level of privileges on a machine. One way around this would be to simply run as an unprivileged user all the time (in the context of Mac OS X, a non-admin user).
The key is "one way around this..." He is saying that it really is a non-issue if we follow good, strong security practices. The designers intended it that way.

I see your argument, but it amounts to protecting the user against their own stupidity, but we all know that's not possible.

So, yes, there IS a "FIX!" USE GOOD STRONG SECURITY PRINCIPLES. And again, it all comes down to trust.
     
piracy
Mac Elite
Join Date: Mar 2001
Oct 28, 2004, 11:23 PM
 
This would seem an appropriate time to bring up the new NSA Systems and Network Attack Center (SNAC) publication on securing Mac OS X:

http://www.nsa.gov/snac/os/applemac/..._final_v.1.pdf

While the NSA is a little more stringent that many installations require, the content of this document is more relevant than ever.

I'd also like to remind everyone of Corsaire Ltd's excellent Mac OS X security white paper:

http://www.corsaire.com/white-papers...g-mac-os-x.pdf
     
Tyre MacAdmin
Mac Elite
Join Date: Feb 2002
Oct 29, 2004, 04:11 AM
 
Originally posted by piracy:
This would seem an appropriate time to bring up the new NSA Systems and Network Attack Center (SNAC) publication on securing Mac OS X:

http://www.nsa.gov/snac/os/applemac/..._final_v.1.pdf

Nice! that's a keeper thanks piracy!
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Oct 29, 2004, 04:15 AM
 
I don't know.

The NSA didn't mention one single thing I didn't know before. Actually, they didn't publish any more than what could be read on any forum like this one. Of course you might not want to trust just any forum, but well, trust the NSA...?
     
Tyre MacAdmin
Mac Elite
Join Date: Feb 2002
Oct 29, 2004, 05:02 AM
 
Originally posted by Simon:
I don't know.

The NSA didn't mention one single thing I didn't know before. Actually, they didn't publish any more than what could be read on any forum like this one. Of course you might not want to trust just any forum, but well, trust the NSA...?
I just like it for the nice UNCLASSIFIED

Always nice to have around if you've got a quick presentation that has to look important
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Oct 30, 2004, 02:05 AM
 
Originally posted by Simon:
The NSA didn't mention one single thing I didn't know before. Actually, they didn't publish any more than what could be read on any forum like this one.
Yes, but it is still useful to have all of that information collected in one spot, AND have it be up to date.

Not to mention that doing searches on topics like this for Mac OS X have led to places that show either incomplete info on how to do something, or something REALLY out of date...
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Oct 30, 2004, 02:14 AM
 
Originally posted by Tyler McAdams:
I just like it for the nice UNCLASSIFIED
     
Scallywag
Junior Member
Join Date: Sep 2004
Location: Litterbox
Oct 31, 2004, 05:52 PM
 
http://www.macintouch.com/opener02.html#oct31

Macintouch has posted a script that'll remove the Opener malware from an infected system. But how do you save this script and how do you run it? It's just text.

#!/bin/bash

##############################################################################
# closer - this is the door closer
#
# This will turn most system services (ie SMB, SSH, Apache) off
# even if they were on before opener and will match kill a
# bunch of processes
#
# "What is wrong with us? Nothing.
#
# Just don't take your security for granted. Open a door, and we'll walk it.
# All you have to do is keep your doors closed,
# or watch who's walking around outside."
# Hackenslacker
##############################################################################
# Originally written by hmartin

# This script runs in bash (as is noted by the very first line of this script)

# To run this script you need to be root (an admin user running it via sudo)

# Get the name of the evil script to remove
if [ -z "$1" ]; then
    echo "Usage: $(basename "$0") malware-name"
    echo "If you are unsure what to use then run these commands or just use 'opener'"
    echo "ls -1 /System/Library/StartupItems/ > StartupItems"
    echo "diff CleanStartupItems StartupItems"
    exit 1
fi

# Check for root before anything is removed. Most of the commands in this
# script will just generate errors if it isn't run as root, so stop here.
if [ "$(id -u)" != "0" ]; then
    echo "This script is not running as root, probably won't work"
    exit 1
fi

rm -rf /System/Library/StartupItems/"${1}"

# Remove from any mounted startup volume.
ls /Volumes | while read -r vol; do
    if test -d /Volumes/"${vol}"/System/Library; then
        rm -rf /Volumes/"${vol}"/System/Library/StartupItems/"${1}"
    fi
done

# Enable system accounting
# How to test whether it's currently on or off?

# Clear out ohphoneX
rm -rf /private/.phone/
killall -9 -m ohphoneX

# Enable OS X built-in firewall
defaults write /Library/Preferences/com.apple.sharing.firewall state yes

# Restore LittleSnitch Prefs (rewrite the startup plist from scratch)
if test -d /Library/StartupItems/LittleSnitch; then
    cat > /Library/StartupItems/LittleSnitch/StartupParameters.plist <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Description</key>
    <string>Loading Little Snitch</string>
    <key>OrderPreference</key>
    <string>First</string>
    <key>Provides</key>
    <array>
        <string>LittleSnitch</string>
    </array>
</dict>
</plist>
EOF
fi

# Kill KRec
killall -9 -m KRec
rm -rf /Library/Preferences/KRec*

# Turn ssh off: rewrite the xinetd service entry with disable = yes
cat > /private/etc/xinetd.d/ssh <<'EOF'
service ssh
{
    disable = yes
    socket_type = stream
    wait = no
    user = root
    server = /usr/libexec/sshd-keygen-wrapper
    server_args = -i
    groups = yes
    flags = REUSE IPv6
    session_create = yes
}
EOF
# /etc/hostconfig is a shell fragment, so an appended assignment overrides
# any earlier one for the same key
echo "SSHSERVER=-NO-" >> /etc/hostconfig

# Turn FileSharing and webserving off
echo "AFPSERVER=-NO-" >> /etc/hostconfig
killall AppleFileServer
echo "SMBSERVER=-NO-" >> /etc/hostconfig
echo "WEBSERVER=-NO-" >> /etc/hostconfig

# Lock system files back up
chmod 644 /etc/hostconfig
chmod 444 /etc/xinetd.d/ssh
chmod -R 755 /etc/periodic/daily /etc/periodic/weekly /etc/periodic/monthly
chflags uchg /etc/hostconfig /etc/xinetd.d/ssh /etc/daily /etc/weekly /etc/monthly

# Delete all that hard earned info
rm -r /.info
# Note: this search is relative to the current working directory
find . -maxdepth 2 -name "Public" -type d -exec rm -rf '{}/.info' \;
rm -rf /Library/Preferences/.indexed/v_m.txt

# No idea what the default LW settings are supposed to be...

# Can anyone confirm if this works?
# I'd rather not trash the NI db
# nidump -destroy . /users/LDAP-daemon

# How to cut the last line of the cron log deletion jobs?

# Bye john
rm -rf /Library/Preferences/jtr
killall -9 -m john

# Misc
chmod 775 /Library

# Remove dsniff
rm -rf /Library/Preferences/dsstart
killall -9 -m dsniff
killall -9 -m dsstart
# This will definitely need a lot more work
# Probably uploading known good version and reinstalling them
# Anyone want to host

# Should forwarding be turned off?
# sysctl -w net.inet.ip.forwarding=0
     
Kristoff
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
Oct 31, 2004, 07:13 PM
 
If you don't know, then you probably don't know what the script does, and therefore have no business running it. That's how people end up with problems in the first place!!!
signatures are a waste of bandwidth
especially ones with political tripe in them.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Oct 31, 2004, 08:10 PM
 
Originally posted by Scallywag:
http://www.macintouch.com/opener02.html#oct31

Macintouch has posted a script that'll remove the Opener malware from an infected system. But how do you save this script and how do you run it? It's just text.
What did you think it would be, a pinch of magical pixie dust?

I would be very careful using that script. There are at least nine 'rm -rf' lines in there... if you make one little mistake with the transfer to a file and somehow get an extra space in the wrong place it can really trash your system. It won't ask you if you really want to do it and the trashed files will not be in the trash. Other than that it looks OK.
-DU-...etc...
     
piracy
Mac Elite
Join Date: Mar 2001
Oct 31, 2004, 08:22 PM
 
1. There is NO REASON to run that remove opener script if opener is not on your machine. You can tell if opener is on your machine by looking for an item called 'opener' in /Library/StartupItems or /System/Library/StartupItems. (For the inevitable "Well, what if opener has been modified so it doesn't appear in those locations": if it has been modified that much, then this script is useless.)

2. Extremely, extremely minor changes to opener render that script 100% useless.

3. That script isn't even correct for the variants of opener at least one person claimed to have encountered on MacInTouch.

4. If I EVER encountered a machine I believed to have been compromised, the LAST thing I would do is run a removal script. YOU DO NOT KNOW WHAT HAS BEEN COMPROMISED OR TAMPERED WITH ONCE A MACHINE HAS BEEN OWNED. Not understanding this represents a fundamental misunderstanding of the situation.

5. Aside from all of these issues, once again, this COMPLETELY misses the f*cking point.
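An added example, not the Macintouch script and not code from anyone in this thread: a read-only audit that does the "ls -1 ... / diff" baseline comparison the removal script's usage text suggests and the /Library/StartupItems check described in point 1 above, and additionally flags group- or world-writable items, since loose permissions on that directory are how an item gets dropped there without root. The directory and the baseline file are arguments you supply; the item name 'opener' is the one the thread uses.

```shell
#!/bin/sh
# Read-only audit of a StartupItems directory (added example; not the
# Macintouch "closer" script). Nothing is deleted; findings go to stdout,
# one per line:
#   NEW <item>       not present in the baseline list from a clean system
#   WRITABLE <item>  item (or the directory itself) is group/world-writable
#   KNOWN <item>     item named 'opener', the name used in this thread
# Exit status: 0 = nothing found, 1 = at least one finding.

# True when the mode string from `ls -ld` has the group or other write bit set
# (positions 6 and 9 of "drwxrwxrwx"). Portable across BSD and GNU ls.
loose_perms() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w???? | ????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Run this on a known-clean machine and keep the output as the baseline file.
snapshot_startup_items() {
    [ -d "$1" ] && ls -1 "$1"
}

audit_startup_items() {
    dir="$1"; baseline="$2"; findings=0

    # No directory at all is the clean default: nothing can be loaded from it.
    [ -d "$dir" ] || return 0

    if loose_perms "$dir"; then
        echo "WRITABLE $(basename "$dir")"; findings=$((findings + 1))
    fi

    for item in "$dir"/*; do
        [ -e "$item" ] || continue      # empty directory: the glob did not expand
        name=$(basename "$item")
        if ! grep -qxF -- "$name" "$baseline" 2>/dev/null; then
            echo "NEW $name"; findings=$((findings + 1))
        fi
        if loose_perms "$item"; then
            echo "WRITABLE $name"; findings=$((findings + 1))
        fi
        case "$name" in
            opener) echo "KNOWN $name"; findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# Command-line use: sh audit.sh /Library/StartupItems baseline.txt
if [ "$#" -eq 2 ]; then
    audit_startup_items "$1" "$2"
fi
```

Run it against both /Library/StartupItems and /System/Library/StartupItems with a baseline taken from each; a NEW or WRITABLE line is a reason to investigate the item by hand, not to delete it.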
     
TimmyDee51
Mac Elite
Join Date: Mar 2000
Location: Cambridge
Nov 1, 2004, 11:53 PM
 
Apple's official response was just posted and it just kills me that the AV companies insist Opener is a virus. I realize that they want to sell us their software for the Mac (which can be a bit like selling refrigerators to Eskimos), but let's be real here. In no way does this thing constitute a virus. Were this on the PC side, they'd call it spyware. It's too bad that so many security outfits are linked with AV companies, but I guess it's just one of those things that follows the money.
Per Square Mile | A blog about density
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Nov 2, 2004, 10:16 AM
 
Originally posted by TimmyDee51:
Apple's official response was just posted and it just kills me that the AV companies insist Opener is a virus. I realize that they want to sell us their software for the Mac (which can be a bit like selling refrigerators to Eskimos), but let's be real here. In no way does this thing constitute a virus.


Opener copies itself to other boot volumes which is self propagation. Therefore it is a virus by definition. It might be an inefficient virus, but it still is one.
     
Millennium
Clinically Insane
Join Date: Nov 1999
Nov 2, 2004, 11:09 AM
 
Originally posted by TETENAL:


Opener copies itself to other boot volumes which is self propagation. Therefore it is a virus by definition. It might be an inefficient virus, but it still is one.
Technically it's a worm, because it doesn't hide inside other files. The Internet is the most efficient way for worms to spread, but it is not the only way.

When did it pick up the ability to copy itself to other boot volumes, anyway? I admit that I haven't been following this thread too closely for the past few days, but last I checked it had no ability to propagate.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
piracy
Mac Elite
Join Date: Mar 2001
Nov 2, 2004, 12:15 PM
 
Originally posted by TETENAL:
Opener copies itself to other boot volumes which is self propagation. Therefore it is a virus by definition. It might be an inefficient virus, but it still is one.
TETENAL,

This has NOTHING to do with putting your head in the sand.

No matter WHAT you call it - a worm, a virus, a rootkit, a script, malware, or a f*cking purple donkey - Apple's statement is otherwise 100% accurate.

There is nothing to panic about, and the things that you should do to protect yourself are simple security best practices, already discussed at length here. There is no "flaw" or "bug" in Mac OS X that needs to be "fixed".

The semantics of whether or not it is a "worm" is irrelevant. Frankly, calling this a "worm" categorizes it with the likes of Nachi, Sasser, and Blaster - which spread with absolutely no user interaction whatsoever through Windows exploits - and opener is most certainly not in that category, nor can it ever be, even if only for the fact that most OS X machines will never have any ports open during their entire lives.

You can argue that opener has properties that might define it as a "virus", a "worm", a "malicious script", etc.; most accurately, it can probably be called a "rootkit". But NO MATTER WHAT YOU CALL IT, the point is that this is not as dangerous as the vast majority of Windows exploits - not because of what it does, but because of how it needs to be installed.

Trojans and social engineering will always affect all platforms and all operating systems essentially equally. But it's not fun to talk about that; it's more sensational to claim that there are serious problems with Mac OS X or that Mac OS X is just as insecure as Windows, when in fact quite the opposite is true.

Even in the category of social engineering, the most common mechanism of spread in the Windows world aside from the completely automated self-propagating exploits is email attachments. On Mac OS X, there are more layers of abstraction between the presentation of an attachment and a possible exploit (and Microsoft has learned this concept in recent times). But even so, architectural and fundamental design differences still make Mac OS X more secure, period. I've already gone over the reasons numerous times, and these are indisputable.

And it's not just because of marketshare; if that were so, apache would be the most exploited web server. But it's not. Ridiculously so. What is the most exploited web server? Microsoft IIS, with less than 20% of the market.

And I haven't been advocating ignorance; on the contrary, I've been encouraging vigilance and responsibility on the part of the user! Your problem is that you think Apple or someone else needs to respond to this in a technical fashion, with a patch to apply, a permission to fix, or a file to change[1]. There is NO SUCH SOLUTION. Even if you have current AV software[2], you are LESS PROTECTED than if you simply follow normal security best practices that we've talked about ad nauseum. If you keep denying that is the correct solution, you're the one with your head in the sand.

[1] As I have said, yes, the /Library/StartupItems discrepancy should be addressed. But even if/when it is that will NOT "solve" the larger issue of things like opener existing.

[2] I encourage all users to run current AV software; it is, of course, prudent to do so. But ALONG WITH other good security practices.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Nov 2, 2004, 12:48 PM
 
Originally posted by piracy:
This has NOTHING to do with putting your head in the sand.

Not matter WHAT you call it - a worm, a virus, a rootkit, a script, malware, or a f*cking purple donkey - Apple's statement is otherwise 100% accurate.
The head in the sand image was only directed at Apple's and TimmyDee51's statement "In no way does this thing constitute a virus."

Otherwise I agree with you and already said it might be an inefficient virus (not on par with Sasser et al.), but by common definition it is a virus.
     
DevNine
Dedicated MacNNer
Join Date: Mar 2002
Nov 4, 2004, 07:38 PM
 
Are /Library/StartupItems or /System/Library/StartupItems the only two startup folders for applications? I installed an HP printer driver and a stupid printer application starts up upon every login.
http://winlab.csbnet.se Visit the Mac Demo Scene.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Nov 4, 2004, 08:28 PM
 
Have a look into System Preferences->Accounts->Startup Items.
     
Tyre MacAdmin
Mac Elite
Join Date: Feb 2002
Nov 5, 2004, 02:04 AM
 
Originally posted by Scallywag:
http://www.macintouch.com/opener02.html#oct31

Macintouch has posted a script that'll remove the Opener malware from an infected system. But how do you save this script and how do you run it? It's just text.

#!/bin/bash .etc

That's a shell script. If you save it as a target file it will more than likely be saved to your desktop as an .sh file. Open the Terminal and cd to the directory you saved it in and now run the shell script. The command will be something like: sh closer.sh
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Nov 5, 2004, 07:56 AM
 
Originally posted by DevNine:
Are /Library/StartupItems or /System/Library/StartupItems the only two startup folders for applications? I installed an HP printer driver and a stupid printer application starts up upon every login.
Take a look in System Preferences application->Accounts->(Admin User account)->Startup Items. There might be an HP thing there. You can remove it by selecting it and clicking the minus button at the bottom of the panel.
weird wabbit
     
Anubis IV
Dedicated MacNNer
Join Date: Nov 2003
Location: Huh?
Nov 5, 2004, 12:52 PM
 
Gotta love it...

Just got an e-mail from my father warning me about a new Mac worm that was out in the wild. Guess what "worm" it's referring to.

Anyway, don't know if this article has been linked to or not yet, but here it is.

http://www.computerweekly.com/articl...=134580&liArti
"The captured hunter hunts your mind."
Profanity is the tool of the illiterate.
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
Nov 5, 2004, 05:05 PM
 
Originally posted by Anubis IV:
Gotta love it...

Just got an e-mail from my father warning me about a new Mac worm that was out in the wild. Guess what "worm" it's referring to.

Anyway, don't know if this article has been linked to or not yet, but here it is.

http://www.computerweekly.com/articl...=134580&liArti
ZDNet, Computer Weekly, etc. are turning into [or rather always have been] a bunch of morons and are just spreading FUD via M$ payola. If you get the chance, stop by and tell them what you think of their technical knowledge and accurate reporting. I did.
     
Keiretsu
Dedicated MacNNer
Join Date: Sep 2003
Apr 23, 2005, 01:27 PM
 
Apparently Opener will no longer work in Tiger! According to a note here http://www.ragingmenace.com/ Tiger will check for correct permissions for startup items! This will mean there is no way to install Opener without being prompted by a password window or if it changes permissions there will be a warning window that tells you about it!
Way cool!
     
mayamoring
Baninated
Join Date: Apr 2005
Apr 25, 2005, 05:00 AM
 
That's really horrible.
I don't know how to protect my Mac from being attacked....
     