Security

Mac users face rare virus

The malware disables Mac OS X's built-in firewall, steals personal information and can destroy data.

Stay on top of the latest tech news with our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!

By Munir Kotadia
Special to CNET News.com

A script-based virus that spies on Mac users was discovered late last week.

The malware, which has been dubbed Opener by Mac user groups, disables Mac OS X's built-in firewall, steals personal information and can destroy data.

Security experts say these traits are common among the thousands of viruses targeting Microsoft's ubiquitous Windows operating system but are virtually unheard of on Apple Computer's Mac OS.

Paul Ducklin, Sophos' head of technology in the Asia-Pacific region, said that the virus, which Sophos calls Renepo, is designed to infect any Mac OS X drives connected to an infected system and that it leaves affected computers vulnerable to further hacker attack.

Ducklin said Opener disables Mac OS X's built-in firewall, creates a back door so the malware author can control the computer remotely, locates any passwords stored on the hard drive, and downloads a password cracker called JohnTheRipper.

According to Ducklin, Opener tries to spread by copying itself to any drive that is mounted to the infected computer. This could be a local drive, part of a local network or a remote computer.

Most worryingly, Ducklin said, this could be the start of a spate of viruses that uses Mac OS X's scripting features against its users.

"The existence of Unix shells—such as Bash, for which this virus is written—and the presence of powerful networking commands opens up the game a little bit for Mac users. It is no longer necessary to know about Mac file formats or executables. You can write your malware in script. And if you really wanted to, you could probably write a portable virus that would run on many flavors of Unix" and Mac, said Ducklin.

Chris Waldrip, president of the U.S.-based Atlanta Macintosh Users Group, posted a detailed description of Opener on the MacInTouch Web site.

Waldrip, who acknowledges that the virus has him "a bit spooked," said Opener seems to have started out with a "legitimate purpose" but has now been developed into a replicating piece of malware.

"I'm not sure how this could be guarded against," he said.

Mikko Hypponen, director of antivirus research at F-Secure, said that viruses targeting the Macintosh system virtually disappeared in the late 1980s.

"Things have been really quiet on Macintosh front, virus-wise. Back in the late 1980s, viruses used to be a much bigger problem on Macs than on PCs. We here at F-Secure used to have an antivirus product for Mac but discontinued it after the macro viruses died out," said Hypponen.

Symantec said users of Norton AntiVirus for Mac OS X were protected as long as they had updated their signatures over the weekend. A representative for the company said the relevant signature files had been available since Friday evening.

Munir Kotadia of ZDNet Australia reported from Sydney.

Editor's Picks

Free Newsletters, In your Inbox