This is not a virus, it has to be execute by the victum. This is a rootkit
as you said.
However, reading through this description I see that it is not a good
rootkit
"Runs as root, as no "sudo" commands are needed."
Root is not enabled by default. People like myself go in and of course
enable the root account, but you need to be an admin to do so.
http://developer.apple.com/documentation/Porting/Conceptual/PortingUnix/additionalfeatures/chapter_10_section_13.html
Therefore it can not run as root without first getting an administrator
password and then enabling root.
"Launches a keystroke-mapping application (if installed) called Krec, to
record the keyboard entry of passwords."
Uh, I will check my iBook when I get home because I was not away a keystroke
logger was installed
by default :-)
Then there is this:
"There appears to be no attempt by the script to send the passwords to an
email address or FTP site. However, the computer's state is compromised to
the extent that anyone with knowledge of the script could login and access
the log files containing serial numbers and passwords."
So aside from hoping to getting an administrator password, there is no
network traffic and no backdoor processes or communication. Even if an
account is compromised, the information is not sent to a remote location
(kinda defeats the purpose of using a keylogger). If anything, its an
annoying rootkit. I would compare this activity to some administrator
screwing up his XServe. Maybe this is a good joke for a couple of your
friends using Mac OS X.
One thing does deserve analysis:
"Modifies the LimeWire settings, deletes log files, and creates an admin
level user named:
"LDAP-daemon"
so the machine can then be accessed in the future by a hacker who knows
about this script. This user name will appear in the NetInfo Manager. "
Mac OS X defines file system domains:
http://developer.apple.com/documentation/MacOSX/Conceptual/BPFileSystem/Concepts/Domains.html
I would have to test this, or hopefully someone can setup a lab and see what
information you could possibly pilfer. People have been dying to have a
MacOSX virus to throw at Apple, but in this case its just a shell script.
My 2 cents.
Shirkdog
-----Original Message-----
From: keydet89@yahoo.com [mailto:keydet89@yahoo.com]
Sent: Tuesday, October 26, 2004 12:09 PM
To: focus-virus@securityfocus.com
Subject: MacOSX worm
Importance: Low
SF has a Register article about Opener/Renepo-A. The article describes this
as a "rootkit" (the term is, in fact, used in the title of the article), yet
Sophos (linked in the article) classifies it as a worm. Neither the
Register article nor the Sophos write up describe any rootkit-like
capabilities.
Here's the Symantec writeup:
http://www.sarc.com/avcenter/venc/data/macos.renepo.b.html
The Register article calls the "rootkit" "destructive", yet doesn't describe
any destructive capabilities. However, the Symantec writeup does.
So...what's the real deal? Is the media spreading FUD, or is the A/V
community downplaying the effectiveness of this bit of malware?
Thanks,
Harlan Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
_________________________________________________________________
Get ready for school! Find articles, homework help and more in the Back to
School Guide! http://special.msn.com/network/04backtoschool.armx
