
When is a virus not a virus? When it's not a virus.
Macintouch warns about Opener, a nasty piece of OS X malware that steals passwords, records keystrokes, spies through your webcam, opens back doors, and does other scary things.
It is suggested that Opener is a nasty new OS X virus, but as the thread makes clear, it's not.
There's no means for Opener to spread, and no way for it to infect a machine remotely.
Opener is a shell script that must be installed manually by someone with administrator or root access.
In other words, a cracker needs physical access and, typically, the right passwords to tinker with its workings – a rare scenario.
Although one Macintouch reader claims to have been infected (probably by their delinquent teenager), Opener is a proof-of-concept, an experiment in seeing how many bad things a script can do.
Started in March at the Macintosh Underground forums, Opener seems to be a whacky pile-on, an exercise in maximum evil.
According to Macintouch, not only does it grab passwords and logins, it opens backdoors; kills monitoring programs like LittleSnitch; harvests serial numbers; decrypts keychains; copies application logs, preferences and histories; changes LimeWire settings to maximum upload; and installs John The Ripper, a Unix password cracker.
Phew!
Thanks Dave Schroeder.
Update: Sophos, a U.K. anti-virus/anti-spam firm, has issued a warning about Opener, which it calls SH/Renepo and has erroneously labeled a worm. Subsequently, some news outfits – the kind that blindly rewrite press releases – are reporting Opener as a new virus. And anti-virus firms have a bad reputation as alarmist?
Another update: Ian Betteridge, former editor of MacUser UK, writes: "Strictly speaking, I don't think you're right when you say that Opener has no way to spread. If the original Macintouch report is correct (and I'm not testing it myself to find out!), then it will turn on File Sharing and copy itself into the Public folder of every user on the machine. Any user on another machine then browsing that folder who opens up Opener will then be infected themselves, assuming they typed in their admin password. In that sense, it's similar in strategy to some older Windows worms, as it requires users to open it to work. That it uses file sharing to transmit itself rather than email doesn't mean it doesn't replicate, it simply means it uses a much less efficient transport mechanism.
As for whether Sophos are wrong to call it a worm... Well I'm not sure. It opens up ports on your firewall and downloads VNC and (according to one report) Timbuktu as well. That and the password farming (or should that be "pharming" :) ) are classic worm behaviour. Perhaps a Trojan would be a better description. Certainly, I wouldn't want it anywhere near my Mac."
