
Sophos, a world leader in protecting businesses against viruses
and spam, is advising system administrators of a new Mac OS X worm
which attempts to turn off the firewall and other security
software.

The SH/Renepo worm (also known as Opener) can turn off the Mac OS X
firewall and other security software; will download and install
hacker tools for password-sniffing and cracking; will make key
system directories world-writeable; and will create an admin-level
user for later system abuse. Renepo also turns off accounting and
logging to help hide its presence.

"You do not want the Renepo worm anywhere near your Mac OS X
network," said Graham Cluley, senior technology consultant for
Sophos. "Renepo makes so many security-related changes to your
systems that all bets are off once you have been compromised.
Because the worm attempts to harvest user, configuration and
password data for a wide range of applications, it represents a
huge security headache for all administrators, creating a backdoor
to leave infected computers vulnerable to further attack."

Sophos notes that the Renepo virus has not been seen in the wild
to date, but can be considered a warning to Macintosh users not to
be complacent about the malware threat.

"This is a shot across the bows rather than a pressing immediate
danger to Mac environments," continued Cluley. "The Renepo worm
reminds Mac users who may have felt smug that most viruses target
the Microsoft Windows market that they should be careful not to
turn a blind eye to security."

The shell script used by the Renepo worm contains a number of
comments from its authors, including:

    ###################################################
    # opener 2.4 - a startup script to turn on services and gather user info & hashes for Mac OS X
    ###################################################
    # Originally written by DimBulb
    # Additional code: hard-mac, JawnDoh!, Dr_Springfield, g@pple
    # Additional ideas and advice: Zo, BSDOSX

Sophos Anti-Virus for Mac OS X has been fully updated to protect
against the threat posed by the SH/Renepo worm. Sophos continues to
recommend computer users practise safe computing as well as running
up-to-date anti-virus software.