|Place of Origin|
|Source Language||Unix Shell Script|
|Infection Length||46,007 bytes|
Opener, also called Renepo is a Unix shell script worm that specifically targets Macintosh OSX computers. It was the first self-replicating security threat for Macintosh OSX and one of the first high-profile threats in a long time for the Macintosh.
When Opener is executed, it copies itself to the system startup items folder, ensuring it is started when the system is. It then copies itself to all mounted drives as well as all systems, shared folders and drives on the network.
Opener lowers security levels by changing system settings and installing programs among other things. It turns off system accounting and logging, the OS X firewall, software auto-updates and LittleSnitch (a program that informs the user when a program is accessing the Internet). It turns on file sharing and ssh. The worm sets the file permissions of several system files and directories, including /etc/hostconfig, /etc/xinetd.d/ssh, the system startup folder and several files used by cron to 777 (readable and writeable for all users and programs. It installs ohphoneX (a voice and video sharing program), dsniff (a password sniffer), and John the Ripper (a password cracker). It also creates a root level user LDAP daemon.
The worm also collects information on infected systems. It logs the IP addresses to a remote server. Opener creates a hidden directory to save the data it finds, named /.info. It collects user, system and application data, password hashes from Samba and VNC passwprd information. The worm also looks for passwords in the swap file.
In the 1980's, malware was a significant problem for Macintosh users, but virus writers turned their attention to Microsoft products as they became popular. Any kind of malware for the Macintosh became very rare and Macintosh users could go years without seeing a malware warning (if they bother to pay attention).
There is one known isolated incident of the worm on a user's computer. It got some attention from Mac users after that, but ultimately did not have much of an impact. It was hindered by the fact that it did not try to get root-level privileges (it counted on the user executing it to already have them) and that Macs are so few and far between.
Apple rarely mentioned Opener once on its site or in any other media. Apple released one statement denying it was "a virus, Trojan horse, or worm" and denying that it spreads over networks (which it clearly does). They do though correctly identify the fact that it requires root access to perform most of its actions. They would have a similar response to the Oompa worm.
Apple fixed one of the vulnerabilities that made Opener possible in its Tiger (10.4) release which came out in April of 2005. Apple had no comment on security fixes for versions before 10.4. It was two years before some of the vulnerabilities were patched.
Name and Origin
Opener's history begins seven months before it was actually found on a user's computer. The person going by the name DimBulb joined the Macintosh Underground forum in early March of 2004, and after a little over a week, posted a "Startup Scripts" topic, in which over the next few months, he posts pieces of the code that will eventually become Opener. He takes code, questions and comments form other forum posters.
Eventually, another forum member by the name JawnDoh take over the development of the worm. He released the final version, which was later found in the wild. None of these people have been identified.
Sophos Antivirus, SH/Renepo-A. 2004.10.25
McAfee Antivirus, Unix/Opener.worm. 2004.10.27
Gust Mees. Internet Monitor (Luxembourg/Europe), Virus greift MAC OS X an. 2004.10.28
Macintouch Reader Reports, "Opener" Malware.
Munir Kotadia. CNet News, Mac users face rare threat. 2004.10.24
Matther Broersma. Techworld.com, ARNNet, Mac worm sparks security concerns. 2004.10.27
John Leyden. The Register, Mac OS X rootkit surfaces. 2004.10.25