1. What is the "Opener" malware?



Opener is mostly a rootkit. This means that it is used by intruders (hackers) who already have control of your computer (administrator access). They use "Opener" to establish backdoors and collect system information (e.g. legitimate user passwords). Contrary to other rootkits, "Opener" is a well commented shell script. This means that everybody can read, edit and "improve" the script. It's a kind of "basis for discussion" among hackers.

However, "Opener" is more than a rootkit. It installs backdoors not only on your own hard disk, but on every bootable media which may be attached to your computer (e.g. FireWire drives, notebooks in Target Disk Mode and so on). The author also encourages use of the script in trojans (legitimate-looking programs with bad side-effects).

Due to the worm-like behavior of this script (distribution through "script kiddies" = want-to-be hackers, possibly trojans and boot disk infection), the original author would have no knowledge of which computers have been infected ("opened"). He or she has therefore added global logging. The "Opener" script accesses a web page with world readable logs. The original author can check this log to see the IP addresses of "opened" computers.


2. Does Little Snitch protect me against "Opener"?

We receive many questions about "Opener" because it explicitly refers to Little Snitch. It sends Little Snitch a kill signal to try to get around its protection. We can put your mind at rest on this issue: Little Snitch protects itself against being killed, even if the kill is from the super-user. It does not "restart itself" as the script suggests, it rather ignores the kill. If Little Snitch is running, it will detect the downloads initiated by "Opener" (unless you have added a rule to allow "curl" access to the internet).

However, this does not mean you can feel safe just because you have Little Snitch! Little Snitch will only run if somebody is logged in. Since the script runs at system startup, it is likely that you are not yet logged in and "Opener" can circumvent Little Snitch's protection.


3. How can I remove "Opener" safely?

We are not an antivirus company and have therefore not done in-depth analysis of the code. Please see the next section for more detailed information. In short:

(1) Delete the startup items /Library/StartupItems/Opener and /System/Library/StartupItems/Opener.
(2) Review the "Sharing" Preferences pane. "Opener" has enabled all sharing.
(3) Delete the user "LDAP-daemon" in Netinfo Manager.
(4) Delete all ".info" directories (these are hidden in Finder!).
(5) Restore the permissions of all files and directories on disk.
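A small audit script for the indicators named in steps (1) to (4), as an added example that is not part of the original post. It takes a filesystem root as its argument, so a mounted FireWire disk or a notebook in Target Disk Mode can be checked the same way as "/"; it assumes the NetInfo tool niutil is available on a live system and that enabled sharing services show up as -YES- entries in /etc/hostconfig.

```shell
#!/bin/sh
# Opener indicator audit: added example, not code from the original post.
# Takes a filesystem root so a mounted FireWire disk or a notebook in Target
# Disk Mode can be checked like "/". Assumes the NetInfo tool "niutil" exists
# on a live system and that sharing services appear in /etc/hostconfig.
# Usage: opener_audit [ROOT]   Prints one line per finding.
# Returns 0 when no Opener indicator was found, 1 otherwise.
opener_audit() {
    root="${1:-/}"
    prefix="${root%/}"   # "/" becomes "", so paths read /Library/... not //Library/...
    found=0

    # (1) The two startup items the script installs.
    for item in "$prefix/Library/StartupItems/Opener" \
                "$prefix/System/Library/StartupItems/Opener"; do
        if [ -e "$item" ]; then
            echo "startup item: $item"
            found=1
        fi
    done

    # (2) Services switched on in /etc/hostconfig; listed for review only,
    #     since a legitimately enabled service looks exactly the same.
    if [ -f "$prefix/etc/hostconfig" ]; then
        grep -- '=-YES-' "$prefix/etc/hostconfig" | sed 's/^/enabled service: /'
    fi

    # (3) The "LDAP-daemon" account lives in NetInfo, so it can only be
    #     queried on the running system, not on a mounted volume.
    if [ "$root" = "/" ] && command -v niutil >/dev/null 2>&1; then
        if niutil -read / /users/LDAP-daemon >/dev/null 2>&1; then
            echo "user: LDAP-daemon exists in NetInfo"
            found=1
        fi
    fi

    # (4) Hidden ".info" directories anywhere below the root.
    dirs=$(find "$root" -type d -name .info 2>/dev/null)
    if [ -n "$dirs" ]; then
        printf '%s\n' "$dirs" | sed 's/^/hidden dir: /'
        found=1
    fi

    return "$found"
}

# Run against the volume given on the command line, e.g. "./audit.sh /Volumes/Backup".
if [ $# -gt 0 ]; then
    opener_audit "$1"
fi
```

Run it as root so that find can descend into every home directory; a non-zero exit status means at least one indicator was found.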



4. Where can I find more information?

For a good and short overview see:
http://www.macworld.com/news/2004/10/25/opener/index.php

For in-depth coverage see the initial publication on macintouch:
http://macintouch.com/opener.html

And finally for a statement from an antivirus-company see:
http://www.sophos.com/virusinfo/analyses/shrenepoa.html

Regards,
Karl Schwarzott
--
Objective Development Software GmbH
http://www.obdev.at/

_______________________________________________
Littlesnitch-talk mailing list
http://at.obdev.at/mailman/listinfo/littlesnitch-talk