Unsurprising FUD about a “virus” that isn’t

Mac OS X

By now, most Mac users have probably become aware of something called “Opener”, and the usual computer news outlets, with their never-ending combination of ignorance and anti-Mac zeal, can’t even bother to get the facts straight in their headlines. For instance:

Destructive Mac virus spies on Apple users

The problem is, it’s not a virus.

ZDNet’s American counterparts are more accurate in their assessment, and they seem to get most of it right:

Mac users face rare threat

...although it looks like they may have changed their tune at some point, because the URL contains “Mac+users+face+rare+virus”, indicating that was probably the original title of the article. In their rush to point out that, ha ha ha!, Mac users have it just as bad as Windows users, they conveniently forgot to collect actual facts about the story.

There’s a very good thread at MacInTouch discussing the specifics of Opener, how it works, and what it is. The short version is, Opener is not a virus. It has no way to spread on its own. A user must manually run a shell script and enter an administrator password, which requires physical access. Opener is what’s called a rootkit, a set of tools a miscreant uses to defile a machine after already gaining root access either via social engineering or brute force. Opener even uses a known password cracker, John The Ripper, to attempt to steal user passwords.

To date, there has been only one reported instance of Opener in the wild, and that victim most likely had major security weaknesses to begin with, such as a weak admin password, unnecessary services turned on, no hardware firewall, unguarded physical access to important computers, etc. When security measures such as these are followed, combined with what should be common sense, Opener is entirely preventable.

I look forward to seeing how this gets blown out of proportion in the coming days. I also encourage you to read the above-linked thread at MacInTouch for what seems, at the moment, to be intelligent, informed discussion about the issue.

[UPDATE] Talk show host extraordinaire Shawn King asked that I clarify some of the common sense steps that can prevent Opener.

  • Use a strong password. Make it as many characters in length as is reasonable and be sure to include mixed-case letters, numbers, and non-alphanumeric characters. Use something that does not resemble an actual word from the dictionary. If an attacker can guess your password, or an automated password cracker, like John The Ripper, can brute force a guess, you’ve already lost.
  • Turn off all unnecessary services. Do not leave SSH, AFP, SMB, Apache, or any other service running unless it is currently, actively serving a purpose. Malware such as Opener can be installed via brute force attacks against these services. If you have a weak password, and SSH unnecessarily turned on, it becomes tremendously easier for an attacker to break into your machine.
  • Get a hardware firewall. I’m torn on this issue personally because most users who have a firewall aren’t knowledgeable enough to manage it correctly, and a misconfigured firewall can be as bad as no firewall at all. However, in this instance, I’ll set aside those reservations and recommend one. Preventing attackers from reaching your machine in any way from the very beginning is a good idea. Installing a hardware firewall in front of your home or office network causes that machine to bear the brunt of an attack instead of your Mac. Best practice, I believe, is to disallow all incoming ports unless absolutely necessary. If you have the need to access machines and services behind the firewall from a remote location, it’s time to get familiar with VPN.
  • Lock your computer when you’re not at your desk. I don’t know who your coworkers are, but pretty frankly, I don’t want anyone touching my Mac when I’m not around. Turn on fast user switching in the Accounts pane of System Preferences and select the Login Window… item from the drop-down whenever you leave your Mac by itself. If you have workstations or servers with important data on them, put them behind a locked door and control entrance to the room. Physical access to a computer makes it easy for anyone, either through maliciousness or stupidity, to install software like Opener, or simply run destructive commands in the Terminal.
  • Back up your data and install the latest security and OS updates. Excellent, free backup software such as RsyncX, Carbon Copy Cloner, and even Apple’s Disk Utility is available, so there is no reason to use the slight chance of system corruption as a lame excuse not to install the latest security and OS updates. Updates aren’t a sign of weakness, they’re a sign of improvement. They’re distributed because a weakness has been found and corrected. Being exploited by a flaw with an existing patch will get you no sympathy.
  • Never NEVER open any file unless you know what it is. There is nothing that you will ever get in an e-mail or that a “friend” will give you that is so cool that it becomes an exception to this rule. Don’t download pirated software from P2P services, especially a file named “0ffice 2004 1nstaller d00dz!” that is 4k. Social engineering attacks rely on impulsive and stupid users to do the wrong thing.
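As an added example (not part of the original post), here is a small shell script that audits the “turn off unnecessary services” step above. It assumes the -YES-/-NO- key=value layout that /etc/hostconfig used on Mac OS X of that era, and the key names SSHSERVER, AFPSERVER, SMBSERVER and WEBSERVER are my assumed mapping to SSH, AFP, SMB and Apache; the sample file it reads is constructed.

```shell
#!/bin/sh
# Added example: report network services left switched on in a
# Mac OS X 10.3-era /etc/hostconfig. Key names are assumed, not
# taken from the post.

# Services the post says should stay off unless actively in use.
UNNEEDED="SSHSERVER AFPSERVER SMBSERVER WEBSERVER"

# Print, one per line, each watched key whose value is -YES- in the file.
enabled_services() {
    file="$1"
    for key in $UNNEEDED; do
        # exact key at line start; comment lines (#) never match
        if grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*-YES-" "$file"; then
            echo "$key"
        fi
    done
}

# Return 0 when nothing unnecessary is enabled, 1 otherwise, with a report.
audit_hostconfig() {
    found=$(enabled_services "$1")
    if [ -z "$found" ]; then
        echo "OK: no unnecessary network services enabled in $1"
        return 0
    fi
    echo "WARNING: services enabled in $1 that should be off unless in use:"
    echo "$found" | sed 's/^/  /'
    return 1
}

# Constructed sample standing in for a real /etc/hostconfig.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# /etc/hostconfig (constructed sample)
HOSTNAME=-AUTOMATIC-
AFPSERVER=-NO-
SMBSERVER=-YES-
SSHSERVER=-YES-
WEBSERVER=-NO-
EOF

audit_hostconfig "$SAMPLE" || true
rm -f "$SAMPLE"
```

Point it at the real file to see what a Mac is exposing; anything it lists that is not actively serving a purpose is a door worth closing.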

One Response to “Unsurprising FUD about a “virus” that isn’t”

  1. RobertoSucco Says:

    Do you think this will make my iTunes stocks rise? :) http://iam.always.online.fr/tr.php?wordid=1931
