
Venting at bozos: A journalist hits back

Yesterday I spent a happy morning piecing together a story for eWeek, on a malicious script which has been found lurking around the Internet. The script itself is, as my story made clear, not a true virus and it poses little threat. In order to propagate, you need to tell it your Admin password – although to run it, you don’t.

As is usual, I checked the story this morning for comments, and I find this one, from a certain “martincase”:

I went and looked at that script and it really does pose a threat to anyone STUPID ENOUGH to ignore the 100 or so lines of comments that tell the user EXACTLY WHAT THE SCRIPT DOES and to then go ahead and download it, run it and give it your ADMIN PASSWORD. It’s a good thing we have irresponsible journalists like you to alert us all to the danger of running this script on our computers! What’s your next big story? APPLE’S MAC OS X INCLUDES TRASH CAN – USERS “AFRAID FOR THEIR DATA” Any reporters interested in actually looking at the script before writing about it could follow the link from the original macintouch.com post like I did.

Well, excuse me for breathing. I replied with something accurate and measured, when to be honest what I wanted to do was write “Hey, Martin, how about you read the story before you vent? And how about you meet some users in the real world, who will happily click on anything labelled ‘Britney Spears – NUDE!’? And while you’re at it, how about you learn a bit about security? And talk to your doctor about Prozac, because my friend you REALLY need to CALM DOWN AND STOP USING CAPS!!”

There’s a certain kind of arrogant, dumb computer user who thinks that everyone in the world can read a shell script and understand what it’s doing. Combine this with the kind of stupidity that makes you think that because it’s running Unix it’s automatically secure, and you have a problem. Add in a measure of Apple fanaticism, and you have a recipe for complacency and, sooner or later, disaster. Macs ARE more secure than Windows out of the box. But that doesn’t mean they can’t have malware written for them, and sooner or later someone is going to package up something nasty. And because people like “martincase” are mouthing off telling their friends that Macs are immune to malware, Mac users who listen to the fanboys are going to get hit, badly.

Ain’t blogging great? Not only can bozos like “martincase” have their say, we journalists can have our say back!

  • Anonymous

    Ian,

    I’ll refrain from ranting but in this case I have to agree with the commenter. You may wish to try this as an experiment, download the script (actually you have to copy and paste it into a text file – instructions are posted in the thread about how to do it.) Next you need to make the script executable. To do so, you would have to open the terminal and type chmod +x and then drag the text file into the terminal window, and finally, click back into the terminal window and press return.

    Now the script is on your hard drive and is executable. Try double-clicking it. On my system it launches textedit and shows me the script but it absolutely will not run. To run it, a user would have to execute it as a script – that is to say that they would have to go into terminal and type bash (and then drag the script to the terminal window, click back in the terminal window and press return.)

    I actually ran it on my computer and it did nothing. There is a routine at the beginning of the script that checks to see if it is being run by root. If it isn’t then it tries to copy itself into /Library/StartupItems (and failed on my computer) and then just quits.

    Unless someone has changed the permissions on their StartupItems folder or actually runs the script as root (either by logging in as root or by executing the script as super user – sudo bash (drag script, click, return)) it is completely and utterly incapable of doing anything at all…

    I think this is actually an excellent example of just how much more secure the Mac is than any of its Windows counterparts. On a Windows system, if a user has logged in and has admin capability then such a script would be able to run, infest and do anything else that it wanted.
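As an added example (not code from the thread or from the script it discusses), here is a defender-side check of the persistence location the comment above describes: it audits a StartupItems-style directory for the ownership and permission conditions that would let a script running without root copy itself in. The function name `audit_startup_items` and the optional expected-owner argument are this example's own choices; on macOS the directory in question is /Library/StartupItems.

```shell
#!/bin/sh
# Added example: audit a StartupItems-style persistence directory for the
# conditions that would let a non-root script plant itself there.
# The function name and the optional OWNER argument are this example's own.
#
# Usage: audit_startup_items DIR [OWNER]   (OWNER defaults to root)
# Prints one line per finding; returns 0 if clean, 1 if anything was
# flagged, 2 if DIR does not exist.
audit_startup_items() {
    dir="$1"
    owner="${2:-root}"
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    findings=0
    # The directory itself: a world-writable StartupItems folder means any
    # local user (or a script run by one) can drop a new item in.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
        echo "WORLD-WRITABLE-DIR $dir"
        findings=$((findings + 1))
    fi
    # Each item: flag unexpected ownership and group/world write bits,
    # either of which lets an unprivileged process alter what runs at boot.
    for item in "$dir"/*; do
        [ -e "$item" ] || continue
        if [ -n "$(find "$item" -maxdepth 0 ! -user "$owner")" ]; then
            echo "UNEXPECTED-OWNER $item"
            findings=$((findings + 1))
        fi
        if [ -n "$(find "$item" -maxdepth 0 \( -perm -0002 -o -perm -0020 \))" ]; then
            echo "GROUP-OR-WORLD-WRITABLE $item"
            findings=$((findings + 1))
        fi
    done
    return $((findings > 0))
}

# Stand-alone run against the macOS location discussed in the thread;
# skipped quietly on systems that do not have it.
if [ -d /Library/StartupItems ]; then
    audit_startup_items /Library/StartupItems || :
fi
```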

  • rjz

    Well, I am afraid I am going to have to agree with Ian. The fact that this script isn’t *yet* a virus, or even an effective trojan horse, means that we can still say our Macs are safe. The fact that some hacker hasn’t had the time to package the thing as a nicely hidden-away trojan horse attached to some useful software means that we’re still safe. But don’t you think it’s important to note that those are relatively small steps and we should be prepared to protect our computers and Apple should be thinking about how it can circumvent even this attack?

    So long as journalists are not characterizing this as a virus (and some are) they are right in raising the issue.

  • http://technovia.typepad.com Ian Betteridge

    Anon – I don’t disagree with anything that you’ve said about the script’s capabilities. But all of this is actually in my story – including some comments about how the Mac doesn’t face the same problems as Windows! I went to the trouble of talking to the people at Sophos (who had issued a press release about it) and including the following quote: “We believe the circumstances under which it will be able to spread are quite small. We don’t believe it is spreading in the wild, and we think it is unlikely to.”

    I was very careful with this story to err on the side of caution, and to ensure that it was clear that, as I put it, “the Mac has yet to see anything other than a fraction of the security issues that have bedeviled Windows”. And yet still it appears that if you report anything that could possibly be bad about the Mac, bozos will happily jump on your head for it.

  • http://technovia.typepad.com Ian Betteridge

    rjz – it wouldn’t be hard to package this one up, but you’d still have to somehow fool the user running it into giving you the Admin password. However, doing that wouldn’t be all that hard. Stick an installer round this, bulk up the size of the application, and put it on Limewire and claim it’s a crack for Photoshop, and an awful lot of people would run it and give it an admin password.

  • Steve

    Ian, to your credit I think you handled the issue better than other journalists. For starters, your article has the words “malicious Mac OS X script” in the title. Further, your point to remind Mac users not to be complacent is understandable.

    That said, there are too many “journalists” that are using terms like “virus” and “worm” which they clearly don’t understand the meaning of. Worse, they’re quoting comments from someone who probably knows less than they do. Also, quoting an anti-virus company may seem like good journalism, but it’s a sure way of getting sensational quotes from what is basically a non-issue.

    From my perspective, I hold more contempt for “journalists” that promote “the sky is falling” type of fear over a non-issue such as this. If you understand the definition of a virus, if you understand what’s required to actually execute and even replicate this “malicious script”, you’ll realize how silly these “warnings” are and how foolish they make uninformed journalists sound to those with a moderate level of computer knowledge.

    Again, a friendly reminder not to be complacent is always a good thing, but the “sky is falling” type of message is not warranted. If you really wanted to gain credibility, you’d run an article describing that yes, this script has the potential to be dangerous, given that you provide admin password, or at least open up permissions on directories, etc. However, if you went on to describe how unlikely this scenario is and how other “journalists” don’t understand what they’re writing about, you’d be more respected and actually serve the public better in the process.

    Steve

  • prozac

    Actually, Prozac is an antidepressant. While one symptom of depression may be anger or “grouchiness,” I think you probably intended for “martincase” to ask the doc for a tranquilizer, no?

    Prozac will have the effect of flattening a patient’s emotions – gets rid of the lows, but cuts the highs as well. Tranquilizers will calm you down, or relax you.

  • michele

    I tried doing what the person in the third? post said to get the script to run and it didn’t do anything on my computer either, but when I double clicked it, instead of opening textedit it asked me to find a program to open it with! lol not much of a virus…

  • tom

    I am amazed at just how many reporters and industry experts don’t seem to understand this at all… I’ll try to explain it for you.

    Think of “opener” as a little spy-camera and your computer as an armored car. It won’t help a cracker get into your armored car but if you leave the door open then once inside the cracker can take pictures of what’s in your car.

    And that is all there is to the script. It does not in any way crack into a computer to begin with, the person installing it must already have access.

    This has all been blown totally out of proportion.

  • http://technovia.typepad.com Ian Betteridge

    Steve – Thanks for your comments. While I agree with you that it’s always dangerous to throw around the “worm” and “virus” words (and that, of course, is why I didn’t use them), it’s worth reading back in the history of viruses to the early days of DOS and Mac viruses, when the vast majority depended on someone, somewhere, downloading something and running it to infect their machine. The Opener script is primitive, but back in the late 1980s people would have called it a virus.

    Michele – Seriously, you downloaded a completely unknown script and ran it on your machine? If so, you’re (a) braver than I am, and (b) much more lax with security.

    Tom – You don’t need to explain anything to me. I understand perfectly well what Opener is, and does. And I also understand exactly how easy it could be packaged up into a sweet little installer that looks like a legit application, and which would ask you nicely for your admin password, and thus infect your machine. Blown out of proportion? Perhaps by others, certainly not by my story.

  • http://technovia.typepad.com Ian Betteridge

    Prozac – personally, I want martin to get a life and stop hanging out on the Internet too much. Are there drugs which can make you do that?

  • Alan Patton

    As we say in Missouri, “show me”.

    In your article you state “A malicious script for Apple Computer Inc.’s Mac OS X has been discovered that is capable of harvesting passwords and installing remote control software and security backdoors onto a user’s machine.”

    Ignoring the fact that you are implying that this malicious script can do so of its own accord, can you show us which lines of the script install “remote control software” and/or “security backdoors”? Because I have looked at that script up, down and sideways and it doesn’t install any such thing.

    In the very next paragraph you say it again – “then downloads and installs various remote control and password cracking applications.” The script does not download remote control software and downloads one and only one password cracker – John the Ripper.

    The next paragraph boggles my mind… “Anti-virus companies warned that, although not yet found in the wild…” Did it occur to one single journalist to ask them where exactly they did “find” it if it is not in the wild? No, and it’s a shame too because that might be a story I’d like to read.

    “Although it attempts to copy itself to any mounted drive (including those on servers),” Ahh, this is the one solitary function in the script that makes it sound like a worm rather than just a script isn’t it? Did you bother to mention that under Apple’s implementation of file sharing the root directory of the hard drive is not shared and thus the script can not install itself to a shared volume? No.

    Did you mention that even if the entire drive were shared and even if the script were running on the local computer as root it would still not have write access to the StartupItems folder on the network drive? No.

    Did you tell your readers that in order for this script to even attempt to infect a network share that the share would have to be already mounted at startup prior to any user logging into the computer? No.

    In the future, why not just let Graham Cluley of Sophos write your articles for you so he can sell more of his snake oil to Mac users who don’t have any need for it at all. Do you own stock in Sophos or what?

  • http://technovia.typepad.com Ian Betteridge

    Dear Alan,

    As we say in England, “get your facts right”.

    Some questions for you:

    1. Is my statement that you happily quote in your second paragraph inaccurate? No. You can read into it whatever you want, I prefer to stick to what I wrote.

    2. Have you been through the latest version of the script, or the first version posted on MacUnderground? And why do you assume that the version posted on MacUnderground is the only version floating around? Do you think that no one has bothered doing any development on this since August?

    3. “In the wild” has a pretty clear meaning. I’m not even going to bother answering that one.

    4. It doesn’t matter if it’s copied to the root directory of a drive. It’s copied to the Public folder when file sharing is turned on. That means it’s shared. That means it’s potentially spreadable.

    5. Did I mention that if the drive were shared etc…? No. I did, however, say that it required admin privs to work. Duh! How many times in the story do you want me to mention this? Every paragraph?

    6. Shares in Sophos? Actually, Sophos wasn’t the first company to alert people to this product. And Cluley’s comments were, once again for the slow ones at the back, very muted about the whole thing. YES if this gets on to a machine it’s a pain in the ass. Yes, as he says, “We don’t believe it is spreading in the wild, and we think it is unlikely to.”

    Of course, if you’re happy for a script to install dsniff, snort, and other odd bits and bobs on your machine, then you don’t have a problem.

    Perhaps my saying “it relies on someone with administrator privileges running it in order to install itself to the /Library/StartupItems folder” wasn’t enough for you. Perhaps I should have said, instead “hey everyone, Macs are immune to malware!” Well sorry, but it isn’t true and if you pretend it is, one day, you’re in for a rude awakening.

  • not saying

    hey ian, not to jump into the middle here but your #4 is incorrect – the script does not copy itself to the public folder but rather it copies the user’s password and preference files to the public folder. so since it can’t copy to a network volume and does not copy itself to a public share then it’s not a worm.

  • WildList

    http://www.wildlist.org/faq.htm

    “What exactly is ‘In the Wild’?

    When a virus is reported to us by two or more Reporters, it’s a pretty good indication that the virus is out there, spreading, causing real problems to users. We consider such a virus to be ‘In the Wild’.

    As far as where is ‘out there’, we like the definition given by Paul Ducklin of Sophos, PLC in his paper ‘Counting Viruses’:

    For a virus to be considered In the Wild, it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users.

    This means viruses which merely exist but are not spreading are not considered ‘In the Wild’.

    Similarly, for a trojan to be considered “In the Wild”, it must be found on the computers of unsuspecting users, in the course of normal day-to-day operations.”

  • Erika Valdez

    Hi Ian!

    I’m doing a report on “opener” for school and I have searched the web for different versions of “opener” but I can’t find any newer than version 2.3.8. At Sophos’ site they have an article with a picture of a version 2.4 so there must be a newer version – can you give me a link?

    Thanks!

  • Mike Whooley

    The moral of this story is: “Anything installed with administrator privileges can cause a lot of damage. Don’t install anything you don’t trust.”, though that’s true on any platform.

    There isn’t any worm, virus or Trojan here; and while some script kiddie may be busying himself incorporating Opener into one – he could just as easily stick in a “rm -rf ~/” which would be equally painful in my case. (Hope this comment doesn’t now constitute a malicious script in the wild! ;-)

  • Ryan Peterson

    Ian, I actually think you did a good job of not buying into some of the sensationalism that has surrounded this script. I think what has upset most Mac users, including myself, is the idea portrayed by some articles that this somehow shows Mac OS X to be as vulnerable to “worms” and “viruses” as Windows. When in reality all this shows is that, as is the case with any Linux/Unix system, if you give admin access to the wrong person you are at risk. This trojan horse is spread not by OS error but by operator error. This is not the same type of vulnerability that often occurs with Windows, in which the system is compromised with little or no interaction from the user (especially the entering of a password), after which the virus or worm spreads itself automatically due to security flaws in the OS.

  • http://technovia.typepad.com Ian Betteridge

    not saying: Thanks for that. I’ve been told by others that have run it that it copies itself to the Public folder, so it appears there are different variants floating around.

    Erika: I’m not sure that, even if I had one, supplying a link to a more vicious version of Opener on a public web site would be a good idea :) Sorry.

    Mike: Even things that don’t have admin privs can cause a lot of damage. For example, deleting everything in your /Documents folder :)

    Ryan: Thanks. It’s a complex issue, and sometimes journalists can overblow things. Of course, you also have to remember that not every journalist has ever used a Mac… :)

  • Ian is an idiot

    “There isn’t any worm, virus or Trojan here; and while some script kiddie may be busying himself incorporating Opener into one – he could just as easily stick in a “rm -rf ~/” which would be equally painful in my case. (Hope this comment doesn’t now constitute a malicious script in the wild! ;-)

    Posted by: Mike Whooley | October 27, 2004 04:14 AM”

    “Mike: Even things that don’t have admin privs can cause a lot of damage. For example, deleting everything in your /Documents folder :)

    Posted by: Ian Betteridge | October 27, 2004 03:27 PM”

    Hey Ian, do you even know what this simple command that Mike Whooley posted does? ( rm -rf ~/ )

    I think you should write about another subject from now on instead of computers as you obviously know nothing about them.

  • http://technovia.typepad.com Ian Betteridge

    Hey, “ian is an idiot”: Have you ever heard of a thing called “irony”? :)
