Differentiating Between Types of Malicious Software


There's a wide variety of malware types and technologies out there, all waiting to attack (and possibly damage) your network and the individual computers on it. To effectively diagnose and resist malware attacks, you must learn the differences between, for example, a Trojan horse, a virus, a worm, and other types of malicious software.

Trojan Horses

Just as in the classic Homer legend, Trojan horse software seems like something you can use, but actually conceals something that can cause as much destruction to data as an entire legion of soldiers.

It is extremely unlikely that well-known, shrink-wrapped software will contain a Trojan horse. The main concern here is that shareware, freeware, or other software distributed through nonretail channels can easily be modified by a malicious attacker. A well-written Trojan horse, however, can install itself on top of shrink-wrapped software to disguise its actual source, so it may not have originated in the application you purchased or downloaded, but from another source entirely.

Viruses

A virus attaches itself to a good program and can not only attack its host computer, but, like a biological virus, can replicate itself and spread to other computers. Viruses can be triggered only when an infected program is opened, so human "cooperation" is required, most commonly by inadvertently opening an email attachment. If a virus-infected program is not opened or executed, the virus will not infect a system.

Note

Currently, Microsoft Office Macros can adversely affect your Microsoft Office documents, depending on the type of virus.


Worms

Worms are similar to viruses, with one important exception: Worms can spread to other computers without human involvement. A worm will take advantage of a transport mechanism on a single computer and automatically spread itself to other computers.

The most common worm is an email address-book worm, which collects all of the email addresses stored on a single computer and sends a copy of itself to each addressee.

The email attachment that it sends is often a virus that installs a worm that repeats the process, infecting all of the computers in the recipient's address book.

Note

Microsoft Outlook e-mail worms can spread to other computers if you forward e-mails that have not been checked for Outlook worms.


Spyware

Spyware is very insidious. A system may seem like it is running normally, but spyware is running in the background, secretly sending private information to an unauthorized recipient. A spyware-infected computer may be transmitting anything from address book contacts to passwords to confidential client information without the user even being aware that unauthorized data-sharing is happening.

Note

Spyware can also masquerade in the form of Microsoft Internet Explorer helper objects.


Understanding the Opener Rootkit

A rootkit is a hacker term for a software package whose intent is to provide the hacker with access to a system's root account. In UNIX systems, the root account has superuser capabilities and can make changes anywhere in the system. In other words, if you have root access, you control the system and can have it do anything that you would like. Rootkits are used to extend the attacker's capabilities once he already has root access, often by introducing backdoors into the system that the attacker can use at a later date.

Mac OS X and Mac OS X Server are UNIX-based and therefore do have root accounts. By default, the root account is disabled on Mac OS X but not on Mac OS X Server. Even though the account itself is disabled, the support for the superuser account still exists. It is possible for an application to take on superuser privileges to accomplish some task. This ability is important and is often used by trusted applications to effect changes within the operating system itself. A prime example of this legitimate usage is within the programs that make up the System Preferences panes.

Because this capability exists, an attacker can use a rootkit to create additional, unauthorized programs that run as the superuser. With a rootkit installed, the hacker can execute any program with superuser privileges. This allows the hacker to make the system do anything he or she wants. Of course, even with root access the attacker still needs a way to reach the system.

Most rootkits include additional programs that support remote access to the system and, as part of the rootkit installation, make configuration changes that enable those remote access programs. For example, most rootkits will enable the secure shell, ssh, which listens on Transmission Control Protocol (TCP) port 22, and will also add a separate "backdoor" application that listens on another known TCP port. Either of these access points can be used to gain control over the system.

Because of the nefarious nature of most rootkits, additional work is performed during the installation to help hide the fact that the rootkit has been installed. This "hiding" process typically involves the installation of custom versions of many programs that are used to determine the status of a server. Some examples include ls and du, which are modified to not "see" the directory in which the rootkit has been installed; netstat, which is modified to not "see" the TCP ports that the backdoor programs are using; and ps, which is modified to not "see" any background processes that the rootkit has installed. Additional configuration changes will also be made to facilitate this "hiding" and to enable the continued operation of the rootkit. For example, the firewall configuration is changed to open the backdoor TCP ports, and startup scripts are added or modified so that the rootkit programs start whenever the system is restarted.
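Because the rootkit replaces exactly the tools an administrator would use to look for it, the practical defence is to compare each view against an independent one. The script below is an added example (not code from the book) that does three such cross-checks on constructed sample data: status binaries against a known-good hash manifest, TCP listeners reported by netstat against those reported by lsof, and startup items against a baseline list. The paths, hashes, and port 8765 are all made up for the example.

```shell
#!/bin/sh
# Added example: cross-view and integrity checks for the hiding tricks described
# above. All inputs are constructed samples so the script runs offline.

# Constructed baseline manifest ("path hash") recorded while the system was known-good.
BASELINE='/bin/ls aaaa1111
/usr/bin/du bbbb2222
/usr/sbin/netstat cccc3333
/bin/ps dddd4444'

# Constructed current manifest: netstat and ps no longer match the baseline.
CURRENT='/bin/ls aaaa1111
/usr/bin/du bbbb2222
/usr/sbin/netstat eeee5555
/bin/ps ffff6666'

# Constructed TCP listeners: what the (possibly modified) netstat reports versus
# what an independent view (lsof) reports. 8765 is a made-up backdoor port.
NETSTAT_PORTS='22
80'
LSOF_PORTS='22
80
8765'

# Constructed startup item lists, baseline versus current.
STARTUP_BASE='/Library/StartupItems/Apache'
STARTUP_NOW='/Library/StartupItems/Apache
/Library/StartupItems/.hidden-svc'

# Print each path whose hash in $2 (current) differs from $1 (baseline) or is absent.
changed_binaries() {
    printf '%s\n' "$1" | while read -r path hash; do
        cur=$(printf '%s\n' "$2" | awk -v p="$path" '$1 == p { print $2 }')
        [ "$cur" = "$hash" ] || echo "$path"
    done
}

# Print each line of $2 that does not appear in $1: entries one view shows that
# the other hides (ports), or entries added since the baseline (startup items).
missing_from() {
    printf '%s\n' "$2" | while read -r item; do
        [ -n "$item" ] || continue
        printf '%s\n' "$1" | grep -qxF -- "$item" || echo "$item"
    done
}

echo "Modified status binaries:"; changed_binaries "$BASELINE" "$CURRENT"
echo "Listeners hidden from netstat:"; missing_from "$NETSTAT_PORTS" "$LSOF_PORTS"
echo "New startup items:"; missing_from "$STARTUP_BASE" "$STARTUP_NOW"
```

On a live host the manifests would come from `shasum -a 256` run from trusted boot media (with its hash and path columns swapped), and the two port lists from `netstat -an` and `lsof -i` captured separately, so that a single replaced tool cannot hide a listener from both.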

The installation of a rootkit on a system can lead to significant issues. Many rootkits are used to enable costly or destructive services such as anonymous email relays, file sharing, game servers, port scanners, Denial of Service (DoS) agents, IRC bots, and so forth. These services can cause the system or the local Internet connection to slow down to a crawl and impact their use for legitimate work. Even if a rootkit is not being used to implement a costly service, there can be other detrimental problems. If the rootkit installed was not built for the exact version of the operating system that it is installed on, there can be conflicts with the system libraries or even the kernel itself. This can cause the replaced programs to behave erratically or not work at all. Since these programs are often used either directly by users or by scripts and programs running on the system, this can cause significant problems.

Since rootkits make many changes to a system, it is often very difficult to remove the rootkit and still have a working system. Because of this, if a system is ever compromised by a rootkit, recovery often requires a complete reinstallation of the operating system from scratch.

It is important to note that the installation of a rootkit requires the use of superuser privileges. On Mac OS X (not Mac OS X Server), the root account is disabled by default. System administrators must use the sudo command to execute an application as the superuser. This significantly lessens, but does not eliminate, the possibility of a rootkit being installed. In addition to a user explicitly executing a program as the superuser, there are legitimate programs that also operate with superuser privileges. The system's package installation program is a prime area of risk for a rootkit installation. By necessity the package installation program has to operate with superuser privileges to be able to install legitimate programs, and this can be abused to install a rootkit as well. If you have administration access to the system, it is important that you know exactly what applications are being installed when you are prompted to enter the administrator password.

Even with all of the negative aspects of rootkits, they can have a noble use. In certain situations, it may be desirable to have backdoor access to a system. For example, you may have systems that have been deployed in a semipublic venue and you want to minimize the administration access to the systems. In that case, you may either disable the administration account or provide a random password to the administration account. This effectively locks out administration of the system. In this case, having undocumented, backdoor, superuser access can be beneficial.

If you do intend to install a rootkit on a system, it is important that you configure a system to be exactly the same as the system on which you want to install the rootkit. You will then need to build the rootkit on that system so that all of the versions of the rootkit programs and the libraries will match. Also, you will need to build an updated rootkit and reinstall the updated rootkit after each software update.

Currently, there are only three known rootkits for Mac OS X (osxrk, WeaponX, and jworm, also known as Opener or SH/Renepo), and all of them are out of date. They will work only on Jaguar or Panther systems. Opener is a simple shell script that is a rootkit only in that it opens a system for someone to access that system as root. It does not have any provisions for the typical rootkit hiding. It should also be noted that even though Opener is labeled a worm, it has not been seen replicating in the wild.




Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan
