By Jennifer LeClaire MacNewsWorld Part of the ECT News Network
10/25/04 10:44 AM PT
Mac users got a wake-up call this weekend with the announcement of a malware threat that targets user information, although the threat is minimal because of the method of transmission.
The SH/Renepo worm, also known as "Opener," attempts to turn off firewall and other security software, according to antivirus software vendor Sophos.
"You do not want the Renepo worm anywhere near your Mac OS X network," said Graham Cluley, senior technology consultant for Sophos. "Renepo makes so many security-related changes to your systems that all bets are off once you have been compromised.
"Because the worm attempts to harvest user, configuration and password data for a wide range of applications, it represents a huge security headache for all administrators, creating a backdoor to leave infected computers vulnerable to further attack," Cluley said.
However, the chance of being infected by the worm would appear to be small since it is not transmitted via the Internet.
Volume-to-Volume Direct
Mikko Hyppönen, director of antivirus research at F-Secure, told MacNewsWorld: "This virus is only capable of spreading from one Macintosh to another by mounting volumes. Within a company, Mac users might have shared their hard drive with each other. In such an environment it could fairly easily spread to all those Macs, but it wouldn't really easily jump from that company to another one unless you took your computer over there and mounted a drive or shared files."
Because of its method of transmission, Hyppönen said the only way to get this virus from Australia, where it was found, to the United States would be to board a plane and bring it over.
Hyppönen said the virus seems to target OS X exclusively, although it was not certain whether it could also target earlier Mac operating systems.
Specifically, the worm can turn off the Mac OS X firewall and download and install hacker tools for password-sniffing and cracking. The worm will then make key system directories world-writeable and create an admin-level user for later system abuse. Renepo also turns off accounting and logging to help hide its presence.
Wake Up Call
"This is a shot across the bows rather than a pressing immediate danger to Mac environments," Cluley said. "The Renepo worm reminds Mac users who may have felt smug that most viruses target the Microsoft (Nasdaq: MSFT) Windows market that they should be careful not to turn a blind eye to security."
While viruses were almost exclusively a Mac problem in the late 1980s, Mac viruses are not at all common in today's computing world. And even this one has limited potential to spread.
Even though the Renepo virus has not been seen in the wild to date, analysts said it should be considered a warning to Macintosh users not to be complacent about the malware threat.
"When you think about e-mail worms that cross the Atlantic in seconds, it's not that serious," Hyppönen said. "But this really shows us that there is very active underground development going on with the Mac. There is a community of underground hackers and that is a bit of a surprise."
Apple (Nasdaq: AAPL) did not return calls seeking comment.