Mac Security: Identifying Changes to the File System
Subject:   Mac OS X Rootkits
Date:   2005-10-13 13:58:41
From:   peterhickman
Response to: Mac OS X Rootkits

It's true that opener was never really a rootkit (even if it was the nearest that OS X has had to a rootkit scare). It was more of a 'look what we could do if we ever managed to root a system'.

But that said, the first hurdle is to gain enough of a foothold on a system to install all the opener-type tools in the first place; just because someone has gained access to your system does not mean that they have root. For me an essential part of a rootkit is the ability to gain root from any foothold. Any such rootkit is to be truly feared.

Anything that will only work if it is given root on a plate is best described as proof of concept, just like the proof-of-concept OS X viruses.

What you say is right and my go at Togroot was a cheap shot, but at this point I do not believe that we are facing a real threat.

For me a rootkit will allow a hacker to gain root access, and so I see little threat on the horizon if they require root on a plate. Your definition does not require the ability to gain root access, so you will be assessing things differently.

Perhaps we need a better taxonomy for rootkits, 'proactive rootkit' for those that can gain root themselves and 'nursery rootkit' for those that get it given to them.

Whatever species of rootkit it is, you wouldn't want it on your Mac.