Mac OS X Trojan Horse Infects MP3s
frequnkn writes "The Mac News Network reports that Intego has announced an update to their anti-virus app for snagging the first Mac OS X Trojan horse, MP3Concept (MP3Virus.Gen), which exploits a weakness in Mac OS X where applications can appear to be other types of files."
I can stand that.
Big difference. People used to spread stuff under Windows by faking different extensions too.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
I suppose I'll start to panic as soon as apple acknowledges it, rather than take the word of a company trying to sell me anti-virus software.
What this article doesn't mention is how (or if) the code gets around the normal OS X restrictions requiring that one enters an administrator's password. Even if applications can be hidden, I question the amount of damage they can do... Surely nobody will enter an admin password requested by an ".mp3" file.
Besides, this isn't a virus so much as a security flaw. Why pay $60 for software when Apple will surely release a patch soon?
Oh, and for all the PC assholes who are currently saying "In your face, mac zealots" or whatnot--nobody claims that OS X is bulletproof--no computer system is. Nevertheless, it seems to be a lot more secure than, say, Windows, which has security problems all of the time.
It was just a matter of time before someone used it maliciously to confuse the line between instructions and data.
I can see the fnords!
Heh... Interesting that the first trojan horse/virus yet to be seen for OS X uniquely exploits the discordance between the "Classic" pre-OS X way of specifying file types (File Type/Creator metadata) and the new, inherited-from-Windows, file extension method.
The basic gist of this trojan from what I've read so far (there is very little information aside from what Intego has on their own web site) is that it is a file with type AAPL (executable application) but with an .mp3 extension... the Finder thus displays an MP3 icon for it yet launches it as an application when the user double-clicks.
What this basically comes down to, then, is the Finder making the wrong decision as to how to present the file to the user. Specifically that it presents it in one way, but acts upon it (when double-clicked) in the other. Whether it should first obey the deprecated file type metadata or the file extension is left to be argued about... what's certain is that it should always behave with the file the same way it presents it. I predict a bug fix for this will be in OS X shortly.
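A defender-side check for the mismatch described in the post above, added here as an example and not code from the thread or from Intego: it reads the classic type code from the com.apple.FinderInfo extended attribute (assumed layout: four-byte type code followed by four-byte creator code; the application type code is 'APPL', which the post spells AAPL) and flags files whose extension claims a document while the metadata or the POSIX mode says executable. The sample attribute values are constructed.

```python
"""Flag files whose Finder type or mode says 'executable' while the
filename extension says 'document'.  Added example; the FinderInfo layout
and the 'APPL' type code are assumptions stated in the lead-in."""
import os
import struct
import sys

FINDER_INFO_XATTR = "com.apple.FinderInfo"
APPLICATION_TYPE = b"APPL"            # classic four-char code for executables
# Extensions a user reads as "data, not code"; extend as needed.
DOCUMENT_EXTENSIONS = {".mp3", ".m4a", ".aac", ".doc", ".pdf", ".jpg", ".txt"}

# Constructed samples (32-byte FinderInfo blobs): an executable dressed up
# as a song, and a plain audio file.  Creator codes are illustrative only.
SAMPLE_TROJAN_FINFO = b"APPL" + b"????" + bytes(24)
SAMPLE_REAL_MP3_FINFO = b"MPG3" + b"hook" + bytes(24)


def parse_finder_info(raw):
    """Return (type_code, creator_code) from a FinderInfo blob, or
    (None, None) when the attribute is absent or too short to hold both."""
    if raw is None or len(raw) < 8:
        return (None, None)
    return struct.unpack(">4s4s", raw[:8])


def masquerade_reasons(name, finder_info=None, mode=0, is_dir=False):
    """List the reasons `name` may be an executable posing as a document.
    An empty list means the metadata alone shows nothing suspicious."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in DOCUMENT_EXTENSIONS:
        return []                      # .app, .sh etc. are honest about themselves
    reasons = []
    type_code, _creator = parse_finder_info(finder_info)
    if type_code == APPLICATION_TYPE:
        reasons.append("Finder type is APPL but extension is %s" % ext)
    if mode & 0o111:
        reasons.append("POSIX execute bit set on a %s file" % ext)
    if is_dir:
        reasons.append("%s name is a directory, possibly a bundle" % ext)
    return reasons


def scan_file(path):
    """Inspect a real file.  FinderInfo is read only where the platform
    exposes extended attributes; elsewhere only mode and type are checked."""
    st = os.lstat(path)
    try:
        raw = os.getxattr(path, FINDER_INFO_XATTR)
    except (OSError, AttributeError):
        raw = None
    return masquerade_reasons(os.path.basename(path), raw, st.st_mode,
                              os.path.isdir(path))


def scan_tree(root):
    """Walk a download folder and return {path: reasons} for suspects."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            reasons = scan_file(full)
            if reasons:
                findings[full] = reasons
    return findings


if __name__ == "__main__":
    for path, why in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(why))
```

Run it against a downloads folder; a clean tree prints nothing.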
No one ever said it was physically impossible for Mac OS X to have a trojan...the only thing that even MAKES this a "trojan" is the fact that the file can *appear* as an ordinary MP3. Writing an application that can be destructive is no difficult task; it's just that this can appear to be an MP3 due to a shortcoming in the way OS X displays and handles Carbon/CFM vs native file type information. A security update can easily fix the shortcoming. Still, 1 trojan vs. thousands? I'll take Mac OS X, thanks...
Short answer: yes
Targeting windows users would seem to be a lot more advantageous if the RIAA were out to infect the world.
slashdot, news for crazed liberal socialist zealots
So what? Mac OS X can have trojans. Mac OS X can have viruses. Mac OS X can have security issues.
Yes, of course we all know that OS X can have viruses, the point is that until now it basically hasn't had any. At least nothing that I've heard of or had to worry about. Now I will have to think twice about opening random mp3 files which somehow appear on my hard drive (?).
No, that wasn't mac zealots falling off their soapboxes. We were just busy laughing at the company that put this application out.
...
...
... I mean, it's not like we can do this in Linux:
Let's see
so, this "trojan" can make applications appear as MP3s
How evil
mv filename.sh filename.mp3 (which of course Gnome / KDE would display as an MP3 icon)
or this in Windows:
rename filename.exe filename.mp3
(same thing in Windows)
Damn! These trojan writers are clever bastards!
(gimme a break, money-grabbing anti-virus bastard types)
What's relevant here is now that this has exposure (and we all know that /. == exposure to those who matter), how quickly will Apple respond and rectify this by issuing a patch?
Here's wagering that they don't sit on it like M$ has been known to do, if for no other reason than that M$ has a far greater volume of viruses/trojan horses/etc. to deal with!
-Nanter
It's news because it is the first Mac OS X specific virus/trojan in existence. No one claimed OS X was immune to them, just that they hadn't occurred yet. Now they have. That fact is news.
'Sensible' is a curse word.
The preview of the file shows no play functionality like an ordinary mp3 file but reads 'Kind: Application'. It may mislead users but it is simply spotted (with the naked eye).
It's just a lot harder to exploit all of these things on Mac OS X for numerous logistical, technical, and statistical reasons.
Yes, because my house has never been broken into before, it's more secure than any other.
//Blessed are they that run around in circles, for they shall be known as wheels.
> Linux is special in that it's only a kernel
No, Linux is special because it allows pedantic shitwits like you to make specious arguments when it suits your shoddy advocacy.
Fact is, the box says "Foo Linux", people are going to call the entire thing "Linux". If you got a problem with that, take it up with Linus Torvalds who licenced his trademark to those people.
"It is quite ironic that a company selling you a fix happens to find the problem and releases the solution for the low price of 59.95. "
[ Inigo Montoya ]
I don't think that word means what you think it means.
That's not ironic. It may be, to tinfoil-hat-wearers, SUSPICIOUS, but it's not ironic at all.
Hell, just avoid downloading MP3 files that are in Stuffit (.sit) archives.
.mp3 files in filesharing networks wouldn't be a risk, because the programs won't preserve the resource fork.
The Stuffit archive is required to preserve the resource fork, with the CFM executable code.
No, but the architecture and OS together is rare. How many Linux viruses have you seen? How many Mac viruses? Now how many Linux viruses compiled to run on PPC architecture? It would be like trying to infect Atari 800XL computers. You might make the virus but how the hell do you get it to the target? It certainly wouldn't spread like a worm infecting all those 800XL's in existence around the internet. Unless maybe through an Atari 800 IRC channel you get specific information of specific people's computers. You would have to send it directly to the victim via an email or in an application that would probably be 100% traceable back to you. It's the same here, the virus would literally have to be in the Yellow Dog distribution or spammed to TeraSoft's mailing list. There is safety in obscurity if your virus is not compatible with any other systems and nobody can find you.
The ramen worm was not an apache worm like I previously stated. It exploited wu-ftp, rpc.statd, and LPRng services. It then modified the apache homepage of the infected machine. My argument still stands though, if I port wu-ftpd to MacOSX and it gets infected via a worm, it's not a MacOSX worm, it's a wu-ftpd worm. It's not the fault of linux that the programs running on it were exploitable. However, MacOSX comes as a package and this vulnerability is at its core, not a 3rd party application.
--pedantic shitwit
From my read of their PR page about this, it sounds like something they entirely fabricated themselves to sell their software. There is nothing in the wild and no reports on respectable security sites, just Intego saying they "isolated" something and you should buy their FUD^H^H^Hproduct. As others have pointed out, a trojan is possible on any system if you can get the user to jump through elaborate enough hoops. So the next time you download an unknown MP3 (or whatever) file with an intact resource fork from an anonymous source and give it executable status so you can double-click it instead of just adding it to your iTunes library (or playing it in Finder with a single click in column view), be glad you also shelled out money to Intego so that you are protected from your own stupid and unnecessary actions! That it's come to this shows just how hard it is for anti-virus types to make money on the Mac.
The kind of user who wants to use the standard format for audio compression that is widely used today, was widely used yesterday, and will be supported long into the future. The amount of work done on the mp3 spec is incredible -- check out LAME, which offers speedy, high-quality compression. Ars Technica's Macintoshian Achaia forum had a long thread about optimizing LAME for OS X. I can't find the thread, but I think it indicates that there's still good reason to encode using MP3s.
That's not to say there's anything wrong with using AAC. But mp3 still works for me and numerous others. Until a compelling reason exists for change, I'll continue ripping my CDs to mp3.
You find it ironic that a problem is found by people who make their living looking for such problems???
I have a hard time seeing why the parent is flamebait, especially when given a smile.
He *is* right in that what you have here is an honest-to-God architectural security problem with the Mac OS. It isn't a coding bug or a stupid user -- Apple clearly defines how to determine file type in their specs, which will now need to be revised.
And I think he's pretty accurate in claiming that this *does* embarrass a lot of people that were making semi-bogus security claims about the Mac OS.
Had he said "Yes, now we can all tell that Mac OS X security sucks", then sure, he'd be flamebait. But he was spot-on accurate in his statement. Modding him down because you don't like the truth of something he's saying is just silly -- a religion, a text editor, or a computing platform that cannot stand up for itself on its own merits should not have you trying to suppress valid criticisms of it. If it can, it doesn't *need* you trying to suppress valid criticisms, because those are minor compared to the benefits of the platform.
May we never see th
A .Mac subscription comes with a free copy of Virex (McAfee) along with all the other free apps.
Personally I'm just going to download the Virex update when it becomes available, but since I've now gotten used to installing countless Security updates via OS X's Software Update app without hearing a whisper about any vulnerabilities I'm guessing Apple's ahead of the game.
Personally I like the fact that we now have a trojan - proves at least that we're not defended entirely by obscurity as some might suggest :)
One virus or Trojan every three years? I can stand that.
Can you understand that past performance does not indicate future performance?
Also your sample size is questionable. Classic Mac OS' history is irrelevant to Mac OS X. Mac OS X is a far more interesting and potentially lucrative target. It combines a highly capable Unix environment (home turf/holy grail for hackers) with a usually unsophisticated (wrt security) users who have no admin to watch over them. This is only the beginning, get used to that.
OS X has been out for three years. This is the first trojan/virus (giving this the benefit of the doubt). Ergo, 1 every 3 years.
Yeah, there's no admin to watch over them/us. What's your point? The system will protect the user as much as it can (have to authenticate to install/write to system areas, or create sockets on privileged ports). It's a bit more secure than Windows where a user needs a nanny standing over her slapping her wrist and saying "don't do that" or "don't open that". If it does become a target, it's more hardened. It's not like Windows saying "take me, big boy."
Illogical. Less likely to be exploited does not make it more secure, it only makes the exploit less likely to happen. It is just as secure or insecure in numbers of 1 or 1000.
Well, it's been all of these things for what, about thirteen years now? When exactly are you expecting this massive wave of exploitation to take place?
Second, an OS X application is actually a directory with '.app' trailing the name. This is possibly the dumbest thing that I've ever seen Apple do recently. Not only is it cumbersome and extremely resource intensive, but it is a glaring security hazard.
A.) Apple didn't do it - NeXT did.
B.) How is this cumbersome?
C.) Resource intensive? Bollocks.
D.) Glaring security hazard? Bollocks again. Double bollocks.
No but if the houses of people in your town were broken into 50% less than in another town it'd mean that your town is more secure (at least for the time being).
Statistics take no role in making Macs more secure, but they can be surely used as an index to decide if they are more secure nowadays.
Diego Rey.
diegoT
And in all fairness quicktime has been around for more than a decade and IE has been around for what, half that? Looking at the number of exploits for each I would not be doing that many comparisons yet.
Underloved Movies and Pub Quiz: donotquestionme.org
It's installed on everyone's machine, it's very hard to remove
How exactly is dragging it into the trash to remove it hard?
it's not open source
Yeah, like that matters, when you consider the massive numbers of WMA and Real viruses.
it autoplays content on the web
Easy to turn off in preferences.
it's a big black box waiting to be exploited.
It's been around for what, a decade? I guess we'll have to wait some more for this particular exploit to happen.
Thanks for playing, please try again...
And posting this twice in the same discussion makes me believe you half as much.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
- Download file with a name like Yeah-Usher.mp3.sit with your favorite downloader.
- Decompress said StuffIt file. If you use Safari and have "Open "safe" files after download" or use Camino and have "Automatically open downloaded files" checked, you can skip this step.
- Open up the file in an attempt to view/listen to it
- Suffer ill effects of worm
I'm not too worried even if a Security Update isn't released to fix the problem. I suppose a worm of this sort will affect the sort of people that open attachments from strangers and type in their administrator passwords despite warnings against such actions. For them there isn't much you can do except take their computer away.
I'm a loner Dottie, a Rebel.
I have an extra user account for mucking around with programs I don't trust. Fast User Switching makes this relatively easy -- I guess if I was paranoid, I would use the dummy account more often.
How hard would it be for Apple to make it possible to log in as several users, but have those users' apps running on one screen? I.e., how hard would it be to implement Fast User Switching on a per-application basis (maybe with the user indicated in the upper right corner of the window)? Then if apps by default were launched by a low-security user, even this sort of trojan horse wouldn't be able to damage my important files.
If Apple did this, surely we OS X fans could claim it is inherently more secure (without getting shot).
No, he's referring to Fahrenheit 451 -- you know, where the firemen are the ones starting the fires, not putting them out... Mix this with a little cut-throat capitalism, and you have a conspiracy theory (a damn good one at that)! :^)
Slashdot's first reaction to VMware
Average Windows users know command lines?! What kind of fucked up world do you live in?
The average Windows user doesn't know how to map a network drive; doesn't know how to properly unmount a USB Storage Device in Win2k; doesn't know how to CANCEL PRINT JOBS if there isn't an annoying window from the bullshit software that pops up when you print.
The average Windows user doesn't know how to format a disk; doesn't know how to look at a full mail header, doesn't know how to Mail Merge.
The average Windows user doesn't differentiate between hard disk and "memory"; doesn't know how to clear the Recent Documents; doesn't know how to change their password.
The average Windows user hasn't used net send, ping, or even winipcfg. They don't know where to change the resolution on their monitor; they only change the Background from a right-click menu in Internet Explorer.
They have never intentionally used an F-Key that wasn't modded to do something special on their multimedia keyboard. They have no idea that Ctrl-F6 will switch between panes, so you don't need to click back and forth when designing a table in Access.
They don't know that Print Screen copies their screen to the Clipboard. Hell, they don't know what the Clipboard is.
The average Windows user doesn't know what Temp files are; has no concept of file permissions, can't make a Pivot Table; doesn't know how to uninstall programs; Has at least two things in their system tray they can't identify; has never performed a full backup of their data; and certainly has never touched their Registry.
Even tech support often doesn't know enough about the command line, like using "~1" doesn't mean you don't need the extension, or that Program Folder 8.1.1 becomes Progra~1.1 or that you can type the whole damn thing in quotes.
Maybe ten years ago the average Windows user knew something about the command line, but not anymore.
Huh? I normally drag MP3 files to iTunes and then press the play button anyhow.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
That entire argument can be simply disproven: Mac OS 9. No security, no viruses.
It actually disgusts me to see the usual OS bashing bullshit that continues to go on and on and on and on around here. My OS is better than yours Nah Nah Nah. Nice. Can't we have more intellectual conversations around here? I've been coding since the late 80's being weaned on x86 assembler on DOS, Q'nix and yes - even 16/32 bit windows - and to see comments like "the average windows user can barely tie their shoelaces" bullshit irritates me. To be quite honest, computers to the average joe are scary. Just because they don't know how to mount a drive or know what shl ax,1 means doesn't mean they're stupid. It's like asking /.'s to describe a date with a woman.
Want to know something amazing? I've been using Windows since it came out and have YET TO BE INFECTED WITH A VIRUS. Yes you heard right. I have NEVER been infected by a Trojan, Worm or Virus. Be a dumb user - you get burned. Simple.
It's like every 5th post is about how shitty Windoze is. Let's drop this drivel. No one is gonna win this argument.
Geeks of the World, Unite!
After her mom says that, are you going to take the chance and dump her?
He has no choice now but to marry, or move and get extensive plastic surgery. (Jury is out on which is more expensive)
still apple's fault..
because they should have reviewed and remedied the code beforehand.
The .mp3 was just a proof of concept. Compression is how a lot of Windows viruses on the loose work in very similar ways now, as many mail servers now block file formats like .exe. Yes, most people won't be fooled by a .mp3.sit but what about something like a .doc.sit?
Marxism is the opiate of dumbasses
It's been around for what, a decade? I guess we'll have to wait some more for this particular exploit to happen.
Remember when Larry Ellison, CEO of Oracle, decided to call some release of his database "hacker-proof", and about a week later, an exploit was publicly going around?
Claiming that your system can't be exploited on Slashdot is, really, an exceptionally bad idea. I felt the twinges of wanting to poke at QuickTime a bit just hearing you say that, and if I had had an OS X box handy, I probably would have started poking about. A description of a crashing bug in QuickTime that barfs all over the stack would have made a nice reply to your post.
I would be very dubious, given how performance-critical QuickTime is and how frequently extended it's been, that there are no holes in it. If there are none, it would be an exceptional record, far better than other media-playing code historically has done. Remember that even the reference zlib (which had been hammered on by everyone for *ages*, and was *open source*) had a subtle exploit in it for a long time.
Oh, yay: an "insightful" comment that gets it dead wrong from the very start. Where did this "OS X runs on FreeBSD" myth get started, anyway? OS X uses some userland apps from FreeBSD.
Stating on Slashdot that I like cheese since 1997.
From what I've read so far, this is not a virus or a trojan horse at all. It's a concept of social engineering. The idea is that you can make an attachment look like one thing and be another.
A virus spreads without your intervention - AFAIK this doesn't.
A trojan horse pretends to do one thing while doing another - AFAIK this doesn't.
I know, right now some of you are jumping up and down and getting ready - or have already - hit the reply button and have all manner of argument.
Let me point this out:
A trojan horse pretends to *do* one thing while *doing* another. This doesn't pretend to be an MP3 file - it just looks like one - nor from what I read is it actually playable in iTunes - so it's not an MP3 - it's an application.
Also it doesn't spread by itself - though it conceivably mails copies of itself to others if you launched it, so it's not a virus.
Back to my original statement:
So. Hope you've stopped being huffy, and got to this part - what do you do about it? For starters, don't launch things you get from people you don't know or don't expect.
Second, don't launch things you get from people you don't know or don't expect.
From my perspective this is just an attempt to create a marketing need for anti-virus software for the Macintosh.
Here endeth the lesson....
(PS. If you've got something to rebuke the above, I'm all ears - I don't profess to know everything about everything, but I'll confess I know a lot about a great many things to do with computing - hint: I've been doing this for a few years :-)
(Second hint: My first computer was a Commodore Vic-20)
Actually, there is some truth to the statement. The Darwin kernel is basically a Mach microkernel, with a BSD server providing the POSIX layer (Mach itself does very little more than pass messages between different userland processes, unlike a traditional UNIX kernel which provides the POSIX system calls itself). The BSD server in the original Mach was based on BSDLite. I believe NeXT used one based on 4.4BSD (although I may be completely wrong here). The one used in Darwin has had code imported into it from the FreeBSD kernel. It's not a FreeBSD kernel, but some of the code originates there.
I am TheRaven on Soylent News
uhm you are, unfortunately, entirely wrong and have been misled by Intego. 1>Their algorithm falsely marks as positive any CFM executable file with a document extension - in this case it's a plugin for Acrobat 5. (see this slashdot post) http://apple.slashdot.org/comments.pl?sid=103394&cid=8809962
2>"mp3virus.gen" does not exist in the wild, and was only discussed as a concept on a security mailing list a few weeks ago, so it's not even likely that you could be 'infected'.
3>It's a trojan so you would have had to download a stuffed archive of an MP3 from someplace and double click on that in the Finder to get it - surely you would remember doing this?
'Virused' is not a verb, thank goodness. You could use infected, if you had a virus, and if this was even a virus and not a trojan. I hate to break it to you, but your 50 bucks were indeed spent for nothing.