Mac OS X Trojan Horse Infects MP3s
frequnkn writes "The Mac News Network reports that Intego has announced an update to their anti-virus app for snagging the first Mac OS X Trojan horse, MP3Concept (MP3Virus.Gen), which exploits a weakness in Mac OS X where applications can appear to be other types of files."
In six years, Intego has made a name for itself in the Internet security and privacy market for Macintosh.
I always wonder where the sources are for the majority of viruses. It is quite ironic that a company selling you a fix happens to find the problem and releases the solution for the low price of 59.95. Yet a Google and Symantec Security search didn't yield anything about MP3Virus.Gen. Hmmm - it's awfully nice they fixed this virus so fast.
I have my doubts about this trojan, as I opined on my website at destination-life.com, but there is one problem: this proof of concept at this link:
At Google Groups
I opened the file in BBEdit, and it appears that there is in fact executable code in the file, but it doesn't appear evident to me how the binary code would be executed if the audio file is opened inside of a music player.
Hopefully this ends up being a hoax, or at least some more details come out soon.
We needed an OS X virus just to liven things up! The ratio of viruses in the wild to lab viruses leads one to believe that the anti-virus companies created some to keep them in business. The WildList should be enough to keep all the anti-virus companies on their toes now.
Surely nobody will enter an admin password requested by an ".mp3" file.
Don't kid yourself. Most users do exactly what the computer tells them to do -- they have no idea what the logic is behind the admin password.
If anything, the admin password box provides an "out" for smarter users, like most slashdotters. That is all. Still there's stuff on OS X that gets installed as SUID root and so on -- I think even many smarter users don't understand the full implications of OS X's sudo feature.
Trojans aren't new in the Mac world, of course. There have been viruses made for the original Mac OS, but very, very few in comparison to, say, MS-DOS and Windows: Approximately 50 Mac OS viruses compared to 20,000+ viruses and their ilk in the Windows world.
The method in which this trojan infects isn't new: Windows viruses often hide their true extension in the same way as this empty-payload Mac OS X trojan.
What is significant is what a payload-laden trojan could do to today's Mac OS world. As a tech, I get to see a fair audience of Macs in use and what software they use. The very concerning part is that very few (my estimate: less than 1 in 50) Macs use ANY kind of antivirus software.
Not that you can't find any: Aside from Intego (who make a fine firewall as well as their virus products), you can get Norton AntiVirus from Symantec and Virex from Network Associates. Yet, most of us don't own any AV software.
That's bad for two reasons. One: While most Windows malware we Mac users may receive by mail are harmless to our Mac OS X systems, we remain Typhoid Mary-esque carriers to other PCs. Two: Our complacency in saying that "Macs don't get viruses" does not ensure that we will not experience one later.
That "later" is now.
Further, the "security through obscurity" protection is gone with the move to OS X. It's just a UNIX OS now, no longer a relatively-closed OS, which means there are more people who are UNIX-savvy who can create malware than before. (Fortunately that also means there are plenty of Good Guys who can spot this stuff before Apple or AV vendors are made aware.)
While I doubt there will be lots of new Mac attacks soon, I would not wait until one shows up with a nasty payload. Buy some AV software and keep puttering along. I'm sure there's some ass out there with too much time on their hands who, like the guy who took the Word Macro "Concept" virus, added a payload and sent it on its way, who will love to make some pitiful Mac users suffer.
Also, consider creating a regular user account, which cannot install software. In the event that you do open something with a payload on that account, hopefully OS X's permissions will stop any attempts to change any file or program except those in that account's home folder. Thank God for the UNIX permissions system.
Vos teneo officium eram periculosus ut vos recipero is.
The Trojan description is:
1) Make a valid MP3 file
2) Make the beginning of the file a JMP instruction (assembly code) that tells it to jump to the point in the MP3 where the ID3 tag is stored.
3) Put a virus in the ID3 tag.
What's to prevent this from working on Windows? It's a brilliant, and scary, plan... It would be especially effective if linked on a website, as Windows accepts MIME-types first and extensions second now.
Like I said, this is trivial and stupid... but I spent a few minutes and made a different version of this trojan. Check it out below, it "looks" like a JPG file (if you have "always show file extensions" off), but is really an application with an embedded JPG file which it opens after printing some benign messages to the console.
It is a .app package so it would be kind of hard to distribute it via a P2P mechanism or something, since it needs to be .zipped (or whatever) to transfer it as a single file.
Anyway, check it out:
fakeJPGTrojan.zip
Sanity is not statistical.
I noticed a lot of people going on about, "I'll now be more suspicious of any MP3s I get like this", but what no one has mentioned is that it ain't just MP3 files you could do this trick with, it is probably a wide array of file types.
This is a self-launching application in sheep's clothing; who says it has to be an MP3-flavored one, and it doesn't have a dependency on the app to run, only that it be there.
I wonder if the virus can propagate as a shared iTune? So if someone on a corporate LAN added that to their shared iTunes and someone played it, I wonder what would happen?
"With enough memory and hard drive space, anything in life is possible!"
I downloaded this sample virus and tried to open it, but Panther told me I didn't have permission to open it. So, unless you're logged as admin it looks like it ain't gonna work.
If I didn't have absolutely NOTHING to do, I wouldn't be here.
Does my speculation about the RIAA's involvement in the creation of an MP3 trojan put me in the tin foil hat crowd?
;)
Actually, my bet's on the Mac AntiVirus camp. They've been hurting a lot more recently.
While I tend to agree that QuickTime is not a "big black box waiting to be exploited", you will find that QuickTime is much more than the few applications you find in your Applications folder. If you were to actually delete all of QuickTime you would have some serious issues with OS X. It is possible to run Darwin sans QuickTime and it MAY be possible to run OS X sans it, but I have never heard of anyone trying, let alone being successful at it. QuickTime is very tightly integrated into the UI and OS.
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical, OK
I seem to recall that common Macintosh viruses were things like MDEF (menu definition) viruses or MBDF (menubar definition) viruses or WDEF (window definition) viruses. These are the names of certain kinds of code resources on Macintosh systems that could be used to define a custom look-and-feel in certain places where necessary. To hook up an MDEF virus and get it to execute, you would insert an MDEF resource into the program (*very* easy to do), and then modify one of the MENU resources to use that MDEF to draw itself. (similarly for MBARs with MBDFs and WINDs with WDEFs). There were also certain resource numbers you could choose to hide the corresponding system resources while running the program, and you wouldn't have to do anything else to change the program.
True, it is more valuable. But what I was (trying to?) say before is that before they can get out of my system, they have to get in it. And OS X has more protective mechanisms than Windows (and Linux, for that matter, because it's harder to get a root shell when you don't have root enabled).
:-)
The existence/nonexistence of a root login is irrelevant. Secondly, they don't need super user privileges to get onto the net and raise mischief from a system. Assuming of course that the user clicking on the trojan is able to access the net. Your fixation on super user privileges is erroneous and you are doing a good job of exemplifying the false sense of security some Mac OS X users have.
Now that I think of it, super user privileges are not that far away with a little social engineering. The trojan can simulate a Software Update or similar dialog where the user is prompted for a higher privileged password.
NeXTSTEP did not run on four different platforms. OPENSTEP might have - NeXTSTEP did not.
And they never used 'fat binaries'. Apple did, NeXT did not. The whole idea of subdirectories under 'Contents' such as 'MacOS' contravenes this - they had different directories for different binaries at best, but remember, NeXTSTEP did not use HFS+, they used UFS, so there was no way they could have made a fat binary anyway.
The directory as an app only means you have a different model for application development. They saw no reason to bake everything into the same file so you got things that were only accessible by products such as Resource Workshop and the like.
The presumption is as well that few standalones, even on other platforms, are true standalones, and so - especially with the NSBundle class at your service - you can create and manage a single self-contained entity.
Yes, you could have multiple binaries within foo.app; but these are not 'fat'; they're distributed into different subdirectories. Big difference.
Cocoa apps are a security hazard, but then so is X11. Cocoa apps can be compromised through their input managers, the Objective-C runtime, and the Apple services menu. Which is why no Cocoa app should ever run SUID root: anything invoked will be root too.
But that being said, Apple have about the most secure platform going today. SUID stuff is taken care of behind the scenes by console apps which are much more difficult to compromise, and security awareness is very high.
If I were to put my money on exploiting either Cocoa or X11, I'd go with X11.
and to see comments like "the average Windows user can barely tie their shoelaces" bullshit irritates me. To be quite honest, computers to the average Joe are scary. Just because they don't know how to mount a drive or know what shl ax,1 means doesn't mean they're stupid.
;)
I understand there's a fear factor, I work face to face with the average windows user every day, in their home. Not knowing how to mount a drive is one thing, very forgivable. Not even eyeroll-worthy. It's when they get in a panic because their sound card 'stopped working' only to discover that they had been turning the TONE control rather than VOLUME on their speakers. Now that's sad. I don't say *most* average users are like this (well, not without data to support me), but they do certainly abound.
I hate OS wars too. But the fact is, the average Linux user (oh, I should mention, I'm not one) is a Linux user partly because they are comfortable with having to know some things about their machine in order to use it. You know, Old School, like back in the day when you simply didn't HAVE a computer if you weren't interested in delving into it. They would tend to be the sort of person that enjoys having to learn something in order to make good use of it. I believe that the majority of people do *not* want to keep filling their heads. To many people that's what school was for and that part of their life is done. It's sad, but it's a choice made for the sake of comfort. I can respect it that way, there's a lot of other things they know perhaps.
I did an install once for a lawyer (an intelligent man, one must presume), who became upset when he discovered that our high-speed access advertised as "One click and you're there" (or something) wasn't true. Because you have to double-click a desktop icon (to open a browser or whatever) he was almost going to cancel the service. He was getting installed purely on the pressure of friends, as he had gone years without email. And he was mad as hell about the whole thing. He got really mad when I didn't have paper documentation for Internet Explorer to leave with him. I pointed out where the Help was, and that just seemed to piss him off more. He *resented* being forced to learn something new, and I tried to tell him that anything worthwhile requires some learning. I asked him if he had ALWAYS known how to drive a car. No, of course not; at some point he had to do a bit of reading, get some experience, do some practice. From the look in his eye at this point I realized I was traipsing into sass-mouth territory and just dropped it. The computer was given to him by a friend, and thank every god that it wasn't running Linux.
There's no fixing them, but at least they pay us to fix their stuff for them.
Can't we all just get along?
Mac OS was designed from the ground up with security in mind.
Says who? I'm sorry, but says who?
OS X is NeXTSTEP, and that's based on - runs on - FreeBSD, and that's Unix, and Unix was definitely not designed from the ground up with security in mind.
In fact, security was a very low priority at Bell Labs, because they were all working together and primarily wanted an environment that worked for them.
The security that came to Unix came much later, and part or even most of this may be due to the fact that it was a multiuser system from the beginning, whereas Windows is little more than either 1) a hardware interface (MS-DOS) or 2) an isolated LAN server (NT).
Also, it's unfair bordering on hype to cite 'Mac OS' as being the inherently more secure OS and to leave Unix - and Linux - out of the picture. All these operating systems are Unix; Unix is today a lot more secure; but OS X, despite some good features, does not stand alone here, and - I know this is heartbreaking to accept - Apple did not design Unix.
They designed Copland.
Why not just back them up to your iPod? I don't make backups of my iTunes Music folder, since it is all on my iPod. Everything else goes onto an external HDD every night (I use PsyncX for making backups of my home directory and some other stuff).
And that part isn't even relevant, except in that it confounds discussion for a few extra days.
<cynic>... confusion leads to worry, and worry leads to sales...</cynic>
In a CFM application, the 'cfrg' resource indicates where the application's main code fragment is stored: e.g. whether in the data fork or in a resource, and at what offset.
The fact that the code was tucked into a usable offset within the MP3 contents in this case was clever and cute, but completely unnecessary: the resource fork already exists to hold the 'cfrg' resource and the custom icon, and there's no earthly reason it can't also carry a normal 'CODE' resource.
The data fork, then, is free to store anything at all: GIF, PDF, random bits, Windows EXE, or more traditionally nothing at all: a zero-length data fork.
So the use of an ID3 tag in this case was simply gratuitous.
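As an added defender-side check that is not part of this thread (neither Intego's nor the trojan author's code), the script below ties together the earlier three-step description of an "MP3" that is really an application and the note just above that a CFM application is located by a 'cfrg' resource in its resource fork: it classifies a file by the leading bytes of its data fork and flags resource forks that carry 'cfrg' or 'CODE' resource types. The sample bytes are constructed, and the `..namedfork/rsrc` name used to read a resource fork is an assumed macOS convention.

```python
import os

# Constructed detector for the "application disguised as an MP3" pattern:
# compare what the extension claims with what the data fork and resource
# fork actually contain.
PEF_MAGIC = b"Joy!peff"                       # CFM/PEF container (PowerPC code)
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
CODE_RESOURCE_TYPES = (b"cfrg", b"CODE")      # CFM fragment locator / classic code


def classify_data_fork(data: bytes) -> str:
    """Guess the content type from the first bytes of the data fork."""
    if data.startswith(PEF_MAGIC):
        return "pef-executable"
    if data[:4] in MACHO_MAGICS:
        return "mach-o-executable"
    if data.startswith(b"ID3"):
        return "mp3"                           # ID3v2 header precedes audio frames
    # MPEG audio frame sync: 11 set bits at the start of the first frame header.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def code_resource_types(rsrc: bytes) -> list:
    """Resource type codes in raw resource-fork bytes that indicate executable
    code (a cheap substring scan, not a full resource-map parse)."""
    return [t.decode() for t in CODE_RESOURCE_TYPES if t in rsrc]


def assess(name: str, data: bytes, rsrc: bytes = b"") -> dict:
    """Flag a file whose extension says audio but whose forks say application."""
    ext = os.path.splitext(name)[1].lower()
    kind = classify_data_fork(data)
    code = code_resource_types(rsrc)
    mismatch = ext == ".mp3" and kind != "mp3"
    return {"kind": kind, "code_resources": code,
            "suspicious": mismatch or bool(code)}


def assess_path(path: str) -> dict:
    """Assess a file on disk; the resource fork is read through the macOS
    '..namedfork/rsrc' name (assumed host convention; absent elsewhere)."""
    with open(path, "rb") as f:
        data = f.read(4096)
    rsrc = b""
    fork = os.path.join(path, "..namedfork", "rsrc")
    if os.path.exists(fork):
        with open(fork, "rb") as f:
            rsrc = f.read()
    return assess(path, data, rsrc)


# Constructed samples: a plain MP3, and a resource fork carrying a 'cfrg'
# locator, i.e. the MP3Concept layout where the audio itself looks normal.
PLAIN_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 8
FAKE_RSRC = b"\x00" * 256 + b"cfrg" + b"\x00" * 64
```

Note that the audio in the disguised file classifies as a normal MP3; it is the resource fork, not the data fork, that gives the application away.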