Mac OS X Trojan Horse Infects MP3s
frequnkn writes "The Mac News Network reports that Intego has announced an update to their anti-virus app for snagging the first Mac OS X Trojan horse, MP3Concept (MP3Virus.Gen), which exploits a weakness in Mac OS X where applications can appear to be other types of files."
In six years, Intego has made a name for itself in the Internet security and privacy market for Macintosh.
I always wonder where the sources are for the majority of viruses. It is quite ironic that a company selling you a fix happens to find the problem and releases the solution for the low price of 59.95. Yet a Google and Symantec Security search didn't yield anything about MP3Virus.Gen. Hmmm - it's awfully nice they fixed this virus so fast.
Does my speculation about the RIAA's involvement in the creation of an MP3 trojan put me in the tin foil hat crowd?
.. and I just bought a G4 PowerBook too!
That's it, I'm selling this, maybe I'll get one of those Sparc laptops instead..
- Cowboy
what, what?
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6
It appears that this is merely a proof of concept virus, hence, it is utterly benign. It was not made with any malicious intent, but to demonstrate one way that OS X could be exploited. The discussion group is concerned with making OS X more secure, not less.
Somehow, Intego got wind of it and blew it out of proportion, but I suppose it is theoretically possible that future viruses could be modeled on it. However I'm sure that Apple could, even more quickly, release a security update that fixes this.
I suppose I'll start to panic as soon as Apple acknowledges it, rather than take the word of a company trying to sell me anti-virus software.
I'm switching to Windows!
What kind of OS X user would be caught dead using such ancient, PC-originated technology (and I use that term loosely) as an MP3?
It's bad enough that they'll be shunned by all their iPod-wearing, dual-CPU-owning, Mac cabal member friends, but now their computer gets pwned? Talk about kicking them while they're down.
True story.
What this article doesn't mention is how (or if) the code gets around the normal OS X restrictions requiring that one enters an administrator's password. Even if applications can be hidden, I question the amount of damage they can do... Surely nobody will enter an admin password requested by an ".mp3" file.
Besides, this isn't a virus so much as a security flaw. Why pay $60 for software when Apple will surely release a patch soon?
Oh, and for all the PC assholes who are currently saying "In your face, mac zealots" or whatnot--nobody claims that OS X is bulletproof--no computer system is. Nevertheless, it seems to be a lot more secure than, say, Windows, which has security problems all of the time.
Heh... Interesting that the first trojan horse/virus yet to be seen for OS X uniquely exploits the discordance between the "Classic" pre-OS X way of specifying file types (File Type/Creator metadata) and the new, inherited-from-Windows, file extension method.
The basic gist of this trojan from what I've read so far (there is very little information aside from what Intego has on their own web site) is that it is a file with type AAPL (executable application) but with an .mp3 extension... the Finder thus displays an MP3 icon for it yet launches it as an application when the user double-clicks.
What this basically comes down to, then, is the Finder making the wrong decision as to how to present the file to the user. Specifically that it presents it in one way, but acts upon it (when double-clicked) in the other. Whether it should first obey the deprecated file type metadata or the file extension is left to be argued about... what's certain is that it should always behave with the file the same way it presents it. I predict a bug fix for this will be in OS X shortly.
Somebody on macnn.com pointed out this: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6
I have my doubts about this trojan, as I opined on my website at destination-life.com, but there is one problem: this proof of concept at this link:
At Google Groups
I opened the file in BBEdit, and it appears that there is in fact executable code in the file, but it doesn't appear evident to me how the binary code would be executed if the audio file is opened inside of a music player.
Hopefully this ends up being a hoax, or at least some more details come out soon.
It's news because it is the first Mac OS X specific virus/trojan in existence. No one claimed OS X was immune to them, just that they hadn't occurred yet. Now they have. That fact is news.
'Sensible' is a curse word.
This virus sucks unless it has ogg support. Jeez! Mac OS X is so lame..
The preview of the file shows no play functionality like an ordinary mp3 file but reads 'Kind: Application'. It may mislead users but it is simply spotted (with the naked eye).
The resource fork is a remnant of the pre-OS X days. Pre-Mac OS X files, including applications, had two "forks": data and resource. When Mac OS X was created, it had the ability to run its own native applications, as well as two types of "Carbon" applications, Carbon being an API that allowed portability of applications using a subset of the old Mac OS programming APIs. One type of Carbon application, CFM, uses a resource fork for, among other things, file metadata. One of these pieces of metadata is something called Type and Creator. "Type", in this case, is set to APPL, and thus identifies itself as an application. While OS X decides to display the file as an MP3, the launching behavior is that of an application - just an oversight. The issue I was referring to was the resource fork must be kept intact in order for the file to still work - and any type of binary transfer WITHOUT special handling or compression (e.g. StuffIt, MacBinary, etc) will strip the resource fork and render this little "trojan" useless.
Also, if you knew the first thing about Mac OS X, you'd readily admit that the design philosophy and fundamentals of the OS do make it far, far more secure than, say, Windows.
Oh wait, it is. And it doesn't.
Don't blame me; I'm never given mod points.
Utterly wrong. This is a CFM executable with no hidden extension. Double-clicking on it from the Finder will execute it, but dragging the file on to iTunes will only play the MP3 stream inside the file. Mail.app, however, correctly identifies it as an executable when you try to open it from inside an email.
Well, it's been all of these things for what, about thirteen years now? When exactly are you expecting this massive wave of exploitation to take place?
I downloaded this sample virus and tried to open it, but Panther told me I didn't have permission to open it. So, unless you're logged as admin it looks like it ain't gonna work.
If I didn't have absolutely NOTHING to do, I wouldn't be here.
The file is a CFM application. As others have pointed out, this means that it has a resource fork which it needs in order to be able to run. Thus, it must be downloaded as a compressed file. If the resource fork is stripped, it is harmless, as the payload will never be executed.
Its name ends in ".mp3", and the included icon is copied from an iTunes MP3 file, but its type code is APPL, an application. The data fork is a valid MP3 with PowerPC executable code inside the ID3 tags. When given to iTunes or another MP3 player, it simply plays the included sounds without executing code. When double-clicked on from the Finder, the surrounding bits of MP3 file appear to be ignored and the code is executed. The payload for the proof-of-concept displays a dialog box, then tells iTunes to play the file itself, presumably via AppleScript.
When double-clicked, it shows up in the dock as an application, though this could be suppressed in an actual hostile trojan just like many utility programs do. In the Finder, if one is using column view, it is identified as an Application instead of an MP3 File, and its icon is shown instead of a QuickTime-style playback bar for previewing the contents.
In terms of an actual exploit, the only thing going on that is even possibly questionable at an OS level is the presence of other stuff in the data fork before the Joy!peffpwpc tag. I am not certain if this is allowed in the definition of what a PEF executable is supposed to look like. Aside from that, there is nothing else that is tricking the OS into doing something it shouldn't do, only legally included information that is deceptive to a user who is not looking carefully at things.
It's installed on everyone's machine, it's very hard to remove
How exactly is dragging it into the trash to remove it hard?
it's not open source
Yeah, like that matters, when you consider the massive numbers of WMA and Real viruses.
it autoplays content on the web
Easy to turn off in preferences.
it's a big black box waiting to be exploited.
It's been around for what, a decade? I guess we'll have to wait some more for this particular exploit to happen.
Thanks for playing, please try again...
NeXT did it for a good reason:
NeXTSTEP ran on four different hardware platforms and had fat binaries. Within the foo.app directory, there'd be foo-moto, foo-386, foo-sparc, and foo-hpux binaries. The OS would then attempt to execute the appropriate binary for the hardware platform the OS was running on.
OS X uses the .app directory so all the resources, bitmaps, and supporting files are in that one directory. That is why I can reinstall OS X and have MS Office X and all my other applications still work without reinstalling everything. I suppose they could still do fat binaries as well if they ever decided to do so.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Average Windows users know command lines?! What kind of fucked up world do you live in?
The average Windows user doesn't know how to map a network drive; doesn't know how to properly unmount a USB Storage Device in Win2k; doesn't know how to CANCEL PRINT JOBS if there isn't an annoying window from the bullshit software that pops up when you print.
The average Windows user doesn't know how to format a disk; doesn't know how to look at a full mail header, doesn't know how to Mail Merge.
The average Windows user doesn't differentiate between hard disk and "memory"; doesn't know how to clear the Recent Documents; doesn't know how to change their password.
The average Windows user hasn't used net send, ping, or even winipcfg. They don't know where to change the resolution on their monitor; they only change the Background from a right-click menu in Internet Explorer.
They have never intentionally used an F-Key that wasn't modded to do something special on their multimedia keyboard. They have no idea that Ctrl-F6 will switch between panes, so you don't need to click back and forth when designing a table in Access.
They don't know that Print Screen copies their screen to the Clipboard. Hell, they don't know what the Clipboard is.
The average Windows user doesn't know what Temp files are; has no concept of file permissions, can't make a Pivot Table; doesn't know how to uninstall programs; Has at least two things in their system tray they can't identify; has never performed a full backup of their data; and certainly has never touched their Registry.
Even tech support often doesn't know enough about the command line, like using "~1" doesn't mean you don't need the extension, or that Program Folder 8.1.1 becomes Progra~1.1 or that you can type the whole damn thing in quotes.
Maybe ten years ago the average Windows user knew something about the command line, but not anymore.
The Intego Virus Barrier software just flags as "infected" any CFM executable whose name ends in a common file extension... which is why it STUPIDLY flagged as viruses the BMP, PCX and PNG plugins for Photoshop Elements. Which means it does not even check for a dot and something else before the file extension.
Proof (jpg)
Can you say "crappy" ? I'm sure you could.
Maybe we deserve this world ?
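Added example, not part of any comment in this thread and not Intego's code: a Python check for the mismatch the comments describe (type code APPL on a file with a document-style extension, and a PEF tag that sits after other data in the data fork), requiring a real dot-extension so that a plug-in named just "PNG" is not flagged. The extension list, function names and sample bytes are assumptions constructed for illustration.

```python
import os

# Extensions a user reads as "a document" (assumed list, not from the thread).
DOC_EXTS = {".mp3", ".jpg", ".gif", ".png", ".bmp", ".pcx", ".pdf", ".mov"}
PEF_TAG = b"Joy!peffpwpc"  # PEF container tag quoted in the thread


def type_code(finder_info: bytes) -> bytes:
    """Return the 4-byte type code from a 32-byte FinderInfo record.

    On macOS these bytes are the com.apple.FinderInfo extended attribute:
    bytes 0-3 hold the type code, bytes 4-7 the creator code.
    """
    if len(finder_info) < 8:
        return b""  # no Finder metadata present
    return finder_info[:4]


def inspect(name: str, finder_info: bytes, data_fork: bytes) -> list:
    """List mismatches between how a file is named and how it would launch."""
    findings = []
    ext = os.path.splitext(name)[1].lower()  # "" when the name has no dot
    looks_like_doc = ext in DOC_EXTS
    pef_at = data_fork.find(PEF_TAG)
    if looks_like_doc and type_code(finder_info) == b"APPL":
        findings.append("type APPL but document extension " + ext)
    if looks_like_doc and pef_at > 0:
        findings.append("PEF tag at offset %d after leading data" % pef_at)
    return findings


# Constructed sample inputs (not bytes from the real proof-of-concept file).
FI_APPL = b"APPL" + b"????" + bytes(24)                 # type, creator, padding
MP3_WITH_PEF = b"ID3\x03\x00\x00" + bytes(10) + PEF_TAG + bytes(16)
PLAIN_MP3 = b"ID3\x03\x00\x00" + bytes(32)

if __name__ == "__main__":
    for name, fi, data in [
        ("song.mp3", FI_APPL, MP3_WITH_PEF),        # both checks fire
        ("PNG", FI_APPL, PEF_TAG + bytes(16)),      # no dot: not flagged
        ("song.mp3", b"", PLAIN_MP3),               # ordinary MP3: clean
    ]:
        print(name, inspect(name, fi, data))
```
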
Sorry to burst your bubble, but the whole 'app is really a directory' thing is a SOLUTION to the 'resource fork' storage problem. And it allows for cleanly implemented multi-platform 'fat' binaries. Apple's Classic fat binaries were kludgy, the CODE resource fork held the 68K binary and the data fork held the PowerPC binary, hardly extensible.
I've got an OSX install on purely UFS, and sure enough, it allows you to pack x86 and PPC binaries (or multiple PPC/X86 binaries, for optimization/bitness) into the same *.app so you can have one application file that executes on multiple architectures. It might not be Apple's hacked-up old kludgy way to get a 'fat binary' but it's effectively the same result but done MUCH cleaner and capable of living on many diverse file-systems.
Imagine how cool it would be to have ONE shared 'applications' folder mounted read-only on all your clients, the x86 clients execute the x86 code from camino.app and the PPC machines execute the PPC code from the same place. It would be an administrator's utopia!
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails