Mac OS X Trojan Warning [Archive]

ebow

Apr 8, 2004, 03:49 PM

This sounds like outright b.s., though I could be wrong. Just look at this statement from the press release:
The Trojan horse's code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X.
An application is embedded in an ID3 tag? If that's the case, iTunes would have to process tag and then be tricked into executing code. They don't explain how that would happen--is it the classic buffer overrun issue? Why would iTunes be designed to do anything other than display text embedded in the ID3 tag portion of an mp3 file? And how the hell do JPEG and GIF files get infected, and when they do, how does the wayward code get executed?

Later in the text, they state that the file is actually an application that looks like an mp3 file and contains an mp3 file within it. So... which is it, fellas? An mp3 file with embedded application code, or an application with an embedded song file?

Oh, I just read the Google Groups link. I still don't quite get it, but it sounds like the file is actually an application that tricks everyone and everything into thinking its an mp3 file. At the very least this is a poorly worded press release.

AngryLawnGnome

Apr 8, 2004, 04:02 PM

I don't know what to make of this. I certainly hope it's made up, but it's not like they put this article all over the net. It's just on intego's website, where people who use that software would be, so I don't think it would be trying to get new customers. The best thing about macs is the lack of viruses. If this is true, then...crap.

stcanard

Apr 8, 2004, 04:05 PM

Well, it's not like it could do anything other than erase my user files anyway. Nothing a quick restore from backups couldn't fix.

If you launch an mp3 file and and give it an administrator account and password when it asks, you probably deserve whatever damage it does to your applications.

MacRumors

Apr 8, 2004, 04:11 PM

Intego issued a security warning regarding the first Trojan to attack Mac OS X computers.

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file . While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks

yoman

Apr 8, 2004, 04:12 PM

I guess I'll go into hiding until this blows over. :)

puffmarvin

Apr 8, 2004, 04:13 PM

yikes. :mad:

clonenode

Apr 8, 2004, 04:14 PM

I can't even get the Intego site to load.... very slow, crawling.

Computer_Phreak

Apr 8, 2004, 04:14 PM

hopefully this will negate the myth that macs are not vulnerable to virii / trojans

Oirectine

Apr 8, 2004, 04:15 PM

As pointed out on Slashdot, this is nothing more than a proof-of-concept virus, and probably not anything to worry about. Read (posted below)

blueflame

Apr 8, 2004, 04:15 PM

that blows, i really wish they would give more info on this
Andreas

iElvis

Apr 8, 2004, 04:15 PM

Maybe I should finally get some A.V. software.:( By the way, does this also count as the first virus for OS X?

Mr Maui

Apr 8, 2004, 04:16 PM

MacCentral reports (http://maccentral.macworld.com/news/2004/04/08/trojan/index.php?redirect=1081429654000) on a security warning regarding the first Trojan to attack Mac OS X computers.

Did the article say what the name of the MP3 file was? Perhaps I missed it.

Masao[RY]

Apr 8, 2004, 04:16 PM

hopefully this will negate the myth that macs are not vulnerable to virii / trojans
Indeed, hopefully it will. Although makes one wonder if someone just wrote this to prove this very point...

Oirectine

Apr 8, 2004, 04:16 PM

>:O Why doesn't HTML work on these boards??

Here (http://apple.slashdot.org/comments.pl?sid=103394&cid=8807280) Here. (http://apple.slashdot.org/comments.pl?sid=103394&cid=8807336)

realityisterror

Apr 8, 2004, 04:16 PM

hopefully this will negate the myth that macs are not vulnerable to virii / trojans

hopefully??
this could make it impossible to claim that there are no mac viruses. what a stupid virus writer. he must really hate apple and the mac. :mad:

reality

etoiles

Apr 8, 2004, 04:18 PM

what does Intego sell again ?

iJed

Apr 8, 2004, 04:20 PM

You'd have to be download or run this...

First its an application that you must run by yourself. Second its a CFM application so it needs its resource fork, creater fork and file type to run.

You'd have to download this thing encoded in a format such as a Stuffit archive and the double click it to run. Basically you'd need to be pretty stupid.

_pb_boi

Apr 8, 2004, 04:21 PM

hopefully this will negate the myth that macs are not vulnerable to virii / trojans

I wanna negate the myth that virii is the correct plural of virus :p Its Latin roots dictate the correct ending to be "viruses" - as in "buses", for example. Rather than "busii" (buses), or "sinii" (sinuses) :)

Ah well - people argue and argue over this one. It's in the Latin :)

As Slashdot mentions, its a proof of concept - but, the proof of concept is all it takes to make people follow suit, improvise, and, ultimately, refine their technique. Maybe we can rely on the fact a proportionately higher number of Mac users are intelligent ;) jk :)

andy

rman2008

Apr 8, 2004, 04:22 PM

Intego makes security stuff?
but what exactly does this mean. does this only happen while using there software. because its talking about mp3's and its making me think that if i download stuff with poisoned or whatever that the files could be infected. please clarify. thanks in advance

amd60305

Apr 8, 2004, 04:25 PM

I'm not too sure about how real this is, for instance, you can take any Application and change the extension and icon to match an MP3

Nny

Apr 8, 2004, 04:26 PM

By the way, does this also count as the first virus for OS X?

Yes and no. Maybe. Depends.

The Nimda Worm could affect Macs by creating lots of annoying files. (http://www.securemac.com/macosxnimdasamba.php) Not really it's purpose, though, but annoying none-the-less.

And there was that Samba (or was it Apache?) scare last year.... not a virus or trojan I'm told... just malicious code that had been added to a circulating open source distro of Samba (or Apache, don't remember... too lazy to find link). Very evil.

There are other Unix/Linux viruses and security vulnerabilities that can supposedly affect Mac OS X, but nothing has ever been done.

As far as I know this is the first virus created for intent on harming OS X.

PawnTrader

Apr 8, 2004, 04:28 PM

_pb_boi

Apr 8, 2004, 04:28 PM

I'm not too sure about how real this is, for instance, you can take any Application and change the extension and icon to match an MP3

Yes, but this has the added, potentially real, possibility of permitting execution of arbitrary code, without user knowledge, for example. Potentially damagaging consequences; it's all potential, baybee. Let's hope it stays that way.

andy

bousozoku

Apr 8, 2004, 04:32 PM

This is too funny.

Virus Barrier sales must be minimal. They've been claiming a great need for anti-virus software but there hasn't been any need until now for Mac OS X. One would wonder if they've gone to the trouble to create it themselves. In the days of Ben Franklin, nothing sold fire insurance policies like the company setting your house or business on fire. :eek:

rueyeet

Apr 8, 2004, 04:37 PM

I wonder if the same technique would be viable on the Windows side as well?

If so, I can see the RIAA littering the file-sharing landscape with MP3 files rigged with tag code to erase every MP3 on the user's hard drive and mail itself to everyone in the user's address book, for starters.

stcanard

Apr 8, 2004, 04:40 PM

Why do people keep saying "well if an MP3 file prompts you for your password and you give it up, you deserve to be hosed!"?

From what I've read, nothing leads me to believe it would require a password. Installers and things that touch /System need a password, but simple standalone apps don't.

And for the record, this is a [possible] trojan, but *not* a virus or worm.

A Trojan is only good if it can insert itself in the filesystem so it continues to exist even after you remove the original source. If it can't write into /System, /bin, /sbin, /etc or /Applications it can't do anything long-term.

The worst it can do is mess up your home directory, which is an easy clean (the clean becomes very tricky when you don't know if it's trojaned the programs you would normally use for the cleaning, or trojaned another program so that it can continue to re-insert itself).

Nothing can protect your home directory, besides regular backups and creating a test account for untrusted applications.

Rower_CPU

Apr 8, 2004, 04:44 PM

nakedshaggy

Apr 8, 2004, 04:45 PM

it seems to me that if MOST people who know enough about osx to write a virus for it are not the same people who hate it. not absolutely for sure. right now, however, i think a virus is bad news for osx simply because not that many mac users run any form of virus software. i don't even use a firewall.
in contrast, it seems windows users hate windows users and other windows related companies or companies that use windows servers/computers.
and, of course, allot of linux boys write malicious code for windows as well and they are generally anti-M$.
i know everything

MetallicPenguin

Apr 8, 2004, 04:46 PM

killmoms

Apr 8, 2004, 04:47 PM

hopefully this will negate the myth that macs are not vulnerable to virii / trojans
Mod(Computer_Phreak,-1,PC Troll)

Even if it is a trojan, it doesn't sound much different than running an evil application, it's just that it looks like an MP3 file. Besides, who has an MP3 that prompts them for their password? For the app embedded therein to do any real damage, it needs sudo access privileges, so I can't see this being that large a threat.

--Cless

7on

Apr 8, 2004, 04:47 PM

bah, has anyone used of opened this offending file?

If it is a trojan, all I could see that it could be would be an Applescript file that runs "sudo rm -r /System" or maybe /Users. Even then it'd need a password.

Personally sudo has never settled right with me. Apple should rid the system of the command and only allow root access by logging in as root. Sure it'd be time consuming to delete an undeletable file, but it'd be worth it for the security.

macMaestro

Apr 8, 2004, 04:48 PM

Actually, I have concealed an application, though the app I concealed was concealed as a Quicktime Movie and only gave a mac a fit of belches...

How it's done:
1. Get an application.
2. Get Info application.
3. Reveal 'Name & Extension'
4. Change extension (.app to .mp3)
5. Click 'Use .mp3' in the dialog box that pops up
6. Change the icon

Voila! I'm unsure if this is how the virus was changed, because in every other way than the icon and the name it appears to be an application (Kind will always read application). If this is how the virus was changed, it's not particularly lethal because mail.app will try to prevent you from opening it.

powerofthekiwi

Apr 8, 2004, 04:52 PM

jeffgarden

Apr 8, 2004, 04:52 PM

webman2k

Apr 8, 2004, 04:52 PM

bah, has anyone used of opened this offending file?

If it is a trojan, all I could see that it could be would be an Applescript file that runs "sudo rm -r /System" or maybe /Users. Even then it'd need a password..

Yes, but what if it was just programed to delete everything in ~/Library/Preferences? To many, that would be a nightmare, and it wouldn't need authentication. Or it could delete your address book, or mail folders - all these things are unprotected.

Wraithe

Apr 8, 2004, 04:54 PM

Intego is trying to tell you, in a very roundabout way - "We're idiots, PLEASE do not use our products."

I've downloaded the "proof of concept" "virus". Ok.

It's an app. With a .mp3 tag on the end. Oooooooooooh! Spooky!

With an (Badly done) iTunes MP3 icon as it's icon. This is not an MP3 file with info hidden in the ID3 tag. (A quick trip to MP3Rage takes care of that)

It's freaking carbon app with an icon and an extension, welcome to Intego's up to date (assuming you still live in 1989) technology. WooOoooOOoooOOO!

Hell, one of the techs at my company built a better Mac OS 9 virus than this a couple of years ago. And by "better" I mean this mofo would torch your system to the ground. It was an Applescript.

The trick isn't making something ugly that can trash your system. It's the propagation, stupid. Most of the windows viruses wouldn't be so bad if they didn't get into your system automatically, mail themselves out to everyone in your address book, etc. That will be the first virus/trojan horse that Macs need to worry about. Not this elementary school level BS that Intego is talking about.

spinko

Apr 8, 2004, 04:55 PM

Intego runs .asp - that can't be serious ...

~Shard~

Apr 8, 2004, 04:56 PM

I'm not too worried about this one - sounds like it would be only in very select cases that someone woud have an MP3 on their desktop. After all, if you rip CDs, or download AACs from the iTMS, they aren't going to be MP3s. So having an MP3 on your desktop is a rarity in itself the way I see it. Other than the odd tune you might grab from a website or something, the only way I see people having MP3s on their desktops are from illegally downloaded music files. And if people like that get their system fried, oh, gosh darnit, I'll just be so sad for them... :rolleyes: ;)

I think this is a trojan developed by a Mac anti-virus software company. They're obviously sitting around with nothing to do and making no money, since there aren't any real virii/viruses for the Mac, so they decided to drum up some business for themslves! ;) :cool:

svenr

Apr 8, 2004, 04:57 PM

Here's the proof-of-concept virus. It works. No password required. It doesn't harm your system. But it's obvious that it could.

http://www.scoop.se/~blgl/virus.mp3.sit

And apparently, it was not the security company who wrote it, or some mysterious Mac haters, but it came out of a theoretical discussion on the comp.sys.mac usenet news group

nagromme

Apr 8, 2004, 04:59 PM

The "myth" that Macs aren't susceptible to viruses and trojans? Who honestly ever suggested that. The truth that Windows fans don't like is that OS X is much SAFER from viruses than Windows--in large part by design. Nobody ever said ANY OS is perfect.

Having said that, a trojan horse is essentially something pretending to be something else. It could be nothing more than an image on the screen telling you to put your Documents folder in the trash! A trojan horse is human-driven, and no OS can prevent people from tricking other people.

Wake me up when OS X gets its first VIRUS. This ain't it.

Then we won't be able to say "OS X has no viruses." We'll have to settle for "OS X finally has 1 virus" :)

AHDuke99

Apr 8, 2004, 04:59 PM

so how do we get this virus? email? or it just appears randomly on the desktop?

coolfactor

Apr 8, 2004, 05:00 PM

You know what's funny? I was just talking about making little scripts and stuff that will ask you for a domain and stuff and then oprn safari and bring you to them as a nifty little thing. But it did that and open Mail and email at the same time behind Safari. So I think it is a coincidence this comes up because it is pretty much what I was doing for fun. And then after that I made one that looked like a picture, so I'm surprised this isn't my doings.

You are right, it is funny. This is obviously the work of someone determined on making Macs looks bad. Mac users wouldn't waste time creating something that would harm their favorite operating system. And if someone started learning about OS X just to create something harmful, there's a good chance they'd see just how great OS X was and not proceed.

Nonetheless, OS X tight integration and underlying framework of AppleScript is a HUGE potential for malicious activity.

jimthorn

Apr 8, 2004, 05:01 PM

First its an application that you must run by yourself. Second its a CFM application so it needs its resource fork, creater fork and file type to run.

You'd have to download this thing encoded in a format such as a Stuffit archive and the double click it to run. Basically you'd need to be pretty stupid.

iJed is the only person so far who's mentioned the most important point. This is a Carbon app with a Application (AAPL) filetype, but with a file extension of .mp3. But the filetype/creator code is stored in a resource fork. Transferring this file through a non-Mac system will lose the resource fork, thus neutralizing the threat. So if you download an "mp3" file that isn't contained inside a resource-fork-friendly archive file like a .sit or .dmg, you basically have nothing to worry about.

macMaestro

Apr 8, 2004, 05:02 PM

Just found out, it is concealed in the way I just outlined.

For anyone interested in owning a copy of a mac 'virus', here it is:

http://www.scoop.se/~blgl/virus.mp3.sit

<sarcasm>Be careful...</sarcasm>

[EDIT: Damn, someone beat me to it...]
[2nd EDIT: Added sarcasm tags. Happy now 7on? :) ]

7on

Apr 8, 2004, 05:04 PM

Just found out, it is concealed in the way I just outlined.

For anyone interested in owning a copy of a mac 'virus', here it is:

http://www.scoop.se/~blgl/virus.mp3.sit

Be careful...

[EDIT: Damn, someone beat me to it...]

yeah, I don't think it did anything when I opened it.

Diatribe

Apr 8, 2004, 05:05 PM

iJed is the only person so far who's mentioned the most important point. This is a Carbon app with a Application (AAPL) filetype, but with a file extension of .mp3. But the filetype/creator code is stored in a resource fork. Transferring this file through a non-Mac system will lose the resource fork, thus neutralizing the threat. So if you download an "mp3" file that isn't contained inside a resource-fork-friendly archive file like a .sit or .dmg, you basically have nothing to worry about.

So if it needs a .sit or .dmg file type in order to "survive" it's fine... who downloads those kind of archive files from unknown sources anyway?

macMaestro

Apr 8, 2004, 05:06 PM

yeah, I don't think it did anything when I opened it.

Shoot, forgot the :rolleyes:

It was sarcasm.

jimthorn

Apr 8, 2004, 05:06 PM

So if it needs a .sit or .dmg file type in order to "survive" it's fine... who downloads those kind of archive files from unknown sources anyway?

EXACTLY.

jxyama

Apr 8, 2004, 05:11 PM

Giaguara

Apr 8, 2004, 05:11 PM

google does not finding anythign with MP3Virus.Gen yet.

who would WANT to have a virus like that by the way?

the first answer i can think of is RIAA. scaring people away from pirating music ...

it'll be really curious to see once they will capture this troyan writer and / or the powers / money behind the trojan. RIAA is for sure one instance that will approfit from scaring the users of p2p-ing.

jettredmont

Apr 8, 2004, 05:13 PM

This sounds like outright b.s., though I could be wrong. Just look at this statement from the press release:

An application is embedded in an ID3 tag? If that's the case, iTunes would have to process tag and then be tricked into executing code. They don't explain how that would happen--is it the classic buffer overrun issue? Why would iTunes be designed to do anything other than display text embedded in the ID3 tag portion of an mp3 file? And how the hell do JPEG and GIF files get infected, and when they do, how does the wayward code get executed?

Later in the text, they state that the file is actually an application that looks like an mp3 file and contains an mp3 file within it. So... which is it, fellas? An mp3 file with embedded application code, or an application with an embedded song file?

Oh, I just read the Google Groups link. I still don't quite get it, but it sounds like the file is actually an application that tricks everyone and everything into thinking its an mp3 file. At the very least this is a poorly worded press release.

My assessment is that these virus software vendors saw this little exploit talked about and decided it would be good for business to raise a huff about how MP3 files are vehicles for viruses but didn't understand the real issues enough to communicate them.

1) This is an issue with resource forks and OS X gladly executing code in resource forks. It has nothing to do with MP3, and certainly nothing to do with ID3 tags within the MP3 files. The dead giveaway there is that the virus vendors claim the same attack makes JPEG and GIF format files equally at risk: these obviously don't have ID3 tags.

2) The "fix" would seem to be fairly simple for Apple: adjust the Finder to call CFM/resource files "Apps" if indeed double-clicking on them would cause them to execute instead of being sent to another application. It's simply a matter of the left hand not knowing just what the right hand is doing, and that's emminently fixable.

3) For us "normal folks" there's really not much if anything to worry about. Why? Well let's start another list:

A) You need to download an MP3 (or other data) file with a resource fork attached to it for this to be a problem. When was the last time you downloaded a file with a resource fork that wasn't obviously Mac-specific (ie, an application)? When was the last time you saw an MP3 download wrapped in a .sitx or .dmg wrapper to preserve the resource forks (.zip of course loses resource forks as we all know, right?)

B) There is still, of course, very little likelihood of someone targetting Macs with this type of virus. Doesn't say anything about overall Mac security, of course, but the facts on the ground are the facts on the ground: you don't need to build the bomb shelter and stock up on vats of water just yet.

C) While the virus software writers obviously went to pains to cast as large a net as they could with this, to drum up as much fear as possible and to create as much business as possible in return, there is no specific file type which is a "new threat" here, and this particular threat has been viable for many years (when were resource forks introduced?) They may just as easily have said that this is the latest Word .DOC virus, which this time targets Macs!

fixyourthinking

Apr 8, 2004, 05:13 PM

This isn't a shameless plug [fingers crossed behind my back] but I wrote an article on my website a few weeks back called,

http://adzoox.com/macfanaticvirus.html

"Mac Fanatics cause iVirus"

One of the points I make is that Mac users were actually hit by the Sobig and Modoom virus(s) because they were email propogation worms - Macs get email .... so.... email was FAR exceeding normal SPAM the few days of propogation.

Another point I raise is that Mac virus scans don't make much if any money - I wonder when the day will be when Norton progogates a virus (internally) to "achieve sales" - I already think they do this on the PC side.

I also said that mac lovers bragging about no mac viruses may be asking for it to happen ... even prompting it.

Fiveos22

Apr 8, 2004, 05:14 PM

bah, has anyone used of opened this offending file?

Holy cow! I believe I have this file. I downloaded it using Poisoned about a month ago (it was titled something that I was looking for) and when I opened it up I remember it royally hosing iTunes. Not realizing that the mp3 was the cause, I tried it again when I rebooted my computer to the same result. My computer has run just fine ever since (no noticable lasting effects).

I believe I still have the file tucked away in some misc. folder on my computer...I'll check that out after my exam tonight and post the name of that mp3. Hell, I might even fire it up again just to make sure I'm thinking of the right thing (right after I back up my files :) )

zigzag

Apr 8, 2004, 05:16 PM

calm down. this is not a virus, its just an application with a filename and icon of an mp3. ie. my virus.mp3 w/ an itunes mp3 icon... big deal, go to list view for your mp3s and have the "Kind" column visible... now you can tell if its an mp3 (music file) or a virus (application).

Its nothing to worry about, it could have been done ages ago and i realized this on my own! Its not a virus in an id3 tag lmao... this is sad.

jimthorn

Apr 8, 2004, 05:21 PM

varmit

Apr 8, 2004, 05:21 PM

Move along, nothing to see here.

jxyama

Apr 8, 2004, 05:23 PM

Actually, it is benign, because it isn't a real "virus" yet, it's merely a "proof of concept" for a security problem in OS X. There is at this time no malevolent version of this file. Until Apple patches the OS, simply don't download a .sit file containing an .mp3 and then double-click it.

As far as the "who would be stupid enough to do that" part of your post, you're right -- if there was currently a threat, some people might be affected. But again, this type of virus cannot survive passing through P2P systems, most web servers, or email without being stored in a container that preserves the resource fork. This minimizes the threat significantly.

i absolutely agree, i just wanted to throw a little caution to a bunch here who seem to apply different standards, depending on the OS. i just have to say, it's lucky to have this kind of explorable discrepancy in the OS being uncovered by a benign proof of concept trojan rather than a malicious one.

fix it up, apple!

ajb13

Apr 8, 2004, 05:23 PM

Does anyone have any proof this actually exists and isn't just a ploy?

Yes, it exists, but not as an actual virus yet, hence the "Benign". It is a proof of concept. Doesn't do anything malicious.

It started initially a virus hoax that started about 1 1/2 years ago, I think (Not my info)
http://members.tripod.com/helpcity/mp3virus.html

However, Bo Lindburgh recently (20 March 2004) created a Carbon CFM application that was a proof of concept, and it WORKS! Plays as an MP3 in iTunes, but it really is an application. A damn good Trojan horse if you ask me. Damn good!
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6

So, the thing is, there is not an actual virus in existance, but Intego has obviously noted the proof of concept working, and taken precautions should it actually happen. The easiest way to identify it, simple, Select the MP3,JPEG,TIFF,PNG,DOC etc etc file, and get info. You'll know it's an app immediately. For those of you concerned of the potential of being fooled, post a comment here, and if I get enough requests, I'll build you a little app to drop any file that should not be an app onto it, and it'll notify you and isolate any dangerous ones.

Someone made the comment in another forum about ID3 tags not existing in GIF,TIFF,JPEG etc, but they do contain tags that are not necessary for the display of the image, and there's where the data can be hidden. Being that it is a Carbon CFM app, it is identifiable. Doing this with a Mac OS X .app package or Carbon Mach-O app may be damn near impossible, but I can't be sure about that.

As with anything on the internet, check before you double-click. ;)

Santiago

Apr 8, 2004, 05:25 PM

The file is a CFM application. As others have pointed out, this means that it has a resource fork which it needs in order to be able to run. Thus, it must be downloaded as a compressed file. If the resource fork is stripped, it is harmless, as the payload will never be executed.

Its name ends in ".mp3", and the included icon is copied from an iTunes MP3 file, but its type code is APPL, an application. The data fork is a valid MP3 with PowerPC executable code inside the ID3 tags. When given to iTunes or another MP3 player, it simply plays the included sounds without executing code. When double-clicked on from the Finder, the surrounding bits of MP3 file appear to be ignored and the code is executed. The payload for the proof-of-concept displays a dialog box, then tells iTunes to play the file itself, presumably via AppleScript.

When double-clicked, it shows up in the dock as an application, though this could be suppressed in an actual hostile trojan just like many utility programs do. In the Finder, if one is using column view, it is identified as an Application instead of an MP3 File, and its icon is shown instead of a QuickTime-style playback bar for previewing the contents.

In terms of an actual exploit, the only thing going on that is even possibly questionable at an OS level is the presence of other stuff in the data fork before the Joy!peffpwpc tag. I am not certain if this is allowed in the definition of what a PEF executable is supposed to look like. Aside from that, there is nothing else that is tricking the OS into doing something it shouldn't do, only legally included information that is deceptive to a user who is not looking carefully at things.

fixyourthinking

Apr 8, 2004, 05:26 PM

Move along, nothing to see here.

Good detective work ... and wouldn't you know the intego site is slashdotted too. I sure hope these message boards continue to expose Intego for being so shameful.

gwuMACaddict

Apr 8, 2004, 05:26 PM

ok...

but dont you have to be stupid enough TO OPEN IT IN THE FIRST PLACE!? :confused:

wannaPM

Apr 8, 2004, 05:27 PM

The real purpose of this "virus"? Read the end of the page at Intego:
As the dangers of the Internet grow, Intego is hard at work, developing new software to protect users and their Macs from the latest security and privacy threats. We protect your world.

and it should be clear to you.
What really hurts me is that now many windows users will come with a big smile in their faces and saying: "oh, now even a Mac can get a virus!"

guifa

Apr 8, 2004, 05:28 PM

Take any existing application on your computer.

Look in its resources folder and copy an MP3 file icon to be its icon.icns file. Then set its display name to be "listenToMe.mp3"

When Finder opens a folder with it, it'll display "listenToMe.mp3" as the file name and an MP3 label as its icon.

Wow, I editted one plist file and copied one image file and I made Fire be hidden in an MP3 file.

I suppose on the one hand this means its not JUST a carbon problem with the resource fork, BUT, it still requires it to be downloaded in an archive form because an application package contains multiple files and directories.

bousozoku

Apr 8, 2004, 05:29 PM

jxyama

Apr 8, 2004, 05:32 PM

ok...

but dont you have to be stupid enough TO OPEN IT IN THE FIRST PLACE!? :confused:

that kind of "defense" would apply to any virus or trojan, regardless of the OS.

i don't think Mac users are any more immune from being "stupid" than windows/PC users, on average. (MR members are probably more immune. ;) ) (but i'd argue Mac users may be a bit more susceptible because many have been using Macs without ever having to worry about virus or trojans.)

Giaguara

Apr 8, 2004, 05:35 PM

Sooo .. keep the type of file visible always, and you will see it is a something.mp3.somethingelse .. :rolleyes:

Spades

Apr 8, 2004, 05:37 PM

Unless there's an actual exploit involved, this trojan is a non-issue. Displaying an mp3 icon and giving it a .mp3 extension is not an exploit. This is exactly how viruses used to work. It has to trick the user into actually launching the program, and programs can of course do whatever they want. If it exploited a bug, or worked without user interaction, then there would be something to talk about.

Reading the press release, this Intego company is definitely trying to drum up business. They should just be ignored. If you really want virus protection, there's several options. One of my favorites is getting .Mac and having Virex come with it, because you're actually getting something of value for the cost. The other idea I like is getting clamav, because it's free. You could always get Norton AntiVirus too, but if it's just for personal use, why not get a .Mac subscription for the same price, get the virus program, and get the extra features of .Mac?

Now if you'll excuse me, I need to go update my backups...

guifa

Apr 8, 2004, 05:38 PM

Sooo .. keep the type of file visible always, and you will see it is a something.mp3.somethingelse .. :rolleyes:
Unfortunately that doesn't work quite as well with applications. In their packages they have options for display names which are used instead -- hence people on a Spanish system can see "Agenda" instead of "Address Book." Neither display ".app" on my system if I have the option to always show extensions turned on.

stcanard

Apr 8, 2004, 05:44 PM

well, all the "this is benign because it won't survive..." or "who would be so stupid to do this and that..." is pure hypocracy. a lot of windows folks have the same idea, yet virus/trojan are problems in windows. ("who'd open an email attachment?" - but people do!)

The big difference is in culture and design.

The majority of Window users run accounts that by default have write access to the system32 directories. That's because it is too much of a pain to do otherwise (I wrote a long post in another security thread about why, I'm not going to go into it here)

In OSX, even if you are an admin account you still need to type a password to give it access to /System, /bin /lib, etc. So there is a warning system in place.

That makes a huge difference -- if windows users were presented with a dialog saying "Your MP3 file is about to modify system libraries", (which is what the password dialog in OSX means) you bet they would be suspicious.

As for modification of ~/Library/Preferences, you do take regular backups right? So it's not much of a pain to replace it.

If you're running untrusted binaries in an account with important data that is not backed up, again I fall back on ... maybe next time you'll learn, and at least unlike the average Windows user at least you can be confident that you don't need to reinstall your OS because it's still clean thanks to sudo.

jxyama

Apr 8, 2004, 05:48 PM

Unless there's an actual exploit involved, this trojan is a non-issue. Displaying an mp3 icon and giving it a .mp3 extension is not an exploit. This is exactly how viruses used to work. It has to trick the user into actually launching the program, and programs can of course do whatever they want. If it exploited a bug, or worked without user interaction, then there would be something to talk about.

when you double click on an ordinary mp3 file, you expect the Finder to launch iTunes or any other default mp3 player and play the file.

what this trojan does is instead of the file being played as an mp3, it is launched by Finder as an application, even though it looks like an mp3 file to the user.

that's a bug and there's potential for it to be exploited. the problem is, Finder shows one thing but acts on it differently.

like others wrote, because of the way applications are packaged, it's hard to propagate. it's a bug and an exploit, nonetheless.

Kalomir

Apr 8, 2004, 05:52 PM

Please check Macbidouille latest news on that matter on hardmac.com (English version of MB)

varmit

Apr 8, 2004, 05:52 PM

Can't I sue them for creating a virus. I mean, law enforcement is tracking down virus writers for the PC, what about my Mac. I'm not worthy of having my attackers captured. LOL....but really, I'm sick of this being a ploy for that damn company. They write a virus and then make a program to stop it, isn't that extortion. Pay up or you could get this virus we made.

If I made a virus for the PC, and said pay me or you COULD get this, I would be in jail quicker than I could say my IP address.

stcanard

Apr 8, 2004, 05:52 PM

Personally sudo has never settled right with me. Apple should rid the system of the command and only allow root access by logging in as root. Sure it'd be time consuming to delete an undeletable file, but it'd be worth it for the security.

It's just the opposite actually.

If you have a root shell open for administration, it's too easy to accidentally type the command in the wrong window, and before you know it you've done something stupid to your system.

Ever accidentally shut down your remote server when you meant to reboot your home computer, because you picked the wrong window? It's the same idea (and trust me, doing that is really embarassing, and quite a pain if you end up having to do go into the office to restart it so other people can get in...)

By requiring you to type sudo before the command, there is far less chance of accidentally executing something at root privilige because the focus wasn't where you thought it was.

The administration by sudo is one of the smarter things Apple has done security wise, and the linux distros would be wise to take a page from their book.

jxyama

Apr 8, 2004, 05:54 PM

The big difference is in culture and design.

The majority of Window users run accounts that by default have write access to the system32 directories. That's because it is too much of a pain to do otherwise (I wrote a long post in another security thread about why, I'm not going to go into it here)

In OSX, even if you are an admin account you still need to type a password to give it access to /System, /bin /lib, etc. So there is a warning system in place.

That makes a huge difference -- if windows users were presented with a dialog saying "Your MP3 file is about to modify system libraries", (which is what the password dialog in OSX means) you bet they would be suspicious.

As for modification of ~/Library/Preferences, you do take regular backups right? So it's not much of a pain to replace it.

If you're running untrusted binaries in an account with important data that is not backed up, again I fall back on ... maybe next time you'll learn, and at least unlike the average Windows user at least you can be confident that you don't need to reinstall your OS because it's still clean thanks to sudo.

i don't disagree with you. i too believe OS X to be more secure by design.

that's not the issue for me. i posted what i did because many of the posts that appear (to me) hypocritical in nature do not mention any of the design or inherent differences - many of them simply state why this trojan is stupid or not dangerous using reasons that are just as applicable to any windows trojans/viruses. ("who'd open this? it would be so stupid, so this isn't harmful.")

ktrout

Apr 8, 2004, 05:57 PM

I wanna negate the myth that virii is the correct plural of virus Its Latin roots dictate the correct ending to be "viruses" - as in "buses", for example. Rather than "busii" (buses), or "sinii" (sinuses)

Ah well - people argue and argue over this one. It's in the Latin

As Slashdot mentions, its a proof of concept - but, the proof of concept is all it takes to make people follow suit, improvise, and, ultimately, refine their technique. Maybe we can rely on the fact a proportionately higher number of Mac users are intelligent jk

andy

Considering that your English is less than perfect, I seriously doubt that we should trust your Latin. ;)

A wise conclusion. My Latin dictionary gives:

Vir/us -i n. slime; poison; offensive smell; salt taste.

So the Latin plural of "virus" is indeed "viri" (not "virii") like any other 2nd declension noun. Certian words ending in "-ius" do end in "-ii" for the plural, though.

Generally, the rule in English is to permit either the Latin or anglicized plural. For example, both "indexes" and "indices" are correct. "Bus" isn't a Latin word. "Sinus" (in the sense in which I think the original poster means it) is, but is not a 2nd declension noun (4th, I think) and the plural is "sinus" except with a long "u." If you are still awake at this point, "sinus" means, among other things, "curve, fold." There is another Latin word, also spelled "sinus" (except with a long "i") meaning "large cup." The plural is "sini."

So much for pointless pedantry.

jimthorn

Apr 8, 2004, 05:58 PM

Unless there's an actual exploit involved, this trojan is a non-issue. Displaying an mp3 icon and giving it a .mp3 extension is not an exploit. This is exactly how viruses used to work. It has to trick the user into actually launching the program, and programs can of course do whatever they want. If it exploited a bug, or worked without user interaction, then there would be something to talk about.

Actually, it's a bit more sophisticated than "displaying an mp3 icon and giving it a .mp3 extension". It's a bit of code stored within the id3 header information on the mp3 file. It is a real mp3 file. The resource fork has a filetype of application. So when you double-click the file, the resource fork's filetype tells the Finder to execute the hidden code as an application. If you simply open the mp3 file using iTunes's "Add to Library", it will work as a normal mp3 file. Interesting bit of exploitation, eh?

fixyourthinking

Apr 8, 2004, 06:02 PM

Please check Macbidouille latest news on that matter on hardmac.com (English version of MB)

Intego is a French company or at least that's what their who is records says.

Macbiduoille is French too ... maybe there's a connection .... maybe there is some sort of marketing ploy between the two. This really smells of fraud.

INTEGO
10 rue Say
PARIS 75009
FR

Domain Name: INTEGO.COM

Administrative Contact:
WHITE, MARYCLARE (3167502I) mcwhite@intego.com
10 rue Say
PARIS 75009
FR
33 1 55 07 27 27 fax: 123 123 1234

Technical Contact:
White, Maryclare (MW5519) mcwhite@TRANSEO.COM
Transeo
10 rue Say
Paris 75009
FR
33-1-55 07 27 00 fax: 33-1-55 07 27 01

jimthorn

Apr 8, 2004, 06:03 PM

Kalomir

Apr 8, 2004, 06:04 PM

Actually you're mistaken.
It's just that we're in the same time zone, yet if I'd known I'd get suspected that way, I just would have gone to sleep without translating...

jxyama

Apr 8, 2004, 06:07 PM

Intego is a French company or at least that's what their who is records says.

Macbiduoille is French too ... maybe there's a connection .... maybe there is some sort of marketing ploy between the two. This really smells of fraud.

geez, it's not a fraud. there's a genuine exploitable flaw. perhaps the anti-virus company may have had some ulterior motives, but that doesn't make it a fraud. the flaw is in the OS X already, they didn't make the flaw and exploited it.

NusuniAdmin

Apr 8, 2004, 06:09 PM

and you idiots did not beleive me when i said os x can get viruses or trojens, i think you all should eat ur shoes now!

jelloshotsrule

Apr 8, 2004, 06:09 PM

Intego is a French company or at least that's what their who is records says.

Macbiduoille is French too ... maybe there's a connection .... maybe there is some sort of marketing ploy between the two. This really smells of fraud.

NTEGO
10 rue Say
PARIS 75009
FR

Domain Name: INTEGO.COM

Administrative Contact:
WHITE, MARYCLARE (3167502I) mcwhite@intego.com
10 rue Say
PARIS 75009
FR
33 1 55 07 27 27 fax: 123 123 1234

Technical Contact:
White, Maryclare (MW5519) mcwhite@TRANSEO.COM
Transeo
10 rue Say
Paris 75009
FR
33-1-55 07 27 00 fax: 33-1-55 07 27 01

a boring life you lead, eh?

Giaguara

Apr 8, 2004, 06:09 PM

while basahing the french ... http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.s%20e#link6

what about this Bo Lindbergh (http://www.google.com/search?q=+Bo+Lindbergh&ie=UTF-8&oe=UTF-8)? Start to bash the Swedish as well.

stcanard

Apr 8, 2004, 06:10 PM

i don't disagree with you. i too believe OS X to be more secure by design ... [snip about misinformation in the thread]

Okay good in that case I agree :-)

I see way too much confusion about the difference between "a virus cannot be made", and "the system architecture means that it is very difficult for a virus/trojan to have widespread effects on a properly maintained system".

That and the apparent belief I see so regularly on this site (and in the newspapers) that a security update that patches a local privilege escalation is somehow as big a problem as a Windows remote root vulnerability kind of puts me on a hair trigger when security is discussed.

jelloshotsrule

Apr 8, 2004, 06:10 PM

and you idiots did not beleive me when i said os x can get viruses or trojens, i think you all should eat ur shoes now!

unfortunately, i think you've eaten your phonics book already.

my shoes aren't worth eating right now. perhaps i need a better marinade. any ideas?

B!nej

Apr 8, 2004, 06:15 PM

It's a Carbonized classic style app (not a bundle) with an .mp3 extension. Get info on it and it shows "Application" not mp3 audio, and if you ctrl-click/right click the icon, it doesn't have an "Open With" menu.

I think this would probably catch people if you put a payload in it, so it's worth being aware of, but given people download applications and click on them without thinking, it seems a bit pointless to bother hiding it. :rolleyes:

fixyourthinking

Apr 8, 2004, 06:15 PM

a boring life you lead, eh?

Rubber & glue... okay it's your turn.

I was pointing out a quick whois search yielded a french company and that MacBidouille was also the first to report this.

Further, this is NOT a virus, it's not even a NEW exploit. It will have people scared in their boots tomorrow morning because the majority of people don't read boards like this (even if they read the main pages of websites)

Point is I want people to know who this company is and that this is embarassing for them to do this.

It's almost like this is a 7 day too late April Fool's joke.

and now who has the boring life? (jelloshotsrule public profile):
Join Date: 02-07-2002

Posts

Total Posts: 6,985 (8.83 posts per day) <--- doubletake!

Find all posts by jelloshotsrule

Find all threads started by jelloshotsrule

Spades

Apr 8, 2004, 06:18 PM

It is a real mp3 file. The resource fork has a filetype of application. So when you double-click the file, the resource fork's filetype tells the Finder to execute the hidden code as an application. If you simply open the mp3 file using iTunes's "Add to Library", it will work as a normal mp3 file. Interesting bit of exploitation, eh?

I see. That is interesting. It's basically two things at once, because at least one of the applications isn't doing sanity checking to make sure it's a file it really should be trying to open.

Um. Ignore the first paragraph of my above post. It really is exploiting a bug. :o

But given that, how is an anti-virus program supposed to protect against this? There's no real signature you can use to detect a virus like this. You can catch each individual virus as it's created, but it sounds trivial to create this type of virus. Stopping this whole class of viruses will probably take a good amount of work on Apple's part.

I'm still personally not worried. It is exploiting a bug, but it still depends on tricking the user into running it. I'm no more (or less :p ) likely to be tricked now than I was before.

jxyama

Apr 8, 2004, 06:19 PM

Further, this is NOT a virus, it's not even a NEW expoloit.

care to explain why the exploit this trojan (no, it's not a virus) takes advantage of is not new?

UncleSteveO

Apr 8, 2004, 06:21 PM

So the Latin plural of "virus" is indeed "viri" (not "virii") like any other 1st declension noun. Certian words ending in "-ius" do end in "-ii" for the plural, though.

Nope.
http://www.perl.com/language/misc/virus.html

_pb_boi

Apr 8, 2004, 06:22 PM

http://www.perl.com/language/misc/virus.html

Ah. Thanks for that info, mate.

I like the article quote: "Writers who, searching for a fancy plural to virus, incorrectly write *viri are doubtless blindly applying an overreaching -us => -i rule"

Also: "Anyway, Latin already had a word viri, but it was the nominative plural not of virus (slime, poison, or venom), but of vir (man), which as it turns out is also a 2nd declension noun. I do not believe that writers of English who write viri are intentionally speaking of men. And although there actually is a viri form for virus, it's the genitive singular[1], not the nominative plural. And we certainly don't grab for genitive singulars for the plurals when we've started out with a nominative. Such hanky panky would certainly get you talked about, and probably your hand slapped as well. "

One last thing: "This apparently invariant use of virus as a genitive singular may also imply that it's 4th declension, as some scholars believe."

Apologies for quoting at length.

*********

If it is a trojan, all I could see that it could be would be an Applescript file that runs "sudo rm -r /System" or maybe /Users. Even then it'd need a password.

As mentioned - it'd need a password. It would also need to edit the sudoers file to give info on just what it can run while availing of root priviliges, I think. If the sudoers file is chmodded to allow only root access - it would have nowhere to begin. What do you reckon?

andy

NusuniAdmin

Apr 8, 2004, 06:30 PM

unfortunately, i think you've eaten your phonics book already.

my shoes aren't worth eating right now. perhaps i need a better marinade. any ideas?

Try some dinasaur bbq sauce, that will spice them up haha.

ktrout

Apr 8, 2004, 06:33 PM

Nope.
http://www.perl.com/language/misc/virus.html

Wow, that pointless pedantry exceeds even mine.

_pb_boi

Apr 8, 2004, 06:36 PM

lol

Thanks for that link UncleSteveO.

I was expecting barbed retribution, ktrout - well, the link restores my good(ish) name, I guess. ;)

andy

fixyourthinking

Apr 8, 2004, 06:37 PM

care to explain why the exploit this trojan (no, it's not a virus) takes advantage of is not new?

You've been able to do this pretty much since OSX has been out. MP3concept has been out for over a year and a half. It is not a trojan horse NOR a virus because it is written into a benign portion of ASCII information that is not executeable.

Don't get confused with what the actual exploit is and what people are analyzing that it is here.

It's plain and simple - this is a marketing ploy by Intego.

corvus

Apr 8, 2004, 06:37 PM

Here we go… :(

Nope. I don't think so.

Intego's PR on this says:

Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS X. This same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen.

Intego VirusBarrier eradicates this Trojan horse, and Intego remains diligent to ensure that VirusBarrier will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

The is so much BS. I actually use a PC also and run no virus protection. I'm just careful about the source of everything that comes into my machine. For example, I would never download MP3, JPEG and GIF files from the Intego web site. ;)

Don't waste your money on this obvious promo by Intego. Use your Admin account only for doing admin things. This way if you do get a virus, it only has access to your user account files. This is not totally fool proof, but very close to it.

unfaded

Apr 8, 2004, 06:37 PM

When you're downloading from P2P protocols, typically the entire file name comes up, with extension. it would be .mp3.app, not juts .mp3. Same things happens in Mail.

This is the WORST attempt at a virus written in the entire course of human history. Wow.

Makosuke

Apr 8, 2004, 06:45 PM

This is, admitedly, a little bit of a security glitch, in that the file can be two things at once (though it sounds like Intego doesn't know what it's talking about, on account of the whole tag thing).

That said, it's just as easy to rename any carbon application .whatever and paste a different icon on it--took me about 5 seconds. (Interestingly, if you try to stick a different extension on a cocoa app, OSX automatically shows the .app on the end, after whatever you added. Neat!)

But the real issue is that this isn't significantly different fom ANY OTHER TROJAN. Try this: write a program that asks for a user's admin password and erases their Applications folder. Or, just one that deletes their home Preferences folder (yes, easy to work around with a backup, but still destructive). Now, call it "Radeon9800 Enabler", put an interface on it that looks like it optimizes your graphics or something, and start talking about it on Mac sites.

Bingo, security exploit, and people are a lot more likely to give it a shot than an .mp3 encapsulated in a .sit. You can write a destructive trojan for any OS with little effort, and frankly I'm surprised there aren't more for OSX already. The specific security issue connected to this, though real, is so minor that it's barely worth talking about on its own.

Intego seems to be playing this for far more than its worth, and lots of know-nothing Windows fans will jump on it as an exposed vulnerability in OSX, when it's really not significantly different from any other trojan in existance (at least OSX needs to ask for an admin password to cause any system-level damage).

Incidentally, trojans are quite capable of infecting the computers of inexperienced people, but you generally have to work significantly harder at it--specifically download one from someone malicious or too stupid themselves to know it's a trojan--rather than a virus, which self propagates, and in the case of MS Outlook, often doesn't even require you to click on anything to infect your computer.

We can still proudly claim to be yet to see the first OSX virus, and this isn't the first trojan--I've heard of others floating around on filesharing networks.

space2go

Apr 8, 2004, 06:49 PM

But given that, how is an anti-virus program supposed to protect against this? There's no real signature you can use to detect a virus like this.

Well there is a simple pattern to search for:
The files suffix is associated with a data format and the file has a ressource fork -> You must be kidding me!

space2go

Apr 8, 2004, 06:52 PM

Nope.
http://www.perl.com/language/misc/virus.html

I so hate it when somebody beats me to posting that link!
Just kidding, keep up the good work! :)

Bernd

Apr 8, 2004, 06:52 PM

They suggested that Apple makes a warning in the OS that the first time any application is run that the OS gives a warning asking a question like do you really want to run application ZZZZ? with a yes and cancel buttons.

Edit take a look at the mac Central story Mac Central link (http://maccentral.macworld.com/news/2004/04/08/trojan/index.php?redirect=1081430763000) look for the posts by JDB8167 and the one by wings. The ones by JDB8167 seem to involve some looking at the code of the concept trojan.

Awimoway

Apr 8, 2004, 06:56 PM

Nope. I don't think so.

Cut me a little slack. :) The story was just breaking and it was not yet crystal clear that Intego was exploiting a proof of concept to stir up sales. I've already stood down to Defcon 5 (code green, if you're Tom Ridge). :cool:

Counterfit

Apr 8, 2004, 06:57 PM

Prom1

Apr 8, 2004, 06:57 PM

hopefully this will negate the myth that macs are not vulnerable to virii / trojans

What would be funny is that Mac OS X & Apple computer products sales increase significantly because of this, giving the company a status of popularity amongs computer owners instead of notoriety - the other 95% of the market I mean.

Also could we see more unconfirmed, by the securities commissions or Apple themselves, virii news when the movie Troy nears its cinematic launch date?? ;)

still not seeing this as a serious threat

Mr.Hey

Apr 8, 2004, 06:58 PM

For all those users complaining about the lack of substance in MR rumors update, I hope this news keeps you busy for a bit. :D :p

123

Apr 8, 2004, 06:58 PM

it would be .mp3.app, not juts .mp3. Same things happens in Mail.
Wrong.

Giaguara

Apr 8, 2004, 07:05 PM

from macbidoulle

http://www.macosx.com/forums/attachment.php?attachmentid=4096

stcanard

Apr 8, 2004, 07:10 PM

Incidentally, trojans are quite capable of infecting the computers of inexperienced people, but you generally have to work significantly harder at it--specifically download one from someone malicious or too stupid themselves to know it's a trojan--rather than a virus, which self propagates, and in the case of MS Outlook, often doesn't even require you to click on anything to infect your computer.

Just to be pedantic :D

The Outlook stuff is a worm, because it actively self-propogates across networks.

This as coded is currently a trojan, because it claims to do one thing but really does another.

A virus attaches itself to other programs, and then is passively propogated with the distribution of the original program. On thinking about it, it seems to me this could quite easily become a virus -- on execution could it not quietly rewrite the resource forks of other files in your system, thus propogating itself inside your computer?

I haven't looked into how this works, but could it rewrite the resource fork of another application so that the virus code is run first, then it launches the initial app? Assuming of course you give it permission to write into those directories...

Parikh1234

Apr 8, 2004, 07:17 PM

coolfactor

Apr 8, 2004, 07:17 PM

and you idiots did not beleive me when i said os x can get viruses or trojens, i think you all should eat ur shoes now!

Idiots?

It's not that we didn't believe you... a Mac is a computer afterall. Your point is moot. The fact is that viruses weren't being written to exploit the weaknesses on the Mac platform, but that is changing now.

I'm confident Apple will have this issue addressed immediately.

Finally, my complimentary version of McAfee from .Mac will have some real value... ;) Macs will continue to be more secure and less exploited that Windows machines.

0 and A ai

Apr 8, 2004, 07:23 PM

5 bucks says intego had a hand in this trojan directly or indirectly.

Haouka

Apr 8, 2004, 07:32 PM

This is so good because we will spend days talking about this, I will forget waiting for an updated iBook, CNET will write in big that Mac is not safe, everybody will sleep better ...

curmi

Apr 8, 2004, 07:34 PM

(Interestingly, if you try to stick a different extension on a cocoa app, OSX automatically shows the .app on the end, after whatever you added. Neat!)

You can trick the user here though - just enough to make them think it is a different extension.

For example, if the file is SexyGirl.app, and you want to make it look like a jpeg, you can change the name to 'SexyGirl.jpg'.app and hide the extension. The file will look like 'SexyGirl.jpg' in the finder. Yes, it has quotes around it, which may be obvious only to a more seasoned user. Similarly, you can change it to SexyGirl.jpg..app, hide the extension, and it looks like SexyGirl.jpg. in the Finder - which to the casual observer looks like a jpeg.

This is in Panther. In previous versions of OS X (not sure about 10.2, definitely in 10.1) you could actually just change the name to SexyGirl.jpg .app (ie put a space at the end of the jpg), and the Finder would display it as SexyGirl.jpg. Apple at least now ignore spaces, as that was a very obvious exploit.

mabino

Apr 8, 2004, 07:37 PM

Does it still execute its code if you change the file's UNIX permissions?

Maybe the OS needs a visual indicator for --x--x--x.

find / -name '\*.mp3' | xargs 'chmod 644' after every mp3 download.

space2go

Apr 8, 2004, 07:39 PM

Earlier someone asked how it could infect JPEG and GIF files. I'm not sure if GIF has it, but many JPEG's include EXIF data, like an ID3 tag for pictures. I don't know if it could also include executable code, but that's were it would be. Of course, if you download a 4.4MB JPEG and it's 256 colors and 100x400 pixels... :D

Well as long as you want to keep only the double-click feature alive every format can be abused that way because the program can simply open a partly view of itselft in the real app (e.g. by copying the "good" parts into another file and opening that).
But if you want to be able to open the thing by hand in that app you'd need a format that takes being filled with garbage like mp3 does. ;)

Now something I learned from toying around with this:
There is a big misconception running around with this little program. The actual runnable code is NOT in the ID3 tag. It's in the resource fork.
What is in the ID3 tag is mostly just the meta information needed for the OS to recognize the program as such and a jump command to reach the actual code in the resource fork. The most simple way to show this is cutting off the resource fork with a tool like GrimRipper [1] and then trying to start the prog. It will bounce and die without doing anything simply because the code is gone but the meta-data claiming this to be an app is still there.

Actually some code is still there. The data fork starts with a jump into the resource fork. That one will be executed, all of the massive amount of zero instructions in that fork (it's empty) will be executed as well and the app simply runs out. ;)

On the other hand when you manually open the thing in iTunes you'll hear the same demented laughter as before while starting the complete file so the mp3 data is obviously still there.
If the author had really done what he claimed (namely putting the code into the id3 tag) there would have been no need for a data fork as carbon apps that need no resources don't have one either.
You can see this yourself when opening the app with the resource fork cut off. It runs without an error message which surely would come if carbon apps would need to have a resource fork.

As for noticing something wrong with the filesize for the given picture quality + size (for pics) / encoding + length (for audio):
sorry dude no chance. A 100k virus is already hopelessly bloated and putting it into a 3 MB .mp3 or .jpeg would not change the size enough to cause people to wonder what's going on.

[1] - http://www.versiontracker.com/dyn/moreinfo/macosx/16168

gunnmjk

Apr 8, 2004, 07:47 PM

This Trojan horse has the potential to do any of the following:
- Delete all of a user's personal files
- Send an e-mail message containing a copy of itself to other users
- Infect other MP3, JPEG, GIF or QuickTime files

Uhh... What a virus has a potential to do, and what it actually does are two different thigngs. Intego does not even say what the virus actually does! I think they are just trying to get some headlines so that windows users can go: SEE! Which is pretty retarded.

The Article is also pretty unclear:

MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files.

But then:
The Trojan horse's code is encapsulated in the ID3 tag of an MP3 (digital music) file.

So which is it, an application hidden in an MP3 file, or an Application that looks like an MP3 file?

123

Apr 8, 2004, 07:51 PM

What is in the ID3 tag is mostly just the meta information needed for the OS to recognize the program as such and a jump command to reach the actual code in the resource fork.
Are you sure there's anything at all in the ID3 tags?

edit: indeed, seems to be the case.

rdowns

Apr 8, 2004, 07:58 PM

']Indeed, hopefully it will. Although makes one wonder if someone just wrote this to prove this very point...

Steve Jobs will stop at nothing to deflect attention away from no new PMs, no new PBs, no new iMacs.

space2go

Apr 8, 2004, 08:12 PM

Are you sure there's anything at all in the ID3 tags?

Yes. The file starts with ID3 followed by the meta info needed for the app and after that garbage comes the track/album information as seen in iTunes. Shortly after that comes truly binary data that is the actual mp3 audio. Although i haven't read up on the ID3 "format" It sure looks to me like the auther used the tag to store the carbon app meta info. If that meta info were inside the proper audio part the track couldn't have the track/album info in iTunes plus you should hear a short strange noise at the start which one should be able to see in an audio editor like Audacity as well. And it simply sounds and looks like a normal recording of stupid lauther.

cb911

Apr 8, 2004, 08:14 PM

hhmmm... this is very interesting. and MP3Concept has been out for over a year? i'd have thought that someone would have been giving it publicity long before this.

and removing 'sudo' from the system? that's just plain crazy talk...

and even if this did develop into a new technique for making OS X trojans... surely Apple would include something in the OS X update to scan for those type of things.

Fukui

Apr 8, 2004, 08:19 PM

So, can we just get rid of resource forks already or what?

msconvert

Apr 8, 2004, 08:34 PM

The fact is that viruses weren't being written to exploit the weaknesses on the Mac platform, but that is changing now.

I'm confident Apple will have this issue addressed immediately.

The issue that most people are missing is that OSX is compatible with both MacOS file throught metadata and resource forks and with PC's with . extenstions. This trojan, by mixing the two, makes the finder show the file as one file type and its execution behavior another. Some much to the fact that when the application file virus.mp3 file is dropped onto iTunes it still plays the contents of the file as if it were just music. This virus has exploited the very feature that makes OSX significant. I don't see Apple 'having this addressed immediately' as the exploit is a necesity to the OS.

Even though this trojan must have both forks to work and would have to be packaged in a .sit or .hqx, It would be very easy to put the file on a web page with a link that has the html code show that the files was just an .mp3 where as the file path included the full .sit extention. Inocent people would click on the mp3 link and Safari, with its auto extraction feature, would extract the file for the user and the "expected file" would be where they wanted it. Double clicking on the trojan, would complete the deal.

Anyone who things this is no-big-deal should recognize that people are easily duped whether it is through web pages or simple deliver through email. Just because some are smart enought not to click on unknown files, we just have to look to the windows users to see that people are generally dumb.

coolsoldier

Apr 8, 2004, 08:43 PM

This is a system flaw. Two things need to change in OS X to fix it:

--If a file has an extension, the system should always use the extension to figure out what to do with it. It's confusing and a security hazard to have two different ways of determining file types for the same file, and AFAIK there are no legitimate carbon apps with extensions on their names. (Of course it could still use type/creator for files without extensions)

--The system should automatically throw up a flag if the executable data doesn't start at the beginning of the file. Allowing extraneous headers at the beginning of an application file is not a good thing.

space2go

Apr 8, 2004, 08:51 PM

One other thing.
I looked at the ID3v2 specs a bit and the author encoded the meta info (almost) correctly as a "General encapsulated Object". As every frame has a four byte size descriptor the complete payload would have easily fit inside that frame. Has anybody an idea why he did use the resource fork at all?
[Edited for insight]
I just got it! He used the resource fork for a resource! Clever trick huh?
No seriously the app needs to bring along its mp3 icon itself because an app won't get that just by calling itself .mp3. The proper place for that is the resource fork and looking at the .icns file of some applications 48k (the size of the resource fork) seems a plausible value for that.
And to be honest far more plausible than assuming such a simple program would need 48k.
Of course my old theory why the app simply dies without its resource fork is void. It does so not because it lacks program code but because it can't get initialized properly as a resource is missing and OS X does not deem that worthy of an error message.

I hope I can sleep now and in a few hours I'll try to extract the icon to proof my theory.

yamabushi

Apr 8, 2004, 08:54 PM

Seems like a problem with keeping data and executable code separated. Some kind of visual cue to demonstrate the difference regardless of file type could be helpful. That way a user could easily see the difference without carefully examining the full file extension and file info. Since icons are easily modified perhaps some kind of default graphical overlay by the system on top of all icons attached to any file recognized as executable or a modification of the text of applications to display in a different font or color might help. The key is to have the system perform the modification to the appearance rather than rely upon the creator of the file to supply the appropriate appearance and file extension for the file.

thejazzman10

Apr 8, 2004, 09:25 PM

i for some reason don't think this will have any effect...

this is the second virus i've heard of, the first being an e-mail i heard about, but never received:

"You have received a virus! To fix the problem, launch terminal and type the following exactly:

sudo rm -r /System

When prompted for your password, please enter it.
Congratulations on being virus free!"

or something like that...

reality

lol....this is the most primitive one that i have heard of....talk about gullible!! (that code erases the hard drive for all of you that dont know)

Doctor Q

Apr 8, 2004, 09:34 PM

Apple could change Mac OS X to lessen the chances of this problem. Suggestions have been given for ways this could be done. Before I think about which of the solutions seems best, I would like to know how likely it is that Apple will actually decide to make any such change. Will they consider making changes to the Finder either because they want to help avoid disguised applications, or simply because of this type of publicity?

SiliconAddict

Apr 8, 2004, 09:38 PM

nightcap965

Apr 8, 2004, 09:39 PM

Gang, there is No Such Animal as an uncrackable computer. I know there are no extant viruses for MacOS X. I still run Virex. I know there are virtually no extant viruses for Linux. I still run ClamAV. And as for my Windows machines - I got antivirus and firewalls and rubber gloves!

That said, any virus for Macs is not going to propagate very well. Yes, Unix-based computers are built with greater security in mind, but also people who run Unix-based computers tend to be a little smarter than the average bear. But there are no guarantees, so don't click on that file promising nekkid pictures of Russian tennis players.

Nope. I don't think so.

Intego's PR on this says:

The is so much BS. I actually use a PC also and run no virus protection. I'm just careful about the source of everything that comes into my machine. For example, I would never download MP3, JPEG and GIF files from the Intego web site. ;)

Don't waste your money on this obvious promo by Intego. Use your Admin account only for doing admin things. This way if you do get a virus, it only has access to your user account files. This is not totally fool proof, but very close to it.

SiliconAddict

Apr 8, 2004, 09:50 PM

lol....this is the most primitive one that i have heard of....talk about gullible!! (that code erases the hard drive for all of you that dont know)

Sometimes primitive ones are usually the best. One of the more interesting hoaxes I've run across in windows is a hoax propagated by well meaning individuals.

It goes like this:

found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple:

The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book too. The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system.

The virus can be cleaned before it deletes the files from your system. In order to eliminate it, it is just necessary to do the following steps:
1. Go to Start, click "Search"
2.- In the "Files or Folders option" write the name jdbgmgr.exe
3.- Be sure that you are searching in the drive "C"
4.- Click "find now"
5.- If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe DO NOT OPEN IT FOR ANY REASON
6.- Right click and delete it (it will go to the Recycle bin)
7.- Go to the recycle bin and delete it or empty the recycle bin.

IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.

Here the kicker. The file is a Windows file for MS Visual J++ runtime debugger. It won't cripple windows if you delete it but its a beautiful example of social engineering the crap out of gullible people and like it or not there are gullible people on Windows and on Mac.

Analog Kid

Apr 8, 2004, 09:54 PM

Yeah, Integro may have been feeling a little bit like the Maytag repairman, but I think people are coming down on them way too hard.

A proof of concept that could potentially exploit social engineering to run an arbitrary app on your machine has been distributed. The one they found isn't harmful. They proactively added protection against it before anyone got hurt. Now they're getting slammed for promoting their product.

If you ask me, the question should be why the other vendors haven't implemented similar measures?! Are they waiting for an event to prove it necessary?

This kind of protection before the problem is what you pay for with a virus scanner.

Sure we all want to believe we wouldn't click something before we knew what it was. Windows users think that too. I'm sure someone would open it though-- they always do.

Imagine an emailed file from an infected friend saying "Hey, check out my latest GarageBand creation!", or a spoofed email from MoveOn.org saying "Proof Bush knew there were no WMDs".

I, for one, always assumed data files to be safe. Clearly they're not. Forget about whether you'd open an MP3 or not. This isn't about your favorite music codec! Have you ever thought a jpeg could bring down your machine? Do you assume that word docs are safe if you disable macros?

At least I now know that OS X doesn't do a very good job of distinguishing between data and code. Regardless of how this information got out there, it really is important to know.

This is a warning shot across the bow. Hopefully it can be and will be patched by Apple before things get bad.

aarond12

Apr 8, 2004, 11:09 PM

This is NOT a virus. A "trojan horse" is malicious code that does something bad when executed, then terminates (just like any other application). A "virus" is code that stays resident, embedding itself into the system -- something Mac OS X will not allow unless the administrator password is entered.

This "proof of concept" is complete crap. Why? First, Mac OS X applications are composed of many files, not just a single file like an MP3. (Control-click on an application, select "Show Contents" and see what I mean.) You would have to download a compressed archive with the MP3 trojan inside.

Additionally, this same spoof can happen MORE EASILY on Windows systems. Create a trojan horse application and give it an icon file of an MP3 file (very easy using Microsoft Visual Basic). Then name the application "trojan.mp3.exe". Windows 2000 and XP, by default, hide the extension of applications, so what would the user see? "trojan.mp3".

Hello! That is the exact same issue they're making a big deal about on OS X, except it's even easier on Windows because they can download the .exe file directly, not putting the file into an archive.

Unlike Mac OS X, Windows applications *can* be composed of a single file. Although someone downloading "trojan.mp3.exe" is about as likely as a Mac OS X user downloading "trojan.mp3.app.sit".

This is another Windows lover's attempt to make Mac OS X look bad.

-Aaron-

SiliconAddict

Apr 8, 2004, 11:11 PM

The big question I have is when will the more biased new sources get wind of this. cnet.com \ zdnet.com and make an over the top fuss over this. Is it a big deal? Kinda. Will they blow it out of proportion? Definitely.

iMeowbot

Apr 8, 2004, 11:17 PM

Yes, but what if it was just programed to delete everything in ~/Library/Preferences? To many, that would be a nightmare, and it wouldn't need authentication. Or it could delete your address book, or mail folders - all these things are unprotected.

Yeah see, this is a common block that gets into people's heads when they think of malware. You have to (rather literally) think outside the box to appreciate why trojans can be a genuine problem.

Deleting a user's files would be a pretty lame attack. Fishing through a user's address book and other files, then sending out spam (perhaps containing a Windows virus just for kicks, or perhaps mail out a nice offensive tirade to your employers or customers) could have more serious consequences. It can also be used to execute a networked attack on some other machine, so that you get the blame for someone else's antics. It can quietly add a few lines to $HOME/Library/Prfeferences/loginwindow.plist to do its thing long after you forgot about that little file you downloaded. It can be written to present dialogs that spoof Software Update or the wake-from sleep password dialog after it's waited for a few days, gaining root access for itself after the download has been forgotten. And from there a program can do whatever it wants. And so on. Even the smartest people can be distracted or have bad days, and fall for a convincing cover story.

ionas

Apr 8, 2004, 11:20 PM

apple has to accept that the world isnt that easy as mac os x suggest it to be.

there are many types of "data", archives, documents, applications.. and so on.

as long as you cant "script" applications via files so that they damage the operating system yo can SAVE the the whole situation.

just add an icon that is overlayed over each application and marks that as an application, do that with files too, and things are differnt than those both types get extra markup icons.

no problem left imho.

musicpyrite

Apr 8, 2004, 11:48 PM

Sorry if I'm offending anybody, but even one little hit of a virus, and you guys get your panties all in a wad. I swear, what happens when OS X becomes mainstream and has 80,000+ viruses,trojans,etc.

:rolleyes: :rolleyes: :rolleyes:

Steven1621

Apr 8, 2004, 11:57 PM

autrefois

Apr 9, 2004, 12:52 AM

Nope.
http://www.perl.com/language/misc/virus.html

You're all wrong.

Judging from the .mac forums, the correct plural for virus is Virex. :)

voicegy

Apr 9, 2004, 02:18 AM

elgruga

Apr 9, 2004, 02:47 AM

Diatribe

Apr 9, 2004, 02:51 AM

You're all wrong.

Judging from the .mac forums, the correct plural for virus is Virex. :)

That one sounds awfully like Windex. :p :D

Skiniftz

Apr 9, 2004, 03:25 AM

Skiniftz

Apr 9, 2004, 03:33 AM

They actually had me going for a minute until I got down to this part of the statement... :rolleyes:

"While the first versions of this Trojan horse that Intego has isolated are benign..."

Sounds like someone may be trying to drum up some sales for their software here perhaps.
Ok guys listen up - you have been spared viruses worms and trojans on OSX so far, and so you are forgiven for being inexperienced in this area. The trojan mentioned is what's known as a "proof of concept" and is what security researchers do - they produce proof of concept code to prove their theories. They then (usually) contact the vendor (in this case Apple) with their proof of concept, and point out the problem. The hope is that the vendor will issue a patch to fix the issue.

Do not be lured into the myth that OSX is immune to any security threats. Trojans are particularly nasty to the often inexperienced computer users that the Mac attracts. Simply by clicking an icon CAN cause you problems.

The recent Netsky Windows virus was only successful because users were stupid enough to click on an attachment because the message told them to. OSX is not immune to this attack. If Netsky had, say, two attachments and said "OSX users click on the OSX attachment" then it would have spread via Mac users too.

Skiniftz

Apr 9, 2004, 03:57 AM

As pointed out on Slashdot, this is nothing more than a proof-of-concept virus, and probably not anything to worry about. Read (posted below)
You don't get it. The exact "trojan" discovered is nothing to worry about in itself, however the exploit has now been published. The thing to worry about is that there are people out there right now who will be coding up nasty things using that proof of concept. It like saying that someone has found a way to make a new weapon using easy to obtain household objects - like that guy who made his own cruise missile for example. The problem is not the inventor, but the people who will misuse the technology.

As the Mac gets more prevailent, we will see more of this sort of thing. If everyone used Mac's, then it would be very easy to have an incident on the scale of Netsky et al using this exploit.

For example: Here is an MP3 - please click on it (http://www.gdlive.com/dead/651103/2-mindbender.mp3)

Whats wrong? Lost your feeling of security?

TimDaddy

Apr 9, 2004, 04:44 AM

What Mac OS X fool has

1. Icons of music files on his desktop, which are

2. MP3, not AAC?

Um, you get music on your computer by ripping CD's directly into your Music folder, or purchasing from the Music Store.

Sounds like this one prays on music pirates. Boo hoo! :)

A few months ago I imported nearly all of my cd's. A few of the 12-15 year old ones were so scratched up that I couldn't get all the files to copy. So, I downloaded them from p2p networks. I still have the cd's here in my drawer. Am I a pirate? No, really, not trying to start a bitchfest. I am allowed to do this, if I already own it, right?

But, if I find any more cd's in this condition, I'll probably just do without those songs until I hear more about this. I'll bet the RIAA is loving this!

guet

Apr 9, 2004, 05:48 AM

A few months ago I imported nearly all of my cd's. A few of the 12-15 year old ones were so scratched up that I couldn't get all the files to copy. So, I downloaded them from p2p networks. I still have the cd's here in my drawer. Am I a pirate? No, really, not trying to start a bitchfest. I am allowed to do this, if I already own it, right?

But, if I find any more cd's in this condition, I'll probably just do without those songs until I hear more about this. I'll bet the RIAA is loving this!

Please note that an MP3 file without a resource fork cannot carry this trojan - so it can't spread via most P2P networks which will throw away the resource fork. Also, importing/opening the file with itunes won't do you any harm (if there is valid MP3 data to read you'll get the MP3). The trojan carries a resource fork with instructions for the code offset - the code itself is carried in an MP3 Tag I think, personally I haven't looked at it.

The problem comes when you double click on it in the finder - the finder looks at the resource fork, decides it's an application and executes the code, which can then do what it likes. I imagine we'll have a fix from Apple fairly soon as it would be easy to thwart - comes down to the rules for interpreting the type of a file from the extension/file && type/creator used by the Finder.

If you want to find out more go look at the slashdot discussion.

http://apple.slashdot.org/article.pl?sid=04/04/08/1922237&mode=thread&tid=126&tid=172

space2go

Apr 9, 2004, 06:07 AM

Please note that an MP3 file without a resource fork cannot carry this trojan.

That's not entirely true.
The executable is actually in the ID3 tag of the mp3 as the file is both a valid mp3 and a valid carbon app.
The resource fork contains the icon and a plist. Without the resource fork the file is still recognized (by the system) as an app and started on double-click. As stated above it no longer can be properly initialized without the resources and simply dies. This should no longer be true if it were rewritten to not expect resources anyway.
Of course without the resource fork the thing gets the generic app icon which hopefully keeps at least some people from double-clicking it. ;)

reflex

Apr 9, 2004, 07:28 AM

visor

Apr 9, 2004, 07:30 AM

The same problem arised on XP last year - minor difference was that you didn't even need to click on the file. It was sufficent to open the Folder.

Anyway, the problem is not trivial, but a conceptional problem with the Finder. I think Apple will need to come up with a solution that discovers more or less obvious resource fork misuse.
An obvious misuse would be an .mp3 file beeing a carbon App. Some alert dialog informing of the fact that the file is not was a normal user would think it is, would be one first neccessary step to security.

Mac-Xpert

Apr 9, 2004, 07:43 AM

I think that nobody should be posting any of these "proof of concept" viruses on any board. If you would find out a new way to create a virus or some Trojan that could exploit flaws in a system, you should contact the vendor of that particular OS/system. By giving away the concept of a virus or Trojan, you lend a hand to *evil* programmers to make a real virus/Trojan out of it. They might not have come up with the idea in the first place if nobody would have mentioned the possible exploit/weakness of that system.

So only when someone discovers a real virus / Trojan they should warn people about it.

space2go

Apr 9, 2004, 07:46 AM

The Latin plural would be viri, not virii btw.
No it would not. Virus simply has no latin plural; similiar to english "milk". Just as milk does today the original meaning of virus simply described something that could not be counted. So every language using virus to mean a computer virus must come up with a plural according to its own rules. In german it's "Viren" and the english version seems to be "viruses".
Additionally if you wanted to know a definite answer on wether and how to create a "proper" latin plural for that word you would have to ask the only latin speaking country in the world - the vatican. ;)

tny

Apr 9, 2004, 07:58 AM

I wanna negate the myth that virii is the correct plural of virus :p Its Latin roots dictate the correct ending to be "viruses" - as in "buses", for example. Rather than "busii" (buses), or "sinii" (sinuses) :)

Ah well - people argue and argue over this one. It's in the Latin :)

As Slashdot mentions, its a proof of concept - but, the proof of concept is all it takes to make people follow suit, improvise, and, ultimately, refine their technique. Maybe we can rely on the fact a proportionately higher number of Mac users are intelligent ;) jk :)

andy

Close, but not exactly. The Latin word virus (which means "blight") doesn't occur in the plural in any of our texts, and it's hard to imagine how one could come up with a plural given the usage we see; but if there were a Latin plural, that plural would have been "viri" - ONE "i" - because "virus" is a second declension noun. (Yes, it would be a homonym of the plural of the word for man, "vir, viri"). It's not like apparatus, then.

Anyway, on the subject of this "trojan" - this is the Mac equivalent of a Windows double-extension. In Windows, by default file extensions that are recognized by the operating system are hidden from the user. Windows exclusively uses the file extension - the part of the file name after the last period - to determine which application should be used to open the file. If Windows has a file association available in its registry, it will access the file with the appropriate application. What virus writers do is to write VB scripts and executables and give them file names like this: KoolNewSong.mp3.exe . If Windows (as it does by default) has file extensions shut off, the file will look like an MP3 file, though the icon will actually be determined by either an embedded icon in the executable or the default Windows icon for the file type (.exe, in this case), rather than the default Windows icon for the file type it's masquerading as.

This Mac "trojan" is analogous, though of course the Mac file system handles things much differently. I haven't found complete explanations, but (unless I'm misunderstanding the information I'm reading about this case) basically the "trojan" is a real MP3 file - in the data fork. But the application fork includes "malicious code" linked to the ID3 tags. The metadata for the file is set to indicate that it is an application, not a file, but the icon and "file extension" say it's an MP3. If you get both forks of the file and you double-click it in the finder, the "malicious code" will launch. If you only get the data fork, it won't work. If you bring it into iTunes and try to play it, you'll get music.

The thing I don't know is whether the malicious code is capable of disrupting the system as thoroughly as the average Windows virus is without requesting an administrator password. The issue with Windows is that there's a scripting host (similar to AppleScript's, but using VisualBasic) that has the same system privileges as the user; Apple's permissions are a little bit more granular than this. But my knowledge and understanding of the Apple with regard to security isn't strong enough (I know Windows security pretty well), so I may be misunderstanding these issues, and welcome correction.

Anyway, the point is that this is a proof-of-concept, and the payload doesn't actually do anything malicious. The fact is that even if the security model for Mac were no different from that for Windows, I wouldn't expect as many viruses for Mac as for Windows. Not because Mac is a smaller target: but because virus writers have access to far fewer Macs to test their code on! After all, a Windows box is cheap to build . . .

[didn't see the above messages. correct "application fork" to "resource fork," and note the comment above that one could create a resource-fork-less version if one didn't mind the wrong icon showing up.]

fixyourthinking

Apr 9, 2004, 08:06 AM

You don't get it. The exact "trojan" discovered is nothing to worry about in itself, however the exploit has now been published. The thing to worry about is that there are people out there right now who will be coding up nasty things using that proof of concept.

No, you have been able to change the icons on files in OS 9 & X and change extension names for years. You get the appearance of a different file.

Further, the MP3Concept virus theory has been around pretty much since the end of Napster 1.0 - the reason - the RIAA had considered doing this. Since Mac/Linux/Windows users all downloaded (illegally according to them) - they had to come up with an exploit that would be system wide. That said, MP3 concept ONLY was completed for the Windows platform - but still benign. It was never integrated and IT NEVER COULD BE - it is in a benign piece of ASCII text (the ID3 tag of the Mp3) - you cannot execute code from here - you cannot gain root access from here - and even if you could you would need a password. If you clicked on an MP3 (not an AAC file) but an MP3 - wouldn't you be cautious if you're asked for your password?

Now, here's where one COULD get a virus from this on ANY platform:

1) One could download a song from Kazaa that has the Mp3 concept code in it. (Mp3 concept has been around for MORE than 18 months!!!)

2) One could also download ANOTHER VIRUS or "parent app" that could find the code from the ID3 tag, combine it, compile it, run it. But take into account someone would STILL have to write a virus into the ID3 tag which HAS NOT BEEN DONE (for Macs)!!!

3)Then there is a possibility you you could be infected - this is NOT an exploit, it is NOT a trojan. The reason -

A) I could send you a text file right now called, "this is a virus"

B) In the text I could say, "Go into this guy's computer and mail me all his passwords, credit card numbers, and while you're at it; send me a naked picture of his wife"

C) Just because I've said that doesn't mean it will happen. This is essentially what MP3Concept is - it is just theorizing that code COULD be typed into the ID3 tags and LATER combined with other code. IT IS NOT EMBEDDING ANY KIND OF APP - at least directly.

I get .pif files (PC virus) all the time on my Mac in mail.app. These were most commonly the MoDoom/MyDoom virus. I have even opened them on the Mac - since the MoDoom/MyDoom virus doesn't work on Macs - it does nothing. Same here - since MP3concept doesn't even WORK - it can't do anything.

Point is - the "exploit" has been around for a while. Should people be concerned? Yes. Should they buy Intego Virus barrier to fix it - no! No! NO!

The dead giveaway there is that the virus vendors claim the same attack makes JPEG and GIF format files equally at risk: these obviously don't have ID3 tags.

Please read the rest of the board - we have already covered this - jpegs and movie files even have exif data - this is SIMILAR to ID3 tags for Music - the exif data contains date/cropping/thumbnail/editing data.

You are correct in saying that this COULD happen from there too - but read above - exif data has been around for YEARS! NO ONE HAS BEEN ABLE TO SPREAD A VIRUS THIS WAY! NO ONE HAS YET WRITTEN A VIRUS FOR THE MAC PLATFORM.

Intego's scare into buying their software is simply based on the fact that someone could! I could win a million dollars tomorrow. In fact, it's likely it will happen. There could be a mac virus tomorrow - in fact - it's likely it will happen.

Likely = 1 chance in 1 million!

If a virus DOES spread by this method in the near future - Intego should be investigated as suspect #1!

eSnow

Apr 9, 2004, 08:09 AM

1) This is an issue with resource forks and OS X gladly executing code in resource forks. It has nothing to do with MP3, and certainly nothing to do with ID3 tags within the MP3 files. The dead giveaway there is that the virus vendors claim the same attack makes JPEG and GIF format files equally at risk: these obviously don't have ID3 tags.

I just looked into the thing and there is no code in ressource forks. The executable is in the data fork - only the custom item is stored in the resource fork.

Mattski

Apr 9, 2004, 08:31 AM

I'm betting:
(1) Intego (whoever the hell they are) have employed an idiot who knows how to write a press release, and this happens to co-incide with poor sales.

(2) If it is real, then it's really just an app that does what it is supposed to do, and has no ability to delete any system files unless you are logged on as an administrator

Probably best if you are not logged on as an Administrator when you are generally using your computer.

Most Unix admins will tell you the same thing.

If you want to do something as an admin, login as an admin. If you want to do something as a user, login as a user.

In any case if you don't have a backup of *everything* including your music, emails, files etc. then you are an idiot. There is much more chance of your hard drive dying than there is of getting a virus on OS X.

_pb_boi

Apr 9, 2004, 08:34 AM

The Latin plural would be viri, not virii btw.

You're right in saying it's not virii. And correct that the Latin plural WOULD BE, rather than is - since there is no Latin plural for virus. But:

"Writers who, searching for a fancy plural to virus, incorrectly write *viri are doubtless blindly applying an overreaching -us => -i rule." [source] (http://www.perl.com/language/misc/virus.html)

"So what we have here is something of a mixed or invariant declension. Trying to find a plural for something that didn't take a plural (possibly because it was not a count but a mass noun), or at least, one for which no plural is classically attested, is a fruitless endeavour. Best to stick with English and use viruses. "

Presumably the author is trying to say that, because there is no real Latin plural for the word, we should refrain from justifying exotic endings and use plain English. Who knows :)

andy

space2go

Apr 9, 2004, 08:36 AM

I just looked into the thing and there is no code in ressource forks. The executable is in the data fork - only the custom item is stored in the resource fork.
Yup the resource fork contains the icon that takes 44k which is most of the fork, the plist file giving OS X all the info it ever might need about the app plus some mostly empty text files that seem normal for carbon apps.

If you want to look more closely, ResPloder [1] is a nice little app that "explodes" the resource fork of a file into a directory structury and places the contents into the data fork of files it creates there.

This mp3 really is nicely done I have to say.

[1] - http://www.versiontracker.com/dyn/moreinfo/macosx/14523

visor

Apr 9, 2004, 08:39 AM

Close, but not exactly. The Latin word virus (which means "blight") doesn't occur in the plural in any of our texts, and it's hard to imagine how one could come up with a plural given the usage we see; but if there were a Latin plural, that plural would have been "viri" - ONE "i" - because "virus" is a second declension noun. (Yes, it would be a homonym of the plural of the word for man, "vir, viri"). It's not like apparatus, then.

The thing I don't know is whether the malicious code is capable of disrupting the system as thoroughly as the average Windows virus is without requesting an administrator password. The issue with Windows is that there's a scripting host (similar to AppleScript's, but using VisualBasic) that has the same system privileges as the user; Apple's permissions are a little bit more granular than this. But my knowledge and understanding of the Apple with regard to security isn't strong enough (I know Windows security pretty well), so I may be misunderstanding these issues, and welcome correction.

Well, on a Mac it's not quite as capable of destroying the whole system. To me that doens't matter to much, since it can destry at least the whole user space, and anything the user has write access to.

If you are a non superuser, you can destroy your home folder. If you are logged in with admin rights, which is the typical setup for a single user mac, it can destroy the users home, and everything that he has write acces to, basically the whole Applications folder.

As such, it has the capability of infecting shared applications which can then be used by other users, which in turn infect their home directories...

All but the very basic System Folders can be infected this way. If it's a smart trojan, it infects everything for a time, and starts destructive work after a defined time of incubation.

OK, now this is the worst case scenario, It's not true yet, but I just mean to say that the thing has capabilites most people here choose to ignore, which is not very smart.

eSnow

Apr 9, 2004, 08:47 AM

This Mac "trojan" is analogous, though of course the Mac file system handles things much differently. I haven't found complete explanations, but (unless I'm misunderstanding the information I'm reading about this case) basically the "trojan" is a real MP3 file - in the data fork. But the application fork includes "malicious code" linked to the ID3 tags.

There are only two forks on HFS(+): resource fork and data fork. This thing is basically an application masquerading as an mp3-file. The executable code is in the data fork (like it always has been since the introduction of PPC), the icon shown by the finder is in the resource fork.

The "high-concept"-trick with this trojan is that the data fork starts off with a valid mp3-header, followed by a PEFF-code segment starting off at position 64 in the data fork which in turn is followed by the mp3 data.
The mp3 file format contains information as different chunks. PEFF also allows code in segements. If you are clever, you can interleave code and mp3. This allows the file to be played as an mp3 without any noise to reveal the true identity.

It works obecause the 'cfrg'-Resource allows executable chunks to start at an offset in the byte stream. The first member in this resource is located at 64 bytes - this is where the system jumps into if you launch it.

This kind of virus could have been engineered years ago - since the advent of Carbon 1.1 (not because Carbon is insecure, but because it introduced the 'cfrg'-resources) on MacOS 8.6.

id3info shows how the datafork is structured:
*** Tag information for virus.mp3
=== GEO (General encapsulated object): (virus)[virus.mp3]: application/octet-stream, 3221 bytes
=== TEN (Encoded by): iTunes v4.2
=== COM (Comments): (iTunNORM)[eng]: 00000A0C 00000000 000055AC 00000000 00000187 00000000 00007E8A 00000000 0000016D 00000000
=== TT2 (Title/songname/content description): Wild Laugh
=== TAL (Album/Movie/Show title): iMovie
*** mp3 info
MPEG1/layer III
Bitrate: 64KBps
Frequency: 44KHz

The application code is in the General encapsulated object (lines starting with === denote ID3-tags, so it is in a tag). Conveniently, iTunes does not show the existance of GEO-tags...

Yeah, it's a trojan all right. A friendly one, but a valid one nonetheless.

The blame lies squarely at Apple.
- iTunes should - under no circumstances - play anything that identifies itself as an applications. But it does and this is wrong, because it allows users to play this from the web, then store it and double click it one day. This would not be the case if it did not play in the first place.

- The Finder should mark each and every piece of software it would launch. Including AppleScripts, shell scripts, Carbon and Cocoa apps.

- The CFM-Launcher disregards the Unix executable bit (chmod -x and you still can launch it). I can't figure out why - exept for the notable disregard inside Apple of anything Carbon. Hell, the NeXTies are too lazy to even look after security-relevant problems.

Outlook:
the same trick could be employed with every "chunky" file format. TIFF comes to mind, as well as QuickTime (we all never double click QuickTime .movs, right?), and... AAC. Apple better move fast to do something about it.

A further version could contain code that doctors existing mp3-files to become infected, thus spreading on your disk.

Besides the obvious "erase the home directory", a boosted version could employ AppleScript to read your contacts from the Adress book and send spam mails via Mail.app. This is the exact thing we have seen on windows for years now.

k2k koos

Apr 9, 2004, 09:18 AM

True or not, I really do not see what someone would gain by writing virus and other anoying cr**.
True, it is useful to explore the weak points so that computer companies can make their software even more secure, but don't anoy the rest of the world with it, go work for a software developer or something, and get a real life, find a girlfriend or whatever, this is just childish behaviour.
:mad:

eSnow

Apr 9, 2004, 09:32 AM

True or not, I really do not see what someone would gain by writing virus and other anoying cr**.

Well, when I was much younger (14), i wrote a virus to spread in my schools cs classes. This was in '87, when the concept of viruses was brand new and the computers in question were Apple II's. It caused total mayhem, because people did not know what was going on.

Why? Just because it was possible. It was entertaining, writing something like that in some 2-3KB (yes, KB). It was a nice secret, and I kept it close to my chest until 10 years later. It was unethical too, I agree.

However, everytime I see the complete fools here and in other Mac forums blasting Windows security and bragging about MacOS X and how bulletproof it is, it itches me a lot to show them...

Actually, looking at this trojan was fun for me. I like the cleverness with which it is built. Kudos to whoever did this.

gdanko

Apr 9, 2004, 11:53 AM

then you deserve it. don't pirate music and you don't have to worry. I have no sympathy for anyone getting bitten by this trojan.

macnews

Apr 9, 2004, 12:28 PM

Why do so many people want to deny this is a problem? It is a problem, one we knew would come about sometime (remember os9 had virus problems). Also, the average users may be either inexperienced or too cocky thinking "macs don't have virus!".

Sure, this may not be able to delete your whole file system or prevent your computer from running, but it can cause a pain in the ass! Not everyone backs up, yes they should. Hopefully, Apple will provide some sort of fix, but this can't be the first time this has happened. OS X also has the benefit of being Unix based. That has been around for a much longer time so perhaps there are other similar issues out there that have already been fixed on other *nix platforms.

Common sense will help but putting your heads in the sand and saying it isn't a big deal or down playing it does no one any good.

voicegy

Apr 9, 2004, 12:36 PM

Well, when I was much younger (14), i wrote a virus to spread in my schools cs classes. Why? Just because it was possible. It was entertaining, writing something like that in some 2-3KB (yes, KB). It was a nice secret, and I kept it close to my chest until 10 years later. It was unethical too, I agree.

However, everytime I see the complete fools here and in other Mac forums blasting Windows security and bragging about MacOS X and how bulletproof it is, it itches me a lot to show them...

Lot's of things are "possible" and may be considered "entertaining" by those with time on their hands and a sense of mischief - the mind reels at what has been done of a more destructive nature with such mindsets. I hope that was a passing phase and you now do more productive things with your time. At least you understood the unethical nature of your action. Please keep your talents on the side of "right," and don't scratch that itch. :)

123

Apr 9, 2004, 12:41 PM

There are only two forks on HFS(+): resource fork and data fork.
Plus file system meta data. Without that, the file would be recognized as mp3 file only, based on its suffix.

- The CFM-Launcher disregards the Unix executable bit (chmod -x and you still can launch it). I can't figure out why - exept for the notable disregard inside Apple of anything Carbon. Hell, the NeXTies are too lazy to even look after security-relevant problems.
Try setting the executable bits in OS 8.6 or something. So, if someone builds a carbon app it shouldn't run on X at all or what's your point? Besides, do you think the virus programmers would be too stupid to set the executable bit?

Besides the obvious "erase the home directory", a boosted version could employ AppleScript to read your contacts from the Adress book and send spam mails via Mail.app. This is the exact thing we have seen on windows for years now.
Mail.app will warn you if you want to launch the movie/mp3/whatever file if it was encoded as application. That and the small and clustered Mac user base (only Macs can pass it on) will probably be enough to stop such a virus from spreading quickly. Although... maybe not. We'll see soon enough.

fsbilly

Apr 9, 2004, 12:44 PM

Well, I, for one, just downloaded a legally distributed free mp3 today. It was a promotional mix a dj is giving away.

Good. Then you know the source of the MP3. This will only affect people who d/l MP3s from less reputable places.

wdlove

Apr 9, 2004, 12:52 PM

Plus file system meta data. Without that, the file would be recognized as mp3 file only, based on its suffix.

Mail.app will warn you if you want to launch the movie/mp3/whatever file if it was encoded as application. That and the small and clustered Mac user base (only Macs can pass it on) will probably be enough to stop such a virus from spreading quickly. Although... maybe not. We'll see soon enough.

Entourage gives me a warning also. So I only open up an application if it comes from someone that I know. As others mentioned, all would be much better if brilliant individuals would use their knowledge for good!

NusuniAdmin

Apr 9, 2004, 12:54 PM

then you deserve it. don't pirate music and you don't have to worry. I have no sympathy for anyone getting bitten by this trojan. Um it comes in emails genious, i dont know about u but i get lots of emails from friends that have songs they have written as attachements, but i really doubt this trojan hacks your address book and sends the email via the emails (like many windows viruses and trojans do). So most likely the thing sends an email from like "your_wife_nude@yahoo.com" or something along those lines.

0 and A ai

Apr 9, 2004, 01:05 PM

form

Apr 9, 2004, 01:20 PM

Here's my concern:

PCs are notorious for running into tons of trojans and spyware. The fact that mac has hardly ever had any significant virus/spyware scares is, in my opinion, a big selling point for them. Incidentally, the same fact is also probably the result of their numbers staying small, and pc numbers being so large.

If the mac platform becomes virus and spyware prone, like PCs, then there will not really be any major convenience-related reasons for me to stick to mac anymore...for the longest time, that has been one of the primary selling points to me, their convenience through safety from troublesome things like the PCs run into so often on the web. Disagree with me all you want, but, since I don't do audio/video editing, I just wouldn't buy a mac for performance, because mac isn't faster for what I'm interested in, both productivity and entertainment-wise.

twixster

Apr 9, 2004, 01:24 PM

I downloaded the so called mp3 and my main question is who would double click on it anyway. The only time that i double click on a song is when i am in iTunes. However, i always look at my files in list mode which tells you that it is an application or what not so common cents should tell you that unless it is an app that you downloaded or made for your self don't open it. Also, we have been able to do things like this since os 9. I believe that they are just not having good sales and are trying to drum up some mac sales for being one of the only virus protection programs that catches it.

space2go

Apr 9, 2004, 01:24 PM

That and the small and clustered Mac user base (only Macs can pass it on) will probably be enough to stop such a virus from spreading quickly. Although... maybe not. We'll see soon enough.

The smaller user base would not slow down the propagation significantly.
The witty worm [1] had only a 12k target pop and managed to infect most of that in less than a single hour. By sending itself to random IPs no less.

A mail worm that needs user interaction is generally slower than those that exploite a remote vulnerability like witty did but if it were to send itself to all email adresses in a mac users adress book it would inevitably hit some other mac users just like windoze worms get addresses of other windoze users. Plus it simply could send itself to <random>@mac.com as well and get some guaranteed hits.

As in biology the spread of a computer virus that is transmitted through relationships of carriers is mostly a function of the "linked-ness" of the target population almost regardless of the relative size of vulnerable pop in the overall pop.

In other words: As long as the average mac user knows a few other mac users and the worm has a way (like random sending) to jump borders between (mostly) isolated groups it will spread fast even though we might only own ~5% of all computers.

[1] - http://www.caida.org/analysis/security/witty/

Doctor Q

Apr 9, 2004, 01:31 PM

Even if the Finder learns to give warnings, I've found that a lot of people will click OK in almost any dialog box, without reading it. If the Finder said "This is an unknown application from a suspicious source, disguised as a data file, with a misleading extension. OK to launch it?" they would click OK. Of course, if instead it said "This is an unknown application from a suspicious source, disguised as a data file, with a misleading extension. OK to not launch it?" they would also click OK.

msconvert

Apr 9, 2004, 01:34 PM

then you deserve it. don't pirate music and you don't have to worry. I have no sympathy for anyone getting bitten by this trojan.

This was just a proof of concept! It doesn't have to be a music file. It could be a jpg or a doc or a pdf. It was just written to show that it could be done. Thankfully, this trojan also was benign, but now that it is out, ANYONE can put in mallicious code. Yes, it takes human intervention, but that is what makes it a Trojan [horse]. (ever read greek mythology/history)

Take your crass attitude elsewhere. It isn't constructive.

msconvert

Apr 9, 2004, 01:41 PM

That's not entirely true.
The executable is actually in the ID3 tag of the mp3 as the file is both a valid mp3 and a valid carbon app.

The mallicious executable is not in the ID3 tag. It is all in the resource fork. Wired got it wrong and so did Intego. Look at the source and see for yourself. I don't have to prove it to you.

EDIT:

There is nothing corrupt about the header. This is the only strange part of the ID3 tag and it is in the comments is the following:

00000A0C 00000000 000055AC 00000000 00000187 00000000 00007E8A 00000000 0000016D 00000000

Not sure, but even if it is binary, it isn't an application. Again, the executable code is in the resource fork not the ID3 tag. Kill the resource fork and the you kill the trojan.

Fukui

Apr 9, 2004, 02:16 PM

So, I'm guessing this is because there are two conflicting ideas of what makes an executable and executable. The type/creator codes if set to an exacutable, and contain the right resources, are taken before a check to the file extention because classic Mac OS ignored exentions as just part of the name. So, if resource forks are removed, or type/creator codes ignored and only the extention recognized, then this type of trojan would be alot less possible?

Rower_CPU

Apr 9, 2004, 02:38 PM

A couple of links people might not have seen:
Apple responds to Trojan horse advisory (http://www.infoworld.com/article/04/04/09/HNintegowarns_1.html)
"We are aware of the potential issue identified by Intego and are working proactively to investigate it," said Apple in a statement given to MacCentral. "While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities."

Intego Q&A re: Mac OS X Trojan (http://www.intego.com/news/pr41.html)

msconvert

Apr 9, 2004, 02:38 PM

This is the only text that is inteligible in the resource fork of the the file in question:

virus.mp3 version 1.0Kvirus.mp3 version 1.0, Copyright
2004 by E. Cracker. All rights reserved.
\<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
<key>CFBundleIdentifier</key>
<string>mp3.virus</string>
<key>CFBundleName</key>
<string>virus.mp3</string>
<key>CFBundleGetInfoString</key>
<string>virus.mp3 version 1.0, Copyright
2004 by E. Cracker. All rights reserved.</string>
<key>CFBundleShortVersionString</key>
<string>virus.mp3 version 1.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleSignature</key>
<string>vMP3</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>LSPrefersCarbon</key>
<true/>
<key>CFBundleIconFile</key>
<string>128</string>
</dict>
</plist>

cl0r0x70

Apr 9, 2004, 02:46 PM

Executing any suspicious file on any OS, be it Windows/Mac/Linux/BSD, can be dangerous.

This has less to do with an actual threat, and more to do with simply being smart.

The dangers to be concerned about are those viruses that can attack your computer without user idiocy as part of their methods. This, on the other hand, is nothing to be concerned about.

MacVault

Apr 9, 2004, 03:01 PM

Is there anything Apple can do to fix this problem or would that break everything else in the system???

Fukui

Apr 9, 2004, 03:11 PM

Is there anything Apple can do to fix this problem or would that break everything else in the system???
Probably only carbon apps. They might have to ignore HFS Type Codes and just go with extentions, maybe they'll have to change all the carbon apps to have .app extentions or something... Maybe the finder could be changed not to open carbon applications if they have an extension...that might not break anything...only apple knows for sure I guess...

eSnow

Apr 9, 2004, 03:19 PM

The mallicious executable is not in the ID3 tag. It is all in the resource fork. Wired got it wrong and so did Intego. Look at the source and see for yourself. I don't have to prove it to you.

Actually you should, because you are utterly wrong. There is no executable code in the resource fork, it is in the data fork, embedded in an ID3-tag. Go back one page - I have disected the thing.

eSnow

Apr 9, 2004, 03:23 PM

Try setting the executable bits in OS 8.6 or something. So, if someone builds a carbon app it shouldn't run on X at all or what's your point? Besides, do you think the virus programmers would be too stupid to set the executable bit?

You can't because 8.6 has no Unix underpinnings and detects executables by a different mechanism. The point is that the x-bit is an important security mechanism in Unix and disregarding it is a bad thing[tm].
Apple needs to look at it's state before launching a CFM-application like it looks at it before launching a MachO-app (not that it would have prevented this specific trojan, but maybe the next).

eSnow

Apr 9, 2004, 03:34 PM

Lot's of things are "possible" and may be considered "entertaining" by those with time on their hands and a sense of mischief - the mind reels at what has been done of a more destructive nature with such mindsets. I hope that was a passing phase and you now do more productive things with your time. At least you understood the unethical nature of your action. Please keep your talents on the side of "right," and don't scratch that itch. :)

Oh absolutely - that little experience told me a lot about the interconnection of power and responsibility. Especially seing people desperate because their work kept vanishing made me sorry for them.

So, my ethical stance has evolved quite a bit since then - I have found other sources of feeling powerful than letting loose evil programs.
But I still cannot help admiring those who are able to think different and work around security measures (Hackers, Virus writers, phone phreaks, the "PlayFair"-writers...) to show who's the one with the higher skills :D

jettredmont

Apr 9, 2004, 03:42 PM

In the Finder, if one is using column view, it is identified as an Application instead of an MP3 File, and its icon is shown instead of a QuickTime-style playback bar for previewing the contents.

So, it's less damaging than even I thought.

This is no more malicious than any executable (be it an .app bundle or a single-file "Unix tool" app) being labeled ".mp3" except that it will "work" for those of use who open it through iTunes or drag onto iTunes instead of double-clicking to execute.

IMHO, if you're just blindly double-clicking on something you downloaded, no matter what you think it is, you are yourself a security risk to be dealt with. If OS X is properly identifying this as an application, then when you double-click the application is run ... well, that's not OS X's fault now is it?

Gee, some day maybe we'll get the alert that if someone drops an applescript file into your mail titled "Anna Kournikova Pics.jpg" we've got the first real live OS X JPG virus!

"Stupidity-borne" trojans are not platform-dependant at all. Stupid people are everywhere, and will always double-click things never understanding that since double-click means different things for different kinds of things they should really know what kind of thing they're double-clicking before doing it. Apple can't stop that particular bit any more than Microsoft can, which is why things like the aforementioned "Kournikova" "virus" of several years back doesn't really count as a ding against Microsoft.

msconvert

Apr 9, 2004, 03:50 PM

Actually you should, because you are utterly wrong. There is no executable code in the resource fork, it is in the data fork, embedded in an ID3-tag. Go back one page - I have disected the thing.

OK so you dissected it. then what is in the resource fork and why does it break when you 'cp virus.mp3 clean.mp3' (cp doesn't know what to do with the resource fork). This is how I made my deduction - maybe I am wrong. but the resource fork cannot contain just the icon. It is an integral part to the function of the Trojan.

If it is at all dependent on information contained in the ID3 tag, then this exploit cannot be potentially mutated as others suggested, no ID3 tag in the PDF spec or the JPG spec or ...

eSnow

Apr 9, 2004, 03:59 PM

OK so you dissected it. then what is in the resource fork and why does it break when you 'cp virus.mp3 clean.mp3'

The res-fork contains a 'cfrg' (short for configuration) resource that tells the system that one code chunk is contained in the data fork starting at offset 64 into the data and having a length of 3215 bytes. The system reads this information and then opens the data fork and executes the code there. If the description in the 'cfrf' resource is not available, the trojan cannot be launched.

If it is at all dependent on information contained in the ID3 tag, then this exploit cannot be potentially mutated as others suggested, no ID3 tag in the PDF spec or the JPG spec or ...
jpg might be fine, jpeg2000 is likely not. AAC and TIFF are likely also at risk, as is .mov. It is nothing special to .mp3, could happen with any file format that is structured and tagged.

msconvert

Apr 9, 2004, 04:30 PM

The res-fork contains a 'cfrg' (short for configuration) resource that tells the system that one code chunk is contained in the data fork starting at offset 64 into the data and having a length of 3215 bytes. The system reads this information and then opens the data fork and executes the code there. If the description in the 'cfrf' resource is not available, the trojan cannot be launched.

jpg might be fine, jpeg2000 is likely not. AAC and TIFF are likely also at risk, as is .mov. It is nothing special to .mp3, could happen with any file format that is structured and tagged.

So, This is my take. The MP3 spec allow users to add any kind of information to a file into 'containers' identified by the ID3 portion of the mp3. iTunes will parce the file looking for conatiners it knows (title, track, year, etc). They don't have to exist for iTunes to play the music track.

virus.mp3={
data-fork={ID3={title="Wild Laugh",rawcode={!@#$!@#$} album="iMovie",.....}musicdata={#######}}
res-fork={app. location={move over 31 characters in data-fork take next 8 characters}}
}

When iTunes see the file. It doesn't look at the res-fork at all. Looks in the ID3 tag to fill its own database, sees 'rawcode' and ignores its contents because it doesn't know what it means, finds music data and plays it.

When finder sees the file. It checks the res-fork. Sees the instructions for where the application binary is located in the datafork and runs that. Oblivious to ID3 and music data. (the code actually tells iTunes to open itself with the behavior explained prior) So, without the resource fork, the 'rawcode' ID is just fluff for every other mp3 app.

Do I get it now?

eSnow

Apr 9, 2004, 04:46 PM

Do I get it now?

Exactly. The neat part is in the interleaving between code and .mp3-data:

Normal mp3-file:
XXXXXX 11111111 22222222 YYYYYYYY....

infested file:

XXXXXX 1111111 VVVVVVVV 222222222 YYYYYYY....

(X: mp3-header, Y: mp3-data: 1 and 2: ID-Tags, V: viral code)

iTunes (and other mp3-players) start with the beginning of the mp3-header (XXXX), read it and the interesting ID-Tags and start playing the data (YYYY). Since the code is packaged as as ID-Tag, iTunes will not complain about a file format violation either.

The system is instructed by the 'cfrg'-Resource to jump right to the beginning of the V-chunk and execute the code it finds there, ignoring the rest of the mp3-File.

Really neat.

123

Apr 9, 2004, 05:27 PM

Even if the Finder learns to give warnings, I've found that a lot of people will click OK in almost any dialog box, without reading it. If the Finder said "This is an unknown application from a suspicious source, disguised as a data file, with a misleading extension. OK to launch it?" they would click OK.
Of course, but that's exactly why the whole thing here is a non-issue. You could just send the virus as an app with an app extension and everything, it's useless to build mp3 files because people would launch apps sent by someone they know just as quickly as an mp3 file that gives you a weird warning message.

123

Apr 9, 2004, 05:36 PM

You can't because 8.6 has no Unix underpinnings and detects executables by a different mechanism. The point is that the x-bit is an important security mechanism in Unix and disregarding it is a bad thing[tm].
Apple needs to look at it's state before launching a CFM-application like it looks at it before launching a MachO-app (not that it would have prevented this specific trojan, but maybe the next).

That really doesn't make any sense at all. a) it's trivial to set the unix and classic flags. b) If you want to be able to run carbon apps, you have to use the classic mechanism. c) The x-bit security mechanism is far from important when it comes to viruses.

msconvert

Apr 9, 2004, 05:40 PM

Exactly. The neat part is in the interleaving between code and .mp3-data:

[....]

Since the code is packaged as as ID-Tag, iTunes will not complain about a file format violation either.

The system is instructed by the 'cfrg'-Resource to jump right to the beginning of the V-chunk and execute the code it finds there, ignoring the rest of the mp3-File.

Really neat.

Exploiting the very feature that makes OSX so platform compatible/tolerant.

Slick.

Kalomir

Apr 9, 2004, 06:10 PM

If you wish to know, check macbidouille/ hardmac, as we're to publish an exclusive interview with Intego CEO... in no time in English... already (in French) on macbidouille.com

Bulgroz

Apr 9, 2004, 06:25 PM

You're right except that 'cfrg' is short for "code fragment" (resource type introduced with the CFM (Code Fragment Manager) with the first Power Mac to support Fat binaries (PPC and 68k in the same file))
All PPC applications have their code in the data fork. 68k applications had their code in the resource fork before CFM was introduced.

The res-fork contains a 'cfrg' (short for configuration) resource that tells the system that one code chunk is contained in the data fork starting at offset 64 into the data and having a length of 3215 bytes. The system reads this information and then opens the data fork and executes the code there. If the description in the 'cfrf' resource is not available, the trojan cannot be launched.

jpg might be fine, jpeg2000 is likely not. AAC and TIFF are likely also at risk, as is .mov. It is nothing special to .mp3, could happen with any file format that is structured and tagged.

space2go

Apr 9, 2004, 08:40 PM

Of course, but that's exactly why the whole thing here is a non-issue. You could just send the virus as an app with an app extension and everything, it's useless to build mp3 files because people would launch apps sent by someone they know just as quickly as an mp3 file that gives you a weird warning message.

It isn't a non-issue. Everybody knows / should know that unexpected Applications can be a threat. But data files, harmless, friendly, cute looking data files that only want to be opened? You must be paranoid!

Got the difference?

Oh and about that weird warning message. That's simply what this app does. It could just as easily mail random files to random people from the address book, send a copy of itself to everyone in said address book and then delete all your personal data. That is if you are logged in as a simple user..

On a side note every data format could be used this way. If it has no strange abuse-friendly headers it might simply look/sound like rubbish but who cares; broken files happen once in a while..
And even in such a case double-clicking could still result in a valid file of the appropriate type being opened thus keeping the cover intact.

jettredmont

Apr 9, 2004, 09:34 PM

I just looked into the thing and there is no code in ressource forks. The executable is in the data fork - only the custom item is stored in the resource fork.

I stand corrected.

However, as is fairly widely known now, the resource fork is required to trigger the code in the data fork. As I said, it is highly unlikely that you'll ever be able to get a resource-fork-equipped MP3 file on your Mac in the first place. Without the resource fork, the .mp3 is non-executable.

jettredmont

Apr 9, 2004, 09:49 PM

The blame lies squarely at Apple.
- iTunes should - under no circumstances - play anything that identifies itself as an applications. But it does and this is wrong, because it allows users to play this from the web, then store it and double click it one day. This would not be the case if it did not play in the first place.

True, but if iTunes is fixed (I agree it should be), what about all the other media players out there? This needs to be fixed by Apple, but this can't be the only fix.

- The Finder should mark each and every piece of software it would launch. Including AppleScripts, shell scripts, Carbon and Cocoa apps.

Hmmm. Yeah, I guess so. But then, I look at my files and I see all the Apps marked as such, all the scripts marked as such, etc. Although, only in column and list modes. Should Apple put something "around" the application icons in icon Finder mode? People got way too offended about how labels look ... and you don';t have to use those. How many cries of panic and disgust would Apple have to deal with if they introduced even a subtle effect to Application icons?

- The CFM-Launcher disregards the Unix executable bit (chmod -x and you still can launch it). I can't figure out why - exept for the notable disregard inside Apple of anything Carbon. Hell, the NeXTies are too lazy to even look after security-relevant problems.

Yeah, you shouldn't be able to launch a non-executable file. That's the whole reason for that flag (so you can keep "others" from executing apps without copying them elsewhere). But, on the other hand, one would expect that any mechanism for getting a resource-forked file onto your Mac would also be generally capable of chmod 755 on it. A valid complaint, but really off the topic here.

Outlook:
the same trick could be employed with every "chunky" file format. TIFF comes to mind, as well as QuickTime (we all never double click QuickTime .movs, right?), and... AAC. Apple better move fast to do something about it.

Problem is, this isn't an Apple-only problem, except the "user might keep the file around thinking it's a valid MP3/MOV" angle.

123

Apr 9, 2004, 09:50 PM

It isn't a non-issue. Everybody knows / should know that unexpected Applications can be a threat. But data files, harmless, friendly, cute looking data files that only want to be opened? You must be paranoid!

Got the difference?
No. There isn't any.

1) Every carbon app can be made to look "harmless, friendly, cute" in Mail.app. Neither you nor Mail.app can tell the difference, the added "benefit" of the ID3 technique is minimal at best. In fact, if you want to write a virus that spreads quickly, it doesn't make a difference at all. It's therefore a non-issue.

2) Everybody knows/should know that you should read warning messages, think and act accordingly. You always get the same warning message, no matter how hard you try to camouflage the app/virus.

Oh and about that weird warning message. That's simply what this app does.

Misunderstanding, this is the message I'm talking about:

The attachment "LOL.mp3" is an application. Since applications can contain viruses or be harmful to your computer, be sure this attachment is from a trustworthy sender before saving or opening it.

Would you say it is reasonable to proceed if you get that message when you try to listen to an mp3 file that has been sent to you? My suggestion to Apple: change the trustworthy sender part, pretending to be from a friend is exactly what those viruses do. Probably more important than the whole trojan news story that has been blown out of proportion.

And even in such a case double-clicking could still result in a valid file of the appropriate type being opened thus keeping the cover intact.
You mean keeping the cover intact after deleting all personal data? :p
I'm not convinced, the only new plausible strategy that the ID3 technique makes possible is stealth infection and distribution at glacial speed. And even if you manage to distribute some files like that (by user sent email), many infected computers aren't really "armed", the virus just sleeps in some files on some computers and can't be triggered. The whole exercise would be highly ineffective and extremely boring for the virus programmer -> proof of concept, nice, but essentially a non-issue.

space2go

Apr 10, 2004, 07:53 AM

The attachment "LOL.mp3" is an application. Since applications can contain viruses or be harmful to your computer, be sure this attachment is from a trustworthy sender before saving or opening it.

Would you say it is reasonable to proceed if you get that message when you try to listen to an mp3 file that has been sent to you?

Simply put the thing in a .sit.

The whole exercise would be highly ineffective and extremely boring for the virus programmer -> proof of concept, nice, but essentially a non-issue.

Have you ever looked at worms that spread in the windoze world?

Having the user open a password "protected" zip file with the supplied password by hand, navigating the resulting folder structure and then actually starting the damn thing (by hand again) is an example for the kind of help a worm may expect to get.
<sarcasm>
Of course you probably could get the same result with a mail like this:

Dear Sir/Madam I'm a virus.
Please forward me to every person in your adress book and join the spammer volunteers mailing list [1].
Thank you for your cooperation and have a nice day.
Yours sincerly, Joe Evildoer.
p.s. The person that forwarded me to you is an idiot.
[1] - subscription info

</sacrcasm>
Hoping for the receiver to save a sit to disk and then trying to open the automatically extracted content by simply double-clicking it is a far more valid strategy than the above.

Jerry Fritschle

Apr 10, 2004, 11:01 AM

bah, has anyone used of opened this offending file?

Personally sudo has never settled right with me. Apple should rid the system of the command and only allow root access by logging in as root. Sure it'd be time consuming to delete an undeletable file, but it'd be worth it for the security.

Actually, it's more of a security risk for your system to be set up to allow root logins, which Apple disables by default. Sudo allows root (or "super user") privileges on an 'as-needed' basis. Other linux and unix-like systems offer this, too.

123

Apr 10, 2004, 12:50 PM

Actually, it's more of a security risk for your system to be set up to allow root logins, which Apple disables by default. Sudo allows root (or "super user") privileges on an 'as-needed' basis. Other linux and unix-like systems offer this, too.

Since sudo is equivalent to root logins (sudo bash), it is actually quite a risk. For example, OS X doesn't ship with a secure FTP server and I'm sure many users just send their password in plaintext when they connect to their computer from a remote location (I do, for example) or when they access their email (for which they often use the same password). Having a root account solves those problems because you never have to ftp as root or read emails as root. Even if you are ssh-ing into your account it's better because people don't know when you enter the root password, sometimes you do it after 10 minutes, sometimes you don't do it at all, whereas they always know that the first thing you enter when you open a connection is the sudo password and it's easy to figure it out after watching you a couple of times. You can also put it this way: Administrator users in OS X constantly use "a" root password and this is certainly not secure.

In order to get both types of security (against others and against yourself), you'd probably have to set up an admin account which you only use to sudo and remove yourself from the sudoers file.

stcanard

Apr 11, 2004, 01:36 PM

For the reasons why sudo is more secure see my earlier post.

Since sudo is equivalent to root logins (sudo bash), it is actually quite a risk. For example, OS X doesn't ship with a secure FTP server and I'm sure many users just send their password in plaintext when they connect to their computer from a remote location (I do, for example)

Surely you're not that silly. You've got to be making this up to make a point. If you would prefer to set about setting up an insecure telnet or ftp server on your mac, rather than just checking the "Remote Login" box under sharing and using the incredibly secure ssh/scp/sftp (for which there are free clients for every platform), then, well, honestly I am at a loss for words.

or when they access their email (for which they often use the same password). Having a root account solves those problems because you never have to ftp as root or read emails as root.

If the person is security challenged enought that they are logging in via plaintext, and using the same password for their login account and email, do you really think they will use a different password for root?

It's a false security -- it gives no security benefit, but adds an extra difficutly for the novice users. For the advanced user, if you really do believe it is safer nobody is stopping you from disabling sudo access and enabling root.

Even if you are ssh-ing into your account it's better because people don't know when you enter the root password, sometimes you do it after 10 minutes, sometimes you don't do it at all, whereas they always know that the first thing you enter when you open a connection is the sudo password and it's easy to figure it out after watching you a couple of times.

If the person is so dedicated to trying to crack your box that they are sniffing the network trying to steal a password, 99% of the computer world has lost already through inexperience. I would put to you that this is a very unusual situation.

There's a continuum to watch -- the more secure a system, the more inconvenient it is, and so the less likely people are to use it. A balance needs to be struck and this is what Apple has done.

123

Apr 11, 2004, 05:53 PM

Surely you're not that silly. You've got to be making this up to make a point.

I'm not making this up, don't know why I should. There's no sensitive data on that computer and I'm educated well enough to know the risks.

If you would prefer to set about setting up an insecure telnet or ftp server on your mac, rather than just checking the "Remote Login" box under sharing and using the incredibly secure ssh/scp/sftp (for which there are free clients for every platform), then, well, honestly I am at a loss for words.
1) Many people do this. It's not widely known how sftp works, so they just check the FTP box. "loss for words"... get real.
2) There are only sucky clients on the platform unless you want to spend some money.
3) Also, sftp is a laughable concept. Now, if there was an auth-tls ssl FTP server bundled with OS X and free and good clients were available I could understand your reaction.

If the person is security challenged enought that they are logging in via plaintext, and using the same password for their login account and email, do you really think they will use a different password for root?

It seems you have no idea. People even use the same password on ebay and other web services, often transmitted in plaintext too. As for your question, you can enforce different passwords. Also, you can tell those people that it is extremely important that they don't use this password for anything else (play some sounds, flash the screen etc. when they enter the root pw, things people know from movies).

It's a false security -- it gives no security benefit
Of course it does, you don't log in with a root password (by which I mean a password that allows root login).

, but adds an extra difficutly for the novice users.
Why? It adds just enough difficulty to provide real security.

For the advanced user, if you really do believe it is safer nobody is stopping you from disabling sudo access and enabling root.
I'm not talking about the really advanced users. I'm talking about novices and about lazy people and about people like you who think logging in using a root password is good (even if they use ssh).

If the person is so dedicated to trying to crack your box that they are sniffing the network trying to steal a password, 99% of the computer world has lost already through inexperience. I would put to you that this is a very unusual situation.
Sniffing the connection is unusual? The tools are so easy to use, the average comp mag buyer has used them several times.

There's a continuum to watch -- the more secure a system, the more inconvenient it is, and so the less likely people are to use it. A balance needs to be struck and this is what Apple has done.
Yes, Apple has done something like that. But that doesn't mean sudo is better than a separate root login security-wise, which is the contention here, because it clearly is not.

As for sudo being more secure because you have to think about what you're doing... personally, I think this idea is completely overrated. How many times have you been saved by sudo? In my experience, I mostly run into those errors because I just forgot to enter sudo, not because I do something that normally wouldn't require root privilegies but now does in this very special case I haven't thought about (like being in the wrong directory and typing rm -rf *). So, the normal reaction to the error is: cursor_up ctl-a sudo enter. And a wrong sudo call ****s up the system just as bad.

So, again, in my opinion sudo should be disabled (at least for login users) and to give the novice and others an additional level of security, rm could be overriden to move files to the trash or a different directory which is cleared once every hour or so (I and many others are currently doing this anyway).