Apple Response to Trojan Warning


MacRumors
Apr 9, 2004, 01:58 PM
MacCentral posts (http://maccentral.macworld.com/news/2004/04/09/appletrojan/index.php?redirect=1081507541000) Apple's response to yesterday's Trojan warning from Intego.

According to the statement, Apple is investigating the issue:

We are aware of the potential issue identified by Intego and are working proactively to investigate it

JrbM689
Apr 9, 2004, 02:01 PM
I hope Apple starts collaborating with the Open Source community to fight trojans and viruses... If they don't, we could be almost as bad off as Windows users.

JohnGillilan
Apr 9, 2004, 02:02 PM
Mac OS X Security Update 2004-04-10 . . .

Wait for it . . . Wait for it . . . . . Wait for it . . .

evolu
Apr 9, 2004, 02:04 PM
apple is rad.

wPod
Apr 9, 2004, 02:05 PM
i am not too worried, apple will get it fixed in time. i always feel safe knowing that hackers are more likely to attack 95% of computers instead of 3%. . . though the first person to do it would probably get pretty high recognition. . . not good recognition though. but mac users are also smarter and more careful than M$ users. . . right?!

Darwin
Apr 9, 2004, 02:06 PM
Glad Apple is on the case

This should encourage us that Apple does take these things seriously :)

jxyama
Apr 9, 2004, 02:06 PM
patch should be easy in theory. apple just has to make finder behave consistently - if it displays a file as one type, it should act on it as that type when double-clicked. (this used to not be a problem when finder didn't depend on extensions to figure out which file type icon to display.)

JohnGillilan
Apr 9, 2004, 02:07 PM
Wait a second . . . maybe it's just me, but does it seem weird that Apple would give a statement to MacCentral???? That seems odd. Wouldn't it be on their website in the support section or in a press release? Could this "statement" have been made up??

ultimind
Apr 9, 2004, 02:21 PM
At least Apple, unlike Microsoft, issues regular security updates to its operating system. Microsoft would have to issue security updates multiple times in a 24 hour period to keep up though. I'm betting Apple will put out a security update to deal with this...

Rower_CPU
Apr 9, 2004, 02:25 PM
Wait a second . . . maybe it's just me, but does it seem weird that Apple would give a statement to MacCentral???? That seems odd. Wouldn't it be on their website in the support section or in a press release? Could this "statement" have been made up??

It's a general press release. The same statement can be found on other sites:
http://www.infoworld.com/article/04/04/09/HNintegowarns_1.html

Photorun
Apr 9, 2004, 02:25 PM
Maybe it's just me but what's the friggin' big deal here? No really?! I mean, a file that's executable on ANY computer system, be that a peecee craptacularbox or a Mac running OS X, OS 9, or hell, even Linux that is launched by a dummy without thought to where it came from can be launched and harm caused. Why is this a big deal at all? I'm lost? And OS X is still one of the most solid systems but any system, if someone launches something to attack it FROM it, I mean, so what? That's been the way I think all the way back to Basic and DOS. Go back, there's nothing to see here or better yet, just don't believe the hype!

msconvert
Apr 9, 2004, 02:27 PM
At least Apple, unlike Microsoft, issues regular security updates to its operating system. Microsoft would have to issue security updates multiple times in a 24 hour period to keep up though. I'm betting Apple will put out a security update to deal with this...

But I don't want Apple just coming out with a quick M$ kludge of a fix. Right now we have to be on edge, not paranoid. My real fear is that this is the way Finder and iTunes are intended to work for compatibility of Mac OS and PC files. I suspect that it will be a significant change when it comes. I just want it done right.

animefan_1
Apr 9, 2004, 02:28 PM
Wait a second . . . maybe it's just me, but does it seem weird that Apple would give a statement to MacCentral???? That seems odd. Wouldn't it be on their website in the support section or in a press release? Could this "statement" have been made up??

No. Apple has given MacCentral (MacWorld's news arm) statements plenty of times before, while NOT posting the same info on their own website.

Besides, isn't it against the law to say someone said something, even though they didn't?

Rincewind42
Apr 9, 2004, 02:31 PM
Mac OS X Security Update 2004-04-10 . . .

Wait for it . . . Wait for it . . . . . Wait for it . . .

Don't bet on it.

patch should be easy in theory. apple just has to make finder behave consistently - if it displays a file as one type, it should act on it as that type when double-clicked. (this used to not be a problem when finder didn't depend on extensions to figure out which file type icon to display.)

The Finder is behaving consistently. The icon doesn't come from the Finder, but from the application itself. The application itself launches iTunes to play itself as if it were an mp3, so it looks flawless. This really isn't something that can be blanket fixed because there may be legitimate applications that do some of the same things. The proof-of-concept trojan is only given away by the fact that the Finder blatantly says the file is an application (or classic application if you strip the resource fork).

Fortunately this trojan is also extremely fragile, if the resource fork isn't preserved, the application can't even launch. They could try to do it with a standard bundled application, but they would also have to compress/encode it to send it to anyone, and couldn't use the normally invisible .app extension (because two extensions are always shown by OS X).

jxyama
Apr 9, 2004, 02:33 PM
Maybe it's just me but what's the friggin' big deal here? No really?! I mean, a file that's executable on ANY computer system, be that a peecee craptacularbox or a Mac running OS X, OS 9, or hell, even Linux that is launched by a dummy without thought to where it came from can be launched and harm caused. Why is this a big deal at all? I'm lost? And OS X is still one of the most solid systems but any system, if someone launches something to attack it FROM it, I mean, so what? That's been the way I think all the way back to Basic and DOS. Go back, there's nothing to see here or better yet, just don't believe the hype!

what you are saying is mostly true, but this is newsworthy just for the fact it's a confirmed vulnerability in OS X/Finder that can be exploited by a trojan. it may seem like hype to you, but it is definitely newsworthy.

being in the news doesn't make OS X any less "solid" and not being in the news doesn't make this problem go away.

3-22
Apr 9, 2004, 02:46 PM
At least Apple, unlike Microsoft, issues regular security updates to its operating system. Microsoft would have to issue security updates multiple times in a 24 hour period to keep up though. I'm betting Apple will put out a security update to deal with this...

Microsoft issues both regular security updates and out-of-cycle updates. What are you talking about?

True, it's not nearly fast enough for the amount of attacks. Not that admins could easily deploy to thousands of PCs any faster in a company.

MongoTheGeek
Apr 9, 2004, 02:47 PM
From the sound of these comments it seems that the trojan only affects machines that run 10 and have classic available?

That means that once classic goes away this won't be a threat?

Since classic is no longer a standard install this is a much smaller threat than it seems?

Foocha
Apr 9, 2004, 02:49 PM
Maybe it's just me but what's the friggin' big deal here? No really?! I mean, a file that's executable on ANY computer system, be that a peecee craptacularbox or a Mac running OS X, OS 9, or hell, even Linux that is launched by a dummy without thought to where it came from can be launched and harm caused. Why is this a big deal at all? I'm lost? And OS X is still one of the most solid systems but any system, if someone launches something to attack it FROM it, I mean, so what? That's been the way I think all the way back to Basic and DOS. Go back, there's nothing to see here or better yet, just don't believe the hype!
I think the issue is that the Finder misrepresents the file as an MP3 when in fact it's an executable. The problem arises from Mac OS X's halfway-house between OS 9 style File Type & Creator Codes and OS X style document extensions.

With Windows and Linux it's clearer what is executable and what's not. Since OS X has to provide backwards compatibility to OS 9, this one may be tricky for Apple to solve.

peterjhill
Apr 9, 2004, 02:53 PM
Did you all see this from the article:
Late Thursday night, Symantec Corp. said they were also aware of the Trojan, but noted that the virus has not been found in the "wild."

musicpyrite
Apr 9, 2004, 02:58 PM
MacCentral posts (http://maccentral.macworld.com/news/2004/04/09/appletrojan/index.php?redirect=1081507541000) Apple's response to yesterday's Trojan warning from Intego.

According to the statement, Apple is investigating the issue:


At least Apple is willing to accept the fact that there could be a trojan and is going to try to investigate, unlike M$, who just deny it or give excuses.....

applekid
Apr 9, 2004, 03:06 PM
Did you all see this from the article: Late Thursday night, Symantec Corp. said they were also aware of the Trojan, but noted that the virus has not been found in the "wild."

Exactly what I was about to mention. It really isn't a big deal, but since the problem basically is a security hole in iTunes (that didn't exist in iTunes 3 according to the last message in this Google thread. (http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6) ) that seems very fixable.

0 and A ai
Apr 9, 2004, 03:13 PM
They have yet to say if anything malicious can come of this PROOF OF CONCEPT TROJAN.

And as Symantec said, it's not out in the wild.

If it's bad, Apple will fix it. If it's nothing, then Intego has got problems coming their way.

Jookbox
Apr 9, 2004, 03:21 PM
ahh, so that's what the security update was for. that was quick and easy.

cait-sith
Apr 9, 2004, 03:33 PM
remember that macos is unix, and unix has trojans.

there's lots of trojans for unix that exploit the fact that you may have "." in your path, so put a file called "ls" in your path that does some nasty stuff then runs the real "ls" command, plunk it in the home dir of some user, and whoosh. if it happens to root, you're screwed. but unix admins know that trick all too well and it's a known fact NEVER to put . in your path.

the problem here, is that many apple users have no experience with unix (most mac users i know were stunned to see me open up 'terminal', they had no idea what it was). so a lot of the old unix tricks might pop up. rm -rf anyone?

this says nothing about macos really, it's just the nature of computers and operating systems, as well as people having accounts that allow administrator access. one unix rule is don't log in as root unless you have to.

i can imagine mac people cringing thinking 'this is the end', but unix variants have faced this stuff for over 30 years and they're still considered rock solid and low risk.
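The PATH trick described in the post above, as an added example that is not part of the thread: a small audit that flags the PATH entries which make a planted "ls" win the lookup ('.', an empty entry, which POSIX shells also treat as the current directory, and any relative path), plus a simulation of the shell's left-to-right search so the shadowing is visible. The PATH strings and the directory listing are constructed for the demo; nothing touches the real filesystem.

```python
# Added example, not from the thread: audit a Unix PATH for entries that let a
# file planted in the current directory shadow a real command, and simulate
# the shell's left-to-right lookup to show which "ls" would actually run.
# The PATH strings and the directory contents below are constructed.
from typing import Dict, List, Optional, Set, Tuple


def risky_path_entries(path_value: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for PATH entries that are resolved
    relative to the caller's current directory: '.', an empty entry (a
    leading, trailing or doubled ':' in PATH), and any other relative path."""
    findings = []
    for entry in path_value.split(":"):
        if entry == "" or entry == ".":
            findings.append((entry or "<empty>", "resolves to the current directory"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative path, resolved against the current directory"))
    return findings


def resolve_command(command: str, path_value: str,
                    contents: Dict[str, Set[str]], cwd: str) -> Optional[str]:
    """Simulate the shell's PATH search: the first directory, left to right,
    that contains `command` wins. `contents` maps an absolute directory to the
    file names in it; '.' and '' are resolved against `cwd`."""
    for entry in path_value.split(":"):
        directory = cwd if entry in ("", ".") else entry
        if not directory.startswith("/"):
            directory = cwd.rstrip("/") + "/" + directory
        if command in contents.get(directory, set()):
            return directory.rstrip("/") + "/" + command
    return None


# Constructed sample filesystem: the user's home directory holds a file named
# "ls" next to the real one in /bin.
SAMPLE_FS = {
    "/bin": {"ls", "cat"},
    "/usr/bin": {"vi"},
    "/home/alice": {"ls", "notes.txt"},
}


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Which "ls" runs from /home/alice with and without '.' in PATH."""
    planted = resolve_command("ls", ".:/usr/bin:/bin", SAMPLE_FS, "/home/alice")
    safe = resolve_command("ls", "/usr/bin:/bin", SAMPLE_FS, "/home/alice")
    return planted, safe


if __name__ == "__main__":
    for entry, reason in risky_path_entries(".:/usr/bin:/bin:"):
        print(f"risky PATH entry {entry!r}: {reason}")
    with_dot, without_dot = demo()
    print("with '.' first in PATH:", with_dot)   # /home/alice/ls
    print("without '.':          ", without_dot) # /bin/ls
```

Putting '.' last instead of first only narrows the window: a mistyped command that exists nowhere else still falls through to the current directory, which is why the usual advice is to leave it out entirely and type `./program` when a local file is meant.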

killmoms
Apr 9, 2004, 03:33 PM
patch should be easy in theory. apple just has to make finder behave consistently - if it displays a file as one type, it should act on it as that type when double-clicked. (this used to not be a problem when finder didn't depend on extensions to figure out which file type icon to display.)

OS X still has a filetyping scheme that is less than stellar; I hate that the Creator App is still the default behavior in OS X. BeOS stands as having both the best filesystem and filetyping setup that I've seen yet. I'm hoping Apple rips it off for 10.4 or 10.5.

Basically, BeOS would use MIME types to identify files, for instance if they were downloaded from the web. If there was no MIME type already defined, it would look at extension and associate it that way. If there was no extension, it would actually read the first bit of the file and see if that would allow it to determine what type of file it was looking at.

If Apple would do that, with the "Created by" field in there someplace in the hierarchy, maybe even make the hierarchy user-definable, I'd be in heaven.

Well, once that was married to a new version of HFS w/ always-on indexing, extensible (and indexed!) meta-data, and real-time queries of an incredibly configurable nature. 10.3 is a step in the right direction, but there's some underlying devices that need to appear first.

--Cless

Photorun
Apr 9, 2004, 03:46 PM
The update to this story posted basically backs what I said... don't believe the hype. Move along, nothing to see here.

HexMonkey
Apr 9, 2004, 03:47 PM
From the sound of these comments it seems that the trojan only affects machines that run 10 and have classic available?

That means that once classic goes away this won't be a threat?

Since classic is no longer a standard install this is a much smaller threat than it seems?

No, the application is Carbon, meaning it runs on both Mac OS X and Mac OS 9, as opposed to Classic, which runs on Mac OS 9 and is emulated on Mac OS X. I'm not sure if it's actually written to run properly on Mac OS 9, but it was written as Carbon so that it could use a resource fork. Having Classic installed has nothing to do with it.

wnurse
Apr 9, 2004, 03:50 PM
Exactly what I was about to mention. It really isn't a big deal, but since the problem basically is a security hole in iTunes (that didn't exist in iTunes 3 according to the last message in this Google thread. (http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6) ) that seems very fixable.

This is not a security problem with iTunes. I'm as avid a Mac user as any, but people seem personally offended if a vulnerability of Mac OS is revealed. This is a vulnerability of the OS itself. It is also different from just mislabelling a file or changing the extension of a file as some users are suggesting. Don't believe me? Change the extension of some Windows exe to mp3 and then try to open it in Windows Media and see what happens. It does not play. This hack is clever because not only is the extension mp3, but it really is an mp3 to iTunes and also an application to the OS. Think of this as a file existing in two states simultaneously. Is it a big deal? Maybe not, but half of the Windows trojans are no big deal, yet Mac users are quick to pounce on Microsoft at the smallest vulnerability. Mac users' skepticism is further compounded if Microsoft then says that the vulnerability is no big deal. Hey, the shoe is on our foot. It does us no good to bury our heads in the sand.

byamabe
Apr 9, 2004, 03:53 PM
If I write an application (*.app or *.exe) that deletes your files, then I make the icon look like an MS Word file, is that a Trojan horse?

wnurse
Apr 9, 2004, 04:02 PM
If I write an application (*.app or *.exe) that deletes your files, then I make the icon look like an MS Word file, is that a Trojan horse?

So what if it is? There are many ways to write a trojan. What is your question proving? Your scenario is not similar to what is happening with this particular trojan. Would you then be able to go into Word and open your file as a Word file? Obviously not!! What is clever about this hack is not only that the file appears to be mp3, but it can actually be played in iTunes and behaves as an mp3. I'd like to see an exe file behave as a Word file. Behaviour is more than just having an icon.

byamabe
Apr 9, 2004, 04:06 PM
Behaviour is more than just having an icon.
Yes, the behavior of having your files wiped is the more important issue. Whether the trojan horse actually opens Word is irrelevant. I got you to click the app and wipe your files. Are you still concerned that Word didn't open? Maybe you'll double click to try to open it again :)

wnurse
Apr 9, 2004, 04:24 PM
Yes, the behavior of having your files wiped is the more important issue. Whether the trojan horse actually opens Word is irrelevant. I got you to click the app and wipe your files. Are you still concerned that Word didn't open? Maybe you'll double click to try to open it again :)

Of course it is, who is arguing that? I thought we were arguing the uniqueness of the trojan approach. Strange, for years Mac users boasted about not having trojans or viruses and now we are told this is old news and really not a clever hack? Huh? Maybe I should just go back to Windows then. I mean, what's the point, why put up with a platform with fewer applications and higher hardware cost if it too can be just as easily affected as a Windows machine? The Mac is cool but so what? Money is cooler. If I can buy a machine for less money, I'd definitely feel a lot cooler than the other guy spending more cash to get a Mac and having less money.

neverfade
Apr 9, 2004, 04:34 PM
Of course it is, who is arguing that? I thought we were arguing the uniqueness of the trojan approach. Strange, for years Mac users boasted about not having trojans or viruses and now we are told this is old news and really not a clever hack? Huh? Maybe I should just go back to Windows then. I mean, what's the point, why put up with a platform with fewer applications and higher hardware cost if it too can be just as easily affected as a Windows machine? The Mac is cool but so what? Money is cooler. If I can buy a machine for less money, I'd definitely feel a lot cooler than the other guy spending more cash to get a Mac and having less money.

Go back to Windows then... Is anyone stopping you? You actually tried to make that read as if the 'Mac Crowd' would give a flying **** what platform you choose.

People like windows, people like OSX. Take your pick. Who ****in' cares what you do...

Rincewind42
Apr 9, 2004, 05:23 PM
I think the issue is that the Finder misrepresents the file as an MP3 when in fact it's an executable. The problem arises from Mac OS X's halfway-house between OS 9 style File Type & Creator Codes and OS X style document extensions.

With Windows and Linux it's clearer what is executable and what's not. Since OS X has to provide backwards compatibility to OS 9, this one may be tricky for Apple to solve.

The Finder is NOT misrepresenting the file. Not one bit. The file is misrepresenting itself. This is only possible because Mac OS X allows applications that are built as a single file (Carbon/CFM or Classic/CFM with resource fork). A similar exploit is possible on Windows (although a Windows mp3 player may be less willing to play the file).

The only reason why this application even passes the 'double-click' test is because the icon looks like that of an iTunes MP3 file. You can just as easily create a Word document, a PDF file, or a shell script that looks like an MP3 file by just copying and pasting in the Finder in under a minute. The only difference is that it won't be recognized as an MP3 by iTunes (which the Trojan is only because of a little CFM hackery). And just like this trojan if you transfer it in a method that doesn't preserve the resource fork it is neutered. Given that most users have extensions hidden (because that is the default in the Finder) most users wouldn't be able to tell the difference between any kind of document if the icon looks like an mp3.

So really, this isn't an issue of the Finder; the Finder does its job exactly as it should (it displays the icon the application says to use, and identifies the file as an application).

This is a vulnerability of the OS itself. It is also different from just mislabelling a file or changing the extension of a file as some users are suggesting. Don't believe me? Change the extension of some Windows exe to mp3 and then try to open it in Windows Media and see what happens. It does not play. This hack is clever because not only is the extension mp3, but it really is an mp3 to iTunes and also an application to the OS. Think of this as a file existing in two states simultaneously. Is it a big deal? Maybe not, but half of the Windows trojans are no big deal, yet Mac users are quick to pounce on Microsoft at the smallest vulnerability. Mac users' skepticism is further compounded if Microsoft then says that the vulnerability is no big deal. Hey, the shoe is on our foot. It does us no good to bury our heads in the sand.

There is no vulnerability here. At least, not one that is generally plausible. And remember that in Windows the default is to hide extensions also. Create a Windows executable with a Winamp MP3 icon on it and you'll get any number of users to double click on it hoping to listen to the latest Top 10 hit. And bang, you're dead. The difference here is that on Mac OS X it's a heck of a lot easier to get an application that is actually recognized as an mp3 by iTunes (because of a feature of the CFM format). That particular quirk is the only thing that actually makes this trojan interesting, because by the time that happens the user has already double-clicked the file and the trojan writer has won. The fact that the user gets to listen to their favorite song while their computer is getting owned is just a nifty side effect.

byamabe
Apr 9, 2004, 05:28 PM
Of course it is, who is arguing that? I thought we were arguing the uniqueness of the trojan approach. Strange, for years Mac users boasted about not having trojans or viruses and now we are told this is old news and really not a clever hack? Huh? Maybe I should just go back to Windows then. I mean, what's the point, why put up with a platform with fewer applications and higher hardware cost if it too can be just as easily affected as a Windows machine? The Mac is cool but so what? Money is cooler. If I can buy a machine for less money, I'd definitely feel a lot cooler than the other guy spending more cash to get a Mac and having less money.
Sure, that you can drop an application into an MP3 player and it plays is a neat trick. You seem to be mixing the notions of security and abuse. I don't know of a platform that can prevent someone from writing an application that can do something abusive like wipe your files, start a DOS attack, or go to your password directory and start sending them out unless that platform is severely restricted in functionality (Java applets). However, some platforms are more resistant (not impervious) to things like buffer overrun/underrun.

I really don't understand your reasoning regarding viruses and the cost of the Mac. I assume you bought your machine to get some task done as efficiently as possible (time is money). Viruses are an impediment to that efficiency, so are crashes, driver conflicts, overall system performance and integration, etc. If you find that you can get your task done more efficiently on a Windows box then you probably should have bought one.

crees!
Apr 9, 2004, 05:41 PM
Don't you just love all our instant security experts here :D

Anyways, from Wired news: The program exploits a vulnerability that goes back to the original Mac operating system...The vulnerability was exploited several times by Trojans authored for previous versions of the Mac OS.

Sounds like old news to me and that it's not that big of a deal if it hasn't already been taken care of years later after knowing about it.

The program can't be spread by e-mail or through a file-sharing network unless it is compressed using software like Aladdin's Stuffit. Failing to compress the MP3 file before sending it renders the software inoperative.

coolfactor
Apr 9, 2004, 05:57 PM
patch should be easy in theory. apple just has to make finder behave consistently - if it displays a file as one type, it should act on it as that type when double-clicked. (this used to not be a problem when finder didn't depend on extensions to figure out which file type icon to display.)

Somebody has probably corrected you on this already. The file in question is identified as an "application" by the Finder, even though it doesn't look like one. It's that visual deception that is at issue.

Snowy_River
Apr 9, 2004, 06:10 PM
Just as a thought for how Apple could consider providing a level of protection against this kind of thing. You know how alias icons have that little arrow? Well, what if Apple implemented a small symbol that would superimpose itself on top of the icon of a file to indicate whether it was an application file or a document file?

Just a thought.

sushi
Apr 9, 2004, 06:39 PM
Whether the trojan horse actually opens word is irrelevant.
Negative!

This is the worst type. The ones that affect your system without the user knowing.

If I double click on an icon and it does what it is supposed to do, such as play an mp3 song, then the user has no idea that his/her system has just been infected. That is the worry here.

Sushi

Fat Tony
Apr 9, 2004, 06:40 PM
And here we go... :rolleyes: Fresh off of CNN's homepage:

http://www.cnn.com/2004/TECH/internet/04/09/apple.trojan/index.html

Rincewind42
Apr 9, 2004, 07:21 PM
If I double click on an icon and it does what it is supposed to do, such as play an mp3 song, then the user has no idea that his/her system has just been infected. That is the worry here.

If the user has double clicked the file, then it is too late, they have been owned. The trojan can do whatever damage it is going to do in the few seconds it takes for the user to realize that the file they just double clicked does nothing and they have tossed it into the trash. The damage is done.

Again, the only thing that is particularly interesting about this is the fact that it has the novelty of also being a valid MP3 file. The application delivered its payload long before the music started playing.

sushi
Apr 9, 2004, 07:39 PM
If the user has double clicked the file, then it is too late, they have been owned. The trojan can do whatever damage it is going to do in the few seconds it takes for the user to realize that the file they just double clicked does nothing and they have tossed it into the trash. The damage is done.

Again, the only thing that is particularly interesting about this is the fact that it has the novelty of also being a valid MP3 file. The application delivered its payload long before the music started playing.
Yes, once you double click it is too late.

However, being owned has nothing to do with what I am talking about.

Sorry that I cannot go into more detail here...

Sushi

AppleJustWorks
Apr 9, 2004, 08:25 PM
I was just on Norton's site and they seem to have all the info and know about mp3concept, but on McAfee Virex's site they don't have anything on it....Are they not as good as Norton? :confused:

Does this mean that Virex at the current time does not cover the trojan and Norton does, or did they just not list anything (seems kinda strange tho)

QCassidy352
Apr 9, 2004, 09:26 PM
And here we go... :rolleyes: Fresh off of CNN's homepage:

http://www.cnn.com/2004/TECH/internet/04/09/apple.trojan/index.html

I was just about to post this. That's awful. Now people who don't know any better will think that there is actually a harmful virus out there that attacks macs.

Les Kern
Apr 9, 2004, 09:49 PM
....unlike M$, they just deny it or give excuses.....

I think that's a bit over the top... okay, wrong. They don't deny anything or they wouldn't have a daily patch. And they have only given excuses when the patch fails. They're on the threats as they are reported, and respond quite well, I might add. They just hope their users DO the patch, which they don't, which ruins their life or at least a weekend of it.
Bottom line is you can hate MS (which I do as well), but use just the facts. There's enough of those for everyone.

Les Kern
Apr 9, 2004, 09:52 PM
I was just about to post this. That's awful. Now people who don't know any better will think that there is actually a harmful virus out there that attacks macs.

You bet. After YEARS of trying to tell folks not to worry, I STILL get letters from my users asking about the latest threats, which they are immune to. I was forced (actually my own choice) to purchase Kerio Mailserver with the McAfee scanner and spam control. If you're not familiar with it, go to their site. Looks like a splendid solution. KERIO SITE (http://www.kerio.com)

Apple Hobo
Apr 9, 2004, 10:11 PM
And here we go... :rolleyes: Fresh off of CNN's homepage:

http://www.cnn.com/2004/TECH/internet/04/09/apple.trojan/index.html

Ya know, I was worried about the ignorant jagoffs in the media blowing this out of proportion. The media is worse than the actual exploit! I just freakin' knew this was going to happen! :rolleyes: :mad: The author of that tripe needs to figure out what viruses and a trojans are before spewing BS.

ClimbingTheLog
Apr 9, 2004, 11:21 PM
This is not a security problem with itunes. I'm as avid a mac user as any but people seem personally offended if a vulnerability of mac OS is revealed. This is a vulnerabilty of the OS itself

Well, it depends where you draw the line as to what the OS is and what's an add-on. The OS I call the demark seems to be doing its part - it runs the application and handles the appleevents requested of it. Seems OK.

It looks like the problem is either in iTunes or Quicktime - I'm not sure how iTunes is coded, but whichever of them is responsible for validating the file type, it should confirm the validity of the media file. Being a CFM application should be a test of whether a file is a valid media file.

I suspect this check will be Apple's fix as it will address the problem and probably not break anything else. It should be implemented in QuickTime as that fixes all apps that take advantage of QuickTime. iTunes may need to be modified to use it in an appropriate way.

A previous poster was right in that MIME types in the filesystem is a good answer but that's 10 years from being standard.

MegaSignal
Apr 9, 2004, 11:33 PM
How unfortunate of Mr. Sieberg to use such words as "virus", "attack", "prey", etc. Clearly, he has no idea, no clue...

Obviously, this entire publication is probably full of inaccuracies and half-truths...how am I to interpret the rest of the articles from cnn.com?

Sadly, from a PR point of view, the damage is done - even without any real threat existing now or several years ago!

iMeowbot
Apr 9, 2004, 11:38 PM
Fortunately this trojan is also extremely fragile, if the resource fork isn't preserved, the application can't even launch. They could try to do it with a standard bundled application, but they would also have to compress/encode it to send it to anyone, and couldn't use the normally invisible .app extension (because two extensions are always shown by OS X).

Darwin executables don't have resource forks, can use any (or no) extension, aren't necessarily binaries, and don't even need to be handed to the OS as files. Programs exploiting these characteristics generally need to ride on the back of an existing vulnerable program on the target system. The type of malware that can exploit this would use programs other than the Finder or Mac OS mechanisms to be activated, and there have been countless Unix vulnerabilities of this kind.

Cap'n Hector
Apr 9, 2004, 11:41 PM
Based on my analysis of this:

Files it can delete without user interaction:

User files
Application files

Stuff it can do:

Run a server with a port over 1024+
Put itself in ~/Sites and e-mail links to itself. The links will be seen as MP3s by QT and treated as such…the payload should not be executed in this case.
E-mail itself to other computers. If e-mailed to a Mac running Mac OS X the computer will ask if you want to execute the file, giving options of "Open", "Save", and "Cancel".
Create a startup item to run at boot.

Getting a password will enable wiping the drive…

In short: This can cause damage, but it will be very hard to spread.

The first bit of info on this:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8%20&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292%20&seekm=blgl-5D750C.02150821032004%40news.bahnhof.s%20e#link6

coolsoldier
Apr 9, 2004, 11:54 PM
The entire problem could be fixed if OS X would just ignore type/creator for files with extensions. If it ends in .mp3 it should open in iTunes. The OS should only look at type/creator if the file doesn't have an extension. No legitimate carbon apps have extensions so this wouldn't break any compatibility.

And if you want to talk about the "virus" spreading, try this scenario:
-Program opens, launches iTunes, and plays a song.
-Program works in the background, scanning the .mbox files in your Library folder for messages with "X-Mailer: Apple Mail" (thus getting a list of mac-using contacts).
-Program picks random song from your iTunes library, and creates a "virus" copy.
-Program mails newly infected song to mac-using friends via OS X's built-in "sendmail" program without you ever knowing (with a title like "check out this song").

This could be particularly believable because the person on the other end would recognize the song as music you listen to. And it could do it all without asking for a password.

Yes, this one is harmless. But it has the potential to be very, very bad.

Fortunately, it seems like an easy fix (ignore type and creator for files with extensions). Let's hope Apple fixes it soon :-)

Cap'n Hector
Apr 10, 2004, 12:19 AM
And if you want to talk about the "virus" spreading, try this scenario:
-Program opens, launches iTunes, and plays a song.
-Program works in the background, scanning the .mbox files in your Library folder for messages with "X-Mailer: Apple Mail" (thus getting a list of mac-using contacts).
-Program picks random song from your iTunes library, and creates a "virus" copy.
-Program mails newly infected song to mac-using friends via OS X's built-in "sendmail" program without you ever knowing (with a title like "check out this song").


You forgot the last step (assuming the recipient is using Apple Mail):

User clicks on the message and gets this dialogue:
http://caphector.com/Virus.jpg

This message may give pause to most users…

KC9AIC
Apr 10, 2004, 02:22 AM
You forgot the last step (assuming the recipient is using Apple Mail):

[image deleted]

This message may give pause to most users…

Great image!! I think that having a warning would be enough to make this far less of a threat.

yamabushi
Apr 10, 2004, 05:53 AM
The default should be "Cancel" to protect users that click through dialog boxes without reading them carefully.

rdowns
Apr 10, 2004, 06:35 AM
They have yet to say if anything malicious can come of this PROOF OF CONCEPT TROJAN.

And as Symantec said, it's not out in the wild.

If it's bad, Apple will fix it. If it's nothing, then Intego has got problems coming their way.

I'm not much of a black helicopter kind of guy but this whole Intego thing is pretty suspicious. As a long time Mac user, I am pretty up on Macs and software but Intego has never made my radar screen. Never heard of them before this thread.

Reading the latest MacAddict, they have a blurb in their Get Info article on Mac OS X security and a full page ad. So I pick up my latest MacWorld and a full page ad. macHOME, full page ad. Hmmm.

Makosuke
Apr 10, 2004, 06:41 AM
Coolsoldier's scenario is quite realistic. Problem is, it could just as well be executed by using a perfectly normal application with an iTunes logo on it. If you wanted it to be more believable, you could have it contain an MP3, copy it to disk, and play that. No "vulnerability" necessary, you could create an identical trojan on any OS, and the only difference would be that if you dragged it into iTunes it wouldn't play because iTunes would realize it's an app.

I just don't see what the big deal is--although it is an interesting "feature" of old-style resource forks, it isn't functionally any different than any other trojan with a misleading title and icon--I can create one of those in about ten seconds using just the Finder (and the same on Windows).

I'm really annoyed by that CNN story, though; for one thing, since when does one proof-of-concept trojan horse on a minor OS make for TOP OF THE FRONT PAGE NEWS on CNN.com, when there are people dying, Japanese hostages waiting to be executed in a couple of days, and any number of other newsworthy things going on. I never minded CNN, but I've really got to wonder if there's some bias in there now--even if the trojan had been on Windows, would it have really warranted that kind of coverage?

(By the way, I like how OSX shows the ".app" for any non-CFM application that you add an extension to--Apple must've thought of this before. This obviously doesn't work on old resource-fork apps, enabling this hack, since those apps didn't have a .app extension.)

eSnow
Apr 10, 2004, 08:02 AM
Based on my analysis of this:

Stuff it could do if it wasn't harmless:

- infect your library of .aac, .mov, .tiff-files...

- install a keylogger...

h'biki
Apr 10, 2004, 10:16 AM
what you are saying is mostly true, but this is newsworthy just for the fact it's a confirmed vulnerability in OS X/Finder that can be exploited by a trojan. it may seem like hype to you, but it is definitely newsworthy.

being in the news doesn't make OS X any less "solid" and not being in the news doesn't make this problem go away.

Except, of course, the application still needs *access* to do anything nasty -- and that access, unless the user is really stupid, is not going to be easy to come by.

That's the advantage of UNIX.

Oh, looks like someone else has gone through exactly what it can do. There you go :)

Cap'n Hector
Apr 10, 2004, 10:48 AM
Based on my analysis of this:

Stuff it could do if it wasn't harmless:

- infect your library of .aac, .mov, .tiff-files...

- install a keylogger...

Thanks for these points.

Infecting other files still bumps into the fact that it's not easy to get executed on another system.

Install a keylogger…yes, it can do that, or monitor most aspects of the computer and send data back to a host somewhere.

Still, it doesn't have the same explosive spread potential that Windows viruses do.

chriscorcoran
Apr 10, 2004, 10:49 AM
OK how many people actually give a rat’s ass?
I mean come on; this is the first Trojan for MacOS X or any Apple OS ever! And it's not even in the wild! It's in a Lab somewhere!

I hope Apple starts collaborating with the Open Source community to fight Trojans and viruses... If they don't, we could be almost as bad off as Windows users.

Yeah not so much. Apple is already working with the Open Source community. If you have ever heard of this very obscure Apple product called MacOS X. I guess it was built on FreeBSD? Whatever that is, I guess it runs a lot of important telecommunication systems and a lot of military systems. It's supposed to be UNIX based (whatever that is). Yeah I guess UNIX is wicked secure and amazingly stable. Yeah apparently Apple decided to move to this platform because there were like no viruses or security holes in it at all. Come on wake up people!

Oh yeah MacOS Users will never find themselves in the security hell that Windows users currently inhabit. For the simple fact that MacOS is built off of FreeBSD which is Unix Based. And we all know that if there is ever a nuclear holocaust that the only things that will survive are cockroaches and UNIX mainframes.

So there is nothing to worry about. To all those people who freaked when they found out that there is a Mac Trojan calm down...it’s the first one ever and it’s in a lab. Do some yoga breathing....in...and out...in...and out... Don’t worry Uncle Steve has everything under control he won’t let Uncle Bill touch you that way.

To all those people who jumped for joy and said "yeah now macs suck as much as windows!"...calm down and shut up. No it's not, this is the first Trojan ever on Mac. Ever! Last time I checked there were like 60,000 viruses and Trojans for Windows.


Funny Quote:

We think of vegetarian men as low-testosterone, peace-loving types. But give Pixar (Nasdaq: PIXR) CEO Steve Jobs a Taser (Nasdaq: TASR) and the chance to ambush Disney (NYSE: DIS) CEO Michael Eisner in a bathtub and you might make an exception.

By James Early
April 6, 2004
www.fool.com "Funding Nemo"

Rincewind42
Apr 10, 2004, 11:00 AM
It looks like the problem is either in iTunes or Quicktime - I'm not sure how iTunes is coded, but whichever of them is responsible for validating the file type, it should confirm the validity of the media file. Being a CFM application should be a test of whether a file is a valid media file.

iTunes & QuickTime mean nothing in the context of this application. They could fail to play the file and you would still be owned. The exploit relies entirely on the user double-clicking the file itself, not on anything Quicktime or iTunes does with the file afterwards.

Darwin executables don't have resource forks, can use any (or no) extension, aren't necessarily binaries, and don't even need to be handed to the OS as files. Programs exploiting these characteristics generally need to ride on the back of an existing vulnerable program on the target system. The type of malware that can exploit this would use programs other than the Finder or Mac OS mechanisms to be activated, and there have been countless Unix vulnerabilities of this kind.

You are correct, but that has always been an issue. This type of attack doesn't rely on such a mechanism, it is a pure user-ignorance exploit. It is considerably harder to attack based on this vector.

The entire problem could be fixed if OS X would just ignore type/creator for files with extensions. If it ends in .mp3 it should open in iTunes. The OS should only look at type/creator if the file doesn't have an extension. No legitimate carbon apps have extensions so this wouldn't break any compatibility.

This would fix applications trying to do this, but break other usage scenarios. I have seen recommendations to warn users when an app with a recognized extension is opened, but there are likely to be false positives there as well (which may be acceptable). The reality is there is no simple solution to this.


Stuff it could do if it wasn't harmless:
- install a keylogger...


Actually it can't install a key logger without getting authorization. And there is a secure user input mode in OS X that prevents key sniffing without you getting REALLY low level in the system (which of course requires that you got authorization to install whatever it is will be logging keys).

Really everyone, this thing is blown way out of proportion. All that we really need is 1) Warning to the user that whatever file they are getting in the mail is an application and not a file of some other type and 2) educating the user that a file that they downloaded isn't necessarily what it appears to be.

space2go
Apr 10, 2004, 11:09 AM
You forgot the last step (assuming the recipient is using Apple Mail):
User clicks on the message and gets this dialogue:
http://caphector.com/Virus.jpg
This message may give pause to most users...

Just stuffit it. ;-)

Rincewind42
Apr 10, 2004, 11:51 AM
You don't even need to be a CFM application to do something stupid like this. I just did it with a standard packaged application, and it took me less than half an hour to do it. And as an even bigger advantage, it means that you don't even need to modify the file that you are pretending to be at all. Just drop it into your bundle and you're set. And while the user is enjoying whatever file you happened to have opened for them, you are busy doing whatever it is you want to do.

So really, it's a nice proof of concept that they can do this with a single-file CFM app, but the same kind of trickery is possible (and easier!) using Mac OS X's native MachO bundled application. And in the end even harder to detect, because you don't even need an extension, type or creator.

Oh, and application itself is all of 2 lines of code.

MegaSignal
Apr 10, 2004, 12:13 PM
You don't even need to be a CFM application to do something stupid like this. I just did it with a standard packaged application, and it took me less than half an hour to do it. And as an even bigger advantage, it means that you don't even need to modify the file that you are pretending to be at all. Just drop it into your bundle and you're set. And while the user is enjoying whatever file you happened to have opened for them, you are busy doing whatever it is you want to do.

So really, it's a nice proof of concept that they can do this with a single-file CFM app, but the same kind of trickery is possible (and easier!) using Mac OS X's native MachO bundled application. And in the end even harder to detect, because you don't even need an extension, type or creator.

Oh, and application itself is all of 2 lines of code.

Did you let Apple know about this?

Rincewind42
Apr 10, 2004, 12:45 PM
Did you let Apple know about this?

Huh? This isn't something for Apple to fix. It is just an every day absolutely valid application. Sure it may not do something the user wanted done, but there is nothing wrong with it, nothing out of the ordinary, and nothing that can be done to detect it. The point that I was hoping to make (and which was apparently lost) was that you can do this fairly easily without resorting to the level of hackery that the CFM/MP3 concept did.

The system STILL knows that the "file" is actually an application. It is the user that is confused. The Application specifically goes out of its way to make sure the user is confused. But the system knows better.

The only thing (barely) news worthy about the CFM/MP3 hack is that it really is a valid MP3 and a valid CFM application. But the whole point is to get the user to do something that they normally wouldn't - run your application.

MegaSignal
Apr 10, 2004, 01:06 PM
So there really isn't a problem then...?

Or is there?

Can I still download apps from known sources off of the web and use them safely?

[Yes, yes, I know - I'm not as smart as a Unix programmer - CFM applications, resource forks, multiple extensions, root, user, admin, etc., etc. - but sooner or later, these questions regarding this latest "threat" will have to be dealt with for the likes of me who merely use Apple computers for their perceived simplicity of use...]

Many apologies for my ignorance.

Snowy_River
Apr 10, 2004, 01:15 PM
...And if you want to talk about the "virus" spreading, try this scenario:
...
-Program mails newly infected song to mac-using friends via OS X's built-in "sendmail" program without you ever knowing (with a title like "check out this song").
...

Well, there's one problem with this. In earlier versions of Mac OS X*, while sendmail is included, it is not, by default, enabled. So, in order to enable sendmail, the virus would need to get the password to edit the hostconfig file, then restart the machine. I don't see this as being any more serious a weakness than other aspects of the trojan situation.

* In 10.3 sendmail is not included. Instead, Postfix Mail Transport Agent is standard. It, too, is not enabled by default.

Snowy_River
Apr 10, 2004, 01:20 PM
...I mean come on; this is the first Trojan for MacOS X or any Apple OS ever! And it’s not even in the wild! It’s in a Lab some where! ....

Uh, check your history. There have been other trojans and viruses on Mac OS. A worm that immediately comes to mind is the rather ancient QT Autostart Worm from a decade or so ago. Just because Mac OS is more secure than Windows doesn't mean that there have been no attacks...

http://www.ghwphoto.com/smilies/rolleyes.jpg

wdlove
Apr 10, 2004, 01:23 PM
You forgot the last step (assuming the recipient is using Apple Mail):

User clicks on the message and gets this dialogue:
http://caphector.com/Virus.jpg

This message may give pause to most users…

I was pleased to know that I picked the correct one, prior to the answer being given. How soon do you think that Apple will have a fix?

Snowy_River
Apr 10, 2004, 01:24 PM
...The system STILL knows that the "file" is actually an application. It is the user that is confused....

I still like the idea of the OS putting little mini-icons superimposed over the app/doc icon to identify what the system sees the file as being. That could save a fair bit of confusion...

Rincewind42
Apr 10, 2004, 01:26 PM
So there really isn't a problem then...?

Or is there?

Can I still download apps from known sources off of the web and use them safely?

If you trust your source, feel free. But be wary of things that just don't make sense. In general, just use common sense, never open something from someone you don't know, or weren't expecting a file from. Just standard precautions that come with using the net.

[Yes, yes, I know - I'm not as smart as a Unix programmer - CFM applications, resource forks, multiple extensions, root, user, admin, etc., etc. - but sooner or later, these questions regarding this latest "threat" will have to be dealt with for the likes of me who merely use Apple computers for their perceived simplicity of use...]

Many apologies for my ignorance.

No worries, no one is born knowing what they know now. And all this comes from living in a world where unfortunately not everyone is honest.

MegaSignal
Apr 10, 2004, 01:30 PM
Thanks! Info like this can only help me make the correct decision!

CIAO

Rincewind42
Apr 10, 2004, 01:32 PM
I still like the idea of the OS putting little mini-icons superimposed over the app/doc icon to identify what the system sees the file as being. That could save a fair bit of confusion...

I agree. It may spoil the aesthetics of some people's icons, but it is a small issue compared to clarifying what a file is to the user. Although this would have to be done a bit differently for documents (only superimpose the mini-icon on a document with a custom icon; after all, it'd be kinda strange to see an MP3 with a mini MP3 icon over the full sized one) :) .

7on
Apr 10, 2004, 02:41 PM
Or just have Apple warn the user if the resource fork is different than the extension. Or throw away resource forks. Something, I think, Apple is trying to do. Considering they built in zipping in 10.3, something that does not include resource forks. And I wouldn't be surprised if Apple made UFS the default File system in its OS. Might be a while though, but it is imminent. Not an extremely hard problem for Apple to fix.

Snowy_River
Apr 10, 2004, 03:00 PM
I agree. It may spoil the aesthetics of some people's icons, but it is a small issue compared to clarifying what a file is to the user. Although this would have to be done a bit differently for documents (only superimpose the mini-icon on a document with a custom icon; after all, it'd be kinda strange to see an MP3 with a mini MP3 icon over the full sized one) :) .

Come to think of it, you'd only need to tag one of the two. If application icons all had a mini-icon superimposed, they'd clearly be distinguished from document files. For example, the MP3 icon would end up looking something like this (in the three different sizes):

http://www.ghwphoto.com/smilies/iTunes-mp3%20thumb.jpg http://www.ghwphoto.com/smilies/iTunes-mp3%20big.jpg http://www.ghwphoto.com/smilies/iTunes-mp3%20small.jpg

for this virus...

ClimbingTheLog
Apr 10, 2004, 03:10 PM
iTunes & QuickTime mean nothing in the context of this application. They could fail to play the file and you would still be owned. The exploit relies entirely on the user double-clicking the file itself, not on anything Quicktime or iTunes does with the file afterwards.


Baloney. That the file plays successfully is the stealthy aspect of the trojan's propagation vector. It's expected to be file-shared.

You can take any old carbon application and stick an .mp3 icon on it and have it install a back door, always have, but that's a different kind of trojan, not the one we're talking about here.

Rincewind42
Apr 10, 2004, 03:40 PM
Baloney. That the file plays successfully is the stealthy aspect of the trojan's propagation vector. It's expected to be file-shared.

So tell me this, if I give you an application that you think is an mp3 file, and you open it, and nothing happens why should I care? You just opened my application, which is what I wanted. The fact that nothing happened that you can see is meaningless to me because you already gave me the chance that I needed to do any damage that I wish to do.

Sure, it may take a little longer to propagate, but in case you hadn't noticed, in its current form it can't actually travel over P2P networks without being encoded in some form. And most trojans/virii don't rely on P2P networks anyway, either because it is not what the virus writer is after, or because it is faster and more reliable to reach a large audience over e-mail than P2P.

If the application wants to propagate, it will not rely on the user to do that (aside from getting the user to launch it). It will send itself out.

You can take any old carbon application and stick an .mp3 icon on it and have it install a back door, always have, but that's a different kind of trojan, not the one we're talking about here.

No, it really isn't. The only thing novel about this trojan is that it is a valid MP3 file as well as a valid CFM application. As it is, it can't propagate itself (by design I might add). But the fact that it plays an mp3 is only of comfort to the user - they may hold onto it longer because it is a valid mp3. But once the user double-clicks the application, it really is all over.

ClimbingTheLog
Apr 10, 2004, 03:41 PM
So really, it's a nice proof of concept that they can do this with a single-file CFM app, but the same kind of trickery is possible (and easier!) using Mac OS X's native MachO bundled application. And in the end even harder to detect, because you don't even need an extension, type or creator.


Yeah, but it's harder to spread your application on file sharing networks.

Rincewind42
Apr 10, 2004, 03:45 PM
Or just have Apple warn the user if the resource fork is different than the extension. Or throw away resource forks. Something, I think, Apple is trying to do. Considering they built in zipping in 10.3, something that does not include resource forks. And I wouldn't be surprised if Apple made UFS the default File system in its OS. Might be a while though, but it is imminent. Not an extremely hard problem for Apple to fix.

Resource forks and extensions have nothing to do with each other. *Type* and extension is probably what you are looking for. And Apple has pretty much gotten away from the "death to resource forks" stance, so don't look for them going away anytime soon (and they can't stop launching single-file applications without users of legitimate apps created this way complaining loudly). And Apple won't make UFS the default file system, too much doesn't work properly with it (and HFSX was built to replace UFS in those places for which UFS was the previous default). Finally, zipping in 10.3 does preserve resource forks so that isn't a fix either.

Oh, and as I said a few posts ago, you can do something very similar and for any particular file type using a bundled application, i.e. a MachO Carbon or Cocoa application [you can have bundled CFM apps too]. And in that form, you can even get a better user experience because you can use any file type you want. So you could create a trojan that hops file types seamlessly spreading at will, or waiting for the user to send it themselves.

7on
Apr 10, 2004, 03:45 PM
Because, if it is moved to anything but a HFS+ drive, the virus is ruined. Unless it is dmg compressed or sit compressed (the latter would require Stuffit Deluxe to be installed).

Rincewind42
Apr 10, 2004, 03:55 PM
Yeah, but it's harder to spread your application on file sharing networks.

It's no harder to spread my version over P2P than it is to spread the trojan that is the subject of this thread. However, my application can 1) reference more files 2) access all of Mac OS X's APIs natively and easily 3) be stored on non-HFS type file systems and still work on a Mac 4) requires FAR less knowledge to create. Oh, and it is also quite a bit harder for the system to detect as a possible security threat (because it looks exactly like any other application on the system).

The nice thing about CFM applications on Mac OS X is that they all channel through the same helper application, which can do some verifications on it to determine if the application might be a security threat.

Rincewind42
Apr 10, 2004, 04:03 PM
Because, if it is moved to anything but a HFS+ drive, the virus is ruined.

Not if it is done from a computer running Mac OS X. In that case, a file Foo is copied with the data fork in Foo and the resource fork in ._Foo.
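
Two defensive ideas recur in this thread: Rincewind42's point that the system still knows the "file" is an application even when the user is fooled, and the suggestion (coolsoldier, Rincewind42, 7on) that a document-looking file whose type code says "application" should be flagged. The checker below is an added example, not code from this thread or from Apple: it reads the AppleDouble sidecar (the ._Foo file described just above) using the documented AppleDouble v2 layout, pulls the HFS type and creator out of the Finder Info entry, and reports a file whose extension says "document" but whose type code is APPL. The sidecar bytes, the type/creator values and the extension list are constructed here as sample input; the same 32 Finder Info bytes are what `xattr -p com.apple.FinderInfo <file>` prints on an HFS+ volume, so `finder_type_creator` works on that output too.

```python
"""Added example: flag documents whose HFS type code says "application".
Parses an AppleDouble (._Foo) sidecar; sample bytes are constructed inline."""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000
ENTRY_RESOURCE_FORK = 2   # AppleDouble entry ID for the resource fork
ENTRY_FINDER_INFO = 9     # AppleDouble entry ID for the 32-byte Finder Info

# Extensions a user expects to open as a document, never as a program
# (list is an assumption for this example, extend to taste).
DOCUMENT_EXTENSIONS = {".mp3", ".aac", ".m4a", ".mov", ".jpg", ".tiff", ".pdf"}


def build_appledouble(finder_info, resource_fork):
    """Assemble a minimal AppleDouble v2 container with two entries.
    Used only to construct test input here; real sidecars come from the OS."""
    header_len = 26 + 12 * 2           # fixed header + two 12-byte entry descriptors
    entries = [
        (ENTRY_FINDER_INFO, header_len, len(finder_info)),
        (ENTRY_RESOURCE_FORK, header_len + len(finder_info), len(resource_fork)),
    ]
    blob = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, len(entries))
    for entry_id, offset, length in entries:
        blob += struct.pack(">III", entry_id, offset, length)
    return blob + finder_info + resource_fork


def parse_appledouble(blob):
    """Return {entry_id: bytes} for every entry in an AppleDouble file."""
    magic, _version, count = struct.unpack(">II16xH", blob[:26])
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError("not an AppleDouble file")
    entries = {}
    for i in range(count):
        base = 26 + 12 * i
        entry_id, offset, length = struct.unpack(">III", blob[base:base + 12])
        entries[entry_id] = blob[offset:offset + length]
    return entries


def finder_type_creator(finder_info):
    """FInfo layout: fdType (4 bytes), fdCreator (4 bytes), then flags etc.
    These are the same 32 bytes as the com.apple.FinderInfo xattr on HFS+."""
    if len(finder_info) < 8:
        return b"", b""
    return finder_info[:4], finder_info[4:8]


def assess(filename, entries):
    """Return human-readable findings; an empty list means the name and the
    type code agree. A resource fork on a document is reported as a weaker
    signal (custom icons also live there), the APPL type as the strong one."""
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ftype, creator = finder_type_creator(entries.get(ENTRY_FINDER_INFO, b""))
    rsrc = entries.get(ENTRY_RESOURCE_FORK, b"")
    if ext in DOCUMENT_EXTENSIONS and ftype == b"APPL":
        findings.append(f"{filename}: extension {ext} but HFS type APPL "
                        f"(creator {creator!r}); the Finder would launch it")
    if ext in DOCUMENT_EXTENSIONS and rsrc:
        findings.append(f"{filename}: {len(rsrc)}-byte resource fork on a {ext} document")
    return findings


# Constructed sample: a sidecar for a file named song.mp3 whose type code is
# APPL (creator is a placeholder) and which carries a non-empty resource fork.
SUSPICIOUS_SIDECAR = build_appledouble(b"APPL" + b"????" + b"\x00" * 24, b"\x00" * 64)
# Constructed sample: an ordinary MP3; type/creator values are assumed here.
BENIGN_SIDECAR = build_appledouble(b"MPG3" + b"hook" + b"\x00" * 24, b"")


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_SIDECAR), ("benign", BENIGN_SIDECAR)):
        print(label, assess("song.mp3", parse_appledouble(blob)) or ["consistent"])
```

The check only sees what the filesystem records, which is the point the thread makes: the Finder acts on the type code while the user reads the extension and icon, so comparing the two is the warning the posters are asking for. It says nothing about a bundled .app, which carries no such contradiction and must be judged by the user's trust in the source.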

Snowy_River
Apr 10, 2004, 06:09 PM
So tell me this, if I give you an application that you think is an mp3 file, and you open it, and nothing happens why should I care? You just opened my application, which is what I wanted. The fact that nothing happened that you can see is meaningless to me because you already gave me the chance that I needed to do any damage that I wish to do...

Yes, but the difference is if I double click on what appears to be an MP3, and nothing happens, I'll try to figure out what's wrong. I might choose to try to drag and drop it into QT or iTunes, at which point either I'd get an error message or nothing at all. Then I'd get really suspicious and maybe I'd look and see that the would-be MP3 is actually an application, realize that I just installed a virus (using 'install' rather loosely here), and immediately take steps to clean my system and protect my data.

On the other hand, if I double click on the would-be MP3 and it launches iTunes and plays a music file, as I expected it to do, I would be none the wiser that a virus had gotten into my system and it would then have free rein over my computer for some time to come...

That's the important difference.

Rincewind42
Apr 10, 2004, 06:20 PM
Yes, but the difference is if I double click on what appears to be an MP3, and nothing happens, I'll try to figure out what's wrong. I might choose to try to drag and drop it into QT or iTunes, at which point either I'd get an error message or nothing at all. Then I'd get really suspicious and maybe I'd look and see that the would-be MP3 is actually an application, realize that I just installed a virus (using 'install' rather loosely here), and immediately take steps to clean my system and protect my data.

On the other hand, if I double click on the would-be MP3 and it launches iTunes and plays a music file, as I expected it to do, I would be none the wiser that a virus had gotten into my system and it would then have free rein over my computer for some time to come...

That's the important difference.

That's all well and good, but unless the trojan is trying to do something long and complicated, it has likely already done whatever damage it is going to do. It has e-mailed itself to everyone in your address book, infected half a dozen files, and made itself at home. The fact that its stay on your machine may be short is irrelevant because it has already sent itself to a new home.

I agree that the trojan is more likely to stay if it actually appears to be something that I want. But trojans and viruses are opportunistic by nature, they will use every opportunity they can find to do damage because they don't know when their next chance will be.

sushi
Apr 10, 2004, 06:36 PM
On the other hand, if I double click on the would-be MP3 and it launches iTunes and plays a music file, as I expected it to do, I would be none the wiser that a virus had gotten into my system and it would then have free rein over my computer for some time to come...

That's the important difference.
Exactly!

Sushi

manu chao
Apr 10, 2004, 07:00 PM
Hey, are we all so unnerved because somebody did, what everybody knew would happen anyway sooner or later?

Everybody boasting about the lack of viruses and so on for Mac OS X until a few days ago, perfectly well knew that it would be dead simple to write at least a trojan horse for OS X (taking a Carbon app and pasting a harmless icon on it).

But we all knew/thought/hoped it would never happen because:
a: OS X is so secure (and so rare) that it could not do much harm, therefore nobody would bother to write it (partly true, the harm is limited to the user's files, spreading is difficult) but somebody wrote a proof-of-concept one (without the spreading part) anyway
b: Nobody would dare to attack Macs, since they're such wonderful computers (partly true, it's only a very benign proof-of-concept one)

Harm is done nevertheless, because of:
- bad press
- the great publicity is maybe giving the wrong people bad ideas (hey, why not write a real trojan horse, that ID tag thing is neat)

Cap'n Hector's laundry list could have been written last week by every knowledgeable person, answering the question what a trojan horse could do on a Mac.

Based on my analysis of this:

Files it can delete without user interaction:

- User files
- Application files

Stuff it can do:

- Run a server with a port over 1024+
- Put itself in ~/Sites and e-mail links to itself. The links will be seen as MP3s by QT and treated as such…the payload should not be executed in this case.
- E-mail itself to other computers. If e-mailed to a Mac running Mac OS X the computer will ask if you want to execute the file, giving options of "Open", "Save", and "Cancel".
- Create a startup item to run at boot.

Getting a password will enable wiping the drive…

In short: This can cause damage, but it will be very hard to spread.

Snowy_River
Apr 11, 2004, 04:56 AM
That's all well and good, but unless the trojan is trying to do something long and complicated, it has likely already done whatever damage it is going to do. It has e-mailed itself to everyone in your address book, infected half a dozen files, and made itself at home. The fact that its stay on your machine may be short is irrelevant because it has already sent itself to a new home.

I agree that the trojan is more likely to stay if it actually appears to be something that I want. But trojans and viruses are opportunistic by nature, they will use every opportunity they can find to do damage because they don't know when their next chance will be.

You overlook a couple of things. First, not everyone has a full time connection to the 'net. If I double click a trojan when I'm not connected, and the trojan doesn't fool me into thinking that nothing's wrong, then I'll disinfect my machine before the next time I'm connected, and it'll never be able to spread.

Second, again, if I'm not fooled into thinking nothing's wrong, even if I was connected to the 'net, simple suspicion of foul play could prompt me to isolate my machine (i.e. disconnect immediately), and, unless your trojan is tiny (I'll address that in a second) it could very easily not succeed in sending itself on to any more computers.

Now, why would I argue that your hypothetical trojan isn't going to be small? Well, it would have to have its own built in SMTP server. That right there could push it over 1MB. "But wait, what about the built in SMTP server in OS X?" you say. Ah, but as I already noted in an earlier post (http://forums.macrumors.com/showthread.php?p=788599#post788599), the mailserver in OS X is not enabled by default, and would require a password to enable it. For that matter, I'm not sure that it wouldn't need an admin password to use an internal mail server...

So, your hypothetical trojan that doesn't continue to try to fool me into thinking nothing is wrong is aimed at a fairly small target group. First, it has to be someone using OS X. Then, it has to be someone who has an active internet connection most, if not all the time. Further, that internet connection most likely has to be highspeed. So, I'd say that, while this trojan might work, it wouldn't be all that effective.

space2go
Apr 11, 2004, 06:58 AM
Now, why would I argue that your hypothetical trojan isn't going to be small? Well, it would have to have its own built in SMTP server. That right there could push it over 1MB. "But wait, what about the built in SMTP server in OS X?" you say. Ah, but as I already noted in an earlier post (http://forums.macrumors.com/showthread.php?p=788599#post788599), the mailserver in OS X is not enabled by default, and would require a password to enable it. For that matter, I'm not sure that it wouldn't need an admin password to use an internal mail server.

1. The worm would not need a full blown mail server. Just an SMTP engine, which can be extremely small as SMTP is a simple protocol. For example it's perfectly possible to use telnet as a mail client. And worms in the windoze world that bring along their own SMTP engine to spread are actually way smaller than 1MB. W32.Bagle.A@mm for instance had a size of 15,872 bytes.

2. To run such an SMTP engine you need no admin rights. It's only connecting to another host and exchanging data with it. If you can read this your browser did the same. Of course if it wants to act as a mail server for other worms it would need to listen on a port. If the local firewall is active an admin name and password would be needed to open a hole in it to be able to accept requests over the network.

3. There isn't even a dire need to bring along an SMTP engine. Mail.app is very forthcoming when scripts ask it to send a mail. This of course would not be as fast or reliable as using a bundled engine.

Rincewind42
Apr 11, 2004, 07:26 AM
3. There isn't even a dire need to bring along an SMTP engine. Mail.app is very forthcoming when scripts ask it to send a mail. This of course would not be as fast or reliable as using a bundled engine.

Actually you couldn't use Mail.app, since it can't be scripted to send attachments. But as you've already pointed out, bringing your own SMTP engine is simple, easy and painless.

This topic is starting to get a little scary though, as we've more or less put together a trojan in our minds. Probably the same thing that led to the CFM/MP3 test case :).

space2go
Apr 11, 2004, 07:49 AM
Actually you couldn't use Mail.app, since it can't be scripted to send attachments.

It does not accept a message body with the attachment already properly encoded in it?


This topic is starting to get a little scary though, as we've more or less put together a trojan in our minds.

But none that would do anything new. And anybody setting out to create a virus could get complete howtos on the net as opposed to some ideas in this thread. ;)

Rincewind42
Apr 11, 2004, 07:56 AM
It does not accept a message body with the attachment already properly encoded in it?

Haven't tried actually, but the issue has come up on developer lists I frequent before and the consensus was that Mail didn't support doing that. But I'd still assume that a trojan/virus would bring its own SMTP implementation simply so that it wouldn't have to rely on any particular e-mail client being set up correctly.

But none that would do anything new. And anybody setting out to create a virus could get complete howtos on the net as opposed to some ideas in this thread. ;)

Yea, but all of those are for Windows :D . I'm just hoping some idiot hasn't gotten the idea in their heads to go make one for real so they can get their 15 minutes.

space2go
Apr 11, 2004, 08:15 AM
Haven't tried actually, but the issue has come up on developer lists I frequent before and the consensus was that Mail didn't support doing that.

I just visited macosxhints and at once found an AppleScript that works and from which all user interaction can be removed easily. :confused:

But I too think this line of thought should stop here. ;)

Rincewind42
Apr 11, 2004, 08:36 AM
I just visited macosxhints and at once found an AppleScript that works and from which all user interaction can be removed easily. :confused:

Hah! Figures :). (Either that or I'm misremembering the conclusion of that thread).

sushi
Apr 11, 2004, 08:46 AM
Now, why would I argue that your hypothetical trojan isn't going to be small? Well, it would have to have its own built in SMTP server. That right there could push it over 1MB.
Don't assume coding will be that big.

Go hack code can be written in assembly which is a whole lot smaller.

Sushi

Snowy_River
Apr 11, 2004, 12:14 PM
1. The worm would not need a full blown mail server. Just an SMTP engine, which can be extremely small as SMTP is a simple protocol. For example it's perfectly possible to use telnet as a mail client. And worms in the windoze world that bring along their own SMTP engine to spread are actually way smaller than 1MB. W32.Bagle.A@mm for instance had a size of 15,872 bytes.

Ah. I was basing my estimate on how large other SMTP server software was that I've seen (typically >2MB). I've never looked at the code myself, so I didn't know how much could be stripped out of that.

2. To run such an SMTP engine you need no admin rights. It's only connecting to another host and exchanging data with it. If you can read this your browser did the same. Of course if it wants to act as a mail server for other worms it would need to listen on a port. If the local firewall is active an admin name and password would be needed to open a hole in it to be able to accept requests over the network.

That would explain my suspicions. I do work behind a firewall.

3. There isn't even a dire need to bring along an SMTP engine. Mail.app is very forthcoming when scripts ask it to send a mail. This of course would not be as fast or reliable as using a bundled engine.

Of course, this would mean that Mail.app would launch when I double-clicked the MP3 trojan, which would really freak me out. I'd know for sure that I had a virus then. Disconnect and disinfect.

I do agree that this seems to be becoming a Mac virus design meeting. Of course, all of this would be defeated if the Mac OS were to identify whether a file was a document or application in more than just list view, regardless of how it did it. (An alternative to the icon modification that I proposed earlier could be something as simple as making the file name italicized or bolded.)

Another scary thought occurred to me, but maybe I shouldn't mention it...

Rincewind42
Apr 11, 2004, 12:33 PM
I do agree that this seems to be becoming a Mac virus design meeting. Of course, all of this would be defeated if the Mac OS were to identify whether a file was a document or application in more than just list view, regardless of how it did it. (An alternative to the icon modification that I proposed earlier could be something as simple as making the file name italicized or bolded.)

Actually it identifies it as an application in Column View also (showing Kind is optional in List View but Column view always shows the Preview). So we just need a fix for Icon view, and something that is always there for List view.

Snowy_River
Apr 11, 2004, 12:50 PM
Actually it identifies it as an application in Column View also (showing Kind is optional in List View but Column view always shows the Preview). So we just need a fix for Icon view, and something that is always there for List view.

True. So what do you think is the best way to flag applications? Modify the icon or the title? Or both?

Rincewind42
Apr 11, 2004, 12:55 PM
True. So what do you think is the best way to flag applications? Modify the icon or the title? Or both?

I would say that either is acceptable, and both is great. Of course, it is really only academic until someone actually files a bug with Apple :) .

wdlove
Apr 11, 2004, 02:53 PM
I agree that the trojan is more likely to stay if it actually appears to be something that I want. But trojans and viruses are opportunistic by nature, they will use every opportunity they can find to do damage because they don't know when their next chance will be.

I find that very interesting, the virus is aptly named. It acts like the virus that attacks our bodies.

Doctor Q
Apr 11, 2004, 05:14 PM
True. So what do you think is the best way to flag applications? Modify the icon or the title? Or both?

Maybe the shape of the icon should indicate the type of item. Many applications use diamond-shaped icons, while documents are rectangles, often with the top right corner turned down. That's a nice convention.

Snowy_River
Apr 11, 2004, 08:32 PM
Maybe the shape of the icon should indicate the type of item. Many applications use diamond-shaped icons, while documents are rectangles, often with the top right corner turned down. That's a nice convention.

The only problem with this is that it would have to be a forced form constraint. Otherwise older applications would not conform to this convention, and it would therefore become useless. And how would the Finder handle a rectangular application icon? Hmm...

Doctor Q
Apr 11, 2004, 09:08 PM
The only problem with this is that it would have to be a forced form constraint. Otherwise older applications would not conform to this convention, and it would therefore become useless. And how would the Finder handle a rectangular application icon? Hmm...

By putting it within a larger (or same-size but scaled) diamond-shaped border.

Snowy_River
Apr 11, 2004, 11:24 PM
By putting it within a larger (or same-size but scaled) diamond-shaped border.

Yeah, that could work. To place a square icon into a diamond icon that fits into the current 128x128 square icon, the scaled square icon in the diamond could only be 64x64. So, this would be less than ideal. I think that I still prefer the idea of placing a mini-icon superimposed over the application icon.

dontmakemehurtu
Apr 12, 2004, 09:36 AM
:(

Rincewind42
Apr 12, 2004, 09:58 AM
I got my first copy of the virus off of Acquisition last night. Actually, it was this morning 'cause I was up til 1. Anyway, it wasn't a .sit or .dmg. It was an MP3. Acquisition showed me the supposed download of 4MB of data. It didn't even have an obvious name. I was downloading what I thought was the Diva's aria from "The Fifth Element."

If it wasn't encoded in some way, then it was most likely rendered harmless. Gnutella networks don't know anything about resource forks, therefore all the information necessary for the application to actually launch should have been stripped off (and in fact, it probably should have looked exactly like an mp3 to the finder, except that it wouldn't play, as if it were corrupt).

Still, to be on the safe side, I didn't double-click to open them. I used QuickTime's open command. I got a message saying QuickTime couldn't open it because it was in a format QuickTime didn't understand. Delving into "Get Info" I found what I didn't expect to find. I found a "Get Info" panel that looked more like one for an app than one for an MP3. It wasn't even 4MB in size. I've attached example images.

I've dumped the file. No trojans on this Mac. Ran Norton, which now has the definition for MP3Concept, and no damage done.

Thank you, common sense.

P.S. The images do not apply to the file I downloaded due to the fact that I dumped it as soon as I suspected it.

It would have been much more useful if you had given us screen shots of the get info panel that you did see. Given the method that you obtained the file with, I find it hard to think that this trojan could have even been executable or identified as an application instead of as an mp3. The only way I can think of this is if Acquisition can automatically decode MacBinary or BinHexed files and does this transparently to the user.

Snowy_River
Apr 12, 2004, 10:30 AM
I got my first copy of the virus off of Acquisition last night. Actually, it was this morning 'cause I was up til 1. Anyway, it wasn't a .sit or .dmg. It was an MP3. Acquisition showed me the supposed download of 4MB of data. It didn't even have an obvious name. I was downloading what I thought was the Diva's aria from "The Fifth Element."

Still, to be on the safe side, I didn't double-click to open them. I used QuickTime's open command. I got a message saying QuickTime couldn't open it because it was in a format QuickTime didn't understand. Delving into "Get Info" I found what I didn't expect to find. I found a "Get Info" panel that looked more like one for an app than one for an MP3. It wasn't even 4MB in size. I've attached example images.

I've dumped the file. No trojans on this Mac. Ran Norton, which now has the definition for MP3Concept, and no damage done.

Thank you, common sense.

P.S. The images do not apply to the file I downloaded due to the fact that I dumped it as soon as I suspected it.

This sounds like one of two things. Either a hoax, or a completely different situation.

Hoax:

1) I've never heard of gnutella networks misreporting file size.
2) These networks don't preserve resource forks, so if the file wasn't properly encoded it couldn't be a version of this trojan.
3) This trojan can be opened through the open dialog box in QT.

Something else:

1) If the file was not completely downloaded, this would explain why the file size was smaller than originally reported.
2) If the file was not completely downloaded, it could easily have been corrupted, and that would explain why QT couldn't open the file.
3) If the file was corrupted, then the Finder's attempt to provide all of the information that's shown in the Get Info palette could have fallen short, resulting in a panel that "looked more like one for an app than one for an MP3".

Just my thoughts...
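The triage both Rincewind42 and Snowy_River apply above (was the transfer complete, does the data fork actually start like audio, and is there a resource fork for the Finder to launch from) written as a small offline check. This is an added example, not code from the thread; the Download record, the verdict strings and the sample files are all constructed assumptions, and on a real Mac the resource fork size would come from the file's resource fork rather than a field filled in by hand.

```python
import re
from dataclasses import dataclass

# MPEG audio frame sync: 0xFF followed by a byte whose top three bits are all set.
MPEG_SYNC = re.compile(rb"\xff[\xe0-\xff]")


@dataclass
class Download:
    """What can be observed about a file without opening it (hypothetical record)."""
    name: str            # file name as shown by the P2P client
    reported_size: int   # size the client advertised for the transfer, in bytes
    actual_size: int     # size of the data fork on disk, in bytes
    head: bytes          # first few bytes of the data fork
    rsrc_size: int       # size of the resource fork; 0 when absent or stripped in transit


def looks_like_mp3(head: bytes) -> bool:
    """True if the data fork starts like audio: an ID3v2 tag or an MPEG frame sync."""
    return head.startswith(b"ID3") or MPEG_SYNC.match(head) is not None


def classify(d: Download) -> str:
    """One verdict per file, checking the mundane explanations before the alarming one."""
    ext = d.name.rsplit(".", 1)[-1].lower() if "." in d.name else ""
    if ext != "mp3":
        return "not named as an MP3; this check does not apply"
    if d.actual_size < d.reported_size:
        # A truncated transfer alone explains a smaller file and a player refusing it.
        return "incomplete download"
    audio = looks_like_mp3(d.head)
    if d.rsrc_size > 0 and not audio:
        # The case the thread worries about: the extension makes the file look like a
        # song while the resource fork carries what the Finder needs to launch it.
        return "disguised: MP3 name, non-audio data fork, resource fork present"
    if d.rsrc_size > 0:
        return "review: audio data, but a resource fork is attached"
    if not audio:
        return "corrupt or mislabelled: no resource fork, data fork is not audio"
    return "plain MP3 data, nothing for the Finder to launch"


# Constructed samples, not real files from the thread.
SAMPLES = [
    Download("aria.mp3", 4_000_000, 4_000_000, b"ID3\x03\x00\x00", 0),
    Download("aria.mp3", 4_000_000, 1_200_000, b"\xff\xfb\x90\x00", 0),
    Download("song.mp3", 20_000, 20_000, b"\x00\x00\x00\x00", 12_000),
    Download("song.mp3", 20_000, 20_000, b"\xff\xfb\x90\x00", 900),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample.name}: {classify(sample)}")
```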

coolsoldier
Apr 12, 2004, 02:32 PM
Given the method that you obtained the file with, I find it hard to think that this trojan could have even been executable or identified as an application instead of as an mp3. The only way I can think of this is if Acquisition can automatically decode MacBinary or BinHexed files and does this transparently to the user.

But gnutella is a peer-to-peer network. If you download from another mac user, the file never passes through a computer that doesn't support resource forks. I don't know much about how gnutella works, but since the file could be transferred directly from another mac, I think it is possible that the file could get through with the resource fork intact.

Rincewind42
Apr 12, 2004, 03:02 PM
But gnutella is a peer-to-peer network. If you download from another mac user, the file never passes through a computer that doesn't support resource forks. I don't know much about how gnutella works, but since the file could be transferred directly from another mac, I think it is possible that the file could get through with the resource fork intact.

That is only true if the client on both machines supports resource forks, and has the same protocol in place for identifying Mac clients and sending them resource forks when requested. AFAIK no p2p client does this. Specifically, almost all of the gnutella clients I know of are written in java at their core, and they do nothing special to preserve resource forks (because they are designed to be cross platform rather than to be mac savvy).

dontmakemehurtu
Apr 12, 2004, 08:19 PM
:(