Mac OS X Trojan Warning

MacBytes · Apr 8, 2004, 02:32 PM

Category: News and Press Releases
Link: The First Mac OS X Trojan Horse: MP3Concept
Posted on MacBytes.com

Approved by Mudbug

Awimoway · Apr 8, 2004, 02:49 PM

Here we go…

snahabed · Apr 8, 2004, 02:51 PM

What Mac OS X fool has

1. Icons of music files on his desktop, which are

2. MP3, not AAC?

Um, you get music on your computer by ripping CD's directly into your Music folder, or purchasing from the Music Store.

Sounds like this one prays on music pirates. Boo hoo!

Lancetx · Apr 8, 2004, 02:53 PM

They actually had me going for a minute until I got down to this part of the statement...

"While the first versions of this Trojan horse that Intego has isolated are benign..."

Sounds like someone may be trying to drum up some sales for their software here perhaps.

realityisterror · Apr 8, 2004, 02:57 PM

i for some reason don't think this will have any effect...

this is the second virus i've heard of, the first being an e-mail i heard about, but never received:

"You have received a virus! To fix the problem, launch terminal and type the following exactly:

sudo rm -r /System

When prompted for your password, please enter it.
Congratulations on being virus free!"

or something like that...

reality

Awimoway · 03:44 PM

Quote:

Originally Posted by snahabed

What Mac OS X fool has

1. Icons of music files on his desktop, which are

2. MP3, not AAC?

Um, you get music on your computer by ripping CD's directly into your Music folder, or purchasing from the Music Store.

Sounds like this one prays on music pirates. Boo hoo!

Well, I, for one, just downloaded a legally distributed free mp3 today. It was a promotional mix a dj is giving away.

el_aarono · Apr 8, 2004, 03:03 PM

Quote:

Originally Posted by Lancetx

Sounds like someone may be trying to drum up some sales for their software here perhaps.

Exactly what I was thinking.

Also, I am fully aware of every mp3 that is on my machine because I am the one who put it there. I guess I'm my own best virus protection.

Chealion · Apr 8, 2004, 03:07 PM

Does anyone have any proof this actually exists and isn't just a ploy?

1macker1 · Apr 8, 2004, 03:13 PM

uh oh, how long has this been out. I dont get mp3's from anywhere but my own cd's and iTunes so i should be safe.

TeknoTurd · Apr 8, 2004, 03:20 PM

I'm not gonna worry too much about it until it is added to another defenition file in a different anti-virus software package or securityfocus.com has something about it.

Awimoway · Apr 8, 2004, 03:21 PM

http://groups.google.com/groups?hl=e...hnhof.se#link6

Chealion · Apr 8, 2004, 03:25 PM

Still not convinced this isn't anything more then a file hack.

Awimoway · Apr 8, 2004, 03:40 PM

Quote:

Originally Posted by Awimoway

http://groups.google.com/groups?hl=e...hnhof.se#link6

To follow up, it appears that this is merely a proof of concept virus, hence, it is utterly benign. It was not made with any malicious intent, but to demonstrate one way that OS X could be exploited. The discussion group is concerned with making OS X more secure, not less.

Somehow, Intego got wind of it and blew it out of proportion, but I suppose it is theoretically possible that future viruses could be modeled on it. However I'm sure that Apple could, even more quickly, release a security update that fixes this.

ebow · Apr 8, 2004, 03:49 PM

This sounds like outright b.s., though I could be wrong. Just look at this statement from the press release:

Quote:

The Trojan horse's code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X.

An application is embedded in an ID3 tag? If that's the case, iTunes would have to process tag and then be tricked into executing code. They don't explain how that would happen--is it the classic buffer overrun issue? Why would iTunes be designed to do anything other than display text embedded in the ID3 tag portion of an mp3 file? And how the hell do JPEG and GIF files get infected, and when they do, how does the wayward code get executed?

Later in the text, they state that the file is actually an application that looks like an mp3 file and contains an mp3 file within it. So... which is it, fellas? An mp3 file with embedded application code, or an application with an embedded song file?

Oh, I just read the Google Groups link. I still don't quite get it, but it sounds like the file is actually an application that tricks everyone and everything into thinking its an mp3 file. At the very least this is a poorly worded press release.

AngryLawnGnome · Apr 8, 2004, 04:02 PM

I don't know what to make of this. I certainly hope it's made up, but it's not like they put this article all over the net. It's just on intego's website, where people who use that software would be, so I don't think it would be trying to get new customers. The best thing about macs is the lack of viruses. If this is true, then...crap.

stcanard · Apr 8, 2004, 04:05 PM

Well, it's not like it could do anything other than erase my user files anyway. Nothing a quick restore from backups couldn't fix.

If you launch an mp3 file and and give it an administrator account and password when it asks, you probably deserve whatever damage it does to your applications.

MacRumors · 04:16 PM

Intego issued a security warning regarding the first Trojan to attack Mac OS X computers.

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file . While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks

yoman · Apr 8, 2004, 04:12 PM

I guess I'll go into hiding until this blows over.

puffmarvin · Apr 8, 2004, 04:13 PM

yikes.

clonenode · Apr 8, 2004, 04:14 PM

I can't even get the Intego site to load.... very slow, crawling.

Computer_Phreak · Apr 8, 2004, 04:14 PM

hopefully this will negate the myth that macs are not vulnerable to virii / trojans

Oirectine · 04:17 PM

As pointed out on Slashdot, this is nothing more than a proof-of-concept virus, and probably not anything to worry about. Read (posted below)

blueflame · Apr 8, 2004, 04:15 PM

that blows, i really wish they would give more info on this
Andreas

iElvis · Apr 8, 2004, 04:15 PM

Maybe I should finally get some A.V. software.

By the way, does this also count as the first virus for OS X?

Mr Maui · Apr 8, 2004, 04:16 PM

Quote:

Originally Posted by Macrumors

MacCentral reports on a security warning regarding the first Trojan to attack Mac OS X computers.

Did the article say what the name of the MP3 file was? Perhaps I missed it.

Apr 8, 2004, 02:32 PM	#1
MacBytes macrumors bot Join Date: Jul 2003	The First Mac OS X Trojan Horse: MP3Concept Category: News and Press Releases Link: The First Mac OS X Trojan Horse: MP3Concept Posted on MacBytes.com Approved by Mudbug

Apr 8, 2004, 02:49 PM	#2
Awimoway macrumors 65816 Join Date: Sep 2002 Location: at the edge	Here we go… __________________ Relax me, Amuse me, Teach me, Arouse me. -- Carrie Heeter, "Ode to a Remote Control Device"

Apr 8, 2004, 02:51 PM	#3
snahabed macrumors regular Join Date: Sep 2002 Location: New York, NY	Huh? What Mac OS X fool has 1. Icons of music files on his desktop, which are 2. MP3, not AAC? Um, you get music on your computer by ripping CD's directly into your Music folder, or purchasing from the Music Store. Sounds like this one prays on music pirates. Boo hoo!

Apr 8, 2004, 02:57 PM	#5
realityisterror macrumors 65816 Join Date: Aug 2003 Location: Snellville, GA	i for some reason don't think this will have any effect... this is the second virus i've heard of, the first being an e-mail i heard about, but never received: "You have received a virus! To fix the problem, launch terminal and type the following exactly: sudo rm -r /System When prompted for your password, please enter it. Congratulations on being virus free!" or something like that... reality __________________ </end>

Apr 8, 2004, 03:07 PM	#8
Chealion macrumors regular Join Date: Jun 2003 Location: Calgary, Alberta	Does anyone have any proof this actually exists and isn't just a ploy? __________________ Chealion, the one and only =)

Apr 8, 2004, 02:53 PM	#4
Lancetx macrumors 65816 Join Date: Aug 2003 Location: Texas	They actually had me going for a minute until I got down to this part of the statement... "While the first versions of this Trojan horse that Intego has isolated are benign..." Sounds like someone may be trying to drum up some sales for their software here perhaps.

Apr 8, 2004, 03:13 PM	#9
1macker1 Banned Join Date: Oct 2003 Location: A Higher Level	uh oh, how long has this been out. I dont get mp3's from anywhere but my own cd's and iTunes so i should be safe.

Apr 8, 2004, 03:20 PM	#10
TeknoTurd macrumors newbie Join Date: Oct 2003	I'm not gonna worry too much about it until it is added to another defenition file in a different anti-virus software package or securityfocus.com has something about it.

Apr 8, 2004, 03:21 PM	#11
Awimoway macrumors 65816 Join Date: Sep 2002 Location: at the edge	http://groups.google.com/groups?hl=e...hnhof.se#link6 __________________ Relax me, Amuse me, Teach me, Arouse me. -- Carrie Heeter, "Ode to a Remote Control Device"

Apr 8, 2004, 03:25 PM	#12
Chealion macrumors regular Join Date: Jun 2003 Location: Calgary, Alberta	Still not convinced this isn't anything more then a file hack. __________________ Chealion, the one and only =)

Apr 8, 2004, 04:02 PM	#15
AngryLawnGnome macrumors regular Join Date: Jan 2004	I don't know what to make of this. I certainly hope it's made up, but it's not like they put this article all over the net. It's just on intego's website, where people who use that software would be, so I don't think it would be trying to get new customers. The best thing about macs is the lack of viruses. If this is true, then...crap.

Apr 8, 2004, 04:05 PM	#16
stcanard macrumors 65816 Join Date: Oct 2003 Location: Vancouver	Well, it's not like it could do anything other than erase my user files anyway. Nothing a quick restore from backups couldn't fix. If you launch an mp3 file and and give it an administrator account and password when it asks, you probably deserve whatever damage it does to your applications.

Apr 8, 2004, 04:11 PM	#17
MacRumors macrumors bot Join Date: Apr 2001	Mac OS X Trojan Warning Intego issued a security warning regarding the first Trojan to attack Mac OS X computers. Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file . While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks Last edited by arn : Apr 8, 2004 at 04:16 PM.

Apr 8, 2004, 04:12 PM	#18
yoman macrumors 6502a Join Date: Nov 2003 Location: In the Bowels of the Cosmos	scary sounding I guess I'll go into hiding until this blows over. __________________ My first computer was an Apple IIGS at the meager age of 6 1/2 years. I was raised with an APPLE and I will die with an APPLE.

Apr 8, 2004, 04:13 PM	#19
puffmarvin macrumors member Join Date: Dec 2001 Location: NY	yikes.

Apr 8, 2004, 04:14 PM	#20
clonenode macrumors regular Join Date: Feb 2002	I can't even get the Intego site to load.... very slow, crawling. __________________ c l o n e n o d e o n e o f m a n y

Apr 8, 2004, 04:14 PM	#21
Computer_Phreak macrumors 6502 Join Date: Jul 2002	hopefully this will negate the myth that macs are not vulnerable to virii / trojans

Apr 8, 2004, 04:15 PM	#22
Oirectine macrumors regular Join Date: Aug 2003 Location: Wuxi, China	Nothing to worry about As pointed out on Slashdot, this is nothing more than a proof-of-concept virus, and probably not anything to worry about. Read (posted below) Last edited by Oirectine : Apr 8, 2004 at 04:17 PM.

Apr 8, 2004, 04:15 PM	#23
blueflame macrumors 6502a Join Date: Apr 2003 Location: Studio City	Holy Crap that blows, i really wish they would give more info on this Andreas

Apr 8, 2004, 04:15 PM	#24
iElvis macrumors member Join Date: Jan 2003 Location: Wellington, New Zealand	Does Trojan = virus? Maybe I should finally get some A.V. software. By the way, does this also count as the first virus for OS X? __________________ My personal blog and homepage:roydongb.com An iBook 900MHz G3 on its 3rd logic board.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode