Based on my analysis of this:

Files it can delete without user interaction:
  • User files
  • Application files
Stuff it can do:
  • Run a server with a port over 1024+
  • Put itself in ~/Sites and e-mail links to itself. The links will be seen as MP3s by QT and treated as such…the payload should not be executed in this case.
  • E-mail itself to other computers. If e-mailed to a Mac running Mac OS X the computer will ask if you want to execute the file, giving options of "Open", "Save", and "Cancel".
  • Create a startup item to run at boot.
Getting a password will enable wiping the drive…

In short: This can cause damage, but it will be very hard to spread.

The first bit of info on this:

http://groups.google.com/groups?hl=...-5D750C.02150821032004@news.bahnhof.s e#link6
 
The entire problem could be fixed if OS X would just ignore type/creator for files with extensions. If it ends in .mp3 it should open in iTunes. The OS should only look at type/creator if the file doesn't have an extension. No legitimate carbon apps have extensions so this wouldn't break any compatibility.

And if you want to talk about the "virus" spreading, try this scenario:
-Program opens, launches iTunes, and plays a song.
-Program works in the background, scanning the .mbox files in your Library folder for messages with "X-Mailer: Apple Mail" (thus getting a list of mac-using contacts).
-Program picks random song from your iTunes library, and creates a "virus" copy.
-Program mails newly infected song to mac-using friends via OS X's built-in "sendmail" program without you ever knowing (with a title like "check out this song").

This could be particularly believable because the person on the other end would recognize the song as music you listen to. And it could do it all without asking for a password.

Yes, this one is harmless. But it has the potential to be very, very bad.

Fortunately, it seems like an easy fix (ignore type and creator for files with extensions). Let's hope Apple fixes it soon :)
 
coolsoldier said:
And if you want to talk about the "virus" spreading, try this scenario:
-Program opens, launches iTunes, and plays a song.
-Program works in the background, scanning the .mbox files in your Library folder for messages with "X-Mailer: Apple Mail" (thus getting a list of mac-using contacts).
-Program picks random song from your iTunes library, and creates a "virus" copy.
-Program mails newly infected song to mac-using friends via OS X's built-in "sendmail" program without you ever knowing (with a title like "check out this song").

You forgot the last step (assuming the recipient is using Apple Mail):

User clicks on the message and gets this dialogue:
[image: Virus.jpg]


This message may give pause to most users…
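The dialog Cap'n Hector shows is Mail deciding, after the fact, that the attachment is an application. As an added example (not code from the thread, from Apple or from Intego), the Python script below makes that decision itself over an mbox file. It flags two shapes: an attachment whose name says media but whose first bytes are a Mach-O or PEF (CFM) executable header, and the MP3Concept shape, where the data fork really is an MP3 and the 'APPL' type code travels beside it in an application/applefile header (multipart/appledouble, RFC 1740, which is how Macintosh mailers carry Finder info and resource forks). The message it scans is constructed inline; the extension list, the sample header values and the report wording are my assumptions.

```python
"""Added example, not code from the thread: scan an mbox for attachments that
claim to be media but would run as applications.  Extension list, sample
header values and report wording are assumptions; all messages are constructed."""
import mailbox
import os
import struct
import tempfile
from email.mime.application import MIMEApplication
from email.mime.audio import MIMEAudio
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MEDIA_EXTENSIONS = {"mp3", "aac", "m4a", "mov", "mp4", "tiff", "tif", "jpg", "jpeg", "png"}
PEF_MAGIC = b"Joy!peff"                                     # CFM (PEF) container header
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O, either byte order
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O
                b"\xca\xfe\xba\xbe"}                        # fat binary
APPLEDOUBLE_MAGICS = (0x00051600, 0x00051607)               # AppleSingle, AppleDouble (RFC 1740)
ENTRY_RESOURCE_FORK, ENTRY_FINDER_INFO = 2, 9               # AppleDouble entry IDs

def has_media_extension(name):
    return "." in name and name.rsplit(".", 1)[-1].lower() in MEDIA_EXTENSIONS

def looks_executable(head):
    return head.startswith(PEF_MAGIC) or head[:4] in MACHO_MAGICS

def build_appledouble(type_code, creator, resource_fork=b""):
    """Minimal AppleDouble header: a 32-byte FinderInfo entry plus a resource-fork entry."""
    finder_info = struct.pack(">4s4sH", type_code, creator, 0) + bytes(22)
    entries = [(ENTRY_FINDER_INFO, finder_info), (ENTRY_RESOURCE_FORK, resource_fork)]
    out = struct.pack(">II16sH", 0x00051607, 0x00020000, bytes(16), len(entries))
    offset, body = 26 + 12 * len(entries), b""
    for entry_id, data in entries:                      # entry table: id, offset, length
        out += struct.pack(">III", entry_id, offset, len(data))
        offset, body = offset + len(data), body + data
    return out + body

def finder_type_code(blob):
    """The 4-byte HFS type code carried in an AppleSingle/AppleDouble header, or None."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] not in APPLEDOUBLE_MAGICS:
        return None
    count = struct.unpack(">H", blob[24:26])[0]
    if len(blob) < 26 + 12 * count:
        return None
    for i in range(count):
        entry_id, off, ln = struct.unpack(">III", blob[26 + 12 * i:38 + 12 * i])
        if entry_id == ENTRY_FINDER_INFO and ln >= 4 and off + ln <= len(blob):
            return blob[off:off + 4]
    return None

def scan_message(msg):
    """(filename, reason) for every attachment whose name says media but which the Finder would run."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "multipart/appledouble":
            subparts = part.get_payload()
            if len(subparts) == 2 and subparts[0].get_content_type() == "application/applefile":
                name = subparts[1].get_filename() or ""
                header = subparts[0].get_payload(decode=True) or b""
                if has_media_extension(name) and finder_type_code(header) == b"APPL":
                    findings.append((name, "FinderInfo type code is APPL, so the Finder will launch it"))
        elif not part.is_multipart():
            name = part.get_filename() or ""
            payload = part.get_payload(decode=True) or b""
            if has_media_extension(name) and looks_executable(payload[:8]):
                findings.append((name, "payload begins with a Mach-O/PEF executable header"))
    return findings

def build_sample_message():
    """Constructed message: an MP3Concept-shaped lure, a Mach-O renamed .mov, and an honest MP3."""
    msg = MIMEMultipart("mixed")
    msg["From"], msg["To"], msg["Subject"] = "friend@example.org", "you@example.org", "check out this song"
    msg.attach(MIMEText("Had to send you this one.\n"))
    mp3_bytes = b"ID3\x03\x00\x00\x00\x00\x00\x00" + bytes(32)        # a real-looking MP3 data fork
    lure = MIMEMultipart("appledouble")                                # how Mac mailers carry forks
    lure.attach(MIMEApplication(build_appledouble(b"APPL", b"????", bytes(64)), "applefile"))
    song = MIMEAudio(mp3_bytes, "mpeg")
    song.add_header("Content-Disposition", "attachment", filename="song.mp3")
    lure.attach(song)
    msg.attach(lure)
    fake = MIMEApplication(b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + bytes(32), "octet-stream")
    fake.add_header("Content-Disposition", "attachment", filename="trailer.mov")
    msg.attach(fake)
    honest = MIMEAudio(mp3_bytes, "mpeg")
    honest.add_header("Content-Disposition", "attachment", filename="honest.mp3")
    msg.attach(honest)
    return msg

def demo():
    """Round-trip the constructed message through a temporary mbox and scan every message in it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox.mbox")
        box = mailbox.mbox(path)
        box.add(build_sample_message())
        box.close()
        return [(m["Subject"], scan_message(m)) for m in mailbox.mbox(path)]

if __name__ == "__main__":
    for subject, findings in demo():
        print(subject, findings)
```

Point `mailbox.mbox` at a real mailbox instead of the temporary one to run it over your own mail. Note what the magic check cannot see: the MP3Concept data fork really is a valid MP3, so only the FinderInfo carried in the applefile part gives it away; if the file arrives inside a StuffIt or other archive (as a later post suggests), it has to be unpacked before either check applies.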
 
The default should be "Cancel" to protect users that click through dialog boxes without reading them carefully.
 
0 and A ai said:
They have yet to say if anything malicious can come of this PROOF OF CONCEPT TROJAN.

And as Symantec said, it's not out in the wild.

If it's bad, Apple will fix it. If it's nothing, then Intego has got problems coming their way.

I'm not much of a black helicopter kind of guy but this whole Intego thing is pretty suspicious. As a long time Mac user, I am pretty up on Macs and software but Intego has never made my radar screen. Never heard of them before this thread.

Reading the latest MacAddict, they have a blurb in their Get Info article on Mac OS X security and a full page ad. So I pick up my latest MacWorld and a full page ad. macHOME, full page ad. Hmmm.
 
Coolsoldier's scenario is quite realistic. Problem is, it could just as well be executed by using a perfectly normal application with an iTunes logo on it. If you wanted it to be more believable, you could have it contain an MP3, copy it to disk, and play that. No "vulnerability" necessary; you could create an identical trojan on any OS, and the only difference would be that if you dragged it into iTunes it wouldn't play because iTunes would realize it's an app.

I just don't see what the big deal is--although it is an interesting "feature" of old-style resource forks, it isn't functionally any different than any other trojan with a misleading title and icon--I can create one of those in about ten seconds using just the Finder (and the same on Windows).

I'm really annoyed by that CNN story, though; for one thing, since when does one proof-of-concept trojan horse on a minor OS make for TOP OF THE FRONT PAGE NEWS on CNN.com, when there are people dying, Japanese hostages waiting to be executed in a couple of days, and any number of other newsworthy things going on. I never minded CNN, but I've really got to wonder if there's some bias in there now--even if the trojan had been on Windows, would it have really warranted that kind of coverage?

(By the way, I like how OSX shows the ".app" for any non-CFM application that you add an extension to--Apple must've thought of this before. This obviously doesn't work on old resource-fork apps, enabling this hack, since those apps didn't have a .app extension.)
 
Cap'n Hector said:
Based on my analysis of this:


Stuff it could do if it wasn't harmless:

- infect your library of .aac, .mov, .tiff-files...

- install a keylogger...
 
jxyama said:
what you are saying is mostly true, but this is newsworthy just for the fact it's a confirmed vulnerability in OS X/Finder that can be exploited by a trojan. it may seem like hype to you, but it is definitely newsworthy.

being in the news doesn't make OS X any less "solid" and not being in the news doesn't make this problem go away.

Except, of course, the application still needs *access* to do anything nasty -- and that access, unless the user is really stupid, is not going to be easy to come by.

That's the advantage of UNIX.

Oh, looks like someone else has gone through exactly what it can do. There you go :)
 
eSnow said:
Cap'n Hector said:
Based on my analysis of this:


Stuff it could do if it wasn't harmless:

- infect your library of .aac, .mov, .tiff-files...

- install a keylogger...

Thanks for these points.

Infecting other files still bumps into the fact that it's not easy to get executed on another system.

Install a keylogger…yes, it can do that, or monitor most aspects of the computer and send data back to a host somewhere.

Still, it doesn't have the same explosive spread potential that Windows viruses do.
 
OK, how many people actually give a rat’s ass?
I mean come on; this is the first Trojan for MacOS X or any Apple OS ever! And it’s not even in the wild! It’s in a lab somewhere!

I hope Apple starts collaborating with the Open Source community to fight Trojans and viruses... If they don't, we could be almost as bad off as Windows users.

Yeah, not so much. Apple is already working with the Open Source community. If you have ever heard of this very obscure Apple product called MacOS X. I guess it was built on FreeBSD? Whatever that is, I guess it runs a lot of important telecommunication systems and a lot of military systems. It’s supposed to be UNIX based (whatever that is). Yeah, I guess UNIX is wicked secure and amazingly stable. Yeah, apparently Apple decided to move to this platform because there were like no viruses or security holes in it at all. Come on, wake up people!

Oh yeah, MacOS users will never find themselves in the security hell that Windows users currently inhabit. For the simple fact that MacOS is built off of FreeBSD, which is Unix based. And we all know that if there is ever a nuclear holocaust the only things that will survive are cockroaches and UNIX mainframes.

So there is nothing to worry about. To all those people who freaked when they found out that there is a Mac Trojan, calm down... it’s the first one ever and it’s in a lab. Do some yoga breathing... in... and out... in... and out... Don’t worry, Uncle Steve has everything under control; he won’t let Uncle Bill touch you that way.

To all those people who jumped for joy and said "yeah, now Macs suck as much as Windows!"... calm down and shut up. No, it's not; this is the first Trojan ever on Mac. Ever! Last time I checked there were like 60,000 viruses and Trojans for Windows.


Funny Quote:

We think of vegetarian men as low-testosterone, peace-loving types. But give Pixar (Nasdaq: PIXR) CEO Steve Jobs a Taser (Nasdaq: TASR) and the chance to ambush Disney (NYSE: DIS) CEO Michael Eisner in a bathtub and you might make an exception.

By James Early
April 6, 2004
www.fool.com "Funding Nemo"
 
ClimbingTheLog said:
It looks like the problem is either in iTunes or Quicktime - I'm not sure how iTunes is coded, but whichever of them is responsible for validating the file type, it should confirm the validity of the media file. Being a CFM application should be a test of whether a file is a valid media file.

iTunes & QuickTime mean nothing in the context of this application. They could fail to play the file and you would still be owned. The exploit relies entirely on the user double-clicking the file itself, not on anything Quicktime or iTunes does with the file afterwards.

iMeowbot said:
Darwin executables don't have resource forks, can use any (or no) extension, aren't necessarily binaries, and don't even need to be handed to the OS as files. Programs exploiting these characteristics generally need to ride on the back of an existing vulnerable program on the target system. The type of malware that can exploit this would use programs other than the Finder or Mac OS mechanisms to be activated, and there have been countless Unix vulnerabilities of this kind.

You are correct, but that has always been an issue. This type of attack doesn't rely on such a mechanism, it is a pure user-ignorance exploit. It is considerably harder to attack based on this vector.

coolsoldier said:
The entire problem could be fixed if OS X would just ignore type/creator for files with extensions. If it ends in .mp3 it should open in iTunes. The OS should only look at type/creator if the file doesn't have an extension. No legitimate carbon apps have extensions so this wouldn't break any compatibility.

This would fix applications trying to do this, but break other usage scenarios. I have seen recommendations to warn users when an app with a recognized extension is opened, but there are likely to be false positives there as well (which may be acceptable). The reality is there is no simple solution to this.

eSnow said:
Stuff it could do if it wasn't harmless:
- install a keylogger...

Actually it can't install a keylogger without getting authorization. And there is a secure user input mode in OS X that prevents key sniffing without you getting REALLY low level in the system (which of course requires that you got authorization to install whatever it is that will be logging keys).

Really everyone, this thing is blown way out of proportion. All that we really need is 1) Warning to the user that whatever file they are getting in the mail is an application and not a file of some other type and 2) educating the user that a file that they downloaded isn't necessarily what it appears to be.
 
Cap'n Hector said:
You forgot the last step (assuming the recipient is using Apple Mail):
User clicks on the message and gets this dialogue:
[image: Virus.jpg]

This message may give pause to most users...

Just stuffit it. ;-)
 
Oh, and by the way...

You don't even need to be a CFM application to do something stupid like this. I just did it with a standard packaged application, and it took me less than half an hour to do it. And as an even bigger advantage, it means that you don't even need to modify the file that you are pretending to be at all. Just drop it into your bundle and you're set. And while the user is enjoying whatever file you happened to have opened for them, you are busy doing whatever it is you want to do.

So really, it's a nice proof of concept that they can do this with a single-file CFM app, but the same kind of trickery is possible (and easier!) using Mac OS X's native Mach-O bundled application. And in the end even harder to detect, because you don't even need an extension, type or creator.

Oh, and the application itself is all of 2 lines of code.
 
Good point...

Rincewind42 said:
You don't even need to be a CFM application to do something stupid like this. I just did it with a standard packaged application, and it took me less than half an hour to do it. And as an even bigger advantage, it means that you don't even need to modify the file that you are pretending to be at all. Just drop it into your bundle and you're set. And while the user is enjoying whatever file you happened to have opened for them, you are busy doing whatever it is you want to do.

So really, it's a nice proof of concept that they can do this with a single-file CFM app, but the same kind of trickery is possible (and easier!) using Mac OS X's native Mach-O bundled application. And in the end even harder to detect, because you don't even need an extension, type or creator.

Oh, and the application itself is all of 2 lines of code.

Did you let Apple know about this?
 
MegaSignal said:
Did you let Apple know about this?

Huh? This isn't something for Apple to fix. It is just an every day absolutely valid application. Sure it may not do something the user wanted done, but there is nothing wrong with it, nothing out of the ordinary, and nothing that can be done to detect it. The point that I was hoping to make (and which was apparently lost) was that you can do this fairly easily without resorting to the level of hackery that the CFM/MP3 concept did.

The system STILL knows that the "file" is actually an application. It is the user that is confused. The application specifically goes out of its way to make sure the user is confused. But the system knows better.

The only thing (barely) news worthy about the CFM/MP3 hack is that it really is a valid MP3 and a valid CFM application. But the whole point is to get the user to do something that they normally wouldn't - run your application.
 
Everything is...so clear now

So there really isn't a problem then...?

Or is there?

Can I still download apps from known sources off of the web and use them safely?

[Yes, yes, I know - I'm not as smart as a Unix programmer - CFM applications, resource forks, multiple extensions, root, user, admin, etc., etc. - but sooner or later, these questions regarding this latest "threat" will have to be dealt with for the likes of me who merely use Apple computers for their perceived simplicity of use...]

Many apologies for my ignorance.
 
coolsoldier said:
...And if you want to talk about the "virus" spreading, try this scenario:
...
-Program mails newly infected song to mac-using friends via OS X's built-in "sendmail" program without you ever knowing (with a title like "check out this song").
...

Well, there's one problem with this. In earlier versions of Mac OS X*, while sendmail is included, it is not, by default, enabled. So, in order to enable sendmail, the virus would need to get the password to edit the hostconfig file, then restart the machine. I don't see this as being any more serious a weakness than other aspects of the trojan situation.

* In 10.3 sendmail is not included. Instead, Postfix Mail Transport Agent is standard. It, too, is not enabled by default.
 
chriscorcoran said:
...I mean come on; this is the first Trojan for MacOS X or any Apple OS ever! And it’s not even in the wild! It’s in a Lab some where! ....

Uh, check your history. There have been other trojans and viruses on Mac OS. A worm that immediately comes to mind is the rather ancient QT Autostart Worm from a decade or so ago. Just because Mac OS is more secure than Windows doesn't mean that there have been no attacks...

 
Cap'n Hector said:
You forgot the last step (assuming the recipient is using Apple Mail):

User clicks on the message and gets this dialogue:
[image: Virus.jpg]


This message may give pause to most users…

I was pleased to know that I picked the correct one, prior to the answer being given. How soon do you think that Apple will have a fix?
 
Rincewind42 said:
...The system STILL knows that the "file" is actually an application. It is the user that is confused....

I still like the idea of the OS putting little mini-icons superimposed over the app/doc icon to identify what the system sees the file as being. That could save a fair bit of confusion...
 
MegaSignal said:
So there really isn't a problem then...?

Or is there?

Can I still download apps from known sources off of the web and use them safely?

If you trust your source, feel free. But be wary of things that just don't make sense. In general, just use common sense: never open something from someone you don't know, or weren't expecting a file from. Just standard precautions that come with using the net.

MegaSignal said:
[Yes, yes, I know - I'm not as smart as a Unix programmer - CFM applications, resource forks, multiple extensions, root, user, admin, etc., etc. - but sooner or later, these questions regarding this latest "threat" will have to be dealt with for the likes of me who merely use Apple computers for their perceived simplicity of use...]

Many apologies for my ignorance.

No worries, no one is born knowing what they know now. And all this comes from living in a world where unfortunately not everyone is honest.
 
Snowy_River said:
I still like the idea of the OS putting little mini-icons superimposed over the app/doc icon to identify what the system sees the file as being. That could save a fair bit of confusion...

I agree. It may spoil the aesthetics of some people's icons, but it is a small issue compared to clarifying what a file is to the user. Although this would have to be done a bit differently for documents (only superimpose the mini-icon on a document with a custom icon; after all, it'd be kinda strange to see an MP3 with a mini MP3 icon over the full sized one :) ).
 
Or just have Apple warn the user if the resource fork is different than the extension. Or throw away resource forks. Something, I think, Apple is trying to do, considering they built in zipping in 10.3, something that does not include resource forks. And I wouldn't be surprised if Apple made UFS the default file system in its OS. Might be a while though, but it is imminent. Not an extremely hard problem for Apple to fix.
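Putting the thread's proposals together (warn when the name's extension and the HFS type code disagree; remember Rincewind42's point that a bundle with a custom icon needs neither a type code nor an extension), here is an added example, not code from the thread or from Apple, of that check on disk. `classify()` is a pure function that runs anywhere on constructed inputs; `inspect()` gathers those inputs on a Mac from the com.apple.FinderInfo extended attribute (read with `xattr -px`), the first bytes of the data fork, the size of the `..namedfork/rsrc` resource fork and the presence of a `Contents/MacOS` directory. The extension list, the sample type/creator codes and the wording of the reasons are my assumptions.

```python
"""Added example, not code from the thread: report a file whose name says
"document" while the system would still run it as an application.  Extension
list, sample type/creator codes and the xattr(1) usage are assumptions."""
import os
import struct
import subprocess

MEDIA_EXTENSIONS = {"mp3", "aac", "m4a", "mov", "mp4", "tiff", "tif", "jpg", "jpeg", "png", "pdf"}
TYPE_APPLICATION = b"APPL"          # HFS type code the Finder launches regardless of the name
FLAG_HAS_CUSTOM_ICON = 0x0400       # kHasCustomIcon bit of fdFlags (Finder.h)
PEF_MAGIC = b"Joy!peff"             # CFM (PEF) container header
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def media_extension(name):
    """The media extension a name claims, or '' if it makes no such claim."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in MEDIA_EXTENSIONS else ""

def parse_finder_info(blob):
    """(type, creator, fdFlags) from a com.apple.FinderInfo value; (None, None, 0) when unset."""
    if not blob or len(blob) < 10:
        return None, None, 0
    return struct.unpack(">4s4sH", blob[:10])

def looks_executable(head):
    return head.startswith(PEF_MAGIC) or head[:4] in MACHO_MAGICS

def classify(name, finder_info=b"", data_head=b"", resource_fork_bytes=0, is_dir=False, bundle_executable=False):
    """Reasons the item is an application wearing a document name; an empty list means no contradiction."""
    ext = media_extension(name)
    if not ext:
        return []        # no extension, so there is no document claim for the type code to contradict
    type_code, _creator, flags = parse_finder_info(finder_info)
    reasons = []
    if type_code == TYPE_APPLICATION:
        reasons.append(f".{ext} name but HFS type code APPL (the MP3Concept trick)")
    if looks_executable(data_head):
        reasons.append("data fork starts with a Mach-O/PEF executable header")
    if is_dir and bundle_executable:
        reasons.append("it is an application bundle with Contents/MacOS, not a flat media file")
    if reasons and flags & FLAG_HAS_CUSTOM_ICON:
        reasons.append("custom icon flag set, so the icon proves nothing")
    if reasons and resource_fork_bytes:
        reasons.append(f"resource fork of {resource_fork_bytes} bytes, where CFM code would live")
    return reasons

def inspect(path):
    """macOS only: collect the inputs for classify() from a real path (assumes the xattr(1) tool)."""
    finder_info, data_head, rsrc = b"", b"", 0
    try:
        proc = subprocess.run(["xattr", "-px", "com.apple.FinderInfo", path], capture_output=True, text=True)
        if proc.returncode == 0:
            finder_info = bytes.fromhex("".join(proc.stdout.split()))
    except (FileNotFoundError, ValueError):
        pass
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            data_head = fh.read(8)
        try:
            rsrc = os.path.getsize(path + "/..namedfork/rsrc")   # 0 or OSError when there is no fork
        except OSError:
            rsrc = 0
    bundle = os.path.isdir(os.path.join(path, "Contents", "MacOS"))
    return classify(os.path.basename(path), finder_info, data_head, rsrc, os.path.isdir(path), bundle)

def constructed_samples():
    """Constructed FinderInfo blobs and file heads (not real files) for the cases the thread discusses."""
    trojan = struct.pack(">4s4sH", b"APPL", b"????", FLAG_HAS_CUSTOM_ICON) + bytes(22)
    honest = struct.pack(">4s4sH", b"MPG3", b"hook", 0) + bytes(22)   # assumed iTunes type/creator
    mp3_head = b"ID3\x03\x00\x00\x00\x00"
    return {
        "mp3concept": classify("song.mp3", trojan, mp3_head, resource_fork_bytes=65536),
        "honest mp3": classify("song.mp3", honest, mp3_head),
        "macho as jpg": classify("photo.jpg", b"", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"),
        "bundle as mp3": classify("song.mp3", is_dir=True, bundle_executable=True),
        "real app": classify("iTunes", trojan, b"Joy!peff"),
    }

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, inspect(target) or "ok")
    for label, reasons in constructed_samples().items():
        print(label, reasons or "ok")
```

Run it with one or more paths to inspect real items; with no arguments it prints the constructed cases. The "real app" case shows the limit of coolsoldier's rule as written: a file with no extension is judged by type code alone, which is exactly how legitimate classic applications are identified, so the rule only bites when an extension is present to be contradicted.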
 