I'm not too worried about this one - sounds like it would be only in very select cases that someone would have an MP3 on their desktop. After all, if you rip CDs, or download AACs from the iTMS, they aren't going to be MP3s. So having an MP3 on your desktop is a rarity in itself the way I see it. Other than the odd tune you might grab from a website or something, the only way I see people having MP3s on their desktops is from illegally downloaded music files. And if people like that get their system fried, oh, gosh darnit, I'll just be so sad for them... 🙄 😉

I think this is a trojan developed by a Mac anti-virus software company. They're obviously sitting around with nothing to do and making no money, since there aren't any real virii/viruses for the Mac, so they decided to drum up some business for themselves! 😉 😎
 
did anyone actually read the Google page mentioned earlier?

Here's the proof-of-concept virus. It works. No password required. It doesn't harm your system. But it's obvious that it could.

http://www.scoop.se/~blgl/virus.mp3.sit


And apparently, it was not the security company who wrote it, or some mysterious Mac haters, but it came out of a theoretical discussion on the comp.sys.mac usenet news group.
 
The "myth"?

The "myth" that Macs aren't susceptible to viruses and trojans? Who honestly ever suggested that? The truth that Windows fans don't like is that OS X is much SAFER from viruses than Windows--in large part by design. Nobody ever said ANY OS is perfect.

Having said that, a trojan horse is essentially something pretending to be something else. It could be nothing more than an image on the screen telling you to put your Documents folder in the trash! A trojan horse is human-driven, and no OS can prevent people from tricking other people.

Wake me up when OS X gets its first VIRUS. This ain't it.

Then we won't be able to say "OS X has no viruses." We'll have to settle for "OS X finally has 1 virus" 🙂
 
masquerader

MetallicPenguin said:
You know what's funny? I was just talking about making little scripts and stuff that will ask you for a domain and stuff and then open Safari and bring you to them as a nifty little thing. But it did that and opened Mail and email at the same time behind Safari. So I think it is a coincidence this comes up because it is pretty much what I was doing for fun. And then after that I made one that looked like a picture, so I'm surprised this isn't my doing.

You are right, it is funny. This is obviously the work of someone determined on making Macs look bad. Mac users wouldn't waste time creating something that would harm their favorite operating system. And if someone started learning about OS X just to create something harmful, there's a good chance they'd see just how great OS X was and not proceed.

Nonetheless, OS X's tight integration and underlying framework of AppleScript is a HUGE potential for malicious activity.
 
Nothing to worry about

iJed said:
First, it's an application that you must run by yourself. Second, it's a CFM application, so it needs its resource fork, creator fork and file type to run.

You'd have to download this thing encoded in a format such as a Stuffit archive and then double-click it to run. Basically you'd need to be pretty stupid.

iJed is the only person so far who's mentioned the most important point. This is a Carbon app with an Application (APPL) filetype, but with a file extension of .mp3. But the filetype/creator code is stored in a resource fork. Transferring this file through a non-Mac system will lose the resource fork, thus neutralizing the threat. So if you download an "mp3" file that isn't contained inside a resource-fork-friendly archive file like a .sit or .dmg, you basically have nothing to worry about.
 
jimthorn said:
iJed is the only person so far who's mentioned the most important point. This is a Carbon app with an Application (APPL) filetype, but with a file extension of .mp3. But the filetype/creator code is stored in a resource fork. Transferring this file through a non-Mac system will lose the resource fork, thus neutralizing the threat. So if you download an "mp3" file that isn't contained inside a resource-fork-friendly archive file like a .sit or .dmg, you basically have nothing to worry about.

So if it needs a .sit or .dmg file type in order to "survive" it's fine... who downloads those kind of archive files from unknown sources anyway?
 
well, all the "this is benign because it won't survive..." or "who would be so stupid to do this and that..." is pure hypocrisy. a lot of windows folks have the same idea, yet viruses/trojans are problems in windows. ("who'd open an email attachment?" - but people do!)

there are people who will have mp3's on the desktop. there are people who will download .sit files from unknown sources. the potential of this trojan is not diminished at all.

the problem with this is the apparent mismatch between what Finder displays on the desktop and how it acts on it. in this case, a file is shown by Finder as an mp3 (based on the extension) but when double-clicked, Finder launches it as an app (based on the file type).

whatever the motive of the news source, i expect apple to patch the Finder discrepancy soon. hopefully no later than tomorrow.

we'll see...
 
google does not find anything with MP3Virus.Gen yet.

who would WANT to have a virus like that by the way?

the first answer i can think of is RIAA. scaring people away from pirating music ...

it'll be really curious to see once they capture this trojan writer and / or the powers / money behind the trojan. RIAA is for sure one instance that will profit from scaring the users of p2p-ing.
 
ebow said:
This sounds like outright b.s., though I could be wrong. Just look at this statement from the press release:

An application is embedded in an ID3 tag? If that's the case, iTunes would have to process the tag and then be tricked into executing code. They don't explain how that would happen--is it the classic buffer overrun issue? Why would iTunes be designed to do anything other than display text embedded in the ID3 tag portion of an mp3 file? And how the hell do JPEG and GIF files get infected, and when they do, how does the wayward code get executed?

Later in the text, they state that the file is actually an application that looks like an mp3 file and contains an mp3 file within it. So... which is it, fellas? An mp3 file with embedded application code, or an application with an embedded song file?

Oh, I just read the Google Groups link. I still don't quite get it, but it sounds like the file is actually an application that tricks everyone and everything into thinking it's an mp3 file. At the very least this is a poorly worded press release.


My assessment is that these virus software vendors saw this little exploit talked about and decided it would be good for business to raise a huff about how MP3 files are vehicles for viruses but didn't understand the real issues enough to communicate them.

1) This is an issue with resource forks and OS X gladly executing code in resource forks. It has nothing to do with MP3, and certainly nothing to do with ID3 tags within the MP3 files. The dead giveaway there is that the virus vendors claim the same attack makes JPEG and GIF format files equally at risk: these obviously don't have ID3 tags.

2) The "fix" would seem to be fairly simple for Apple: adjust the Finder to call CFM/resource files "Apps" if indeed double-clicking on them would cause them to execute instead of being sent to another application. It's simply a matter of the left hand not knowing just what the right hand is doing, and that's eminently fixable.

3) For us "normal folks" there's really not much if anything to worry about. Why? Well let's start another list:

A) You need to download an MP3 (or other data) file with a resource fork attached to it for this to be a problem. When was the last time you downloaded a file with a resource fork that wasn't obviously Mac-specific (i.e., an application)? When was the last time you saw an MP3 download wrapped in a .sitx or .dmg wrapper to preserve the resource forks (.zip of course loses resource forks as we all know, right?)

B) There is still, of course, very little likelihood of someone targeting Macs with this type of virus. Doesn't say anything about overall Mac security, of course, but the facts on the ground are the facts on the ground: you don't need to build the bomb shelter and stock up on vats of water just yet.

C) While the virus software writers obviously went to pains to cast as large a net as they could with this, to drum up as much fear as possible and to create as much business as possible in return, there is no specific file type which is a "new threat" here, and this particular threat has been viable for many years (when were resource forks introduced?) They may just as easily have said that this is the latest Word .DOC virus, which this time targets Macs!
 
Mac fanatics cause iVirus

This isn't a shameless plug [fingers crossed behind my back] but I wrote an article on my website a few weeks back called "Mac Fanatics cause iVirus":

http://adzoox.com/macfanaticvirus.html

One of the points I make is that Mac users were actually hit by the Sobig and Mydoom viruses because they were email propagation worms - Macs get email .... so.... email was FAR exceeding normal SPAM the few days of propagation.

Another point I raise is that Mac virus scans don't make much if any money - I wonder when the day will be when Norton propagates a virus (internally) to "achieve sales" - I already think they do this on the PC side.

I also said that mac lovers bragging about no mac viruses may be asking for it to happen ... even prompting it.
 
I think I have this file

7on said:
bah, has anyone used or opened this offending file?


Holy cow! I believe I have this file. I downloaded it using Poisoned about a month ago (it was titled something that I was looking for) and when I opened it up I remember it royally hosing iTunes. Not realizing that the mp3 was the cause, I tried it again when I rebooted my computer, with the same result. My computer has run just fine ever since (no noticeable lasting effects).

I believe I still have the file tucked away in some misc. folder on my computer...I'll check that out after my exam tonight and post the name of that mp3. Hell, I might even fire it up again just to make sure I'm thinking of the right thing (right after I back up my files 🙂 )
 
calm down. this is not a virus, it's just an application with the filename and icon of an mp3. i.e. my virus.mp3 w/ an iTunes mp3 icon... big deal, go to list view for your mp3s and have the "Kind" column visible... now you can tell if it's an mp3 (music file) or a virus (application).

It's nothing to worry about, it could have been done ages ago and i realized this on my own! It's not a virus in an id3 tag lmao... this is sad.
 
jxyama said:
well, all the "this is benign because it won't survive..." or "who would be so stupid to do this and that..." is pure hypocrisy. a lot of windows folks have the same idea, yet viruses/trojans are problems in windows. ("who'd open an email attachment?" - but people do!)

Actually, it is benign, because it isn't a real "virus" yet, it's merely a "proof of concept" for a security problem in OS X. There is at this time no malevolent version of this file. Until Apple patches the OS, simply don't download a .sit file containing an .mp3 and then double-click it.

As far as the "who would be stupid enough to do that" part of your post, you're right -- if there was currently a threat, some people might be affected. But again, this type of virus cannot survive passing through P2P systems, most web servers, or email without being stored in a container that preserves the resource fork. This minimizes the threat significantly.
 
It's a god damn marketing ploy

Move along, nothing to see here.
 
jimthorn said:
Actually, it is benign, because it isn't a real "virus" yet, it's merely a "proof of concept" for a security problem in OS X. There is at this time no malevolent version of this file. Until Apple patches the OS, simply don't download a .sit file containing an .mp3 and then double-click it.

As far as the "who would be stupid enough to do that" part of your post, you're right -- if there was currently a threat, some people might be affected. But again, this type of virus cannot survive passing through P2P systems, most web servers, or email without being stored in a container that preserves the resource fork. This minimizes the threat significantly.

i absolutely agree, i just wanted to throw a little caution to a bunch here who seem to apply different standards, depending on the OS. i just have to say, it's lucky to have this kind of explorable discrepancy in the OS being uncovered by a benign proof-of-concept trojan rather than a malicious one.

fix it up, apple!
 
It actually exists

Chealion said:
Does anyone have any proof this actually exists and isn't just a ploy?

Yes, it exists, but not as an actual virus yet, hence the "Benign". It is a proof of concept. Doesn't do anything malicious.

It started initially as a virus hoax that started about 1 1/2 years ago, I think (Not my info)
http://members.tripod.com/helpcity/mp3virus.html

However, Bo Lindbergh recently (20 March 2004) created a Carbon CFM application that was a proof of concept, and it WORKS! Plays as an MP3 in iTunes, but it really is an application. A damn good Trojan horse if you ask me. Damn good!
http://groups.google.com/groups?hl=...l-5D750C.02150821032004@news.bahnhof.se#link6

So, the thing is, there is not an actual virus in existence, but Intego has obviously noted the proof of concept working, and taken precautions should it actually happen. The easiest way to identify it is simple: select the MP3, JPEG, TIFF, PNG, DOC etc etc file, and Get Info. You'll know it's an app immediately. For those of you concerned about the potential of being fooled, post a comment here, and if I get enough requests, I'll build you a little app to drop any file that should not be an app onto, and it'll notify you and isolate any dangerous ones.

Someone made the comment in another forum about ID3 tags not existing in GIF,TIFF,JPEG etc, but they do contain tags that are not necessary for the display of the image, and there's where the data can be hidden. Being that it is a Carbon CFM app, it is identifiable. Doing this with a Mac OS X .app package or Carbon Mach-O app may be damn near impossible, but I can't be sure about that.

As with anything on the internet, check before you double-click. 😉
 
How it works and why it isn't really an exploit

The file is a CFM application. As others have pointed out, this means that it has a resource fork which it needs in order to be able to run. Thus, it must be downloaded as a compressed file. If the resource fork is stripped, it is harmless, as the payload will never be executed.

Its name ends in ".mp3", and the included icon is copied from an iTunes MP3 file, but its type code is APPL, an application. The data fork is a valid MP3 with PowerPC executable code inside the ID3 tags. When given to iTunes or another MP3 player, it simply plays the included sounds without executing code. When double-clicked from the Finder, the surrounding bits of MP3 file appear to be ignored and the code is executed. The payload for the proof-of-concept displays a dialog box, then tells iTunes to play the file itself, presumably via AppleScript.

When double-clicked, it shows up in the dock as an application, though this could be suppressed in an actual hostile trojan just like many utility programs do. In the Finder, if one is using column view, it is identified as an Application instead of an MP3 File, and its icon is shown instead of a QuickTime-style playback bar for previewing the contents.

In terms of an actual exploit, the only thing going on that is even possibly questionable at an OS level is the presence of other stuff in the data fork before the Joy!peffpwpc tag. I am not certain if this is allowed in the definition of what a PEF executable is supposed to look like. Aside from that, there is nothing else that is tricking the OS into doing something it shouldn't do, only legally included information that is deceptive to a user who is not looking carefully at things.
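The three tell-tales the thread keeps coming back to (an APPL type code behind a data extension, a resource fork on a downloaded data file, and a PEF "Joy!peffpwpc" header inside the data fork) can be checked mechanically. The following is an added example, not code from the thread or from the proof-of-concept's author; it assumes the macOS `xattr` tool and the `..namedfork/rsrc` path for reading real files, and the sample forks it tests are constructed, not taken from the real file.

```python
import os
import subprocess

# PEF container magic: "Joy!peff" followed by the architecture tag "pwpc" (PowerPC).
PEF_MAGIC = b"Joy!peffpwpc"
# Extensions whose files should open as data, never launch as an application.
DATA_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".gif", ".tiff", ".png", ".doc"}


def type_code(finder_info: bytes) -> bytes:
    """First four bytes of com.apple.FinderInfo hold the HFS type code (b'APPL' for apps)."""
    return finder_info[:4]


def classify(name: str, finder_info: bytes, data_fork: bytes, has_resource_fork: bool) -> list:
    """Reasons a data-looking file should be treated as a disguised application (empty = none)."""
    reasons = []
    if os.path.splitext(name)[1].lower() not in DATA_EXTENSIONS:
        return reasons  # only files whose name promises data are interesting here
    if type_code(finder_info) == b"APPL":
        reasons.append("Finder type code is APPL, so double-click launches it")
    if has_resource_fork:
        reasons.append("resource fork present on a downloaded data file")
    if PEF_MAGIC in data_fork:
        reasons.append("PEF/CFM executable (Joy!peffpwpc) embedded in data fork")
    return reasons


def scan_file(path: str) -> list:
    """Run classify() on a real file (macOS assumed; elsewhere the fork checks find nothing)."""
    try:
        out = subprocess.run(["xattr", "-px", "com.apple.FinderInfo", path],
                             capture_output=True, text=True, check=True).stdout
        finder_info = bytes.fromhex(out.replace(" ", "").replace("\n", ""))
    except (OSError, subprocess.CalledProcessError, ValueError):
        finder_info = b""
    try:  # the resource fork is exposed as a named fork path on HFS+/APFS
        has_rsrc = os.path.getsize(os.path.join(path, "..namedfork", "rsrc")) > 0
    except OSError:
        has_rsrc = False
    with open(path, "rb") as f:
        data = f.read(4 * 1024 * 1024)  # the PEF header sits inside the leading ID3 area
    return classify(os.path.basename(path), finder_info, data, has_rsrc)


# Constructed sample forks standing in for the proof-of-concept (hypothetical values).
TROJAN_FINDER_INFO = b"APPL" + b"????" + bytes(24)         # type APPL, no creator
TROJAN_DATA_FORK = b"ID3\x03\x00" + bytes(16) + PEF_MAGIC + bytes(32)
HONEST_FINDER_INFO = b"MPG3hook" + bytes(24)               # ordinary iTunes-tagged MP3
HONEST_DATA_FORK = b"ID3\x03\x00" + bytes(16) + b"\xff\xfb" + bytes(32)

if __name__ == "__main__":
    print(classify("virus.mp3", TROJAN_FINDER_INFO, TROJAN_DATA_FORK, True))
    print(classify("song.mp3", HONEST_FINDER_INFO, HONEST_DATA_FORK, False))
```

Pointing `scan_file()` at a download folder gives the same answer the Finder's "Kind" column or Get Info would, without having to open anything.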
 
very good detective work

varmit said:
Move along, nothing to see here.


Good detective work ... and wouldn't you know the intego site is slashdotted too. I sure hope these message boards continue to expose Intego for being so shameful.
 
Just to sell

The real purpose of this "virus"? Read the end of the page at Intego:
As the dangers of the Internet grow, Intego is hard at work, developing new software to protect users and their Macs from the latest security and privacy threats. We protect your world.
and it should be clear to you.
What really hurts me is that now many Windows users will come with a big smile on their faces, saying: "oh, now even a Mac can get a virus!"
 