This could have been done even more easily

Take any existing application on your computer.

Look in its resources folder and copy an MP3 file icon to be its icon.icns file. Then set its display name to be "listenToMe.mp3"

When Finder opens a folder with it, it'll display "listenToMe.mp3" as the file name and an MP3 label as its icon.

Wow, I edited one plist file and copied one image file and I made Fire be hidden in an MP3 file.

I suppose on the one hand this means it's not JUST a Carbon problem with the resource fork, BUT, it still requires it to be downloaded in an archive form because an application package contains multiple files and directories.
 
_pb_boi said:
I wanna negate the myth that virii is the correct plural of virus 😛 Its Latin roots dictate the correct ending to be "viruses" - as in "buses", for example. Rather than "busii" (buses), or "sinii" (sinuses) 🙂

Ah well - people argue and argue over this one. It's in the Latin 🙂

As Slashdot mentions, it's a proof of concept - but, the proof of concept is all it takes to make people follow suit, improvise, and, ultimately, refine their technique. Maybe we can rely on the fact a proportionately higher number of Mac users are intelligent 😉 jk 🙂

andy

Considering that your English is less than perfect, I seriously doubt that we should trust your Latin. 😉
 
gwuMACaddict said:
ok...

but dont you have to be stupid enough TO OPEN IT IN THE FIRST PLACE!? 😕

that kind of "defense" would apply to any virus or trojan, regardless of the OS.

i don't think Mac users are any more immune from being "stupid" than windows/PC users, on average. (MR members are probably more immune. 😉 ) (but i'd argue Mac users may be a bit more susceptible because many have been using Macs without ever having to worry about virus or trojans.)
 
Unless there's an actual exploit involved, this trojan is a non-issue. Displaying an mp3 icon and giving it a .mp3 extension is not an exploit. This is exactly how viruses used to work. It has to trick the user into actually launching the program, and programs can of course do whatever they want. If it exploited a bug, or worked without user interaction, then there would be something to talk about.

Reading the press release, this Intego company is definitely trying to drum up business. They should just be ignored. If you really want virus protection, there's several options. One of my favorites is getting .Mac and having Virex come with it, because you're actually getting something of value for the cost. The other idea I like is getting clamav, because it's free. You could always get Norton AntiVirus too, but if it's just for personal use, why not get a .Mac subscription for the same price, get the virus program, and get the extra features of .Mac?

Now if you'll excuse me, I need to go update my backups...
 
Giaguara said:
Sooo .. keep the type of file visible always, and you will see it is a something.mp3.somethingelse .. 🙄
Unfortunately that doesn't work quite as well with applications. In their packages they have options for display names which are used instead -- hence people on a Spanish system can see "Agenda" instead of "Address Book." Neither display ".app" on my system if I have the option to always show extensions turned on.
 
jxyama said:
well, all the "this is benign because it won't survive..." or "who would be so stupid to do this and that..." is pure hypocrisy. a lot of windows folks have the same idea, yet virus/trojan are problems in windows. ("who'd open an email attachment?" - but people do!)

The big difference is in culture and design.

The majority of Windows users run accounts that by default have write access to the system32 directories. That's because it is too much of a pain to do otherwise (I wrote a long post in another security thread about why, I'm not going to go into it here)

In OSX, even if you are an admin account you still need to type a password to give it access to /System, /bin /lib, etc. So there is a warning system in place.

That makes a huge difference -- if windows users were presented with a dialog saying "Your MP3 file is about to modify system libraries", (which is what the password dialog in OSX means) you bet they would be suspicious.

As for modification of ~/Library/Preferences, you do take regular backups right? So it's not much of a pain to replace it.

If you're running untrusted binaries in an account with important data that is not backed up, again I fall back on ... maybe next time you'll learn, and at least unlike the average Windows user at least you can be confident that you don't need to reinstall your OS because it's still clean thanks to sudo.
 
Spades said:
Unless there's an actual exploit involved, this trojan is a non-issue. Displaying an mp3 icon and giving it a .mp3 extension is not an exploit. This is exactly how viruses used to work. It has to trick the user into actually launching the program, and programs can of course do whatever they want. If it exploited a bug, or worked without user interaction, then there would be something to talk about.

when you double click on an ordinary mp3 file, you expect the Finder to launch iTunes or any other default mp3 player and play the file.

what this trojan does is instead of the file being played as an mp3, it is launched by Finder as an application, even though it looks like an mp3 file to the user.

that's a bug and there's potential for it to be exploited. the problem is, Finder shows one thing but acts on it differently.

like others wrote, because of the way applications are packaged, it's hard to propagate. it's a bug and an exploit, nonetheless.
 
Now that I think about it

Can't I sue them for creating a virus? I mean, law enforcement is tracking down virus writers for the PC, what about my Mac? I'm not worthy of having my attackers captured. LOL....but really, I'm sick of this being a ploy for that damn company. They write a virus and then make a program to stop it, isn't that extortion? Pay up or you could get this virus we made.

If I made a virus for the PC, and said pay me or you COULD get this, I would be in jail quicker than I could say my IP address.
 
7on said:
Personally sudo has never settled right with me. Apple should rid the system of the command and only allow root access by logging in as root. Sure it'd be time consuming to delete an undeletable file, but it'd be worth it for the security.

It's just the opposite actually.

If you have a root shell open for administration, it's too easy to accidentally type the command in the wrong window, and before you know it you've done something stupid to your system.

Ever accidentally shut down your remote server when you meant to reboot your home computer, because you picked the wrong window? It's the same idea (and trust me, doing that is really embarrassing, and quite a pain if you end up having to go into the office to restart it so other people can get in...)

By requiring you to type sudo before the command, there is far less chance of accidentally executing something at root privilege because the focus wasn't where you thought it was.

The administration by sudo is one of the smarter things Apple has done security wise, and the linux distros would be wise to take a page from their book.
 
stcanard said:
The big difference is in culture and design.

The majority of Windows users run accounts that by default have write access to the system32 directories. That's because it is too much of a pain to do otherwise (I wrote a long post in another security thread about why, I'm not going to go into it here)

In OSX, even if you are an admin account you still need to type a password to give it access to /System, /bin /lib, etc. So there is a warning system in place.

That makes a huge difference -- if windows users were presented with a dialog saying "Your MP3 file is about to modify system libraries", (which is what the password dialog in OSX means) you bet they would be suspicious.

As for modification of ~/Library/Preferences, you do take regular backups right? So it's not much of a pain to replace it.

If you're running untrusted binaries in an account with important data that is not backed up, again I fall back on ... maybe next time you'll learn, and at least unlike the average Windows user at least you can be confident that you don't need to reinstall your OS because it's still clean thanks to sudo.

i don't disagree with you. i too believe OS X to be more secure by design.

that's not the issue for me. i posted what i did because many of the posts that appear (to me) hypocritical in nature do not mention any of the design or inherent differences - many of them simply state why this trojan is stupid or not dangerous using reasons that are just as applicable to any windows trojans/viruses. ("who'd open this? it would be so stupid, so this isn't harmful.")
 
_pb_boi said:
I wanna negate the myth that virii is the correct plural of virus Its Latin roots dictate the correct ending to be "viruses" - as in "buses", for example. Rather than "busii" (buses), or "sinii" (sinuses)

Ah well - people argue and argue over this one. It's in the Latin

As Slashdot mentions, it's a proof of concept - but, the proof of concept is all it takes to make people follow suit, improvise, and, ultimately, refine their technique. Maybe we can rely on the fact a proportionately higher number of Mac users are intelligent jk

andy

bousozoku said:
Considering that your English is less than perfect, I seriously doubt that we should trust your Latin. 😉

A wise conclusion. My Latin dictionary gives:

Vir/us -i n. slime; poison; offensive smell; salt taste.

So the Latin plural of "virus" is indeed "viri" (not "virii") like any other 2nd declension noun. Certain words ending in "-ius" do end in "-ii" for the plural, though.

Generally, the rule in English is to permit either the Latin or anglicized plural. For example, both "indexes" and "indices" are correct. "Bus" isn't a Latin word. "Sinus" (in the sense in which I think the original poster means it) is, but is not a 2nd declension noun (4th, I think) and the plural is "sinus" except with a long "u." If you are still awake at this point, "sinus" means, among other things, "curve, fold." There is another Latin word, also spelled "sinus" (except with a long "i") meaning "large cup." The plural is "sini."

So much for pointless pedantry.
 
Spades said:
Unless there's an actual exploit involved, this trojan is a non-issue. Displaying an mp3 icon and giving it a .mp3 extension is not an exploit. This is exactly how viruses used to work. It has to trick the user into actually launching the program, and programs can of course do whatever they want. If it exploited a bug, or worked without user interaction, then there would be something to talk about.

Actually, it's a bit more sophisticated than "displaying an mp3 icon and giving it a .mp3 extension". It's a bit of code stored within the id3 header information on the mp3 file. It is a real mp3 file. The resource fork has a filetype of application. So when you double-click the file, the resource fork's filetype tells the Finder to execute the hidden code as an application. If you simply open the mp3 file using iTunes's "Add to Library", it will work as a normal mp3 file. Interesting bit of exploitation, eh?
 
Do you know why MacBidouille knows??

Kalomir said:
Please check Macbidouille latest news on that matter on hardmac.com (English version of MB)

Intego is a French company or at least that's what their whois records say.

Macbidouille is French too ... maybe there's a connection .... maybe there is some sort of marketing ploy between the two. This really smells of fraud.

 
adzoox said:
Intego is a French company or at least that's what their whois records say. Macbidouille is French too ... maybe there's a connection .... maybe there is some sort of marketing ploy between the two. This really smells of fraud.

Is the French-bashing starting all over again..? *sigh*
 
Actually you're mistaken.
It's just that we're in the same time zone, yet if I'd known I'd get suspected that way, I just would have gone to sleep without translating...
 
adzoox said:
Intego is a French company or at least that's what their whois records say.

Macbidouille is French too ... maybe there's a connection .... maybe there is some sort of marketing ploy between the two. This really smells of fraud.

geez, it's not a fraud. there's a genuine exploitable flaw. perhaps the anti-virus company may have had some ulterior motives, but that doesn't make it a fraud. the flaw is in OS X already, they didn't make the flaw and exploit it.
 
and you idiots did not beleive me when i said os x can get viruses or trojens, i think you all should eat ur shoes now!
 
adzoox said:
Intego is a French company or at least that's what their whois records say.

Macbidouille is French too ... maybe there's a connection .... maybe there is some sort of marketing ploy between the two. This really smells of fraud.

a boring life you lead, eh?
 
jxyama said:
i don't disagree with you. i too believe OS X to be more secure by design ... [snip about misinformation in the thread]

Okay good in that case I agree 🙂

I see way too much confusion about the difference between "a virus cannot be made", and "the system architecture means that it is very difficult for a virus/trojan to have widespread effects on a properly maintained system".

That and the apparent belief I see so regularly on this site (and in the newspapers) that a security update that patches a local privilege escalation is somehow as big a problem as a Windows remote root vulnerability kind of puts me on a hair trigger when security is discussed.
 
NusuniAdmin said:
and you idiots did not beleive me when i said os x can get viruses or trojens, i think you all should eat ur shoes now!

unfortunately, i think you've eaten your phonics book already.

my shoes aren't worth eating right now. perhaps i need a better marinade. any ideas?
 
It's a Carbonized classic style app (not a bundle) with an .mp3 extension. Get info on it and it shows "Application" not mp3 audio, and if you ctrl-click/right click the icon, it doesn't have an "Open With" menu.

I think this would probably catch people if you put a payload in it, so it's worth being aware of, but given people download applications and click on them without thinking, it seems a bit pointless to bother hiding it. 🙄
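The two technical descriptions in this thread (a real MP3 whose resource fork carries an application file type, and a Carbonized classic app whose Get Info says "Application" despite the .mp3 name) both come down to the same defensive question: does the file's content and metadata agree with its name? This added example, my own code and not from the thread or from Intego, checks that for one file; it assumes POSIX sh with od/tr/cut, the macOS-only probes are skipped elsewhere, and the function names and sample files are mine.

```shell
#!/bin/sh
# Added example (my own code, not from the thread): flag a file that carries a
# .mp3 name but whose content, mode bits or Mac metadata say "executable".
# POSIX sh plus od/tr/cut; macOS-only probes are skipped where they don't apply.

# check_mp3_masquerade FILE: prints a verdict, returns 0 for a plausible MP3,
# 1 if anything about the file says it would run rather than play.
check_mp3_masquerade() {
    f=$1; reasons=""
    # 1. Content: a real MP3 starts with an ID3v2 tag ("ID3") or an MPEG frame
    #    sync (11 set bits, i.e. bytes ff e? or ff f?).
    magic=$(od -An -tx1 -N 4 "$f" | tr -d ' \n')
    case $magic in
        494433*|ff[ef]*) ;;
        *) reasons="$reasons content-not-mp3(magic=$magic)" ;;
    esac
    # 2. Known executable containers: Mach-O (32/64-bit, either byte order),
    #    fat binary, PEF "Joy!" (Carbon/CFM apps) and ELF.
    case $magic in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|4a6f7921|7f454c46)
            reasons="$reasons executable-container" ;;
    esac
    # 3. Mode bits: audio has no reason to be executable.
    [ -x "$f" ] && reasons="$reasons executable-bit"
    # 4. macOS only: a non-empty resource fork is where classic/Carbon code and
    #    resources live; on other systems this path simply does not exist.
    [ -s "$f/..namedfork/rsrc" ] && reasons="$reasons resource-fork"
    # 5. macOS only: the FinderInfo xattr, whose first four bytes are the type
    #    code; "APPL" (41 50 50 4C) is what makes Finder launch instead of play.
    if command -v xattr >/dev/null 2>&1; then
        tc=$(xattr -px com.apple.FinderInfo "$f" 2>/dev/null |
             tr -d ' \n' | tr 'a-f' 'A-F' | cut -c1-8)
        [ "$tc" = "4150504C" ] && reasons="$reasons finder-type-APPL"
    fi
    if [ -n "$reasons" ]; then
        printf '%s: SUSPICIOUS%s\n' "$f" "$reasons"; return 1
    fi
    printf '%s: looks like a real MP3\n' "$f"; return 0
}

# Constructed samples: a minimal ID3-tagged file, and a fat-binary header
# given an .mp3 name and the executable bit (a stand-in for the trojan).
make_samples() {
    d=${1:-.}
    printf 'ID3\004\000\000\000\000\000\000' > "$d/song.mp3"
    printf '\312\376\272\276\000\000\000\001' > "$d/listenToMe.mp3"
    chmod 644 "$d/song.mp3"; chmod 755 "$d/listenToMe.mp3"
}
```

A download that is a genuine MP3 with an APPL resource fork, as described earlier in the thread, passes check 1 and is caught by checks 4 and 5 only, which is why the content check alone is not enough.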
 
jelloshotsrule said:
a boring life you lead, eh?

Rubber & glue... okay it's your turn.

I was pointing out a quick whois search yielded a French company and that MacBidouille was also the first to report this.

Further, this is NOT a virus, it's not even a NEW exploit. It will have people scared in their boots tomorrow morning because the majority of people don't read boards like this (even if they read the main pages of websites)

Point is I want people to know who this company is and that this is embarrassing for them to do this.

It's almost like this is a 7 day too late April Fool's joke.

and now who has the boring life? (jelloshotsrule public profile):
Join Date: 02-07-2002

Posts

Total Posts: 6,985 (8.83 posts per day) <--- doubletake!

 