jimthorn said:
It is a real mp3 file. The resource fork has a filetype of application. So when you double-click the file, the resource fork's filetype tells the Finder to execute the hidden code as an application. If you simply open the mp3 file using iTunes's "Add to Library", it will work as a normal mp3 file. Interesting bit of exploitation, eh?

I see. That is interesting. It's basically two things at once, because at least one of the applications isn't doing sanity checking to make sure it's a file it really should be trying to open.

Um. Ignore the first paragraph of my above post. It really is exploiting a bug. 😱

But given that, how is an anti-virus program supposed to protect against this? There's no real signature you can use to detect a virus like this. You can catch each individual virus as it's created, but it sounds trivial to create this type of virus. Stopping this whole class of viruses will probably take a good amount of work on Apple's part.

I'm still personally not worried. It is exploiting a bug, but it still depends on tricking the user into running it. I'm no more (or less 😛 ) likely to be tricked now than I was before.
 
adzoox said:
Further, this is NOT a virus, it's not even a NEW exploit.

care to explain why the exploit this trojan (no, it's not a virus) takes advantage of is not new?
 
http://www.perl.com/language/misc/virus.html

Ah. Thanks for that info, mate.

I like the article quote: "Writers who, searching for a fancy plural to virus, incorrectly write *viri are doubtless blindly applying an overreaching -us => -i rule"

Also: "Anyway, Latin already had a word viri, but it was the nominative plural not of virus (slime, poison, or venom), but of vir (man), which as it turns out is also a 2nd declension noun. I do not believe that writers of English who write viri are intentionally speaking of men. And although there actually is a viri form for virus, it's the genitive singular[1], not the nominative plural. And we certainly don't grab for genitive singulars for the plurals when we've started out with a nominative. Such hanky panky would certainly get you talked about, and probably your hand slapped as well. "

One last thing: "This apparently invariant use of virus as a genitive singular may also imply that it's 4th declension, as some scholars believe."

Apologies for quoting at length.


*********

If it is a trojan, all I could see that it could be would be an Applescript file that runs "sudo rm -r /System" or maybe /Users. Even then it'd need a password.

As mentioned - it'd need a password. It would also need to edit the sudoers file to give info on just what it can run while availing of root privileges, I think. If the sudoers file is chmodded to allow only root access - it would have nowhere to begin. What do you reckon?

andy
 
jelloshotsrule said:
unfortunately, i think you've eaten your phonics book already.

my shoes aren't worth eating right now. perhaps i need a better marinade. any ideas?

Try some dinosaur bbq sauce, that will spice them up haha.
 
lol

Thanks for that link UncleSteveO.

I was expecting barbed retribution, ktrout - well, the link restores my good(ish) name, I guess. 😉

andy
 
because

jxyama said:
care to explain why the exploit this trojan (no, it's not a virus) takes advantage of is not new?

You've been able to do this pretty much since OSX has been out. MP3concept has been out for over a year and a half. It is not a trojan horse NOR a virus because it is written into a benign portion of ASCII information that is not executable.

Don't get confused with what the actual exploit is and what people are analyzing that it is here.

It's plain and simple - this is a marketing ploy by Intego.
 
Awimoway said:
Here we go… 🙁

Nope. I don't think so.

Intego's PR on this says:

Intego Web Site said:
Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS X. This same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen.


Intego VirusBarrier eradicates this Trojan horse, and Intego remains diligent to ensure that VirusBarrier will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

This is so much BS. I actually use a PC also and run no virus protection. I'm just careful about the source of everything that comes into my machine. For example, I would never download MP3, JPEG and GIF files from the Intego web site. 😉

Don't waste your money on this obvious promo by Intego. Use your Admin account only for doing admin things. This way if you do get a virus, it only has access to your user account files. This is not totally foolproof, but very close to it.
 
When you're downloading from P2P protocols, typically the entire file name comes up, with extension. It would be .mp3.app, not just .mp3. The same thing happens in Mail.

This is the WORST attempt at a virus written in the entire course of human history. Wow.
 
This is, admittedly, a little bit of a security glitch, in that the file can be two things at once (though it sounds like Intego doesn't know what it's talking about, on account of the whole tag thing).

That said, it's just as easy to rename any carbon application .whatever and paste a different icon on it--took me about 5 seconds. (Interestingly, if you try to stick a different extension on a cocoa app, OSX automatically shows the .app on the end, after whatever you added. Neat!)

But the real issue is that this isn't significantly different from ANY OTHER TROJAN. Try this: write a program that asks for a user's admin password and erases their Applications folder. Or, just one that deletes their home Preferences folder (yes, easy to work around with a backup, but still destructive). Now, call it "Radeon9800 Enabler", put an interface on it that looks like it optimizes your graphics or something, and start talking about it on Mac sites.

Bingo, security exploit, and people are a lot more likely to give it a shot than an .mp3 encapsulated in a .sit. You can write a destructive trojan for any OS with little effort, and frankly I'm surprised there aren't more for OSX already. The specific security issue connected to this, though real, is so minor that it's barely worth talking about on its own.

Intego seems to be playing this for far more than its worth, and lots of know-nothing Windows fans will jump on it as an exposed vulnerability in OSX, when it's really not significantly different from any other trojan in existence (at least OSX needs to ask for an admin password to cause any system-level damage).

Incidentally, trojans are quite capable of infecting the computers of inexperienced people, but you generally have to work significantly harder at it--specifically download one from someone malicious or too stupid themselves to know it's a trojan--rather than a virus, which self propagates, and in the case of MS Outlook, often doesn't even require you to click on anything to infect your computer.

We can still proudly claim to be yet to see the first OSX virus, and this isn't the first trojan--I've heard of others floating around on filesharing networks.
 
Spades said:
But given that, how is an anti-virus program supposed to protect against this? There's no real signature you can use to detect a virus like this.

Well there is a simple pattern to search for:
The file's suffix is associated with a data format and the file has a resource fork -> You must be kidding me!
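The pattern in this post (and the mechanism jimthorn describes earlier in the thread, an application type code sitting on a file with a data suffix) written out as a small defender-side check. This is an added example, not code from the thread or from Intego; it assumes macOS exposes Finder info as the com.apple.FinderInfo extended attribute readable with the xattr tool, that the resource fork is reachable through the ..namedfork/rsrc path, and the function names and sample values are mine.

```python
import os
import struct
import subprocess

# Extensions the thread names as passive data formats; a file with one of
# these should never be something the Finder launches.
DATA_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".gif"}
APPL_TYPE = b"APPL"  # classic Mac OS type code for an application


def parse_finder_info(finder_info: bytes):
    """Return (type, creator) from a 32-byte com.apple.FinderInfo blob.

    The first 8 bytes are the classic FileInfo type and creator codes;
    the rest (flags, location, extended info) is ignored here.
    """
    if len(finder_info) < 8:
        return None, None
    return struct.unpack(">4s4s", finder_info[:8])


def suspicious_reasons(name, finder_info, rsrc_size):
    """Heuristic from the thread: a data-format suffix combined with an
    application type code or a resource fork. Returns None when the file
    is out of scope, otherwise a list of reasons (empty list means clean).
    A resource fork alone is a weak signal (custom icons also live there),
    so the APPL type code is listed first as the stronger one."""
    if os.path.splitext(name)[1].lower() not in DATA_EXTENSIONS:
        return None
    type_code, _ = parse_finder_info(finder_info)
    reasons = []
    if type_code == APPL_TYPE:
        reasons.append("Finder type code is APPL")
    if rsrc_size > 0:
        reasons.append("resource fork present (%d bytes)" % rsrc_size)
    return reasons


def inspect_file(path):
    """Probe a real file on macOS: Finder info via the xattr tool (hex dump),
    resource fork size via the ..namedfork/rsrc pseudo-path. Assumed macOS-only."""
    try:
        out = subprocess.run(["xattr", "-px", "com.apple.FinderInfo", path],
                             capture_output=True, text=True, check=True).stdout
        finder_info = bytes.fromhex(out.replace(" ", "").replace("\n", ""))
    except (OSError, subprocess.CalledProcessError, ValueError):
        finder_info = b""  # no Finder info attribute on this file
    try:
        rsrc_size = os.stat(os.path.join(path, "..namedfork", "rsrc")).st_size
    except OSError:
        rsrc_size = 0  # no resource fork
    return suspicious_reasons(os.path.basename(path), finder_info, rsrc_size)
```

Running `inspect_file` over a download folder and acting on any non-empty result is the equivalent of the "pattern to search for" above; the pure `suspicious_reasons` function can be exercised with constructed Finder info on any platform.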
 
Someone at MacCentral suggested a simple fix

They suggested that Apple add a warning to the OS so that the first time any application is run, the OS asks a question like "Do you really want to run application ZZZZ?" with Yes and Cancel buttons.

Edit: take a look at the MacCentral story (Mac Central link) and look for the posts by JDB8167 and the one by wings. The ones by JDB8167 seem to involve some looking at the code of the concept trojan.
 
corvus said:
Nope. I don't think so.

Cut me a little slack. 🙂 The story was just breaking and it was not yet crystal clear that Intego was exploiting a proof of concept to stir up sales. I've already stood down to Defcon 5 (code green, if you're Tom Ridge). 😎
 
Earlier someone asked how it could infect JPEG and GIF files. I'm not sure if GIF has it, but many JPEGs include EXIF data, like an ID3 tag for pictures. I don't know if it could also include executable code, but that's where it would be. Of course, if you download a 4.4MB JPEG and it's 256 colors and 100x400 pixels... 😀
 
popularity finally!

Computer_Phreak said:
hopefully this will negate the myth that macs are not vulnerable to virii / trojans

What would be funny is that Mac OS X & Apple computer products sales increase significantly because of this, giving the company a status of popularity amongst computer owners instead of notoriety - the other 95% of the market I mean.

Also could we see more unconfirmed, by the securities commissions or Apple themselves, virii news when the movie Troy nears its cinematic launch date?? 😉

still not seeing this as a serious threat
 
For all those users complaining about the lack of substance in MR rumors update, I hope this news keeps you busy for a bit. 😀 😛
 
from macbidoulle

 
Makosuke said:
Incidentally, trojans are quite capable of infecting the computers of inexperienced people, but you generally have to work significantly harder at it--specifically download one from someone malicious or too stupid themselves to know it's a trojan--rather than a virus, which self propagates, and in the case of MS Outlook, often doesn't even require you to click on anything to infect your computer.

Just to be pedantic 😀

The Outlook stuff is a worm, because it actively self-propagates across networks.

This as coded is currently a trojan, because it claims to do one thing but really does another.

A virus attaches itself to other programs, and then is passively propagated with the distribution of the original program. On thinking about it, it seems to me this could quite easily become a virus -- on execution could it not quietly rewrite the resource forks of other files in your system, thus propagating itself inside your computer?

I haven't looked into how this works, but could it rewrite the resource fork of another application so that the virus code is run first, then it launches the initial app? Assuming of course you give it permission to write into those directories...
 
Lancetx said:
They actually had me going for a minute until I got down to this part of the statement... 🙄

"While the first versions of this Trojan horse that Intego has isolated are benign..."

Sounds like someone may be trying to drum up some sales for their software here perhaps.

I was thinking the exact same thing.
 
NusuniAdmin said:
and you idiots did not believe me when i said os x can get viruses or trojans, i think you all should eat ur shoes now!

Idiots?

It's not that we didn't believe you... a Mac is a computer after all. Your point is moot. The fact is that viruses weren't being written to exploit the weaknesses on the Mac platform, but that is changing now.

I'm confident Apple will have this issue addressed immediately.

Finally, my complimentary version of McAfee from .Mac will have some real value... 😉 Macs will continue to be more secure and less exploited than Windows machines.
 
Thanks, I was bored of rumors about new iB/PB/G25

This is so good because we will spend days talking about this, I will forget waiting for an updated iBook, CNET will write in big that Mac is not safe, everybody will sleep better ...
 