Makosuke said:
(Interestingly, if you try to stick a different extension on a cocoa app, OSX automatically shows the .app on the end, after whatever you added. Neat!)

You can trick the user here though - just enough to make them think it is a different extension.

For example, if the file is SexyGirl.app, and you want to make it look like a jpeg, you can change the name to 'SexyGirl.jpg'.app and hide the extension. The file will look like 'SexyGirl.jpg' in the Finder. Yes, it has quotes around it, which may be obvious only to a more seasoned user. Similarly, you can change it to SexyGirl.jpg..app, hide the extension, and it looks like SexyGirl.jpg. in the Finder - which to the casual observer looks like a jpeg.

This is in Panther. In previous versions of OS X (not sure about 10.2, definitely in 10.1) you could actually just change the name to SexyGirl.jpg .app (i.e. put a space at the end of the jpg), and the Finder would display it as SexyGirl.jpg. Apple at least now ignores spaces, as that was a very obvious exploit.
 
Does it still execute its code if you change the file's UNIX permissions?

Maybe the OS needs a visual indicator for --x--x--x.

find / -name '*.mp3' -print0 | xargs -0 chmod 644 after every mp3 download.
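An added example, not code from anyone in this thread: a Python audit of a download folder that catches the three disguises described above (quotes wrapped around the visible name, a trailing space or dot before the hidden .app, and a media-looking inner extension) and also applies the chmod 644 idea by flagging, and optionally clearing, execute bits on media-named files. The MEDIA_EXTS set and the sample filenames are my own constructions.

```python
import os
import stat

# Constructed for this example: extensions a user expects to be passive data,
# and the bundle extension the Finder hides when "hide extension" is set.
MEDIA_EXTS = {".mp3", ".jpg", ".jpeg", ".gif", ".mov"}
BUNDLE_EXT = ".app"


def suspicious_name(name: str) -> list[str]:
    """Reasons an application name looks like it is dressed up as a media file."""
    reasons = []
    stem, ext = os.path.splitext(name)
    if ext.lower() != BUNDLE_EXT:
        return reasons
    visible = stem                      # what the Finder shows once .app is hidden
    stripped = visible.rstrip(" .")
    if stripped != visible:
        reasons.append("trailing space or dot before .app")
        visible = stripped
    if len(visible) >= 2 and visible[0] in "'\"" and visible[-1] == visible[0]:
        reasons.append("quotes wrapped around the visible name")
        visible = visible[1:-1]
    inner = os.path.splitext(visible)[1].lower()
    if inner in MEDIA_EXTS:
        reasons.append(f"application named to look like a {inner} file")
    return reasons


def classify_entry(name: str, mode: int) -> list[str]:
    """Name checks plus the --x--x--x concern: a media file that is executable."""
    reasons = suspicious_name(name)
    ext = os.path.splitext(name)[1].lower()
    if ext in MEDIA_EXTS and stat.S_ISREG(mode) and mode & 0o111:
        reasons.append("media file carries execute bits")
    return reasons


def audit_tree(root: str, fix: bool = False) -> dict[str, list[str]]:
    """Walk a folder; with fix=True, clear execute bits on flagged media files."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            reasons = classify_entry(name, mode)
            if reasons:
                findings[path] = reasons
            if fix and "media file carries execute bits" in reasons:
                os.chmod(path, stat.S_IMODE(mode) & ~0o111)
    return findings


if __name__ == "__main__":
    # Constructed sample names; a real run would call audit_tree("~/Downloads").
    for sample in ["Song.mp3", "'SexyGirl.jpg'.app", "SexyGirl.jpg..app", "SexyGirl.jpg .app"]:
        print(f"{sample!r}: {suspicious_name(sample) or 'ok'}")
```

The name checks deliberately work on the string the Finder would display with the extension hidden, so they catch the quote and trailing-dot tricks without needing the Finder's hide-extension flag; the execute-bit check is the file-level complement to the chmod 644 habit.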
 
Counterfit said:
Earlier someone asked how it could infect JPEG and GIF files. I'm not sure if GIF has it, but many JPEGs include EXIF data, like an ID3 tag for pictures. I don't know if it could also include executable code, but that's where it would be. Of course, if you download a 4.4MB JPEG and it's 256 colors and 100x400 pixels... 😀

Well as long as you want to keep only the double-click feature alive every format can be abused that way because the program can simply open a partial view of itself in the real app (e.g. by copying the "good" parts into another file and opening that).
But if you want to be able to open the thing by hand in that app you'd need a format that takes being filled with garbage like mp3 does. 😉

Now something I learned from toying around with this:
There is a big misconception running around with this little program. The actual runnable code is NOT in the ID3 tag. It's in the resource fork.
What is in the ID3 tag is mostly just the meta information needed for the OS to recognize the program as such and a jump command to reach the actual code in the resource fork. The most simple way to show this is cutting off the resource fork with a tool like GrimRipper [1] and then trying to start the prog. It will bounce and die without doing anything simply because the code is gone but the meta-data claiming this to be an app is still there.

Actually some code is still there. The data fork starts with a jump into the resource fork. That one will be executed, all of the massive amount of zero instructions in that fork (it's empty) will be executed as well and the app simply runs out. 😉

On the other hand when you manually open the thing in iTunes you'll hear the same demented laughter as before while starting the complete file so the mp3 data is obviously still there.
If the author had really done what he claimed (namely putting the code into the id3 tag) there would have been no need for a data fork as carbon apps that need no resources don't have one either.
You can see this yourself when opening the app with the resource fork cut off. It runs without an error message, which surely would come if Carbon apps needed to have a resource fork.

As for noticing something wrong with the filesize for the given picture quality + size (for pics) / encoding + length (for audio):
sorry dude no chance. A 100k virus is already hopelessly bloated and putting it into a 3 MB .mp3 or .jpeg would not change the size enough to cause people to wonder what's going on.

[1] - http://www.versiontracker.com/dyn/moreinfo/macosx/16168
 
Retarded

This Trojan horse has the potential to do any of the following:
- Delete all of a user's personal files
- Send an e-mail message containing a copy of itself to other users
- Infect other MP3, JPEG, GIF or QuickTime files

Uhh... What a virus has a potential to do, and what it actually does are two different things. Intego does not even say what the virus actually does! I think they are just trying to get some headlines so that Windows users can go: SEE! Which is pretty retarded.

The article is also pretty unclear:

MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files.

But then:
The Trojan horse's code is encapsulated in the ID3 tag of an MP3 (digital music) file.

So which is it, an application hidden in an MP3 file, or an Application that looks like an MP3 file?
 
space2go said:
What is in the ID3 tag is mostly just the meta information needed for the OS to recognize the program as such and a jump command to reach the actual code in the resource fork.
Are you sure there's anything at all in the ID3 tags?

edit: indeed, seems to be the case.
 
Masao[RY] said:
Indeed, hopefully it will. Although it makes one wonder if someone just wrote this to prove this very point...

Steve Jobs will stop at nothing to deflect attention away from no new PMs, no new PBs, no new iMacs.
 
123 said:
Are you sure there's anything at all in the ID3 tags?

Yes. The file starts with ID3 followed by the meta info needed for the app and after that garbage comes the track/album information as seen in iTunes. Shortly after that comes truly binary data that is the actual mp3 audio. Although I haven't read up on the ID3 "format" it sure looks to me like the author used the tag to store the Carbon app meta info. If that meta info were inside the proper audio part the track couldn't have the track/album info in iTunes, plus you should hear a short strange noise at the start which one should be able to see in an audio editor like Audacity as well. And it simply sounds and looks like a normal recording of stupid laughter.
 
hhmmm... this is very interesting. and MP3Concept has been out for over a year? i'd have thought that someone would have been giving it publicity long before this.

and removing 'sudo' from the system? that's just plain crazy talk...

and even if this did develop into a new technique for making OS X trojans... surely Apple would include something in the OS X update to scan for those type of things.
 
coolfactor said:
The fact is that viruses weren't being written to exploit the weaknesses on the Mac platform, but that is changing now.

I'm confident Apple will have this issue addressed immediately.

The issue that most people are missing is that OSX is compatible with both MacOS files through metadata and resource forks and with PCs with . extensions. This trojan, by mixing the two, makes the Finder show the file as one file type and its execution behavior another. So much so that when the application file virus.mp3 is dropped onto iTunes it still plays the contents of the file as if it were just music. This virus has exploited the very feature that makes OSX significant. I don't see Apple 'having this addressed immediately' as the exploit is a necessity to the OS.

Even though this trojan must have both forks to work and would have to be packaged in a .sit or .hqx, it would be very easy to put the file on a web page with a link whose HTML code shows that the file was just an .mp3 whereas the file path included the full .sit extension. Innocent people would click on the mp3 link and Safari, with its auto extraction feature, would extract the file for the user and the "expected file" would be where they wanted it. Double clicking on the trojan would complete the deal.

Anyone who thinks this is no-big-deal should recognize that people are easily duped whether it is through web pages or simple delivery through email. Just because some are smart enough not to click on unknown files, we just have to look to the Windows users to see that people are generally dumb.
 
This is a system flaw. Two things need to change in OS X to fix it:

--If a file has an extension, the system should always use the extension to figure out what to do with it. It's confusing and a security hazard to have two different ways of determining file types for the same file, and AFAIK there are no legitimate carbon apps with extensions on their names. (Of course it could still use type/creator for files without extensions)

--The system should automatically throw up a flag if the executable data doesn't start at the beginning of the file. Allowing extraneous headers at the beginning of an application file is not a good thing.
 
Why the resource fork?

One other thing.
I looked at the ID3v2 specs a bit and the author encoded the meta info (almost) correctly as a "General Encapsulated Object". As every frame has a four byte size descriptor the complete payload would have easily fit inside that frame. Does anybody have an idea why he used the resource fork at all?
[Edited for insight]
I just got it! He used the resource fork for a resource! Clever trick huh?
No seriously the app needs to bring along its mp3 icon itself because an app won't get that just by calling itself .mp3. The proper place for that is the resource fork and looking at the .icns file of some applications 48k (the size of the resource fork) seems a plausible value for that.
And to be honest far more plausible than assuming such a simple program would need 48k.
Of course my old theory why the app simply dies without its resource fork is void. It does so not because it lacks program code but because it can't get initialized properly as a resource is missing and OS X does not deem that worthy of an error message.

I hope I can sleep now and in a few hours I'll try to extract the icon to prove my theory.
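An added example, not code from anyone in this thread: a small ID3v2 walker in Python that does what 123's post and the "General Encapsulated Object" observation above describe, reading the tag at the start of the file, listing its frames with their four-byte size descriptors, reporting where the audio data begins, and flagging any GEOB frame together with the MIME type, filename and size of the object it carries. The sample tag is constructed inline with filler bytes as the embedded object; support for unsynchronised tags, extended headers and UTF-16 GEOB strings is deliberately left out.

```python
import struct


def syncsafe_to_int(raw: bytes) -> int:
    """Decode an ID3v2 syncsafe integer: 4 bytes, 7 significant bits each."""
    if len(raw) != 4 or any(b & 0x80 for b in raw):
        raise ValueError("not a syncsafe integer")
    return (raw[0] << 21) | (raw[1] << 14) | (raw[2] << 7) | raw[3]


def int_to_syncsafe(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def parse_id3v2(data: bytes) -> dict:
    """Walk an ID3v2.3/2.4 tag at offset 0 and return its frames and the audio offset.

    Assumption for this example: unsynchronised and extended-header tags are
    rejected rather than mis-parsed.
    """
    if data[:3] != b"ID3":
        raise ValueError("no ID3v2 header at offset 0")
    major, minor, flags = data[3], data[4], data[5]
    if major not in (3, 4):
        raise ValueError(f"unsupported ID3v2.{major}")
    if flags & 0xC0:
        raise ValueError("unsynchronised or extended-header tags not supported")
    tag_size = syncsafe_to_int(data[6:10])
    end = 10 + tag_size                 # first byte after the tag: audio data
    pos, frames = 10, []
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break                       # padding reached
        raw = data[pos + 4:pos + 8]
        # v2.3 frame sizes are plain big-endian; v2.4 made them syncsafe
        size = syncsafe_to_int(raw) if major == 4 else struct.unpack(">I", raw)[0]
        body = data[pos + 10:pos + 10 + size]
        if len(body) != size:
            raise ValueError(f"frame {fid!r} runs past the end of the tag")
        frames.append((fid.decode("latin-1"), size, body))
        pos += 10 + size
    return {"version": (major, minor), "tag_size": tag_size,
            "frames": frames, "audio_offset": end}


def describe_geob(body: bytes) -> dict:
    """Split a GEOB body: encoding, MIME type, filename, description, object."""
    enc = body[0]
    if enc not in (0, 3):               # UTF-16 variants: report size only
        return {"mime": None, "filename": None, "description": None,
                "object_size": len(body) - 1}
    codec = "latin-1" if enc == 0 else "utf-8"
    mime, _, rest = body[1:].partition(b"\x00")
    filename, _, rest = rest.partition(b"\x00")
    description, _, blob = rest.partition(b"\x00")
    return {"mime": mime.decode(codec), "filename": filename.decode(codec),
            "description": description.decode(codec), "object_size": len(blob)}


def audit_frames(parsed: dict) -> list[dict]:
    """Flag frames that carry an arbitrary binary object inside the tag."""
    findings = []
    for fid, size, body in parsed["frames"]:
        if fid == "GEOB":
            info = describe_geob(body)
            info["frame"] = fid
            findings.append(info)
    return findings


# --- constructed sample tag: the object bytes are filler, not a real program ---
def build_frame(fid: bytes, body: bytes, major: int = 3) -> bytes:
    size = int_to_syncsafe(len(body)) if major == 4 else struct.pack(">I", len(body))
    return fid + size + b"\x00\x00" + body


def build_sample_tag() -> bytes:
    tit2 = build_frame(b"TIT2", b"\x00Demented Laughter")
    geob_body = (b"\x00"                            # ISO-8859-1 text encoding
                 + b"application/octet-stream\x00"
                 + b"payload.bin\x00"
                 + b"embedded object\x00"
                 + b"\xde\xad\xbe\xef" * 8)           # 32 filler bytes
    geob = build_frame(b"GEOB", geob_body)
    frames = tit2 + geob
    header = b"ID3" + bytes([3, 0, 0]) + int_to_syncsafe(len(frames))
    # a fake MPEG frame sync follows so the reported audio offset can be checked
    return header + frames + b"\xff\xfb" + b"\x00" * 14


if __name__ == "__main__":
    parsed = parse_id3v2(build_sample_tag())
    print(f"ID3v2.{parsed['version'][0]}, audio starts at byte {parsed['audio_offset']}")
    for f in audit_frames(parsed):
        print(f"{f['frame']}: {f['mime']} '{f['filename']}' ({f['object_size']} bytes)")
```

Because every frame declares its own length, the walker never has to guess where the meta info ends and the audio begins; a scanner that only wants the audio can seek straight to `audio_offset`, and anything unusual inside the tag, a GEOB most of all, shows up as a discrete frame rather than as "garbage" before the track info.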
 
File Hacks

Seems like a problem with keeping data and executable code separated. Some kind of visual cue to demonstrate the difference regardless of file type could be helpful. That way a user could easily see the difference without carefully examining the full file extension and file info. Since icons are easily modified perhaps some kind of default graphical overlay by the system on top of all icons attached to any file recognized as executable or a modification of the text of applications to display in a different font or color might help. The key is to have the system perform the modification to the appearance rather than rely upon the creator of the file to supply the appropriate appearance and file extension for the file.
 
realityisterror said:
i for some reason don't think this will have any effect...

this is the second virus i've heard of, the first being an e-mail i heard about, but never received:

"You have received a virus! To fix the problem, launch terminal and type the following exactly:

sudo rm -r /System

When prompted for your password, please enter it.
Congratulations on being virus free!"


or something like that...

reality

lol....this is the most primitive one that i have heard of....talk about gullible!! (that code erases the hard drive for all of you that don't know)
 
Apple could change Mac OS X to lessen the chances of this problem. Suggestions have been given for ways this could be done. Before I think about which of the solutions seems best, I would like to know how likely it is that Apple will actually decide to make any such change. Will they consider making changes to the Finder either because they want to help avoid disguised applications, or simply because of this type of publicity?
 
Lancetx said:
They actually had me going for a minute until I got down to this part of the statement... 🙄

"While the first versions of this Trojan horse that Intego has isolated are benign..."

Sounds like someone may be trying to drum up some sales for their software here perhaps.

Keep in mind that the first generation of viruses and worms on the PC are typically benign; it's usually a proof of concept thing.

Sorry folks. A computer system can be as secure as Fort Knox but if someone falls for a social engineering scheme or simply gets tricked....game over man, game over!


Look at this as a good thing guys. 😉 The Mac must be becoming popular enough to get the attention of virus writers. 😉 J/K guys.
 
Trojans and Virus and Worms, Oh My!

Gang, there is No Such Animal as an uncrackable computer. I know there are no extant viruses for MacOS X. I still run Virex. I know there are virtually no extant viruses for Linux. I still run ClamAV. And as for my Windows machines - I got antivirus and firewalls and rubber gloves!

That said, any virus for Macs is not going to propagate very well. Yes, Unix-based computers are built with greater security in mind, but also people who run Unix-based computers tend to be a little smarter than the average bear. But there are no guarantees, so don't click on that file promising nekkid pictures of Russian tennis players.

corvus said:
Nope. I don't think so.

Intego's PR on this says:



This is so much BS. I actually use a PC also and run no virus protection. I'm just careful about the source of everything that comes into my machine. For example, I would never download MP3, JPEG and GIF files from the Intego web site. 😉

Don't waste your money on this obvious promo by Intego. Use your Admin account only for doing admin things. This way if you do get a virus, it only has access to your user account files. This is not totally fool proof, but very close to it.
 
thejazzman10 said:
lol....this is the most primitive one that i have heard of....talk about gullible!! (that code erases the hard drive for all of you that don't know)

Sometimes primitive ones are usually the best. One of the more interesting hoaxes I've run across in windows is a hoax propagated by well meaning individuals.

It goes like this:

found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple:

The objective of this e-mail is to warn all Hotmail users about a new virus that is spreading by MSN Messenger. The name of this virus is jdbgmgr.exe and it is sent automatically by the Messenger and by the address book too. The virus is not detected by McAfee or Norton and it stays quiet for 14 days before damaging the system.

The virus can be cleaned before it deletes the files from your system. In order to eliminate it, it is just necessary to do the following steps:
1. Go to Start, click "Search"
2.- In the "Files or Folders option" write the name jdbgmgr.exe
3.- Be sure that you are searching in the drive "C"
4.- Click "find now"
5.- If the virus is there (it has a little bear-like icon with the name of jdbgmgr.exe) DO NOT OPEN IT FOR ANY REASON
6.- Right click and delete it (it will go to the Recycle bin)
7.- Go to the recycle bin and delete it or empty the recycle bin.

IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND THIS MESSAGE TO ALL OF YOUR CONTACTS LOCATED IN YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.

Here's the kicker. The file is a Windows file for the MS Visual J++ runtime debugger. It won't cripple Windows if you delete it, but it's a beautiful example of social engineering the crap out of gullible people, and like it or not there are gullible people on Windows and on Mac.
 
Yeah, Intego may have been feeling a little bit like the Maytag repairman, but I think people are coming down on them way too hard.

A proof of concept that could potentially exploit social engineering to run an arbitrary app on your machine has been distributed. The one they found isn't harmful. They proactively added protection against it before anyone got hurt. Now they're getting slammed for promoting their product.

If you ask me, the question should be why the other vendors haven't implemented similar measures?! Are they waiting for an event to prove it necessary?

This kind of protection before the problem is what you pay for with a virus scanner.

Sure we all want to believe we wouldn't click something before we knew what it was. Windows users think that too. I'm sure someone would open it though-- they always do.

Imagine an emailed file from an infected friend saying "Hey, check out my latest GarageBand creation!", or a spoofed email from MoveOn.org saying "Proof Bush knew there were no WMDs".

I, for one, always assumed data files to be safe. Clearly they're not. Forget about whether you'd open an MP3 or not. This isn't about your favorite music codec! Have you ever thought a jpeg could bring down your machine? Do you assume that word docs are safe if you disable macros?

At least I now know that OS X doesn't do a very good job of distinguishing between data and code. Regardless of how this information got out there, it really is important to know.

This is a warning shot across the bow. Hopefully it can be and will be patched by Apple before things get bad.
 
Not a virus; Windows can be affected by the same issue

This is NOT a virus. A "trojan horse" is malicious code that does something bad when executed, then terminates (just like any other application). A "virus" is code that stays resident, embedding itself into the system -- something Mac OS X will not allow unless the administrator password is entered.

This "proof of concept" is complete crap. Why? First, Mac OS X applications are composed of many files, not just a single file like an MP3. (Control-click on an application, select "Show Contents" and see what I mean.) You would have to download a compressed archive with the MP3 trojan inside.

Additionally, this same spoof can happen MORE EASILY on Windows systems. Create a trojan horse application and give it an icon file of an MP3 file (very easy using Microsoft Visual Basic). Then name the application "trojan.mp3.exe". Windows 2000 and XP, by default, hide the extension of applications, so what would the user see? "trojan.mp3".

Hello! That is the exact same issue they're making a big deal about on OS X, except it's even easier on Windows because they can download the .exe file directly, not putting the file into an archive.

Unlike Mac OS X, Windows applications *can* be composed of a single file. Although someone downloading "trojan.mp3.exe" is about as likely as a Mac OS X user downloading "trojan.mp3.app.sit".

This is another Windows lover's attempt to make Mac OS X look bad.

-Aaron-
 
The big question I have is when will the more biased news sources get wind of this (cnet.com / zdnet.com) and make an over the top fuss over this. Is it a big deal? Kinda. Will they blow it out of proportion? Definitely.
 
webman2k said:
Yes, but what if it was just programed to delete everything in ~/Library/Preferences? To many, that would be a nightmare, and it wouldn't need authentication. Or it could delete your address book, or mail folders - all these things are unprotected.

Yeah see, this is a common block that gets into people's heads when they think of malware. You have to (rather literally) think outside the box to appreciate why trojans can be a genuine problem.

Deleting a user's files would be a pretty lame attack. Fishing through a user's address book and other files, then sending out spam (perhaps containing a Windows virus just for kicks, or perhaps mailing out a nice offensive tirade to your employers or customers) could have more serious consequences. It can also be used to execute a networked attack on some other machine, so that you get the blame for someone else's antics. It can quietly add a few lines to $HOME/Library/Preferences/loginwindow.plist to do its thing long after you forgot about that little file you downloaded. It can be written to present dialogs that spoof Software Update or the wake-from-sleep password dialog after it's waited for a few days, gaining root access for itself after the download has been forgotten. And from there a program can do whatever it wants. And so on. Even the smartest people can be distracted or have bad days, and fall for a convincing cover story.
 
the solution

apple has to accept that the world isn't as easy as mac os x suggests it to be.

there are many types of "data", archives, documents, applications.. and so on.

as long as you can't "script" applications via files so that they damage the operating system you can SAVE the whole situation.

just add an icon that is overlaid over each application and marks it as an application, do that with files too, and things are different once both types get extra markup icons.

no problem left imho.
 
Sorry if I'm offending anybody, but even one little hit of a virus, and you guys get your panties all in a wad. I swear, what happens when OS X becomes mainstream and has 80,000+ viruses, trojans, etc.


🙄 🙄 🙄
 
Lancetx said:
They actually had me going for a minute until I got down to this part of the statement... 🙄

"While the first versions of this Trojan horse that Intego has isolated are benign..."

Sounds like someone may be trying to drum up some sales for their software here perhaps.

possibly taking a small threat and making a big deal out of it?
 