Lancetx said:
They actually had me going for a minute until I got down to this part of the statement... 🙄

"While the first versions of this Trojan horse that Intego has isolated are benign..."

Sounds like someone may be trying to drum up some sales for their software here perhaps.

My feelings exactly. I've never heard of this "Intego." I was about to send this to my IT department, but I think I'll hold off until if and when something serious comes around. This one "smells" funny.
 
snahabed said:
What Mac OS X fool has

1. Icons of music files on his desktop, which are

2. MP3, not AAC?

Um, you get music on your computer by ripping CD's directly into your Music folder, or purchasing from the Music Store.

Sounds like this one preys on music pirates. Boo hoo! 🙂

Don't be so sure of "pirate" - here in Canada a legal decision was handed down this week that made downloading LEGAL.

Ever considered that laws and ideas in the US might be wrong.....?

As for the virus - well, it happens.
 
snahabed said:
What Mac OS X fool has

1. Icons of music files on his desktop, which are

2. MP3, not AAC?

Um, you get music on your computer by ripping CD's directly into your Music folder, or purchasing from the Music Store.

Sounds like this one preys on music pirates. Boo hoo! 🙂
What kind of fool thinks that the only way to "get music on your computer" is by ripping CD's or the ITMS?
 
Lancetx said:
They actually had me going for a minute until I got down to this part of the statement... 🙄

"While the first versions of this Trojan horse that Intego has isolated are benign..."

Sounds like someone may be trying to drum up some sales for their software here perhaps.
Ok guys listen up - you have been spared viruses worms and trojans on OSX so far, and so you are forgiven for being inexperienced in this area. The trojan mentioned is what's known as a "proof of concept" and is what security researchers do - they produce proof of concept code to prove their theories. They then (usually) contact the vendor (in this case Apple) with their proof of concept, and point out the problem. The hope is that the vendor will issue a patch to fix the issue.

Do not be lured into the myth that OSX is immune to any security threats. Trojans are particularly nasty to the often inexperienced computer users that the Mac attracts. Simply by clicking an icon CAN cause you problems.

The recent Netsky Windows virus was only successful because users were stupid enough to click on an attachment because the message told them to. OSX is not immune to this attack. If Netsky had, say, two attachments and said "OSX users click on the OSX attachment" then it would have spread via Mac users too.
 
Oirectine said:
As pointed out on Slashdot, this is nothing more than a proof-of-concept virus, and probably not anything to worry about. Read (posted below)
You don't get it. The exact "trojan" discovered is nothing to worry about in itself, however the exploit has now been published. The thing to worry about is that there are people out there right now who will be coding up nasty things using that proof of concept. It's like saying that someone has found a way to make a new weapon using easy-to-obtain household objects - like that guy who made his own cruise missile for example. The problem is not the inventor, but the people who will misuse the technology.

As the Mac gets more prevalent, we will see more of this sort of thing. If everyone used Macs, then it would be very easy to have an incident on the scale of Netsky et al using this exploit.

For example: Here is an MP3 - please click on it

What's wrong? Lost your feeling of security?
 
snahabed said:
What Mac OS X fool has

1. Icons of music files on his desktop, which are

2. MP3, not AAC?

Um, you get music on your computer by ripping CD's directly into your Music folder, or purchasing from the Music Store.

Sounds like this one preys on music pirates. Boo hoo! 🙂

A few months ago I imported nearly all of my cd's. A few of the 12-15 year old ones were so scratched up that I couldn't get all the files to copy. So, I downloaded them from p2p networks. I still have the cd's here in my drawer. Am I a pirate? No, really, not trying to start a bitchfest. I am allowed to do this, if I already own it, right?

But, if I find any more cd's in this condition, I'll probably just do without those songs until I hear more about this. I'll bet the RIAA is loving this!
 
More details on slashdot

TimDaddy said:
A few months ago I imported nearly all of my cd's. A few of the 12-15 year old ones were so scratched up that I couldn't get all the files to copy. So, I downloaded them from p2p networks. I still have the cd's here in my drawer. Am I a pirate? No, really, not trying to start a bitchfest. I am allowed to do this, if I already own it, right?

But, if I find any more cd's in this condition, I'll probably just do without those songs until I hear more about this. I'll bet the RIAA is loving this!

Please note that an MP3 file without a resource fork cannot carry this trojan - so it can't spread via most P2P networks which will throw away the resource fork. Also, importing/opening the file with iTunes won't do you any harm (if there is valid MP3 data to read you'll get the MP3). The trojan carries a resource fork with instructions for the code offset - the code itself is carried in an MP3 tag I think, personally I haven't looked at it.

The problem comes when you double click on it in the Finder - the Finder looks at the resource fork, decides it's an application and executes the code, which can then do what it likes. I imagine we'll have a fix from Apple fairly soon as it would be easy to thwart - comes down to the rules for interpreting the type of a file from the extension/file && type/creator used by the Finder.

If you want to find out more go look at the slashdot discussion.

http://apple.slashdot.org/article.pl?sid=04/04/08/1922237&mode=thread&tid=126&tid=172
 
guet said:
Please note that an MP3 file without a resource fork cannot carry this trojan.

That's not entirely true.
The executable is actually in the ID3 tag of the mp3 as the file is both a valid mp3 and a valid carbon app.
The resource fork contains the icon and a plist. Without the resource fork the file is still recognized (by the system) as an app and started on double-click. As stated above it no longer can be properly initialized without the resources and simply dies. This should no longer be true if it were rewritten to not expect resources anyway.
Of course without the resource fork the thing gets the generic app icon which hopefully keeps at least some people from double-clicking it. 😉
 
_pb_boi said:
I wanna negate the myth that virii is the correct plural of virus 😛 Its Latin roots dictate the correct ending to be "viruses" - as in "buses", for example. Rather than "busii" (buses), or "sinii" (sinuses) 🙂

The Latin plural would be viri, not virii btw.
 
I remember that...

The same problem arose on XP last year - minor difference was that you didn't even need to click on the file. It was sufficient to open the folder.

Anyway, the problem is not trivial, but a conceptual problem with the Finder. I think Apple will need to come up with a solution that discovers more or less obvious resource fork misuse.
An obvious misuse would be an .mp3 file being a Carbon app. Some alert dialog informing of the fact that the file is not what a normal user would think it is would be one first necessary step to security.
 
Proof of concept is a bad thing

I think that nobody should be posting any of these "proof of concept" viruses on any board. If you would find out a new way to create a virus or some Trojan that could exploit flaws in a system, you should contact the vendor of that particular OS/system. By giving away the concept of a virus or Trojan, you lend a hand to *evil* programmers to make a real virus/Trojan out of it. They might not have come up with the idea in the first place if nobody would have mentioned the possible exploit/weakness of that system.

So only when someone discovers a real virus / Trojan they should warn people about it.
 
reflex said:
The Latin plural would be viri, not virii btw.
No it would not. Virus simply has no Latin plural; similar to English "milk". Just as milk does today, the original meaning of virus simply described something that could not be counted. So every language using virus to mean a computer virus must come up with a plural according to its own rules. In German it's "Viren" and the English version seems to be "viruses".
Additionally, if you wanted to know a definite answer on whether and how to create a "proper" Latin plural for that word you would have to ask the only Latin-speaking country in the world - the Vatican. 😉
 
_pb_boi said:
I wanna negate the myth that virii is the correct plural of virus 😛 Its Latin roots dictate the correct ending to be "viruses" - as in "buses", for example. Rather than "busii" (buses), or "sinii" (sinuses) 🙂

Ah well - people argue and argue over this one. It's in the Latin 🙂

As Slashdot mentions, it's a proof of concept - but, the proof of concept is all it takes to make people follow suit, improvise, and, ultimately, refine their technique. Maybe we can rely on the fact a proportionately higher number of Mac users are intelligent 😉 jk 🙂

andy

Close, but not exactly. The Latin word virus (which means "blight") doesn't occur in the plural in any of our texts, and it's hard to imagine how one could come up with a plural given the usage we see; but if there were a Latin plural, that plural would have been "viri" - ONE "i" - because "virus" is a second declension noun. (Yes, it would be a homonym of the plural of the word for man, "vir, viri"). It's not like apparatus, then.

Anyway, on the subject of this "trojan" - this is the Mac equivalent of a Windows double-extension. In Windows, by default file extensions that are recognized by the operating system are hidden from the user. Windows exclusively uses the file extension - the part of the file name after the last period - to determine which application should be used to open the file. If Windows has a file association available in its registry, it will access the file with the appropriate application. What virus writers do is to write VB scripts and executables and give them file names like this: KoolNewSong.mp3.exe . If Windows (as it does by default) has file extensions shut off, the file will look like an MP3 file, though the icon will actually be determined by either an embedded icon in the executable or the default Windows icon for the file type (.exe, in this case), rather than the default Windows icon for the file type it's masquerading as.

This Mac "trojan" is analogous, though of course the Mac file system handles things much differently. I haven't found complete explanations, but (unless I'm misunderstanding the information I'm reading about this case) basically the "trojan" is a real MP3 file - in the data fork. But the application fork includes "malicious code" linked to the ID3 tags. The metadata for the file is set to indicate that it is an application, not a file, but the icon and "file extension" say it's an MP3. If you get both forks of the file and you double-click it in the finder, the "malicious code" will launch. If you only get the data fork, it won't work. If you bring it into iTunes and try to play it, you'll get music.

The thing I don't know is whether the malicious code is capable of disrupting the system as thoroughly as the average Windows virus is without requesting an administrator password. The issue with Windows is that there's a scripting host (similar to AppleScript's, but using VisualBasic) that has the same system privileges as the user; Apple's permissions are a little bit more granular than this. But my knowledge and understanding of the Apple with regard to security isn't strong enough (I know Windows security pretty well), so I may be misunderstanding these issues, and welcome correction.

Anyway, the point is that this is a proof-of-concept, and the payload doesn't actually do anything malicious. The fact is that even if the security model for Mac were no different from that for Windows, I wouldn't expect as many viruses for Mac as for Windows. Not because Mac is a smaller target: but because virus writers have access to far fewer Macs to test their code on! After all, a Windows box is cheap to build . . .

[didn't see the above messages. correct "application fork" to "resource fork," and note the comment above that one could create a resource-fork-less version if one didn't mind the wrong icon showing up.]
 
How can this be a warning or a "wake up call"?

You don't get it. The exact "trojan" discovered is nothing to worry about in itself, however the exploit has now been published. The thing to worry about is that there are people out there right now who will be coding up nasty things using that proof of concept.

No, you have been able to change the icons on files in OS 9 & X and change extension names for years. You get the appearance of a different file.

Further, the MP3Concept virus theory has been around pretty much since the end of Napster 1.0 - the reason - the RIAA had considered doing this. Since Mac/Linux/Windows users all downloaded (illegally according to them) - they had to come up with an exploit that would be system wide. That said, MP3 concept ONLY was completed for the Windows platform - but still benign. It was never integrated and IT NEVER COULD BE - it is in a benign piece of ASCII text (the ID3 tag of the Mp3) - you cannot execute code from here - you cannot gain root access from here - and even if you could you would need a password. If you clicked on an MP3 (not an AAC file) but an MP3 - wouldn't you be cautious if you're asked for your password?

Now, here's where one COULD get a virus from this on ANY platform:

1) One could download a song from Kazaa that has the Mp3 concept code in it. (Mp3 concept has been around for MORE than 18 months!!!)

2) One could also download ANOTHER VIRUS or "parent app" that could find the code from the ID3 tag, combine it, compile it, run it. But take into account someone would STILL have to write a virus into the ID3 tag which HAS NOT BEEN DONE (for Macs)!!!

3) Then there is a possibility you could be infected - this is NOT an exploit, it is NOT a trojan. The reason -

A) I could send you a text file right now called, "this is a virus"

B) In the text I could say, "Go into this guy's computer and mail me all his passwords, credit card numbers, and while you're at it; send me a naked picture of his wife"

C) Just because I've said that doesn't mean it will happen. This is essentially what MP3Concept is - it is just theorizing that code COULD be typed into the ID3 tags and LATER combined with other code. IT IS NOT EMBEDDING ANY KIND OF APP - at least directly.

I get .pif files (PC virus) all the time on my Mac in mail.app. These were most commonly the MoDoom/MyDoom virus. I have even opened them on the Mac - since the MoDoom/MyDoom virus doesn't work on Macs - it does nothing. Same here - since MP3concept doesn't even WORK - it can't do anything.

Point is - the "exploit" has been around for a while. Should people be concerned? Yes. Should they buy Intego Virus barrier to fix it - no! No! NO!

The dead giveaway there is that the virus vendors claim the same attack makes JPEG and GIF format files equally at risk: these obviously don't have ID3 tags.

Please read the rest of the board - we have already covered this - jpegs and movie files even have exif data - this is SIMILAR to ID3 tags for Music - the exif data contains date/cropping/thumbnail/editing data.

You are correct in saying that this COULD happen from there too - but read above - exif data has been around for YEARS! NO ONE HAS BEEN ABLE TO SPREAD A VIRUS THIS WAY! NO ONE HAS YET WRITTEN A VIRUS FOR THE MAC PLATFORM.

Intego's scare into buying their software is simply based on the fact that someone could! I could win a million dollars tomorrow. In fact, it's likely it will happen. There could be a mac virus tomorrow - in fact - it's likely it will happen.

Likely = 1 chance in 1 million!

If a virus DOES spread by this method in the near future - Intego should be investigated as suspect #1!
 
jettredmont said:
1) This is an issue with resource forks and OS X gladly executing code in resource forks. It has nothing to do with MP3, and certainly nothing to do with ID3 tags within the MP3 files. The dead giveaway there is that the virus vendors claim the same attack makes JPEG and GIF format files equally at risk: these obviously don't have ID3 tags.

I just looked into the thing and there is no code in resource forks. The executable is in the data fork - only the custom item is stored in the resource fork.
 
Is this really a virus

I'm betting:
(1) Intego (whoever the hell they are) have employed an idiot who knows how to write a press release, and this happens to coincide with poor sales.

(2) If it is real, then it's really just an app that does what it is supposed to do, and has no ability to delete any system files unless you are logged on as an administrator

Probably best if you are not logged on as an Administrator when you are generally using your computer.

Most Unix admins will tell you the same thing.

If you want to do something as an admin, login as an admin. If you want to do something as a user, login as a user.

In any case if you don't have a backup of *everything* including your music, emails, files etc. then you are an idiot. There is much more chance of your hard drive dying than there is of getting a virus on OS X.
 
The Latin plural would be viri, not virii btw.

You're right in saying it's not virii. And correct that the Latin plural WOULD BE, rather than is - since there is no Latin plural for virus. But:

"Writers who, searching for a fancy plural to virus, incorrectly write *viri are doubtless blindly applying an overreaching -us => -i rule." [source]

"So what we have here is something of a mixed or invariant declension. Trying to find a plural for something that didn't take a plural (possibly because it was not a count but a mass noun), or at least, one for which no plural is classically attested, is a fruitless endeavour. Best to stick with English and use viruses. "

Presumably the author is trying to say that, because there is no real Latin plural for the word, we should refrain from justifying exotic endings and use plain English. Who knows 🙂

andy
 
eSnow said:
I just looked into the thing and there is no code in resource forks. The executable is in the data fork - only the custom item is stored in the resource fork.
Yup, the resource fork contains the icon that takes 44k which is most of the fork, the plist file giving OS X all the info it ever might need about the app plus some mostly empty text files that seem normal for Carbon apps.

If you want to look more closely, ResPloder [1] is a nice little app that "explodes" the resource fork of a file into a directory structure and places the contents into the data fork of files it creates there.

This mp3 really is nicely done I have to say.

[1] - http://www.versiontracker.com/dyn/moreinfo/macosx/14523
 
tny said:
Close, but not exactly. The Latin word virus (which means "blight") doesn't occur in the plural in any of our texts, and it's hard to imagine how one could come up with a plural given the usage we see; but if there were a Latin plural, that plural would have been "viri" - ONE "i" - because "virus" is a second declension noun. (Yes, it would be a homonym of the plural of the word for man, "vir, viri"). It's not like apparatus, then.


The thing I don't know is whether the malicious code is capable of disrupting the system as thoroughly as the average Windows virus is without requesting an administrator password. The issue with Windows is that there's a scripting host (similar to AppleScript's, but using VisualBasic) that has the same system privileges as the user; Apple's permissions are a little bit more granular than this. But my knowledge and understanding of the Apple with regard to security isn't strong enough (I know Windows security pretty well), so I may be misunderstanding these issues, and welcome correction.

Well, on a Mac it's not quite as capable of destroying the whole system. To me that doesn't matter too much, since it can destroy at least the whole user space, and anything the user has write access to.

If you are a non-superuser, you can destroy your home folder. If you are logged in with admin rights, which is the typical setup for a single-user Mac, it can destroy the user's home, and everything that he has write access to, basically the whole Applications folder.

As such, it has the capability of infecting shared applications which can then be used by other users, which in turn infect their home directories...

All but the very basic System Folders can be infected this way. If it's a smart trojan, it infects everything for a time, and starts destructive work after a defined time of incubation.

OK, now this is the worst case scenario. It's not true yet, but I just mean to say that the thing has capabilities most people here choose to ignore, which is not very smart.
 
tny said:
This Mac "trojan" is analogous, though of course the Mac file system handles things much differently. I haven't found complete explanations, but (unless I'm misunderstanding the information I'm reading about this case) basically the "trojan" is a real MP3 file - in the data fork. But the application fork includes "malicious code" linked to the ID3 tags.

There are only two forks on HFS(+): resource fork and data fork. This thing is basically an application masquerading as an mp3-file. The executable code is in the data fork (like it always has been since the introduction of PPC), the icon shown by the finder is in the resource fork.

The "high-concept"-trick with this trojan is that the data fork starts off with a valid mp3-header, followed by a PEFF-code segment starting off at position 64 in the data fork which in turn is followed by the mp3 data.
The mp3 file format contains information as different chunks. PEFF also allows code in segments. If you are clever, you can interleave code and mp3. This allows the file to be played as an mp3 without any noise to reveal the true identity.

It works because the 'cfrg'-Resource allows executable chunks to start at an offset in the byte stream. The first member in this resource is located at 64 bytes - this is where the system jumps into if you launch it.

This kind of virus could have been engineered years ago - since the advent of Carbon 1.1 (not because Carbon is insecure, but because it introduced the 'cfrg'-resources) on MacOS 8.6.

id3info shows how the datafork is structured:
*** Tag information for virus.mp3
=== GEO (General encapsulated object): (virus)[virus.mp3]: application/octet-stream, 3221 bytes
=== TEN (Encoded by): iTunes v4.2
=== COM (Comments): (iTunNORM)[eng]: 00000A0C 00000000 000055AC 00000000 00000187 00000000 00007E8A 00000000 0000016D 00000000
=== TT2 (Title/songname/content description): Wild Laugh
=== TAL (Album/Movie/Show title): iMovie
*** mp3 info
MPEG1/layer III
Bitrate: 64KBps
Frequency: 44KHz



The application code is in the General encapsulated object (lines starting with === denote ID3 tags, so it is in a tag). Conveniently, iTunes does not show the existence of GEO tags...

Yeah, it's a trojan all right. A friendly one, but a valid one nonetheless.

The blame lies squarely at Apple.
- iTunes should - under no circumstances - play anything that identifies itself as an application. But it does and this is wrong, because it allows users to play this from the web, then store it and double click it one day. This would not be the case if it did not play in the first place.

- The Finder should mark each and every piece of software it would launch. Including AppleScripts, shell scripts, Carbon and Cocoa apps.

- The CFM-Launcher disregards the Unix executable bit (chmod -x and you still can launch it). I can't figure out why - except for the notable disregard inside Apple of anything Carbon. Hell, the NeXTies are too lazy to even look after security-relevant problems.


Outlook:
the same trick could be employed with every "chunky" file format. TIFF comes to mind, as well as QuickTime (we all never double click QuickTime .movs, right?), and... AAC. Apple better move fast to do something about it.

A further version could contain code that doctors existing mp3-files to become infected, thus spreading on your disk.

Besides the obvious "erase the home directory", a boosted version could employ AppleScript to read your contacts from the Address Book and send spam mails via Mail.app. This is the exact thing we have seen on Windows for years now.
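As an added example (not code from the thread, from Intego, or from Apple): a defender-side check that walks an MP3's leading ID3v2 tag and flags General Encapsulated Object frames (ID3v2.2 "GEO", v2.3/2.4 "GEOB") whose payload is an application/octet-stream or contains the PEF container magic that Carbon/CFM executables begin with, which is the structure eSnow's id3info listing describes. The frame layouts follow the ID3v2 specs; the sample tag is constructed here to mirror the quoted output and carries no code.

```python
# Added example: scan an ID3v2 tag for an embedded executable object, the way
# the MP3Concept data fork described above carries one in a GEO frame.
# Sample data below is constructed and inert (container magic only, no code).

PEF_MAGIC = b"Joy!peff"  # tag1 + tag2 of a PEF container header (CFM executables)


def _syncsafe(b: bytes) -> int:
    """Decode an ID3 syncsafe integer (7 bits per byte, big-endian)."""
    n = 0
    for x in b:
        n = (n << 7) | (x & 0x7F)
    return n


def _take_string(buf: bytes, enc: int):
    """Split one terminated text field off buf, honouring the frame's text encoding."""
    if enc in (0, 3):  # ISO-8859-1 or UTF-8: single NUL terminator
        s, _, rest = buf.partition(b"\x00")
        return s.decode("latin-1" if enc == 0 else "utf-8"), rest
    for i in range(0, len(buf) - 1, 2):  # UTF-16 / UTF-16BE: aligned double NUL
        if buf[i:i + 2] == b"\x00\x00":
            return buf[:i].decode("utf-16" if enc == 1 else "utf-16-be"), buf[i + 2:]
    return buf.decode("utf-16", "replace"), b""


def iter_id3v2_frames(data: bytes):
    """Yield (frame_id, payload) for every frame in a leading ID3v2.2/2.3/2.4 tag."""
    if data[:3] != b"ID3":
        return
    major = data[3]
    pos, end = 10, 10 + _syncsafe(data[6:10])
    id_len, size_len = (3, 3) if major == 2 else (4, 4)
    hdr_len = 6 if major == 2 else 10  # v2.3+ frame headers add 2 flag bytes
    while pos + hdr_len <= min(end, len(data)):
        fid = data[pos:pos + id_len]
        if fid == b"\x00" * id_len:
            break  # reached tag padding
        raw = data[pos + id_len:pos + id_len + size_len]
        size = _syncsafe(raw) if major == 4 else int.from_bytes(raw, "big")
        yield fid.decode("latin-1"), data[pos + hdr_len:pos + hdr_len + size]
        pos += hdr_len + size


def parse_geo(payload: bytes):
    """GEO/GEOB layout: encoding(1) mime NUL filename NUL description NUL object."""
    enc = payload[0]
    mime, _, rest = payload[1:].partition(b"\x00")  # MIME type is always ISO-8859-1
    filename, rest = _take_string(rest, enc)
    description, obj = _take_string(rest, enc)
    return mime.decode("latin-1"), filename, description, obj


def find_embedded_executables(data: bytes):
    """Return (frame_id, mime, filename, object_size, has_pef_magic) per suspicious frame."""
    hits = []
    for fid, payload in iter_id3v2_frames(data):
        if fid in ("GEO", "GEOB"):
            mime, fname, _desc, obj = parse_geo(payload)
            has_pef = PEF_MAGIC in obj
            if mime == "application/octet-stream" or has_pef:
                hits.append((fid, mime, fname, len(obj), has_pef))
    return hits


# --- constructed sample, modelled on the id3info output quoted in the thread -----
def _frame_v22(fid: bytes, payload: bytes) -> bytes:
    return fid + len(payload).to_bytes(3, "big") + payload  # v2.2: 3-byte id + 3-byte size


def _tag_v22(frames: bytes) -> bytes:
    size = bytes(((len(frames) >> (7 * i)) & 0x7F) for i in (3, 2, 1, 0))
    return b"ID3" + bytes([2, 0, 0]) + size + frames


def build_sample(with_geo: bool) -> bytes:
    frames = _frame_v22(b"TT2", b"\x00Wild Laugh") + _frame_v22(b"TEN", b"\x00iTunes v4.2")
    if with_geo:
        obj = PEF_MAGIC + b"\x00" * 56  # constructed: container magic only, no code
        frames += _frame_v22(b"GEO", b"\x00application/octet-stream\x00virus.mp3\x00virus\x00" + obj)
    return _tag_v22(frames) + b"\xff\xfb\x90\x00" + b"\x00" * 60  # MPEG-1 Layer III sync + silence


if __name__ == "__main__":
    print(find_embedded_executables(build_sample(True)))   # [('GEO', 'application/octet-stream', 'virus.mp3', 64, True)]
    print(find_embedded_executables(build_sample(False)))  # []
```

A hit only says an executable object is riding inside the tag; whether the Finder would launch the file still depends on the type/creator and 'cfrg' details the thread discusses.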
 
not funny

True or not, I really do not see what someone would gain by writing viruses and other annoying cr**.
True, it is useful to explore the weak points so that computer companies can make their software even more secure, but don't annoy the rest of the world with it, go work for a software developer or something, and get a real life, find a girlfriend or whatever, this is just childish behaviour.
😡
 
k2k koos said:
True or not, I really do not see what someone would gain by writing viruses and other annoying cr**.

Well, when I was much younger (14), I wrote a virus to spread in my school's CS classes. This was in '87, when the concept of viruses was brand new and the computers in question were Apple II's. It caused total mayhem, because people did not know what was going on.

Why? Just because it was possible. It was entertaining, writing something like that in some 2-3KB (yes, KB). It was a nice secret, and I kept it close to my chest until 10 years later. It was unethical too, I agree.

However, every time I see the complete fools here and in other Mac forums blasting Windows security and bragging about MacOS X and how bulletproof it is, it itches me a lot to show them...

Actually, looking at this trojan was fun for me. I like the cleverness with which it is built. Kudos to whoever did this.
 
If you get hit with this...

then you deserve it. don't pirate music and you don't have to worry. I have no sympathy for anyone getting bitten by this trojan.
 