Why do so many people want to deny this is a problem? It is a problem, one we knew would come about sometime (remember OS 9 had virus problems). Also, the average users may be either inexperienced or too cocky, thinking "Macs don't have viruses!".

Sure, this may not be able to delete your whole file system or prevent your computer from running, but it can cause a pain in the ass! Not everyone backs up, yes they should. Hopefully, Apple will provide some sort of fix, but this can't be the first time this has happened. OS X also has the benefit of being Unix based. That has been around for a much longer time so perhaps there are other similar issues out there that have already been fixed on other *nix platforms.

Common sense will help, but putting your heads in the sand and saying it isn't a big deal or downplaying it does no one any good.
 
eSnow said:
Well, when I was much younger (14), I wrote a virus to spread in my school's CS classes. Why? Just because it was possible. It was entertaining, writing something like that in some 2-3KB (yes, KB). It was a nice secret, and I kept it close to my chest until 10 years later. It was unethical too, I agree.

However, every time I see the complete fools here and in other Mac forums blasting Windows security and bragging about Mac OS X and how bulletproof it is, it itches me a lot to show them...

Lots of things are "possible" and may be considered "entertaining" by those with time on their hands and a sense of mischief - the mind reels at what has been done of a more destructive nature with such mindsets. I hope that was a passing phase and you now do more productive things with your time. At least you understood the unethical nature of your action. Please keep your talents on the side of "right," and don't scratch that itch. 🙂
 
eSnow said:
There are only two forks on HFS(+): resource fork and data fork.
Plus file system metadata. Without that, the file would be recognized as an mp3 file only, based on its suffix.

eSnow said:
- The CFM-Launcher disregards the Unix executable bit (chmod -x and you can still launch it). I can't figure out why - except for the notable disregard inside Apple of anything Carbon. Hell, the NeXTies are too lazy to even look after security-relevant problems.
Try setting the executable bits in OS 8.6 or something. So, if someone builds a Carbon app it shouldn't run on X at all, or what's your point? Besides, do you think the virus programmers would be too stupid to set the executable bit?

eSnow said:
Besides the obvious "erase the home directory", a boosted version could employ AppleScript to read your contacts from the Address Book and send spam mails via Mail.app. This is the exact thing we have seen on Windows for years now.
Mail.app will warn you if you want to launch the movie/mp3/whatever file if it was encoded as an application. That and the small and clustered Mac user base (only Macs can pass it on) will probably be enough to stop such a virus from spreading quickly. Although... maybe not. We'll see soon enough.
 
Hang the DJ

Awimoway said:
Well, I, for one, just downloaded a legally distributed free mp3 today. It was a promotional mix a DJ is giving away.

Good. Then you know the source of the MP3. This will only affect people who d/l MP3s from less reputable places.
 
123 said:
Plus file system metadata. Without that, the file would be recognized as an mp3 file only, based on its suffix.

Mail.app will warn you if you want to launch the movie/mp3/whatever file if it was encoded as an application. That and the small and clustered Mac user base (only Macs can pass it on) will probably be enough to stop such a virus from spreading quickly. Although... maybe not. We'll see soon enough.

Entourage gives me a warning also. So I only open up an application if it comes from someone that I know. As others mentioned, all would be much better if brilliant individuals would use their knowledge for good!
 
gdanko said:
then you deserve it. don't pirate music and you don't have to worry. I have no sympathy for anyone getting bitten by this trojan.
Um, it comes in emails, genius. I don't know about you, but I get lots of emails from friends that have songs they have written as attachments, but I really doubt this trojan hacks your address book and sends the email via the emails (like many Windows viruses and trojans do). So most likely the thing sends an email from like "your_wife_nude@yahoo.com" or something along those lines.
 
voicegy said:
Lots of things are "possible" and may be considered "entertaining" by those with time on their hands and a sense of mischief - the mind reels at what has been done of a more destructive nature with such mindsets. I hope that was a passing phase and you now do more productive things with your time. At least you understood the unethical nature of your action. Please keep your talents on the side of "right," and don't scratch that itch. 🙂

I'd actually challenge him.

BRING IT ON. MAKE MONEY FOR ANTIVIRUS SOFTWARE VENDORS! YOU TOOL!
 
Here's my concern:

PCs are notorious for running into tons of trojans and spyware. The fact that the Mac has hardly ever had any significant virus/spyware scares is, in my opinion, a big selling point for them. Incidentally, the same fact is also probably the result of their numbers staying small, and PC numbers being so large.

If the Mac platform becomes virus and spyware prone, like PCs, then there will not really be any major convenience-related reasons for me to stick to the Mac anymore... for the longest time, that has been one of the primary selling points to me, their convenience through safety from troublesome things like the ones PCs run into so often on the web. Disagree with me all you want, but, since I don't do audio/video editing, I just wouldn't buy a Mac for performance, because the Mac isn't faster for what I'm interested in, both productivity- and entertainment-wise.
 
Double Click

I downloaded the so-called mp3 and my main question is who would double-click on it anyway. The only time that I double-click on a song is when I am in iTunes. However, I always look at my files in list mode, which tells you that it is an application or what not, so common sense should tell you that unless it is an app that you downloaded or made for yourself, don't open it. Also, we have been able to do things like this since OS 9. I believe that they are just not having good sales and are trying to drum up some Mac sales for being one of the only virus protection programs that catches it.
 
123 said:
That and the small and clustered Mac user base (only Macs can pass it on) will probably be enough to stop such a virus from spreading quickly. Although... maybe not. We'll see soon enough.

The smaller user base would not slow down the propagation significantly.
The Witty worm [1] had only a 12k target pop and managed to infect most of that in less than a single hour. By sending itself to random IPs, no less.

A mail worm that needs user interaction is generally slower than those that exploit a remote vulnerability like Witty did, but if it were to send itself to all email addresses in a Mac user's address book it would inevitably hit some other Mac users, just like windoze worms get addresses of other windoze users. Plus it simply could send itself to <random>@mac.com as well and get some guaranteed hits.

As in biology the spread of a computer virus that is transmitted through relationships of carriers is mostly a function of the "linked-ness" of the target population almost regardless of the relative size of vulnerable pop in the overall pop.

In other words: as long as the average Mac user knows a few other Mac users and the worm has a way (like random sending) to jump borders between (mostly) isolated groups, it will spread fast even though we might only own ~5% of all computers.

[1] - http://www.caida.org/analysis/security/witty/
 
Even if the Finder learns to give warnings, I've found that a lot of people will click OK in almost any dialog box, without reading it. If the Finder said "This is an unknown application from a suspicious source, disguised as a data file, with a misleading extension. OK to launch it?" they would click OK. Of course, if instead it said "This is an unknown application from a suspicious source, disguised as a data file, with a misleading extension. OK to not launch it?" they would also click OK.
 
Um.

gdanko said:
then you deserve it. don't pirate music and you don't have to worry. I have no sympathy for anyone getting bitten by this trojan.

This was just a proof of concept! It doesn't have to be a music file. It could be a jpg or a doc or a pdf. It was just written to show that it could be done. Thankfully, this trojan also was benign, but now that it is out, ANYONE can put in malicious code. Yes, it takes human intervention, but that is what makes it a Trojan [horse]. (Ever read Greek mythology/history?)

Take your crass attitude elsewhere. It isn't constructive.
 
You are not true

space2go said:
That's not entirely true.
The executable is actually in the ID3 tag of the mp3 as the file is both a valid mp3 and a valid carbon app.

The malicious executable is not in the ID3 tag. It is all in the resource fork. Wired got it wrong and so did Intego. Look at the source and see for yourself. I don't have to prove it to you.

EDIT:

There is nothing corrupt about the header. The only strange part of the ID3 tag is in the comments, and it is the following:

00000A0C 00000000 000055AC 00000000 00000187 00000000 00007E8A 00000000 0000016D 00000000

Not sure, but even if it is binary, it isn't an application. Again, the executable code is in the resource fork, not the ID3 tag. Kill the resource fork and you kill the trojan.
 
So, I'm guessing this is because there are two conflicting ideas of what makes an executable an executable. The type/creator codes, if set to an executable and containing the right resources, are taken before a check of the file extension, because classic Mac OS ignored extensions as just part of the name. So, if resource forks are removed, or type/creator codes ignored and only the extension recognized, then this type of trojan would be a lot less possible?
 
A couple of links people might not have seen:
Apple responds to Trojan horse advisory
"We are aware of the potential issue identified by Intego and are working proactively to investigate it," said Apple in a statement given to MacCentral. "While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities."

Intego Q&A re: Mac OS X Trojan
 
This is the only text that is intelligible in the resource fork of the file in question:

virus.mp3 version 1.0Kvirus.mp3 version 1.0, Copyright
2004 by E. Cracker. All rights reserved.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
<key>CFBundleIdentifier</key>
<string>mp3.virus</string>
<key>CFBundleName</key>
<string>virus.mp3</string>
<key>CFBundleGetInfoString</key>
<string>virus.mp3 version 1.0, Copyright
2004 by E. Cracker. All rights reserved.</string>
<key>CFBundleShortVersionString</key>
<string>virus.mp3 version 1.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleSignature</key>
<string>vMP3</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>LSPrefersCarbon</key>
<true/>
<key>CFBundleIconFile</key>
<string>128</string>
</dict>
</plist>
 
Any unknown file, on any OS, can be dangerous

Executing any suspicious file on any OS, be it Windows/Mac/Linux/BSD, can be dangerous.

This has less to do with an actual threat, and more to do with simply being smart.

The dangers to be concerned about are those viruses that can attack your computer without user idiocy as part of their methods. This, on the other hand, is nothing to be concerned about.
 
Can Apple do anything to fix this?

Is there anything Apple can do to fix this problem or would that break everything else in the system???
 
MacVault said:
Is there anything Apple can do to fix this problem or would that break everything else in the system???
Probably only Carbon apps. They might have to ignore HFS type codes and just go with extensions; maybe they'll have to change all the Carbon apps to have .app extensions or something... Maybe the Finder could be changed not to open Carbon applications if they have an extension... that might not break anything... only Apple knows for sure, I guess...
 
msconvert said:
The malicious executable is not in the ID3 tag. It is all in the resource fork. Wired got it wrong and so did Intego. Look at the source and see for yourself. I don't have to prove it to you.

Actually you should, because you are utterly wrong. There is no executable code in the resource fork; it is in the data fork, embedded in an ID3 tag. Go back one page - I have dissected the thing.
 
123 said:
Try setting the executable bits in OS 8.6 or something. So, if someone builds a Carbon app it shouldn't run on X at all, or what's your point? Besides, do you think the virus programmers would be too stupid to set the executable bit?

You can't, because 8.6 has no Unix underpinnings and detects executables by a different mechanism. The point is that the x-bit is an important security mechanism in Unix and disregarding it is a bad thing[tm].
Apple needs to look at its state before launching a CFM application like it looks at it before launching a Mach-O app (not that it would have prevented this specific trojan, but maybe the next).
 
voicegy said:
Lots of things are "possible" and may be considered "entertaining" by those with time on their hands and a sense of mischief - the mind reels at what has been done of a more destructive nature with such mindsets. I hope that was a passing phase and you now do more productive things with your time. At least you understood the unethical nature of your action. Please keep your talents on the side of "right," and don't scratch that itch. 🙂

Oh absolutely - that little experience told me a lot about the interconnection of power and responsibility. Especially seeing people desperate because their work kept vanishing made me sorry for them.

So, my ethical stance has evolved quite a bit since then - I have found other sources of feeling powerful than letting loose evil programs.
But I still cannot help admiring those who are able to think different and work around security measures (Hackers, Virus writers, phone phreaks, the "PlayFair"-writers...) to show who's the one with the higher skills 😀
 
Santiago said:
In the Finder, if one is using column view, it is identified as an Application instead of an MP3 File, and its icon is shown instead of a QuickTime-style playback bar for previewing the contents.

So, it's less damaging than even I thought.

This is no more malicious than any executable (be it an .app bundle or a single-file "Unix tool" app) being labeled ".mp3", except that it will "work" for those of us who open it through iTunes or drag it onto iTunes instead of double-clicking to execute.

IMHO, if you're just blindly double-clicking on something you downloaded, no matter what you think it is, you are yourself a security risk to be dealt with. If OS X is properly identifying this as an application, then when you double-click the application is run ... well, that's not OS X's fault now is it?

Gee, some day maybe we'll get the alert that if someone drops an applescript file into your mail titled "Anna Kournikova Pics.jpg" we've got the first real live OS X JPG virus!

"Stupidity-borne" trojans are not platform-dependent at all. Stupid people are everywhere, and will always double-click things, never understanding that since double-click means different things for different kinds of things, they should really know what kind of thing they're double-clicking before doing it. Apple can't stop that particular bit any more than Microsoft can, which is why things like the aforementioned "Kournikova" "virus" of several years back don't really count as a ding against Microsoft.
 
eSnow said:
Actually you should, because you are utterly wrong. There is no executable code in the resource fork; it is in the data fork, embedded in an ID3 tag. Go back one page - I have dissected the thing.

OK, so you dissected it. Then what is in the resource fork, and why does it break when you 'cp virus.mp3 clean.mp3' (cp doesn't know what to do with the resource fork)? This is how I made my deduction - maybe I am wrong. But the resource fork cannot contain just the icon. It is an integral part of the function of the Trojan.

If it is at all dependent on information contained in the ID3 tag, then this exploit cannot be potentially mutated as others suggested; there is no ID3 tag in the PDF spec or the JPG spec or ...
 
msconvert said:
OK, so you dissected it. Then what is in the resource fork, and why does it break when you 'cp virus.mp3 clean.mp3'

The res-fork contains a 'cfrg' (short for configuration) resource that tells the system that one code chunk is contained in the data fork starting at offset 64 into the data and having a length of 3215 bytes. The system reads this information and then opens the data fork and executes the code there. If the description in the 'cfrg' resource is not available, the trojan cannot be launched.

msconvert said:
If it is at all dependent on information contained in the ID3 tag, then this exploit cannot be potentially mutated as others suggested; there is no ID3 tag in the PDF spec or the JPG spec or ...
jpg might be fine; jpeg2000 is likely not. AAC and TIFF are likely also at risk, as is .mov. It is nothing special to .mp3; it could happen with any file format that is structured and tagged.
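As an added example (my own code, not anything posted in this thread or published by Intego or Apple), here is a Python check that turns the two dissections above into something a defender can run over a downloaded file: it parses a classic resource-fork map to see whether a 'cfrg' resource is present, and it looks in either fork for an application bundle plist with CFBundlePackageType APPL like the one quoted earlier in the thread. The resource-map layout it relies on (16-byte header, 28-byte map header, type list) is an assumption about the classic format, and the sample fork and plist it builds are constructed for the demonstration, not taken from the real file.

```python
import plistlib
import re
import struct

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

def resource_types(rsrc):
    """Parse a classic Mac resource-fork map; return {four-char type: count}."""
    map_off = struct.unpack(">I", rsrc[4:8])[0] if len(rsrc) >= 16 else len(rsrc)
    if map_off + 28 > len(rsrc):                   # header: data off, map off, 2 lengths
        return {}
    # map: 16-byte header copy, 4 handle, 2 file ref, 2 attrs, 2 type-list offset
    tl = map_off + struct.unpack(">H", rsrc[map_off + 24:map_off + 26])[0]
    count = struct.unpack(">H", rsrc[tl:tl + 2])[0] + 1
    types = {}
    for i in range(count):
        entry = tl + 2 + 8 * i                      # type, count-1, ref-list offset
        if entry + 8 > len(rsrc):
            break
        rtype, n_minus_1 = struct.unpack(">4sH", rsrc[entry:entry + 6])
        types[rtype.decode("mac_roman")] = n_minus_1 + 1
    return types

def scan(data, rsrc=b""):
    """Findings for a downloaded file that claims to be an MP3 (both forks)."""
    findings = []
    if data[:3] != b"ID3" and data[:2] != b"\xff\xfb":
        findings.append("neither an ID3v2 tag nor an MPEG frame sync at offset 0")
    if rsrc:
        findings.append("resource fork present")
    if "cfrg" in resource_types(rsrc):
        findings.append("'cfrg' resource points the CFM loader at code in the data fork")
    for fork, blob in (("data", data), ("resource", rsrc)):
        m = PLIST_RE.search(blob)
        try:
            plist = plistlib.loads(m.group(0)) if m else {}
        except Exception:                           # malformed XML is not a plist
            plist = {}
        if isinstance(plist, dict) and plist.get("CFBundlePackageType") == "APPL":
            findings.append(f"application bundle plist (APPL) in {fork} fork")
    return findings

def build_rsrc(types, data=b""):
    """Constructed minimal resource fork: one data entry, a map listing `types`."""
    n = len(types)
    tl = struct.pack(">H", n - 1)
    for i, t in enumerate(types):                   # every type points at data entry 0
        tl += struct.pack(">4sHH", t.encode("mac_roman"), 0, 2 + 8 * n + 12 * i)
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(tl) + 12 * n) + tl + b"\0" * (12 * n)
    return struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap)) + b"\0" * 240 + data + rmap

# Constructed samples: a plain MP3 head, and a fork shaped like the dissected one (no code in it)
CLEAN_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\0" * 10 + b"\xff\xfb\x90\x00"
PLIST = b'<?xml version="1.0"?><plist version="0.9"><dict><key>CFBundlePackageType</key><string>APPL</string></dict></plist>'
TROJAN_RSRC = build_rsrc(["cfrg", "plst"], struct.pack(">I", len(PLIST)) + PLIST)
```

On Mac OS X the resource fork of a file can be read from the path file/..namedfork/rsrc and passed in as rsrc; on other systems only the data fork is available, which is why the plist search covers both forks.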
 