Mac OS X Trojan Horse Infects MP3s
frequnkn writes "The Mac News Network reports that Intego has announced an update to their anti-virus app for snagging the first Mac OS X Trojan horse, MP3Concept (MP3Virus.Gen), which exploits a weakness in Mac OS X where applications can appear to be other types of files."
Ironic the Intego released a solution fast enough (Score:5, Interesting)
I always wonder where the sources are for the majority of viruses. It is quite ironic that a company selling you a fix happens to find the problem and releases the solution for the low price of 59.95. Yet a Google and Symantec Security [sarc.com] search didn't yield anything about MP3Virus.Gen. Hmmm - it's awfully nice they fixed this virus so fast.
Re:Ironic the Intego released a solution fast enou (Score:5, Informative)
Re:Ironic the Intego released a solution fast enou (Score:3, Insightful)
A.) Apple didn't do it - NeXT did.
B.) How is this cumbersome?
C.) Resource intensive? Bollocks.
D.) Glaring security hazard? Bollocks again. Double bollocks.
Re:Ironic the Intego released a solution fast enou (Score:5, Informative)
NeXTSTEP ran on four different hardware platforms and had fat binaries. Within the foo.app directory, there'd be foo-moto, foo-386, foo-sparc, and foo-hpux binaries. The OS would then attempt to execute the appropriate binary for the hardware platform the OS was running on.
OS X uses the
Re:Ironic the Intego released a solution fast enou (Score:4, Informative)
In NeXTStep V1.0 (and I think 2.0), the entire application was stored in a Mach-O format file. Ultimately, there were resource issues involved in trying to keep the entire application and its resources in a single Mach-O file, which resulted in this being split up into a directory containing the resources, and the Mach-O file retaining the executable data required by the system loader.
That's not all that different from how classic Mac OS apps were stored in different resource areas of a file.
Re:Ironic the Intego released a solution fast enou (Score:4, Interesting)
Re:Ironic the Intego released a solution fast enou (Score:3, Interesting)
And they never used 'fat binaries'. Apple did, NeXT did not. The whole idea of subdirectories under 'Contents' such as 'MacOS' contravenes this - they had different directories for different binaries at best, but remember, NeXTSTEP did not use HFS+, they used UFS, so there was no way they could have made a fat binary anyway.
The directory as an app only means you have a different model for application development. They
Re:Ironic the Intego released a solution fast enou (Score:5, Informative)
Re:Ironic the Intego released a solution fast enou (Score:5, Informative)
I've got an OSX install on purely UFS, and sure enough, it allows you to pack x86 and PPC binaries (or multiple PPC/X86 binaries, for optimization/bitness) into the same *.app so you can have one application file that executes on multiple architectures. It might not be Apple's hacked-up old kludgy way to get a 'fat binary' but it's effectively the same result but done MUCH cleaner and capable of living on many diverse file-systems.
Imagine how cool it would be to have ONE shared 'applications' folder mounted read-only on all your clients, the x86 clients execute the x86 code from camino.app and the PPC machines execute the PPC code from the same place. It would be an administrator's utopia!
Re:Ironic the Intego released a solution fast enou (Score:4, Interesting)
Re:Ironic the Intego released a solution fast enou (Score:5, Informative)
Proof (jpg) [alpcepinay93.free.fr]
Can you say "crappy" ? I'm sure you could.
Re:Ironic the Intego released a solution fast enou (Score:4, Funny)
Re:Ironic the Intego released a solution fast enou (Score:3, Insightful)
[ Inigo Montoya ]
I don't think that word means what you think it means.
That's not ironic. It may be, to tinfoil-hat-wearers, SUSPICIOUS, but it's not ironic at all.
Re:Ironic the Intego released a solution fast enou (Score:5, Insightful)
You find it ironic that a problem is found by people who make their living looking for such problems???
Re:Ironic the Intego released a solution fast enou (Score:4, Insightful)
Re:Ironic the Intego released a solution fast enou (Score:3, Insightful)
Statistics (Score:4, Insightful)
I can stand that.
Re:Statistics (Score:4, Funny)
Re:Statistics (Score:4, Insightful)
Re:Statistics (Score:5, Informative)
Vaguely reminds me of extension masquerading (Score:5, Funny)
One April Fools Day I installed a completely juvenile little extension called "Mouseturds" on my roommate's computer. But inside of "Mouseturds" I inserted an extension that reversed all of the text in the system. Inside of another file in the system (I believe it was directly in the Finder), I installed a second instance of the text-flipping extension.
When he first started using his computer, all of the text looked normal, but his mouse kept doing this terribly juvenile thing. "Cute, really cute," he said, removing that extension. You can't imagine his befuddlement when upon rebooting all of his text was sdrawkcab, simply for having cleaned his system. In the next few hours he drew up all sorts of crazy theories about dependencies, mounting extensions from the trash can, automatically installing programs when something is removed, and a mythical hidden second system folder. I didn't have the heart to tell him to watch the extensions list on the startup screen more carefully, but I didn't have the jaw if he decided to start swinging. He was not at all amused.
Moral of the story: No one thing is ever one thing on an apple system.
Other moral of the story: Never take a smart-alec joker as a roommate.
Re:Statistics (Score:4, Insightful)
now, the number of these holes that are exploited might depend on the number of people using the product. but I tend to believe that the reason more holes are found in microsoft products is because more holes exist in it, and they are easier to find. not because it has more users.
Exactly right (Score:5, Informative)
Re:Exactly right (Score:4, Insightful)
Re:Statistics (Score:5, Insightful)
The other popular view may also be true: that there are more windows viruses because it is a juicier target. And by juicier I mean larger userbase so a successful virus will have a greater impact, which means more "karma" for the virus creator.
I suspect the truth is somewhere in the middle (as it usually is).
HOWEVER, we MUST clearly differentiate trojans and viruses. Trojans are usually just a program that gets blasted out with the knowledge that some percentage of idiots will run it. Once the user runs something on any OS the jig is up. Trojans do not necessarily indicate security flaws, although some trojans on Windows have exploited the OS/products to make themselves appear more tempting to the target users.
Re:Statistics (Score:5, Insightful)
Oh wait, it is. And it doesn't.
Re:Statistics (Score:3, Informative)
The problem with Apache vs. IIS comparisons is that they are hardly fair. IIS comes with tons of dangerous examples and extensions. Bugs in widespread Apache modules are usually not attributed to Apache itself. There's nothing wrong with that, but it doesn't give you much information which web server, when configured properly, is more secure.
Re:This is only the beginning, get used to that (Score:5, Insightful)
Can you understand that past performance does not indicate future performance?
Also your sample size is questionable. Classic Mac OS' history is irrelevant to Mac OS X. Mac OS X is a far more interesting and potentially lucrative target. It combines a highly capable Unix environment (home turf/holy grail for hackers) with usually unsophisticated (wrt security) users who have no admin to watch over them. This is only the beginning, get used to that.
OS X has been out for three years. This is the first trojan/virus (giving this the benefit of the doubt). Ergo, 1 every 3 years.
Yeah, there's no admin to watch over them/us. What's your point? The system will protect the user as much as it can (have to authenticate to install/write to system areas, or create sockets on privileged ports). It's a bit more secure than Windows where a user needs a nanny standing over her slapping her wrist and saying "don't do that" or "don't open that". If it does become a target, it's more hardened. It's not like Windows saying "take me, big boy."
WHAT??? (Score:5, Insightful)
The average Windows user doesn't know how to map a network drive; doesn't know how to properly unmount a USB Storage Device in Win2k; doesn't know how to CANCEL PRINT JOBS if there isn't an annoying window from the bullshit software that pops up when you print.
The average Windows user doesn't know how to format a disk; doesn't know how to look at a full mail header, doesn't know how to Mail Merge.
The average Windows user doesn't differentiate between hard disk and "memory"; doesn't know how to clear the Recent Documents; doesn't know how to change their password.
The average Windows user hasn't used net send, ping, or even winipcfg. They don't know where to change the resolution on their monitor; they only change the Background from a right-click menu in Internet Explorer.
They have never intentionally used an F-Key that wasn't modded to do something special on their multimedia keyboard. They have no idea that Ctrl-F6 will switch between panes, so you don't need to click back and forth when designing a table in Access.
They don't know that Print Screen copies their screen to the Clipboard. Hell, they don't know what the Clipboard is.
The average Windows user doesn't know what Temp files are; has no concept of file permissions, can't make a Pivot Table; doesn't know how to uninstall programs; Has at least two things in their system tray they can't identify; has never performed a full backup of their data; and certainly has never touched their Registry.
Even tech support often doesn't know enough about the command line, like using "~1" doesn't mean you don't need the extension, or that Program Folder 8.1.1 becomes Progra~1.1 or that you can type the whole damn thing in quotes.
Maybe ten years ago the average Windows user knew something about the command line, but not anymore.
Re:This is only the beginning, get used to that (Score:5, Interesting)
I understand there's a fear factor, I work face to face with the average windows user every day, in their home. Not knowing how to mount a drive is one thing, very forgivable. Not even eyeroll-worthy. It's when they get in a panic because their sound card 'stopped working' only to discover that they had been turning the TONE control rather than VOLUME on their speakers. Now that's sad. I don't say *most* average users are like this (well, not without data to support me), but they do certainly abound.
I hate OS wars too. But the fact is, the average Linux user (oh, I should mention, I'm not one) is a Linux user partly because they are comfortable with having to know some things about their machine in order to use it. You know, Old School, like back in the day when you simply didn't HAVE a computer if you weren't interested in delving into it. They would tend to be the sort of person that enjoys having to learn something in order to make good use of it. I believe that the majority of people do *not* want to keep filling their heads. To many people that's what school was for and that part of their life is done. It's sad, but it's a choice made for the sake of comfort. I can respect it that way, there's a lot of other things they know perhaps.
I did an install once for a Lawyer (an intelligent man, one must presume), who became upset when he discovered that our high-speed access advertised as "One click and you're there" (or something) wasn't true. Because you have to double-click a desktop icon (to open a browser or whatever) he was almost going to cancel the service. He was getting installed purely on the pressure of friends, as he had gone years without email. And he was mad as hell about the whole thing. He got really mad when I didn't have paper documentation for Internet Explorer to leave with him. I pointed out where the Help was, and that just seemed to piss him off more. He *resented* being forced to learn something new, and I tried to tell him that anything worthwhile requires some learning. I asked him if he had ALWAYS known how to drive a car. No of course not, at some point he had to do a bit of reading, get some experience, do some practice. From the look in his eye at this point I realized I was traipsing into sass-mouth territory and just dropped it. The computer was given to him by a friend, and thank every god that it wasn't running Linux.
There's no fixing them, but at least they pay us to fix their stuff for them.
Can't we all just get along?
Re:Statistics (Score:4, Funny)
Re:Statistics (Score:3, Funny)
I used to have one of those too, but the BSODs got too much to deal with, even for gaming. So, I stick to RTCW and get my aggressions out that way (same nick there as well)
Re:Statistics (Score:5, Funny)
Wait, we have games now? Shit, there goes my productivity.
Conspiracy? (Score:5, Funny)
Re:Conspiracy? (Score:3, Informative)
No. The RIAA had a widely publicized program where they hired programmers/crackers to create bots to find MP3s (and report them -- there was a slashdot story about a guy with a name similar to some artist who got an automatically generated cease and desist letter, asking him to stop distributing MP3s he made). The WSJ also had an article about "experiments" the RIAA was doing to break into users computers and delete MP3 files that were pirated. (Nevermind that pirated MP3 files would be indistinguishable
Re:Conspiracy? (Score:4, Funny)
Sounds kinda wrathful. Remember, you don't marry just her, you marry the whole family!
Re:Conspiracy? (Score:3, Funny)
Be afraid...
Re:Conspiracy? (Score:5, Interesting)
Actually, my bet's on the Mac AntiVirus camp. They've been hurting a lot more recently.
Nothing to see here. Move along. (Score:4, Informative)
Mac OS X can have trojans. Mac OS X can have viruses. Mac OS X can have security issues.
It's just a lot harder to exploit all of these things on Mac OS X for numerous logistical, technical, and statistical reasons.
It is a real concept. There is an example of the trojan, or "virus" (sic), here: http://www.scoop.se/~blgl/virus.mp3.sit
However, it seems that this may be at best questionable, as the "proof of concept" is nothing more than a standalone CFM application that has been given a creator type of 'APPL' (recognized by Mac OS X as a Carbon application), but with the file extension '.mp3', the standard mp3 icon, and the contents of an mp3 (which Mac OS X displays to the user as an mp3). While the file does indeed appear at first glance to be an ordinary mp3, which can admittedly be potentially dangerous, it is in fact an application.
Additionally, as a CFM application, the file needs to be transported in such a way as to keep the resource fork intact, massively reducing its utility.
I predict a future security update will disallow this behavior...
This does not change the fact that Mac OS X is fundamentally and philosophically far more secure than alternatives.
Re:Nothing to see here. Move along. (Score:3, Funny)
They get viruses when you ship them? Maybe sealing the box a little better could help?
Re:Nothing to see here. Move along. (Score:5, Insightful)
Yes, of course we all know that OS X can have viruses, the point is that until now it basically hasn't had any. At least nothing that I've heard of or had to worry about. Now I will have to think twice about opening random mp3 files which somehow appear on my hard drive (?).
Re:Nothing to see here. Move along. (Score:4, Funny)
Re:Nothing to see here. Move along. (Score:3, Insightful)
Re:Nothing to see here. Move along. (Score:5, Insightful)
Re:Nothing to see here. Move along. (Score:5, Insightful)
Re:need more explanation (Score:5, Informative)
Also, if you knew the first thing about Mac OS X, you'd readily admit that the design philosophy and fundamentals of the OS do make it far, far more secure than, say, Windows.
Re:need more explanation (Score:5, Informative)
fork nor the data fork. You could think of them as a third, fixed-size fork. At least, that's what Siracusa of Ars Technica wrote.
Re:need more explanation (corrections) (Score:3, Informative)
A resource fork is used for extra data. Pre-OS X applications store dialogs, sounds, pictures, icons, strings, and even program code in the resource fork. All files on Mac OS X are capable of having resource forks, this is used by programs like BBEdit which store cursor & window position
Re:need more explanation (Score:3, Informative)
Re:need more explanation (Score:3, Informative)
You're basically correct, but in this instance, the executable code isn't in the resource fork, it's in one of the ID3 tags. However, the *offset* of that executable data is in the resource fork (in the 'cfrg' resource).
Re:Nothing to see here. Move along. (Score:3, Insightful)
Re:Nothing to see here. Move along. (Score:5, Informative)
Strictly speaking, you could say the same thing about the various SSH exploits that have been around as well, but I don't think I've ever owned a Linux box that would be usable without it. And you can't have it both ways. If Linux is a usable operating system, then it *isn't* just a kernel any more. It's the whole ball of wax.
This Mac OSX worm is a very different animal.
It's different in the sense that nobody has ever actually been infected by it. However, the existence of this particular design flaw has been known to pretty well everyone familiar with OSX since OSX was in beta. The decision to remove the old-style resource fork metadata and use Windows style file typing was actually the subject of enormously heated opposition for this very reason.
Re:Nothing to see here. Move along. (Score:5, Insightful)
Re:Nothing to see here. Move along. (Score:5, Insightful)
How exactly is dragging it into the trash to remove it hard?
it's not open source
Yeah, like that matters, when you consider the massive numbers of WMA and Real viruses.
it autoplays content on the web
Easy to turn off in preferences.
it's a big black box waiting to be exploited.
It's been around for what, a decade? I guess we'll have to wait some more for this particular exploit to happen.
Thanks for playing, please try again...
Re:Nothing to see here. Move along. (Score:3, Interesting)
While I tend to agree that QuickTime is not a "big black box waiting to be exploited", you will find that QuickTime is much more than the few applications you find in your applications folder. If you were to actually delete all of QuickTime you would have some serious issues with OS X. It is possible to run Darwin sans QuickTime and it MAY be possible to run OS X sans it but I have ne
Re:Nothing to see here. Move along. (Score:3, Insightful)
No but if the houses of people in your town were broken into 50% less than in another town it'd mean that your town is more secure (at least for the time being).
Statistics take no role in making Macs more secure, but they can be surely used as an index to decide if they are more secure nowadays.
Diego Rey.
Damn, viruses on OS X (Score:5, Funny)
That's it, I'm selling this, maybe I'll get one of those Sparc laptops instead..
- Cowboy
but, but, but.... (Score:3, Funny)
Nothing to see here, move along... (Score:5, Informative)
Re:Nothing to see here, move along... (Score:5, Informative)
Well, (Score:5, Insightful)
That's it! (Score:5, Funny)
Mac? MP3? (Score:5, Funny)
It's bad enough that they'll be shunned by all their iPod-wearing, dual-CPU-owning, Mac cabal member friends, but now their computer get pwned? Talk about kicking them while they're down.
Re:Mac? MP3? (Score:5, Funny)
How does this work? (Score:5, Insightful)
Besides, this isn't a virus so much as a security flaw. Why pay $60 for software when Apple will surely release a patch soon?
Oh, and for all the PC assholes who are currently saying "In your face, mac zealots" or whatnot--nobody claims that OS X is bulletproof--no computer system is. Nevertheless, it seems to be a lot more secure than, say, Windows, which has security problems all of the time.
Re:How does this work? (Score:3, Informative)
Re:How does this work? (Score:5, Funny)
you must not have met the users on my network.
Comment removed (Score:5, Insightful)
Comment removed (Score:4, Insightful)
Re:How does this work? (Score:5, Insightful)
Re:How does this work? (Score:3, Insightful)
Don't brush this off, this thing is real and dangerous. Ignorance is a bad reason to lose all of your files. Sure, it won't damage your OS if you have reasonable security but it certainly can propagate to other machines.
This thing is both an MP3 file and an full blown CFM application. If you drag and drop the file on iTunes it plays (safely since iTunes won't run the code). But
I knew this was going to happen... (Score:3, Insightful)
It was just a matter of time before someone used it maliciously to confuse the line between instructions and data.
Re:I knew this was going to happen... (Score:3, Insightful)
The trojan is an application with its icon set to the default MP3 icon, with a
Re:I knew this was going to happen... (Score:4, Informative)
file.mp3.APPL.VND
And this is precisely how the exact same "information hiding" works in windows with
Extensions really have been the best solution, though there is room for improvement.
Ahh.. Classic catches up to us :P (Score:5, Insightful)
The basic gist of this trojan from what I've read so far (there is very little information aside from what Intego has on their own web site) is that it is a file with type AAPL (executable application) but with an
What this basically comes down to, then, is the Finder making the wrong decision as to how to present the file to the user. Specifically that it presents it in one way, but acts upon it (when double-clicked) in the other. Whether it should first obey the deprecated file type metadata or the file extension is left to be argued about... what's certain is that it should always behave with the file the same way it presents it. I predict a bug fix for this will be in OS X shortly.
Hoax or response to proof of concept? (Score:5, Interesting)
At Google Groups [google.com]
I opened the file in BBEdit, and it appears that there is in fact executable code in the file, but it doesn't appear evident to me how the binary code would be executed if the audio file is opened inside of a music player.
Hopefully this ends up being a hoax, or at least some more details come out soon.
Re:Hoax or response to proof of concept? (Score:5, Informative)
I haven't looked at this trojan, but I participated in a theoretical discussion of the possibility on usenet a couple of weeks ago (interesting timing, that) and the theory isn't that strange anyway.
The way it works is that it's actually a full-blown application. It's a Carbon CFM application, which is stored as a single file. There's a resource in the resource fork of the file which tells the OS where the actual executable code can be found; this allows the application's code to be embedded inside a larger chunk of data. The whole thing is then typed APPL with the HFS+ metadata filetype, but given a
If you open the file from your music player, it's a real MP3 that just happens to have a bunch of junk (trojan code) in an ID3 tag. It plays, nothing else happens. If you double-click it in the Finder, though, the Finder sees that it's an application and launches it, and then you're doomed. The app can do whatever it wants at that point. Presumably one of the very first things it does is open itself with your MP3 player so as to give the appearance of functioning like a regular MP3 file, and then it can go around infecting or deleting files at will.
This isn't a particularly dangerous trojan. Because of the dependence on HFS+ metadata and resource forks, the app can't be transported raw, it has to be encoded. So you absolutely cannot be infected by double-clicking an MP3 you got from Kazaa. You have to download an archive file, like a Stuffit archive, a disk image, a
For a successful internet worm to result from this, the recipients have to do two steps. First they would have to decompress the file that was sent to them, then they'd have to find the results and open it. Of course, we know from the example of Windows worms that enough users will go through the trouble of opening an encrypted
Re:Hoax or response to proof of concept? (Score:4, Informative)
It only opens files once. It doesn't then open what the files produce. There are two exceptions to this; one is that anything that's gzipped is un-gzipped and then opened or not based on the contents, the other is that stuffit will automatically mount a disk image contained in a
One thing to keep in mind is that this trick only tricks the user. If the Finder knows it's an executable application, any other app on the system can find out too.
This is not an exploit of anything, it's just a cleverly designed application that looks like a music file to a human being. It can't be run without active participation by the user.
Re:Hoax or response to proof of concept? (Score:3, Informative)
Re:Hoax or response to proof of concept? (Score:4, Informative)
Apple response time (Score:3, Insightful)
What's relevant here is now that this has exposure (and we all know that /. == exposure to those who matter), how quickly will Apple respond and rectify this by issuing a patch?
Here's wagering that they don't sit on it like M$ has been known to do, if for no other reason than that M$ has a far greater volume of viruses/trojan horses/etc. to deal with!
-Nanter
Re:Apple response time (Score:3, Insightful)
How do you expect Apple to stop people from clicking on unknown or untrusted files?
The only "patch" that will help is one that delivers common sense through the skin (like nicotine or birth-control). Until then, trojans are here to stay.
Nothing new here... (Score:3, Informative)
It would take me about 15 minutes to write my own "trojan horse" of this nature... Don't make a big fuss over nothing.
From the MacNN article:
The company says that Mac OS X displays the icon of the MP3 file, with an
Ogg? (Score:5, Funny)
Time to Stop Complacency (Score:5, Interesting)
The method in which this trojan infects isn't new: Windows viruses often hide their true extension in the same way as this empty-payload Mac OS X trojan.
What is significant is what a payload-laden trojan could do the today's Mac OS world. As a tech, I get to see a fair audience of Macs in use and what software they use. The very concerning part is that very few (my estimate: less than 1 in 50) Macs use ANY kind of antivirus software.
Not that you can't find any: Aside from Intego (who make a fine firewall as well as their virus products), you can get Norton AntiVirus from Symantec and Virex from Network Associates. Yet, most of us don't own any AV software.
That's bad for two reasons. One: While most Windows malware we Mac users may receive by mail are harmless to our Mac OS X systems, we remain Typhoid Mary-esque carriers to other PCs. Two: Our complacency in saying that "Macs don't get viruses" does not ensure that we will not experience one later.
That "later" is now.
Further, the "security through obscurity" protection is gone with the move to OS X. It's just a UNIX OS now, no longer a relatively-closed OS, which means there are more people who are UNIX-savvy who can create malware than before. (Fortunately that also means there are plenty of Good Guys who can spot this stuff before Apple or AV vendors are made aware.)
While I doubt there will be lots of new Mac attacks soon, I would not wait until one shows up with a nasty payload. Buy some AV software and keep puttering along. I'm sure there's some ass out there with too much time on their hands who, like the guy who took the Word Macro "Concept" virus, added a payload and sent it on its way, who will love to make some pitiful Mac users suffer.
Also, consider creating a regular user account, which cannot install software. In the event that you do open something with a payload on that account, hopefully OS X's permissions will stop any attempts to change any file or program except those in that account's home folder. Thank God for the UNIX permissions system.
Re:Time to Stop Complacency (Score:3, Informative)
About freaking time!!! (Score:5, Funny)
Windows problem as well? (Score:3, Interesting)
1) Make a valid MP3 file
2) Make the beginning of the file a JMP instruction (assembly code) that tells it to jump to the point in the MP3 where the ID3 tag is stored.
3) Put a virus in the ID3 tag.
What's to prevent this from working on Windows? It's a brilliant, and scary plan... . It would be especially effective if linked on a website, as Windows accepts MIME-types first and extensions second now.
It's not integrity, it's Intego! (Score:4, Insightful)
From my read of their PR page [intego.com] about this, it sounds like something they entirely fabricated themselves to sell their software. There is nothing in the wild and no reports on respectable security sites, just Intego saying they "isolated" something and you should buy their FUD^H^H^Hproduct. As others have pointed out, a trojan is possible on any system if you can get the user to jump through elaborate enough hoops. So the next time you download an unknown MP3 (or whatever) file with an intact resource fork from an anonymous source and give it executable status so you can double-click it instead of just adding it to your iTunes library (or playing it in Finder with a single click in column view), be glad you also shelled out money to Intego so that you are protected from your own stupid and unnecessary actions! That it's come to this shows just how hard it is for anti-virus types to make money on the Mac.
Use the Forks, Luke! (Score:3, Informative)
If you throw virus.mp3 into your favorite p2p sharing system (or a web site, or most sharing methods other than AFP) the downloader will only get the data fork. That's why they had to put it in a .SIT archive first. Now you have to include code to rearchive the trojan before passing it on.
To do self-propagation right, go for pure data fork. Maybe AppleScript. A simple version would just read from AddressBook.app and spew to Mail.app. Bonus points if you detect/use other email clients too, including OS 8/9.
Don't Have Permission to Open (Score:5, Interesting)
How it works and why it isn't really an exploit (Score:5, Informative)
Its name ends in ".mp3", and the included icon is copied from an iTunes MP3 file, but its type code is APPL, an application. The data fork is a valid MP3 with PowerPC executable code inside the ID3 tags. When given to iTunes or another MP3 player, it simply plays the included sounds without executing code. When double-clicked on from the Finder, the surrounding bits of MP3 file appear to be ignored and the code is executed. The payload for the proof-of-concept displays a dialog box, then tells iTunes to play the file itself, presumably via AppleScript.
When double-clicked, it shows up in the dock as an application, though this could be suppressed in an actual hostile trojan just like many utility programs do. In the Finder, if one is using column view, it is identified as an Application instead of an MP3 File, and its icon is shown instead of a QuickTime-style playback bar for previewing the contents.
In terms of an actual exploit, the only thing going on that is even possibly questionable at an OS level is the presence of other stuff in the data fork before the Joy!peffpwpc tag. I am not certain if this is allowed in the definition of what a PEF executable is supposed to look like. Aside from that, there is nothing else that is tricking the OS into doing something it shouldn't do, only legally included information that is deceptive to a user who is not looking carefully at things.
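The two descriptions above (the usenet-discussion post and the "How it works" post) give enough structure to write a detection check that does not depend on the user noticing the icon: the HFS+ file type stored in the Finder info says APPL while the name ends in .mp3, and the data fork is a real MP3 whose ID3 tag carries a PEF container header (the "Joy!peffpwpc" bytes). The following Python is an added example, not Intego's signature or code from any poster. It assumes the caller supplies the raw 32-byte com.apple.FinderInfo attribute (on a Mac, `xattr -px com.apple.FinderInfo file` prints it) and the data fork; the sample files, the ID3 frame contents and the iTunes type/creator codes used for the clean sample are constructed for the demonstration.

```python
import struct

# A PEF container header begins with tag1 "Joy!", tag2 "peff" and the
# architecture "pwpc"; this is the byte string the posts above refer to.
PEF_MAGIC = b"Joy!peffpwpc"
APP_TYPE = b"APPL"          # HFS file type the Finder treats as a launchable app
AUDIO_EXTS = {"mp3", "m4a", "aac", "wav", "aiff"}


def finder_type_creator(finder_info: bytes):
    """First 4 bytes of FinderInfo are the file type, next 4 the creator."""
    if len(finder_info) < 8:
        raise ValueError("FinderInfo blob must be at least 8 bytes")
    return finder_info[:4], finder_info[4:8]


def syncsafe(n: int) -> bytes:
    return bytes(((n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F))


def unsyncsafe(b: bytes) -> int:
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def id3v2_frames(data: bytes):
    """Walk a leading ID3v2.3/2.4 tag; return (tag_end, [(id, payload_offset, payload)]).
    ID3v2.2 (3-byte frame ids) is not handled and yields no frames."""
    if data[:3] != b"ID3" or len(data) < 10 or data[3] not in (3, 4):
        return 0, []
    major = data[3]
    end = 10 + unsyncsafe(data[6:10])
    frames, pos = [], 10
    while pos + 10 <= min(end, len(data)):
        fid = data[pos:pos + 4]
        if fid == b"\0\0\0\0":          # padding: no more frames
            break
        raw = data[pos + 4:pos + 8]
        size = unsyncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        start = pos + 10
        frames.append((fid.decode("latin-1"), start, data[start:start + size]))
        pos = start + size
    return end, frames


def pef_hits(data: bytes):
    """File offsets of PEF container headers found inside ID3v2 frames."""
    hits = []
    for fid, start, payload in id3v2_frames(data)[1]:
        idx = payload.find(PEF_MAGIC)
        while idx != -1:
            hits.append((fid, start + idx))
            idx = payload.find(PEF_MAGIC, idx + 1)
    return hits


def assess(name: str, data: bytes, finder_info: bytes) -> dict:
    """Flag a file whose name says audio but whose metadata or tag says executable."""
    ftype, creator = finder_type_creator(finder_info)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    hits = pef_hits(data)
    return {
        "type": ftype, "creator": creator, "ext": ext,
        "type_is_app": ftype == APP_TYPE,
        "pef_in_id3": hits,
        "masquerading": ext in AUDIO_EXTS and (ftype == APP_TYPE or bool(hits)),
    }


# --- constructed samples (not real files from the thread) ---------------------
def _frame(fid: bytes, payload: bytes) -> bytes:
    return fid + struct.pack(">I", len(payload)) + b"\0\0" + payload   # ID3v2.3 frame


def _mp3(frames: bytes) -> bytes:
    tag = b"ID3\x03\x00\x00" + syncsafe(len(frames)) + frames
    # Stand-in for MPEG audio: an MPEG-1 Layer III sync header plus filler.
    return tag + b"\xFF\xFB\x90\x00" + b"\0" * 64


def sample_trojan():
    frames = _frame(b"TIT2", b"\x00Sample") + \
        _frame(b"PRIV", b"trojan\x00" + b"\0" * 16 + PEF_MAGIC + b"\0" * 32)
    finder_info = APP_TYPE + b"????" + b"\0" * 24       # APPL type, unknown creator
    return "virus.mp3", _mp3(frames), finder_info


def sample_clean():
    frames = _frame(b"TIT2", b"\x00Sample")
    finder_info = b"MPG3" + b"hook" + b"\0" * 24        # assumed iTunes MP3 type/creator
    return "song.mp3", _mp3(frames), finder_info


if __name__ == "__main__":
    for sample in (sample_trojan, sample_clean):
        name, data, fi = sample()
        print(name, assess(name, data, fi))
```

The check mirrors the poster's point that "if the Finder knows it's an executable application, any other app on the system can find out too": the type code is ordinary metadata, and the embedded PEF header is plain bytes in the data fork, so a mail gateway or a download handler can refuse the file without needing a signature for this particular payload.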
BeOS had the exact same problem (Score:3, Informative)
BeOS virus ? Something to keep you awake at night... [google.com] BeOS could also set arbitrary icons for files to disguise their real types. This problem is nothing new.
LaserJet 1012 (Score:4, Insightful)
This is, like, 10 years behind (Score:4, Informative)
Read the Press Release! (Score:3, Informative)
The linked article (and most coverage of this trojan) is very misleading. This trojan does not delete files, propagate itself, or infect other files. The press release from Intego just says that a trojan like this could do those things. Read the press release for yourself.
Intego Press Release [intego.com]
The important thing to realize here is that Mac OS X, while very secure, is not perfect. And no matter what OS you are using, you should be very careful what you double click! Let's hope Apple nails this quickly!
Heh (Score:3, Insightful)
Parent not flamebait (Score:5, Insightful)
He *is* right in that what you have here is an honest-to-God architectural security problem with the Mac OS. It isn't a coding bug or a stupid user -- Apple clearly defines how to determine file type in their specs, which will now need to be revised.
And I think he's pretty accurate in claiming that this *does* embarrass a lot of people that were making semi-bogus security claims about the Mac OS.
Had he said "Yes, now we can all tell that Mac OS X security sucks", then sure, he'd be flamebait. But he was spot-on accurate in his statement. Modding him down because you don't like the truth of something he's saying is just silly -- a religion, a text editor, or a computing platform that cannot stand up for itself on its own merits should not have you trying to suppress valid criticisms of it. If it can, it doesn't *need* you trying to suppress valid criticisms, because those are minor compared to the benefits of the platform.
Re:If there aren't any MacOSX virsuses.... (Score:4, Funny)
Re:If there aren't any MacOSX virsuses.... (Score:3, Informative)