
Mac OS X virus - Mac Networking


  1. #1

    Default Mac OS X virus

    This is from the BugTraqMac list:

    As a harbinger of things to come, there now exists a Trojan on OS X; it
    exploits the ID3 tag in MP3 files to embed executable code in those
    files.

    Press release:

    <http://www.intego.com/news/pr40.html>

    Excerpt:

    Paris, France: 4:15pm, April 8, 2004 - Intego, the Macintosh
    security specialist, has just released updated virus definitions
    for Intego VirusBarrier to protect Mac users against the first
    Trojan horse that affects Mac OS X. This Trojan horse, MP3Concept
    (MP3Virus.Gen), exploits a weakness in Mac OS X where applications
    can appear to be other types of files. The Trojan horse's code is
    encapsulated in the ID3 tag of an MP3 (digital music) file. This
    code is in reality a hidden application that can run on any
    Macintosh computer running Mac OS X.

    Proof of Concept:

    <http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6>

    Warning: There is a link in that message to a .sit archive containing
    a "proof of concept" of the ID3-tag-embedded virus. Though unlikely, it
    is possible that this file could contain an actual virus (as opposed to
    merely a proof of concept). Prudency suggests that you not 'test' the
    proof-of-concept file.

    --
    Never play strip tarot.
    Michelle Guest

  2. #2

    Default Re: Mac OS X virus

    Michelle Steiner <org> writes:
     

    Thanks for the heads-up. I never listen to MP3s on my computer nor do
    I download them, but it's good to know about these things. Of course,
    it was only a matter of time.
    Tim Guest

  3. #3

    Default Re: Mac OS X virus

    Michelle Steiner <org> wrote:
     

    I believe the press release to be in error. The code is in the resource
    fork, not the ID3 tags, at least from my cursory inspection. (Yes, that
    does mean that the "trojan-ness" will not survive any transfer process
    that does not preserve resource forks. It will also probably not survive
    a transfer method that does not preserve HFS+ metadata, because if the OS
    falls back to the file extension to determine the type, it will think it
    is a plain MP3 and treat it as such.)

    --
    Jeremy | com
    Jeremy Guest

  4. #4

    Default Re: Mac OS X virus

    In article <supernews.com>, Jeremy Nixon
    <com> wrote:
     

    I believe the press release to have been issued in an attempt to sell
    Intego product. Q1 sales must have been poor.

    I mean, I could write an app that carried a destructive payload using
    Applescript Studio fairly easily that did something similar to what the
    claim this thing has the "potential" to do.

    Nothing to see here, folks, keep on moving...

    djb

    --
    Okay, so this is my new sig line, eh?
    Dave Guest

  5. #5

    Default Re: Mac OS X virus

    This just goes to show:

    Never open any attachments whatsoever. I don't care how well you think
    you know the person sending it to you. Immediately delete all
    attachments you ever get, no matter who they're from.
    Keeper Guest

  6. #6

    Default Re: Mac OS X virus

    In article <TPodc.224$fS6.95okepread01>,
    Keeper of the Purple Twilight <invalid> wrote:
     

    Um, that's going overboard, I think. Usually, the contents of the
    message should tell you whether it is a legitimate enclosure. There is
    also the fallback of emailing the sender and asking.

    --
    Never play strip tarot.
    Michelle Guest

  7. #7

    Default Re: Mac OS X virus

    Michelle Steiner wrote:

    > Um, that's going overboard, I think.

    Yeah, well, I'll take my chances. Nobody I know will ever have a reason
    to send me an attachment; if it seems to happen, I'll know it's a virus
    spoofing their name.

    Why take the chance, anyway?

    > usually, the contents of the

    Viruses can spoof that too, I would think.
    Keeper Guest

  8. #8

    Default Re: Mac OS X virus

    Someone wrote:

    And someone replied:

    Way overboard! I'm a webmaster, and I receive and open legitimate
    attachments all the time. I advise Windows users who receive
    attachments from people they know to query those people as to the
    content of the attachment before they open it -- and if the "sender"
    isn't even aware of having sent the e-mail, delete promptly.

    Davoud

    --
    usenet *at* davidillig dawt com
    Davoud Guest

  9. #9

    Default Re: Mac OS X virus

    In article <supernews.com>,
    Jeremy Nixon <com> wrote:
     
    >
    > I believe the press release to be in error. The code is in the resource
    > fork, not the ID3 tags, at least from my cursory inspection.

    They didn't say that the code is in the ID3 tag, they said that the ID3
    tag is exploited. The tag makes it like an MP3 file in the Finder, but
    if you double-click on it it will be executed as an application rather
    than launching an application like iTunes.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  10. #10

    Default Re: Mac OS X virus

    Barry Margolin <mit.edu> wrote: 
    >
    > They didn't say that the code is in the ID3 tag, they said that the ID3
    > tag is exploited. The tag makes it like an MP3 file in the Finder, but
    > if you double-click on it it will be executed as an application rather
    > than launching an application like iTunes.

    Then I still believe it to be in error. Any file can be made to look just
    as much like an MP3 file using the filename and icon; the ID3 tags aren't
    at all necessary.

    --
    Jeremy | com
    Jeremy Guest

  11. #11

    Default Re: Mac OS X virus

    In article <tqpdc.227$fS6.127okepread01>,
    Keeper of the Purple Twilight <invalid> wrote:
     

    Well, I exchange files (photos and other documents) with quite a few
    friends and family members.

    --
    Never play strip tarot.
    Michelle Guest

  12. #12

    Default Re: Mac OS X virus


    "Jeremy Nixon" <com> wrote in message
    news:supernews.com...
    > > They didn't say that the code is in the ID3 tag, they said that the ID3
    > > tag is exploited. The tag makes it like an MP3 file in the Finder, but
    > > if you double-click on it it will be executed as an application rather
    > > than launching an application like iTunes.
    >
    > Then I still believe it to be in error. Any file can be made to look just
    > as much like an MP3 file using the filename and icon; the ID3 tags aren't
    > at all necessary.

    But it still is an MP3 file and will play in a sound app so it looks a WHOLE
    lot more legitimate than just changing the extension and icon. You have to
    double-click on it for it to run the application code in the resource fork
    if the resource fork is still there.

    Greg


    G.T. Guest
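
The shape the thread is arguing about (a data fork that genuinely plays as an MP3, plus application code carried in the resource fork, which is lost on any transfer that drops HFS+ forks) can be triaged with a short script. What follows is an added example, not code from the thread or from Intego; it assumes the Mac OS X `..namedfork/rsrc` pseudo-path for reading the resource fork and uses a constructed ID3v2 header as sample input.

```python
import os

# Constructed sample: a minimal ID3v2.3 header (10 bytes) declaring a
# 20-byte tag body, then that body. Built here for illustration only.
SAMPLE_MP3_HEAD = b"ID3" + bytes([3, 0, 0]) + bytes([0, 0, 0, 20]) + b"\x00" * 20


def id3v2_tag_size(data):
    """Tag size (bytes after the 10-byte header) if data starts with an
    ID3v2 header, else None. The size is four 'syncsafe' bytes: 7 bits
    each, high bit always clear."""
    if len(data) < 10 or data[:3] != b"ID3":
        return None
    size_bytes = data[6:10]
    if any(b & 0x80 for b in size_bytes):
        return None  # high bit set: malformed header, not a real tag
    size = 0
    for b in size_bytes:
        size = (size << 7) | b
    return size


def looks_like_mp3(data):
    """True if the data fork opens like an MP3: an ID3v2 tag or an MPEG
    audio frame sync (11 set bits). This is all a player needs to play it."""
    if id3v2_tag_size(data) is not None:
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def resource_fork_size(path):
    """Size of the HFS+ resource fork via the ..namedfork/rsrc pseudo-path
    (an assumption about Mac OS X; returns 0 elsewhere, where the fork, and
    any application code inside it, would not have survived the transfer)."""
    try:
        return os.path.getsize(os.path.join(path, "..namedfork", "rsrc"))
    except OSError:
        return 0


def classify_head(head, rsrc_size):
    """Triage verdict from the first bytes of the data fork and the resource
    fork size. A non-empty fork is not proof of code (custom icons live there
    too); Get Info showing 'Kind: Application' is the authoritative check."""
    if not looks_like_mp3(head):
        return "not-mp3"
    return "mp3-with-resource-fork" if rsrc_size > 0 else "plain-mp3"


def classify(path):
    with open(path, "rb") as f:
        head = f.read(10)
    return classify_head(head, resource_fork_size(path))
```

Run `classify()` over a folder of downloaded MP3s: anything reported as `mp3-with-resource-fork` is worth a Get Info check before it is double-clicked.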

  13. #13

    Default Re: Mac OS X virus

    In article <west.cox.net>,
    Michelle Steiner <org> wrote:
     

    I think that Intego are being *rather proactive* with their marketing
    here!

    The proof of concept has been grabbed from a Usenet posting made at the
    end of March [comp.sys.mac.programming.misc - thread title: Subject: Re:
    Sorta-RFC-ish: Virus in MP3? (was Re: mp3 flood uploads]

    And they have turned this POC into a full-blown virus alert.

    --
    Martin
    Martin Guest

  14. #14

    Default Re: Mac OS X virus

    In article <west.cox.net>,
    Michelle Steiner <org> wrote:
     

    [snip]

    I posted this to CSMA last night:

    This is definitely not malware. It doesn't self-te. It doesn't do
    any damage. It doesn't even misrepresent itself, on the download page.
    What it is, is simply an interesting example of how an application can
    make itself appear to be a valid document to a program which only looks
    at the data fork, such as iTunes. This is not at all dangerous, as it
    doesn't lead to code being executed in cases where code would not
    normally be executed. Code only gets executed when you double-click the
    application. Code is *supposed* to be executed when you double-click an
    application.

    For some reason, the guy demonstrating this principle decided to give
    his demo app an icon and file name that might make some unobservant
    users believe it actually is a document. I suppose by using this trick
    along with the trick mentioned above, he's trying to demonstrate that
    when all of these are combined they can make for a fairly effective
    deception. Except, I don't really see how the new trick contributes
    anything much. A perfectly normal application could duplicate the same
    behavior, by simply creating an MP3 file in some obscure location and
    telling iTunes to play that file, instead of telling it to play the
    application's data fork.

    It's really funny to see people trying to blame the evils of file name
    extensions, or talking about this as if it's only possible because of
    some OS X flaw resulting from the fact that it inherits from both Mac OS
    and *nix. In fact the same deception is perfectly possible under OS 9.
    This very app runs under OS 9, exhibiting exactly the same behavior.

    So, there is no malware, and there is no actual OS flaw. All this hype
    seems to have been manufactured by Intego as a way to sell their
    software. They've got an "OS X virus alert" on their site, which you can
    click on to go to their "buy now" page. I'd love to know what their
    software actually does about this supposed threat. Does it simply detect
    and remove this harmless demonstration app (which is just silly), or do
    they actually have a solution which could protect from all such similar
    attacks? The only such solution I can imagine is the one Sandman
    suggested: not allowing application names to contain things that users
    might interpret as document file name extensions. That would be a rather
    odd kind of behavior for an antivirus program to try to enforce, and I
    doubt they do that.

    --
    "In my judgment, when the United States says there will be serious consequences,
    and if there isn't serious consequences, it creates adverse consequences."
    -- George W. Bush on Meet the Press, Feb. 8, 2004
    ZnU Guest

  15. #15

    Default Re: Mac OS X virus

    If this virus is so harmless, then why does MacCentral have this bit of
    info:

    "Intego told MacCentral today that the code is hidden in the ID3 tag of
    the MP3 file. The code will only activate when clicked, but once it is,
    Intego warns the Trojan horse has the potential to delete all of a
    user's personal files; send an e-mail message containing a copy of
    itself to other users; and infect other MP3, JPEG, GIF or QuickTime files."

    Deleting all of a user's personal files and spreading the virus to other
    users, definitely does not sound harmless.
    Keeper Guest

  16. #16

    Default Re: Mac OS X virus

    In article <e7Adc.245$fS6.88okepread01>,
    Keeper of the Purple Twilight <invalid> wrote:
     

    Well, I've got no idea what Intego is talking about. Maybe someone has
    taken the proof-of-concept that everyone has been talking about, and has
    already turned it into a real live trojan. I haven't seen that claimed
    by anyone except Intego, however, and they're trying to sell something.

    --
    "In my judgment, when the United States says there will be serious consequences,
    and if there isn't serious consequences, it creates adverse consequences."
    -- George W. Bush on Meet the Press, Feb. 8, 2004
    ZnU Guest

  17. #17

    Default Re: Mac OS X virus

    ZnU wrote:
     

    I didn't see the OP, but Wired has a piece that may or may not further
    flesh out the issue.

    The Intego sales manager uses the words 'virus' and 'trojan'
    interchangeably and then goes on to explain that the trojan is
    'benign', but a possible harbinger of how something like this could be
    used as genuine malware.

    Anyway, you can read and draw your own conclusions. Me, I've got a
    long drive ahead tonight and I won't be putting on the Bell crash
    helmet, Nomex underwear or installing the roll cage.

    <http://www.wired.com/news/mac/0,2125,63000,00.html>

    --
    -John Steinberg
    email: invalid
    John Guest

  18. #18

    Default Re: Mac OS X virus

    In article <acecape.com>,
    ZnU <com> wrote:
     
    >
    > Well, I've got no idea what Intego is talking about. Maybe someone has
    > taken the proof-of-concept that everyone has been talking about, and has
    > already turned it into a real live trojan. I haven't seen that claimed
    > by anyone except Intego, however, and they're trying to sell something.

    What they're saying is that if a bad guy makes use of this technique,
    they could send out a file that performs those dangerous types of
    actions. Since it's an executable program, it can do *anything* when
    you double click on it.

    They're not saying that anyone has done this, but that someone *could*,
    and users need to be aware of the danger.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  19. #19

    Default Re: Mac OS X virus

    In article <acecape.com>,
    ZnU <com> wrote:
     

    The problem is that it doesn't look like an application, it looks like a
    data file, unless you use Get Info to check. When you double-click on a
    data file, it's *supposed* to execute the associated application, not
    code in the data file itself. How is this not a case where "code would
    not normally be executed"?

    Do you not understand the notion of a Trojan Horse? It's a file or
    program that looks like it will do something useful, but actually does
    something dangerous. While the proof-of-concept example isn't actually
    dangerous, that's just because it's an example. Now that the bad guys
    know about the technique, they can easily replace the benign code with
    something serious.

    --
    Barry Margolin, mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Guest

  20. #20

    Default Re: Mac OS X virus

    In article <e7Adc.245$fS6.88okepread01>,
    Keeper of the Purple Twilight <invalid> wrote:
     

    It says this because Intego is going well out of their way to exaggerate
    things. The file that they're talking about does not do any of the
    things described above. However, at some point in the future, somebody
    might try to do one of those things. It "has the potential" in the
    sense that this might happen someday, but isn't happening now. This
    isn't news; it's always been true.

    --
    Tom "Tom" Harrington
    Macaroni, Automated System Maintenance for Mac OS X.
    Version 2.0: Delocalize, Repair Permissions, lots more.
    See http://www.atomicbird.com/
    Tom Guest
