Could it be? Mac OS X's first "virus?"

in macOS edited January 2014
Ok, really a trojan horse. Here's the blurb:

Intego is saying that this trojan horse is an application hidden in an .mp3 file's ID3 tags. I wasn't aware that this was possible, but I guess those tags, being extensible, can accept all sorts of content including executables. I wonder if other anti-virus makers will confirm this finding.


  • Reply 1 of 65
    ebby Posts: 3,110 member
    With my luck lately I probably have it already. I would also like to see what anti-virus companies have to say about it. I may finally have a reason to buy antivirus software now.
  • Reply 2 of 65
    curiousuburb Posts: 3,325 member
    could it be a company crying "fire" to sell its new "extinguisher"?

    independent confirmation from a source without a vested interest or potential bias would be nice

    and while smuggling a trojan inside extensible tags might be possible,

    it would still face a robust unix permissions and propagation deterrent.
  • Reply 3 of 65
    staphbaby Posts: 353 member
    Whether or not the virus exists, Intego have given a really crap description of what it actually is.

    -Apparently, it affects files with .mp3 extensions visible (or gifs, or jpegs)... but they don't bother saying whether this is actually a double extension, as with some Windows viruses, or a systemic security flaw in the OS.

    -They claim that the virus lives in the ID3 tag of an actual MP3 file, but don't bother to explain how or why something in a data file can get executed as a program (a security flaw in iTunes?); their description seems to imply that OS X actually executes the code, and then the virus causes the mp3 carrier to be played by iTunes. The big question here is: how does OS X actually manage to get executable code out of an ID3 tag in the first place?

    -They don't bother to give removal instructions, descriptions of any processes the virus spawns, whether or not it's capable of autolaunching at login/boot-time, files it leaves around, and where, etc. Thanks guys. Very public-spirited.

    -They helpfully inform us that the virus is completely benign, but then go on with the incredibly alarmist "it might delete all your personal files!!! it might send emails to people!!!" I'd question the integrity of doing this if the virus currently doesn't...

    I'm happy to believe that such a thing as an OS X trojan is possible (in fact, probably quite easy, at the level described here - it doesn't affect the system at all) - but this looks pretty sus to me. Perhaps when a real virus-detection company get their hands on it they can give us a useful description.
  • Reply 4 of 65
    alcimedes Posts: 5,486 member
    i think i'll wait for confirmation from some other source before i believe this.
  • Reply 5 of 65
    dviant Posts: 483 member
    Here's what MacMinute describes it as...


    April 8, 2004 - 15:25 EDT - Mac security specialist Intego has issued a security warning alerting users of the first Trojan horse to affect Mac OS X. According to the company, this Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files. It has the potential to delete all of a user's personal files; send an e-mail message containing a copy of itself to other users; and infect other MP3, JPEG, GIF or QuickTime files.

    "The Trojan horse's code is encapsulated in the ID3 tag of an MP3 file," explains Intego. "This code is in reality a hidden application that can run on any Mac computer running Mac OS X."

    "Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks."

    Intego said it has released updated virus definitions for Intego VirusBarrier that protect against this threat. The company recommends that users make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

  • Reply 6 of 65
    dviant Posts: 483 member
  • Reply 7 of 65
    curiousuburb Posts: 3,325 member

    Originally posted by dviant

    Here's what MacMinute describes it as...

    that's not independent reporting... that's lazy reporting,

    that's just regurgitating Intego's press release without confirmation
  • Reply 8 of 65
    dviant Posts: 483 member
    Ha! I didn't read that PR... it IS the same... pffft MM make it look like they had actually talked to someone..
  • Reply 9 of 65
    macusers Posts: 840 member
    doesn't seem like it does anything.. anyway, supposedly it requires to be in a .sit or .dmg so if this ever gets turned into a real virus just don't open up mp3's in a .sit or .dmg.. simple, why would you have one of those anyway. Well i guess it is not that rare to see a mp3 in a .sit but if you know who it's from you'll be alright

    that's the virus...
  • Reply 10 of 65
    dfiler Posts: 3,420 member
    I don't believe the "hidden in mp3 tags" part.

    Sounds like someone confused tag with file-extension. Perhaps a bogus or double extension with a custom icon and creator code in the resource fork?

    If anything, this is a trojan horse, not a virus.
  • Reply 11 of 65
    majormatt Posts: 1,077 member
    Only on a mac board would we post links to a virus :P

    Has anyone heard of anyone being affected?
  • Reply 12 of 65
    dstranathan Posts: 1,714 member
    April Fool's Day! Wait, nope. It's a little late for that...
  • Reply 13 of 65
    pbg3 Posts: 211 member
    Actually I ran Norton Anti-Virus the other day and it found a trojan and deleted it.
  • Reply 14 of 65
    ast3r3x Posts: 5,012 member

    Originally posted by PBG3

    Actually I ran Norton Anti-Virus the other day and it found a trojan and deleted it.

    But one for OS 9 probably.
  • Reply 15 of 65
    dviant Posts: 483 member

    Originally posted by ast3r3x

    But one for OS 9 probably.

    Norton for OS X catches PC viruses too
  • Reply 16 of 65
    ipodandimac Posts: 3,273 member
    if all this is true, i bet apple wrote it to advance the aac format
  • Reply 17 of 65
    ast3r3x Posts: 5,012 member

    Originally posted by dviant

    Norton for OS X catches PC viruses too

    I know, I just assumed he meant a mac virus.
  • Reply 18 of 65

    Originally posted by dviant

    Norton for OS X catches PC viruses too

    Except that there are none yet.

    This would be the first... if you could call it a virus. And with it being the first, Norton would not be able to catch it because it's not in the definitions yet.
  • Reply 19 of 65
    Interpolating from what I've read, with the disclaimer that I haven't actually looked at the file in question:

    The trojan is both a valid application and a valid MP3 file. The creator code is APPL, and the extension is .mp3. If the thing is opened in iTunes, iTunes looks at the extension, looks at the content, and then plays the MP3 part. If you double-click it in the Finder, the creator code takes precedence over the extension, as usual, and the Finder runs the code. It apparently works the same in OS 9.

    However, I think that to maintain the type/creator codes necessary for this, it would need to be encoded like any OS 9 app, hence the StuffIt archive.

    It sounds neat, but from what I can tell, the same overall effect (user unwittingly runs code) could be accomplished by slapping a document icon on any application. If this ends up being a big problem, then a setting to have the Finder check with the user the first time a program is run would likely put an end to it.
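A defender-side check for the mismatch Reply 19 describes, added here as an example and not part of any post in the thread: it flags a file whose name carries a media extension while its Finder type code is `APPL`, and notes when the data also parses as an MP3 with an ID3v2 tag. The function names, the sample FinderInfo blobs and the sample header bytes are constructed for illustration; on current macOS the type and creator codes are the first eight bytes of the `com.apple.FinderInfo` extended attribute.

```python
import os

# Extensions the quoted advisory names as carriers (MP3, JPEG, GIF, QuickTime).
MEDIA_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".gif", ".mov"}

def finder_type_creator(finder_info):
    """Split a FinderInfo blob into (type, creator); None if absent or short."""
    if len(finder_info) < 8:
        return None
    return finder_info[0:4], finder_info[4:8]

def id3v2_tag_size(head):
    """Total ID3v2 tag length in bytes (10-byte header included), 0 if none."""
    if len(head) < 10 or head[:3] != b"ID3":
        return 0
    size = 0
    for b in head[6:10]:          # four synchsafe bytes, 7 bits each
        if b & 0x80:
            return 0              # high bit set: not a valid tag size
        size = (size << 7) | b
    return size + 10

def audit(name, finder_info, head):
    """Return a list of findings for one file; an empty list means no mismatch."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    codes = finder_type_creator(finder_info)
    if ext in MEDIA_EXTENSIONS and codes and codes[0] == b"APPL":
        findings.append("extension %s but Finder type is APPL" % ext)
        tag = id3v2_tag_size(head)
        if tag:
            findings.append("also parses as MP3: ID3v2 tag of %d bytes" % tag)
    return findings

# Constructed sample inputs (not taken from any real file).
APP_INFO = b"APPL" + b"????" + bytes(24)    # type APPL, placeholder creator
PLAIN_INFO = b""                            # no FinderInfo recorded
MP3_HEAD = b"ID3" + bytes([3, 0, 0]) + bytes([0, 0, 2, 1])  # size field = 257

if __name__ == "__main__":
    for label, info in (("disguised", APP_INFO), ("ordinary", PLAIN_INFO)):
        print(label, audit("song.mp3", info, MP3_HEAD))
```
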
  • Reply 20 of 65
    aquatic Posts: 5,602 member
    I doubt this is true but if it is, WTF MATE. Whoever wrote it is such a douche. This will probably have a big deal made out of it, just like every tiny little security problem on OS X which always gets fixed before we even know about it.