Could it be? Mac OS X's first "virus?"

Comments

  • Reply 21 of 65
    pbg3 Posts: 211, member
    So does it actually do anything harmful?



    As for the Norton thing, the virus description just said "strain of Trojan" or something along those lines. It did not say "PC virus" as it would if I had a PC virus.
  • Reply 22 of 65
    ebby Posts: 3,110, member
    I just downloaded a demo of Virex and for fun ran it. I didn't know the Mac version finds PC viruses! That is so cool. I am tempted to get it to filter my e-mail. However, the virus alert window's counter seems to max out at 4,689, but Virex is still finding much more.





    EDIT: I chose "Clean" and the window reset and counted up to 4,688 again and stopped. I reset it and it started counting a third time! I needed to do this a long time ago.



    And AGAIN! #3! Keeps stopping at 4,688.



    Total viruses: Over 56,878
  • Reply 23 of 65
    majormatt Posts: 1,077, member
    I ran this Virex and it takes forever. Is there a fast setting or something? I really wanna try.
  • Reply 24 of 65
    mr. me Posts: 3,221, member
    Quote:

    Originally posted by Mac The Fork

    ....



    The trojan is both a valid application and a valid MP3 file. The creator code is APPL, and the extension is .mp3. If the thing is opened in iTunes, iTunes looks at the extension, looks at the content, and then plays the MP3 part. If you double-click it in the Finder, the creator code takes precedence over the extension, as usual, and the Finder runs the code. It apparently works the same in OS 9.



    ....




    The Finder serves many functions in MacOS X. However, it does not run application code other than its own. The Finder's purpose is to launch each application, not to execute their code for them.
  • Reply 25 of 65
    dmband0026 Posts: 2,345, member
    I want to know the bottom line here, do I have to worry about this? I don't run anti-virus software...should I worry? I'm not an idiot, I don't open attachments and crap like that...do I need to worry?
  • Reply 26 of 65
    Nice catch, blanco niño! The Finder tells the system to execute the file. Or maybe not. Maybe it gets an intermediary to find out what to do with it, and then that tells the system. But the main point is that the file is executed according to its creator code. Anyway, the Finder doesn't execute any of that code itself, like I tried to trick everyone into thinking.
  • Reply 27 of 65
    bauman Posts: 1,248, member
    Quote:

    Originally posted by Mac The Fork

    Nice catch, blanco niño! The Finder tells the system to execute the file. Or maybe not. Maybe it gets an intermediary to find out what to do with it, and then that tells the system. But the main point is that the file is executed according to its creator code. Anyway, the Finder doesn't execute any of that code itself, like I tried to trick everyone into thinking.



    It's niño blanco, and the Finder uses the preference file com.apple.LaunchServices.plist to figure it all out.
  • Reply 28 of 65
    "Nice catch, blanco niño!" is a reference to Eric Fensler's "GI Joe" videos. I haven't used Spanish in a while, but I do remember word order. Thanks for the other info, though. I'd forgotten.
  • Reply 29 of 65
    costique Posts: 1,084, member
    Quote:

    Originally posted by Mac The Fork

    The trojan is both a valid application and a valid MP3 file. The creator code is APPL, and the extension is .mp3. If the thing is opened in iTunes, iTunes looks at the extension, looks at the content, and then plays the MP3 part. If you double-click it in the Finder, the creator code takes precedence over the extension, as usual, and the Finder runs the code. It apparently works the same in OS 9.



    True. To be more precise, both the executable code and the MP3 data are in the data fork, while the resource fork contains the resources necessary for the system to run the application. The Finder correctly identifies the file as an application (judging from its four-letter type code, APPL) and launches it.

    Quote:

    However, I think that to maintain the type/creator codes necessary for this, it would need to be encoded like any OS 9 app, hence the StuffIt archive.



    Yes. Any format preserving a resource fork would do: dmg, sit, sitx, bin, to name a few.

    Quote:

    It sounds neat, but from what I can tell, the same overall effect (user unwittingly runs code) could be accomplished by slapping a document icon on any application.



    This has always been the case on Mac OS. What is worse, the plst resource can contain a flag which lets an app run without showing in the Dock and without menus. So you double-click a what-you-think-is-a-document and nothing visibly happens, but the trojan is already busy deleting your files.



    Just pay attention to what you download. Think before you click.
  • Reply 30 of 65
    Quote:

    I want to know the bottom line here, do I have to worry about this? I don't run anti-virus software...should I worry? I'm not an idiot, I don't open attachments and crap like that...do I need to worry?



    I don't think so, because it can't spread itself. I don't think Mail.app can be scripted to send attachments. To get it you would have to download it intentionally from a website as a .sit, .dmg, or .zip, and then you would have to decompress it and double click the file. Or, someone would have to email you an archive containing the file directly. It'd be too much work to send it to a bunch of people, and you'd know exactly where it came from.
  • Reply 31 of 65
    costique Posts: 1,084, member
    Quote:

    Originally posted by Mr Beardsley

    I don't think so, because it can't spread itself.



    At least, once launched, it can easily copy itself to mounted volumes. Potentially it can install itself as a login item and do almost whatever it likes.

    Quote:

    To get it you would have to download it intentionally from a website as a .sit, .dmg, or .zip, and then you would have to decompress it and double click the file.



    If you ever download any files, tell me honestly how often you check those files for type/creator codes before opening them.
  • Reply 32 of 65
    wrong robot Posts: 3,907, member
    The biggest issue here is that our bragging rights just went out the window.
  • Reply 33 of 65
    staphbaby Posts: 353, member
    This is what Symantec have to say (from Maccentral):



    Quote:

    Symantec Corp. said they were aware of the Trojan, but noted that the virus has not been found in the "wild."



    "Symantec Security Response is aware of the MP3Virus.Gen Trojan," a spokesperson from Symantec Security Response, told MacCentral. "It is a proof of concept Trojan that does affect the Mac platform, however it is currently not present in the wild. Symantec Security Response will continue to closely monitor this and any other potential threats to the Mac OS X platform."



    Intego just drumming up business then?
  • Reply 34 of 65
    bauman Posts: 1,248, member
    Quote:

    Originally posted by Mr Beardsley

    I don't think so, because it can't spread itself. I don't think Mail.app can be scripted to send attachments. To get it you would have to download it intentionally from a website as a .sit, .dmg, or .zip, and then you would have to decompress it and double click the file. Or, someone would have to email you an archive containing the file directly. It'd be too much work to send it to a bunch of people, and you'd know exactly where it came from.



    I took that challenge, and I managed to write an AppleScript that sends a message with an attachment to every person in your address book. I'm only missing one step: I can't figure out how to get the script to figure out where on the hard drive it is located. Zipping and sending it is then a triviality.



    You can even keep the new message window invisible while it's adding all the recipients and such. Of course, it is still AppleScript, so it took about 5 minutes to add my 500 contacts, with the CPU at 100%.



    Of course, you can't get Mail to automatically open the file... you have to rely on the user's stupidity.
  • Reply 35 of 65
    costique Posts: 1,084, member
    Quote:

    Originally posted by bauman

    I took that challenge, and I managed to write an AppleScript that sends a message with an attachment to every person in your address book. I'm only missing one step: I can't figure out how to get the script to figure out where on the hard drive it is located.



    Since the exploit is not an AppleScript but a CFM application, you could use the Carbon API to get the path to the executable. No problem.

    Quote:

    You can even keep the new message window invisible while it's adding all the recipients and such. Of course, it is still AppleScript, so it took about 5 minutes to add my 500 contacts, with the CPU at 100%.



    If you did the same thing in C, it would be many times faster. If you paused the main thread periodically, nobody would notice it.

    Quote:

    Of course, you can't get Mail to automatically open the file... you have to rely on the user's stupidity.



    Generally, you can safely presume it's always available.



    Who will start the countdown to the first real OS X virus?
  • Reply 36 of 65
    vox barbara Posts: 2,021, member
    Quote:

    Originally posted by MajorMatt

    [...]



  • Reply 37 of 65
    smircle Posts: 1,035, member
    I just looked into the thing, and it is a valid trojan.



    The executable code is in the data fork (as it always has been since the introduction of the PPC); the icon shown by the Finder is in the resource fork.



    The "high-concept" trick with this trojan is that the data fork starts off with a valid MP3 header, followed by a PEFF code segment starting at position 64 in the data fork, which in turn is followed by the MP3 data.

    The MP3 file format stores information as different chunks. PEFF also allows code in segments. If you are clever, you can interleave code and MP3. This allows the file to be played as an MP3 without any noise to reveal its true identity, but launched as an application.



    The code is only executable because the 'cfrg' resource allows executable chunks to start at an offset in the byte stream. The first member in this resource is located at 64 bytes; this is where the system jumps to if you launch it.



    This kind of virus could have been engineered years ago, since the advent of Carbon 1.1 on Mac OS 8.6 (not because Carbon is insecure, but because it introduced the 'cfrg' resources).



    id3info shows how the data fork is structured:

        *** Tag information for virus.mp3
        === GEO (General encapsulated object): (virus)[virus.mp3]: application/octet-stream, 3221 bytes
        === TEN (Encoded by): iTunes v4.2
        === COM (Comments): (iTunNORM)[eng]: 00000A0C 00000000 000055AC 00000000 00000187 00000000 00007E8A 00000000 0000016D 00000000
        === TT2 (Title/songname/content description): Wild Laugh
        === TAL (Album/Movie/Show title): iMovie
        *** mp3 info
        MPEG1/layer III
        Bitrate: 64KBps
        Frequency: 44KHz







    The application code is in the General encapsulated object (lines starting with === denote ID3 tags, so it is in a tag). Conveniently, iTunes does not show the existence of GEO tags...



    Yeah, it's a trojan all right. A friendly one, but a valid one nonetheless.



    The blame lies squarely with Apple.

    - iTunes should, under no circumstances, play anything that identifies itself as an application. But it does, and this is wrong, because it allows users to play this from the web, then store it and double-click it one day. This would not be the case if it did not play in the first place.



    - The Finder should mark each and every piece of software it would launch. Including AppleScripts, shell scripts, Carbon and Cocoa apps.



    - The CFM launcher disregards the Unix executable bit (chmod -x and you can still launch it). I can't figure out why, except for the notable disregard inside Apple for anything Carbon. Hell, the NeXTies are too lazy to even look after security-relevant problems.





    Outlook:

    The same trick could be employed with every "chunky" file format. TIFF comes to mind, as well as QuickTime (we all never double-click QuickTime .movs, right?), and... AAC. Apple had better move fast to do something about it.



    A further version could contain code that doctors existing MP3 files so that they become infected, thus spreading on your disk.



    Besides the obvious "erase the home directory", a boosted version could employ AppleScript to read your contacts from the Address Book and send spam mails via Mail.app. This is the exact thing we have seen on Windows for years now.
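    Smircle's description of the file layout (a data fork that opens with a valid ID3/MP3 header, with PEF executable code tucked inside a GEO tag) suggests a simple check a defender can run over downloaded .mp3 files. The script below is an added example written for this thread, not code from any poster, from Intego, or from Apple. It parses the ID3v2 tag at the start of the data fork, lists any embedded-object frames (GEO in ID3v2.2, GEOB in v2.3/2.4), and searches the first megabyte for the PEF container magic "Joy!peff" that every CFM executable begins with. The sample files it builds are constructed for the demonstration: the PEF header is a zeroed 40-byte stub, the code lands at offset 75 rather than the 64 smircle reports, and only the data fork is modelled, so the 'cfrg' resource he mentions is not inspected.

```python
import struct

# PEF (Preferred Executable Format) container header starts with tag1 "Joy!", tag2 "peff".
PEF_MAGIC = b"Joy!peff"
# ID3v2 frame IDs for an embedded binary object: GEO (v2.2) / GEOB (v2.3, v2.4).
OBJECT_FRAMES = {"GEO", "GEOB"}


def syncsafe_decode(b):
    """Decode the 4-byte, 7-bits-per-byte integer ID3v2 uses for tag (and v2.4 frame) sizes."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def syncsafe_encode(n):
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def parse_id3v2(data):
    """Return (major_version, frames); each frame is (frame_id, payload_offset, payload).
    Returns (None, []) when the data does not start with an ID3v2 tag."""
    if len(data) < 10 or data[:3] != b"ID3":
        return None, []
    major = data[3]
    end = min(10 + syncsafe_decode(data[6:10]), len(data))
    frames, pos = [], 10
    while pos < end:
        if major == 2:                      # v2.2: 3-byte ID, 3-byte big-endian size, no flags
            hdr = 6
            if pos + hdr > end:
                break
            fid = data[pos:pos + 3]
            size = int.from_bytes(data[pos + 3:pos + 6], "big")
        else:                               # v2.3/v2.4: 4-byte ID, 4-byte size, 2 flag bytes
            hdr = 10
            if pos + hdr > end:
                break
            fid = data[pos:pos + 4]
            raw = data[pos + 4:pos + 8]
            size = syncsafe_decode(raw) if major >= 4 else int.from_bytes(raw, "big")
        if fid[0] == 0:                     # zero padding after the last frame
            break
        payload = data[pos + hdr:pos + hdr + size]
        frames.append((fid.decode("latin-1"), pos + hdr, payload))
        pos += hdr + size
    return major, frames


def scan_mp3(data, scan_limit=1 << 20):
    """Report embedded-object frames and every PEF container header in the first scan_limit bytes."""
    major, frames = parse_id3v2(data)
    report = {"id3_version": major, "object_frames": [], "pef_offsets": []}
    for fid, off, payload in frames:
        if fid in OBJECT_FRAMES:
            report["object_frames"].append((fid, off, len(payload)))
    start = 0
    while True:
        idx = data.find(PEF_MAGIC, start, scan_limit)
        if idx < 0:
            break
        report["pef_offsets"].append(idx)
        start = idx + 1
    # A GEO/GEOB frame by itself is legitimate (players embed lyrics or artwork); executable magic is not.
    report["suspicious"] = bool(report["pef_offsets"])
    return report


def build_sample(with_code=True, major=2):
    """Constructed sample (not the real trojan's bytes): an ID3v2 tag with a title frame,
    optionally an object frame wrapping a zeroed 40-byte PEF container header, then a dummy MPEG frame sync."""
    title_id, obj_id = (b"TT2", b"GEO") if major == 2 else (b"TIT2", b"GEOB")

    def frame(fid, payload):
        if major == 2:
            return fid + len(payload).to_bytes(3, "big") + payload
        return fid + struct.pack(">I", len(payload)) + b"\x00\x00" + payload

    body = frame(title_id, b"\x00Wild Laugh")
    if with_code:
        # PEF header: magic, architecture "pwpc", format version 1, remaining fields zeroed.
        pef = PEF_MAGIC + b"pwpc" + struct.pack(">I", 1) + b"\x00" * 24
        # GEO payload: text encoding, MIME type, filename, description (each NUL-terminated), then the object.
        geo = b"\x00" + b"application/octet-stream\x00" + b"virus.mp3\x00" + b"virus\x00" + pef
        body += frame(obj_id, geo)
    tag = b"ID3" + bytes([major, 0, 0]) + syncsafe_encode(len(body)) + body
    return tag + b"\xff\xfb\x90\x00" + b"\x00" * 64


if __name__ == "__main__":
    for label, sample in (("constructed trojan-like file", build_sample()),
                          ("clean file", build_sample(with_code=False))):
        print(label, scan_mp3(sample))
```

    To check a real download, pass the file's bytes in (`scan_mp3(open(path, "rb").read())`); on Mac OS X the resource fork that would hold the 'cfrg' resource is a separate stream, reachable as `path/..namedfork/rsrc`, and is not covered by this data-fork scan.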
  • Reply 38 of 65
    macusers Posts: 840, member
    http://maccentral.macworld.com/news/...=1081504585000



    Check it out, it really was nothing and a fix will be out soon.
  • Reply 39 of 65
    pb Posts: 4,255, member
    Quote:

    Originally posted by MacUsers

    http://maccentral.macworld.com/news/...=1081504585000



    Check it out, it really was nothing and a fix will be out soon.




    Great, so I am not the only one to think that, although this exploit is real, on the other hand it is trivial and is based on functionality that has been present in Mac OS for many years already. Anyone (who can write a program) could write malicious code and wrap it in the clothes of a certain file type, hoping it would cheat the user. I think that, after a certain point, exploits of this kind are unavoidable in any GUI-based operating system. Certain measures can be taken, though, to notify the user that something is wrong with this "file" he tries to open. I don't see why there is so much fuss about this right now and not before. Hmmm, (cheap and questionable) marketing tactics from Intego?



    Quote:

    Originally posted by Smircle



    Besides the obvious "erase the home directory", a boosted version could employ AppleScript to read your contacts from the Address Book and send spam mails via Mail.app. This is the exact thing we have seen on Windows for years now.





    Are you sure about that? It is the first time I have read something similar.
  • Reply 40 of 65
    buonrotto Posts: 6,368, member
    There is no fool-proof system. This is GUI sleight-of-hand, and it's another reason why, even if the chances are remote, you should maintain a secure system. I don't feel like I have any egg on my face as a Mac user because I've always recommended keeping permissions in place, not abusing root and keeping virus-protection around. Hopefully others will know better now than to be so dismissive. The weakest link in the chain should be the user.