Could it be? Mac OS X's first "virus?"
Ok, really a trojan horse. Here's the blurb:
http://www.macnn.com/news/24162
Intego is saying that this trojan horse is an application hidden in an .mp3 file's ID3 tags. I wasn't aware that this was possible, but I guess those tags, being extensible, can accept all sorts of content including executables. I wonder if other anti-virus makers will confirm this finding.
Comments
independent confirmation from a source without a vested interest or potential bias would be nice
and while smuggling a trojan inside extensible tags might be possible,
it would still face a robust unix permissions and propagation deterrent.
-Apparently, it affects files with .mp3 extensions visible (or gifs, or jpegs)... but they don't bother saying whether this is actually a double extension, as with some windows viruses, or a systemic security flaw in the OS.
-They claim that the virus lives in the ID3 tag of an actual MP3 file, but don't bother to explain how or why something in a data file can get executed as a program (a security flaw in iTunes?); their description seems to imply that OS X actually executes the code, and then the virus causes the mp3 carrier to be played by iTunes. The big question here is: how does OS X actually manage to get executable code out of an ID3 tag in the first place?
-They don't bother to give removal instructions, descriptions of any processes the virus spawns, whether or not it's capable of autolaunching at login/boot-time, files it leaves around, and where, etc. Thanks guys. Very public-spirited.
-They helpfully inform us that the virus is completely benign, but then go on with the incredibly alarmist "it might delete all your personal files!!! it might send emails to people!!!" I'd question the integrity of doing this if the virus currently doesn't...
I'm happy to believe that such a thing as an OS X trojan is possible (in fact, probably quite easy, at the level described here - it doesn't affect the system at all) - but this looks pretty sus to me. Perhaps when a real virus-detection company get their hands on it they can give us a useful description.
April 8, 2004 - 15:25 EDT - Mac security specialist Intego has issued a security warning alerting users of the first Trojan horse to affect Mac OS X. According to the company, this Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files. It has the potential to delete all of a user's personal files; send an e-mail message containing a copy of itself to other users; and infect other MP3, JPEG, GIF or QuickTime files.
"The Trojan horse's code is encapsulated in the ID3 tag of an MP3 file," explains Intego. "This code is in reality a hidden application that can run on any Mac computer running Mac OS X."
"Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks."
Intego said it has released updated virus definitions for Intego VirusBarrier that protect against this threat. The company recommends that users make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.
http://groups.google.com/groups?hl=e...hnhof.se#link6
Originally posted by dviant
Here's what MacMinute describes it as...
that's not independent reporting... that's lazy reporting,
that's just regurgitating Intego's press release without confirmation
that's the virus... http://www.scoop.se/~blgl/virus.mp3.sit
Sounds like someone confused tag with file-extension. Perhaps a bogus or double extension with a custom icon and creator code in the resource fork?
If anything, this is a trojan horse, not a virus.
Has anyone heard of anyone being affected?
Originally posted by PBG3
Actually I ran Norton Anti-Virus the other day and it found a trojan and deleted it.
But one for OS 9 probably.
Originally posted by ast3r3x
But one for OS 9 probably.
Norton for OS X catches PC viruses too
Originally posted by dviant
Norton for OS X catches PC viruses too
I know, I just assumed he meant a mac virus.
Originally posted by dviant
Norton for OS X catches PC viruses too
Except that there are none yet.
This would be the first... if you could call it a virus. And with it being the first, Norton would not be able to catch it because it's not in the definitions yet.
The trojan is both a valid application and a valid MP3 file. The creator code is APPL, and the extension is .mp3. If the thing is opened in iTunes, iTunes looks at the extension, looks at the content, and then plays the MP3 part. If you double-click it in the Finder, the creator code takes precedence over the extension, as usual, and the Finder runs the code. It apparently works the same in OS 9.
However, I think that to maintain the type/creator codes necessary for this, it would need to be encoded like any OS 9 app, hence the StuffIt archive.
It sounds neat, but from what I can tell, the same overall effect (user unwittingly runs code) could be accomplished by slapping a document icon on any application. If this ends up being a big problem, then a setting to have the Finder check with the user the first time a program is run would likely put an end to it.
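A defender's check for the mismatch discussed in this thread, added here as an example and not code from any poster or from Intego: it flags a file whose name carries a media extension while the type field of its FinderInfo record reads APPL, and scans the ID3v2 tag for executable magic bytes. The sample records, the `vMP3` creator and the function names are constructed for illustration; the magic-byte scan is a heuristic assumed here, not a description of Intego's detection.

```python
import os
import struct

MEDIA_EXTS = {".mp3", ".jpg", ".jpeg", ".gif", ".mov"}
# Magic bytes of executable containers: PEF (CFM) and 32-bit Mach-O, both byte orders.
EXEC_MAGICS = (b"Joy!peff", b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe")
K_HAS_CUSTOM_ICON = 0x0400  # Finder flag bit: file carries its own icon

def parse_finder_info(blob):
    """Decode (type, creator, flags) from a 32-byte FinderInfo record."""
    if len(blob) != 32:
        raise ValueError("FinderInfo must be 32 bytes")
    # Big-endian layout: 4-byte type, 4-byte creator, 2-byte Finder flags.
    return struct.unpack(">4s4sH", blob[:10])

def id3v2_tag(data):
    """Return the ID3v2 tag body, or b'' when there is no valid ID3v2 header."""
    if len(data) < 10 or data[:3] != b"ID3":
        return b""
    size = 0
    for b in data[6:10]:
        if b & 0x80:          # synchsafe size bytes always keep bit 7 clear
            return b""
        size = (size << 7) | b
    return data[10:10 + size]

def audit(name, finder_info, data):
    """List reasons a file named like media would not be handled as media."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext not in MEDIA_EXTS:
        return findings
    ftype, _creator, flags = parse_finder_info(finder_info)
    if ftype == b"APPL":      # the Finder launches this file instead of opening it
        findings.append("type APPL with media extension " + ext)
        if flags & K_HAS_CUSTOM_ICON:
            findings.append("custom icon flag set")
    if any(magic in id3v2_tag(data) for magic in EXEC_MAGICS):
        findings.append("executable magic inside ID3v2 tag")
    return findings

# Constructed samples, not bytes from the real file.
SUSPECT_INFO = b"APPL" + b"vMP3" + struct.pack(">H", 0x0400) + bytes(22)
PLAIN_INFO = bytes(32)
_body = b"TIT2" + bytes(6) + b"Joy!peff" + bytes(8)
SUSPECT_DATA = b"ID3\x03\x00\x00" + bytes([0, 0, 0, len(_body)]) + _body + b"\xff\xfb"
PLAIN_DATA = b"ID3\x03\x00\x00\x00\x00\x00\x00\xff\xfb"

if __name__ == "__main__":
    for finding in audit("song.mp3", SUSPECT_INFO, SUSPECT_DATA):
        print(finding)
```

On Mac OS X the 32-byte record is exposed as the `com.apple.FinderInfo` extended attribute; a StuffIt or similar archive has to be unpacked on a Mac for that metadata to survive.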