First Trojan Horse for Mac OS X?  (Update)

“Thanks to Apple Computer’s rising star in the world of digital music, Mac OS X has become a target for malware authors,” Leander Kahney reports for Wired News. “A Trojan horse, called MP3Concept or MP3Virus.gen, has been discovered that masquerades as an MP3 file. It hides in ID tags of the file and becomes activated when unwary users click on it, expecting to play a digital song.”

“‘This is the first native Mac OS virus we’ve found,’ said Brian Davis, U.S. sales manager for Intego, a Mac security and privacy firm that discovered the Trojan. The Trojan is benign, according to Intego. If launched, it doesn’t do anything except access files in the System folder. But Intego warned that the code could be modified easily to delete files or hijack a machine and replicate itself through e-mail,” Kahney reports.

“‘This is likely a test Trojan showing these things are possible,’ said Davis. ‘There’s definitely an open door we don’t want to leave open.’ The Trojan appears to be the first malicious code for Mac OS X, which was launched in March 2001. Until now, Mac users have prided themselves on running a system that has been largely virus-free. Few Mac OS X users run antivirus software, or are wary of double-clicking files they’ve downloaded or received in e-mail,” Kahney reports.

Full article here.

Intego’s press release:

Intego, the Macintosh security specialist, has just released updated virus definitions for Intego VirusBarrier to protect Mac users against the first Trojan horse that affects Mac OS X. This Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files.

The Trojan horse’s code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X.

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double-clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then launches iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.

This Trojan horse has the potential to do any of the following:
– Delete all of a user’s personal files
– Send an e-mail message containing a copy of itself to other users
– Infect other MP3, JPEG, GIF or QuickTime files

Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS X. This same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen.

Intego VirusBarrier eradicates this Trojan horse, and Intego remains diligent to ensure that VirusBarrier will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

UPDATE (4.9.04, 9:40am): MacNN reports some more details on the so-called “Trojan Horse for Mac OS X.”

“This is actually a little bit of the Classic/Carbon paradigm catching up with us, and represents an oversight in the way Mac OS X handles presenting the file to the user. In the case of this proof of concept, a file can be made to appear as an ordinary mp3 file, complete with the familiar icon and .mp3 extension, and even audio content. However, the file contains a PowerPC code fragment – a piece of executable code; a little application – that can be made to do anything the author desires (limited by the permissions of the user executing it)… All in all, an interesting story, but it really represents taking advantage of a minor oversight in the way Mac OS X displays and handles potentially conflicting file extensions versus legacy metadata. Not really big news.”

Full article here.
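A defender's check for the technique described in the press release and the MacNN note, as an added example that is not Intego's, MacNN's or Apple's code: it flags .mp3 files that carry the execute bit (the Unix permissions point raised in the comments below), do not begin with audio data, embed a PEF code-fragment container, or carry a non-empty resource fork on macOS. The PEF magic, the resource-fork pseudo-path and the three sample files are assumptions of this example; the samples are constructed, not the real MP3Concept file.

```python
import os, stat, tempfile

# Assumed by this example: an ID3v2 tag or an MPEG frame sync opens real MP3
# audio; "Joy!peff" opens a PEF container (PowerPC code fragments, Classic/Carbon).
PEF_MAGIC = b"Joy!peff"
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def looks_like_mp3(header: bytes) -> bool:
    """True if the bytes open with an ID3v2 tag or an MPEG audio frame sync."""
    if header[:3] == b"ID3":
        return True
    return len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0

def scan_mp3(path: str) -> list:
    """Return indicator strings for one .mp3 file; an empty list means clean."""
    findings = []
    if os.lstat(path).st_mode & EXEC_BITS:
        findings.append("execute bit set")          # audio never needs +x
    with open(path, "rb") as f:
        data = f.read()
    if not looks_like_mp3(data[:4]):
        findings.append("no ID3 tag or MPEG frame at offset 0")
    # Code container in the data fork: heuristic, a lead for analysis, not proof.
    if PEF_MAGIC in data:
        findings.append("PEF code fragment embedded")
    # Legacy metadata: macOS exposes the resource fork at this pseudo-path;
    # elsewhere the stat fails and the check is skipped.
    try:
        if os.stat(path + "/..namedfork/rsrc").st_size > 0:
            findings.append("non-empty resource fork")
    except OSError:
        pass
    return findings

def demo() -> dict:
    """Scan three constructed sample files written to a temp dir."""
    root = tempfile.mkdtemp()
    samples = {  # name: (data fork bytes, mode); all constructed here
        "song.mp3": (b"ID3\x03\x00" + b"\x00" * 64, 0o644),
        "exec.mp3": (b"ID3\x03\x00" + b"\x00" * 64, 0o755),
        "frag.mp3": (b"ID3\x03\x00" + PEF_MAGIC + b"pwpc" * 4, 0o755),
    }
    report = {}
    for name, (body, mode) in samples.items():
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(body)
        os.chmod(p, mode)
        report[name] = scan_mp3(p)
    return report
```

Run `scan_mp3` over a music folder to produce a list of files worth a closer look; a hit on the execute bit or an embedded code container is the condition the press release warns about, whereas a clean result only means these particular indicators are absent.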

41 Comments

  1. This is all curious!
    This is from Bill Palmer’s site:

    Intego discovers trojan horse for MacOS X, acts bizarrely about it
    4/09/04, 7:37 am EST

    The first trojan horse to affect MacOS X, discovered by antivirus firm Intego, is said to exploit the user’s system by masquerading as an mp3 file. However, the trojan horse is not currently in circulation and, for that matter, does not appear to actually exist. Intego has apparently merely discovered “proof of concept,” meaning that such a trojan horse could theoretically be created. Furthermore, Intego’s insistence on treating the discovery as if it were a new product announcement has cast doubt as to the legitimacy and severity of their entire matter. Bizarre actions on the part of the company range from having a PR firm send out a press release announcing the discovery, to placing banner ads on its own site making the announcement that, when clicked, prompt the user to purchase one of Intego’s products. Even if this trojan horse does indeed turn out to be legitimate, Mac users should be comforted in knowing that in contrast, Symantec has discovered nineteen similar vulnerabilities for Windows so far this week.

  2. The bad code would hide in the resource fork – OS 9 is equally vulnerable.

    Though with the hiding of file extensions, it is easier to disguise one file as another. I wish that the anti-file extensions meta-data zealots would realize that file extensions are necessary so that you can tell what type of file something is simply by looking at its name, without having to look any deeper.

  3. Easy way to avoid getting this “virus” if it exists. Don’t steal music. If you get a virus because you stole something I have no pity for you. End of story.

  4. this is bullshit. if you check the article on slashdot.org they did a lot better research.

    some guy figured out that a file could have both an mp3 id3 tag and .mp3 file extension and could also be labelled as a .app with an executable code payload. it was discussed in newsgroups (you can find it on google groups).

    a patch is most likely in the works as you read this over at apple.

    nothing was ‘discovered’ or ‘found in the wild’, it was just a load of hype by an anti-virus company kicked up to sell their product.

    this is a case of a theoretical vuln. turned into a proof of concept hijacked by a company to produce sensational press coverage.

    in a week’s time this won’t be an issue any more as itunes will probably be patched to check for this in your mp3s and apple will release a security update for os x 10.2 and 10.3. also, there’ll probably be a dozen or so freeware file scanners on macupdate and versiontracker by the same time.

    no one wants to see the mac become a home for viruses and trojans. however, by researching the possible weak spots like the original guys did the problem has come to light and will be plugged quickly – just like what happens on linux, except we have to wait for apple to produce an official patch instead of relying on one made by a 13 year old coder in his bedroom in finland.

  5. Is it that we don’t want it to be true? Is it a vulnerability warning? Has anyone gotten it? Macnn has the best piece on the Macweb about it for those looking for someone explaining what it is in depth.

  6. true or not, we should be celebrating that the mac is at last getting some serious (if bullshit) security scares… for too long the windows world has lorded over macintosh’s seeming invulnerability. could it be that this is a symptom of the growing popularity of the mac platform, and a precursor of great times ahead? who knows, by this time next year we could have daily warnings of new mac os x viruses and security holes, bringing us in line with the “more popular” windows operating system. happy easter!

  7. Well…as long as you DON’T download MP3s you are fine….I prefer AAC files. BUT if you are on Limewire or other p2p apps, then it’s time to be cautious; perhaps it could be a deterrent to using P2P apps. Otherwise the risk is low. Very low.

  8. What about Unix file permissions? None of my .mp3 files have execute permissions. In order for this to work you would need to give your .mp3 files execute permissions ( chmod a+x filename ).
