First Trojan Horse for Mac OS X?  (Update)

“Thanks to Apple Computer’s rising star in the world of digital music, Mac OS X has become a target for malware authors,” Leander Kahney reports for Wired News. “A Trojan horse, called MP3Concept or MP3Virus.gen, has been discovered that masquerades as an MP3 file. It hides in ID tags of the file and becomes activated when unwary users click on it, expecting to play a digital song.”

“‘This is the first native Mac OS virus we’ve found,’ said Brian Davis, U.S. sales manager for Intego, a Mac security and privacy firm that discovered the Trojan. The Trojan is benign, according to Intego. If launched, it doesn’t do anything except access files in the System folder. But Intego warned that the code could be modified easily to delete files or hijack a machine and replicate itself through e-mail,” Kahney reports.

“‘This is likely a test Trojan showing these things are possible,’ said Davis. ‘There’s definitely an open door we don’t want to leave open.’ The Trojan appears to be the first malicious code for Mac OS X, which was launched in March 2001. Until now, Mac users have prided themselves on running a system that has been largely virus-free. Few Mac OS X users run antivirus software, or are wary of double-clicking files they’ve downloaded or received in e-mail,” Kahney reports.

Full article here.

Intego’s press release:

Intego, the Macintosh security specialist, has just released updated virus definitions for Intego VirusBarrier to protect Mac users against the first Trojan horse that affects Mac OS X. This Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files.

The Trojan horse’s code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X.

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double-clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then launches iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.

This Trojan horse has the potential to do any of the following:
– Delete all of a user’s personal files
– Send an e-mail message containing a copy of itself to other users
– Infect other MP3, JPEG, GIF or QuickTime files

Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS X. This same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen.

Intego VirusBarrier eradicates this Trojan horse, and Intego remains diligent to ensure that VirusBarrier will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

UPDATE (4.9.04, 9:40am): MacNN reports some more details on the so-called “Trojan Horse for Mac OS X.”

“This is actually a little bit of the Classic/Carbon paradigm catching up with us, and represents an oversight in the way Mac OS X handles presenting the file to the user. In the case of this proof of concept, a file can be made to appear as an ordinary mp3 file, complete with the familiar icon and .mp3 extension, and even audio content. However, the file contains a PowerPC code fragment – a piece of executable code; a little application – that can be made to do anything the author desires (limited by the permissions of the user executing it)… All in all, an interesting story, but it really represents taking advantage of a minor oversight in the way Mac OS X displays and handles potentially conflicting file extensions versus legacy metadata. Not really big news.”

Full article here.
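The technique described in Intego's release and MacNN's note above comes down to a file that looks like media (icon, .mp3 extension, ID3 tag, even playable audio) while its permissions, header or resource fork say "program". The scanner below is an added example, not code from Intego, MacNN or Apple: it walks a directory and flags media-named files on exactly those signals, without ever opening them in a player. Assumptions are labelled in the comments: the executable magic bytes are the standard Mach-O, fat-binary and PEF ("Joy!peff") headers, the resource fork is read through the `..namedfork/rsrc` path that macOS exposes (absent elsewhere, so it simply reports 0), and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# File extensions the press release names as possible disguises (MP3, JPEG, GIF, QuickTime).
MEDIA_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".gif", ".mov"}

# Magic bytes of executable containers that a genuine media file never starts with:
# Mach-O (32/64-bit, either byte order), a fat/universal binary, and the classic
# PEF header used by PowerPC code fragments. Assumption: these well-known constants.
EXECUTABLE_MAGIC = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
    b"Joy!peff",
)


def resource_fork_size(path):
    """Size of the HFS+ resource fork via the ..namedfork/rsrc path.

    Assumption: that path is how macOS exposes the fork. On file systems without
    forks the path does not exist and we report 0, which is the safe answer here.
    """
    try:
        return os.stat(os.path.join(str(path), "..namedfork", "rsrc")).st_size
    except OSError:
        return 0


def inspect_media_file(path):
    """Return the reasons a media-named file looks like a disguised program.

    Only stat() and the first bytes are examined; the file is never executed or
    handed to a player. An empty list means nothing suspicious was found, or the
    extension is not one we treat as media.
    """
    path = Path(path)
    reasons = []
    if path.suffix.lower() not in MEDIA_EXTENSIONS:
        return reasons
    if path.is_dir():
        # A directory wearing a media extension is a bundle, not a song.
        reasons.append("directory (bundle) named like a media file")
        return reasons
    mode = path.stat().st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("execute bit set on a media file")
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(EXECUTABLE_MAGIC):
        reasons.append("file begins with executable magic bytes")
    if resource_fork_size(path) > 0:
        reasons.append("non-empty resource fork")
    return reasons


def scan_directory(root):
    """Map each flagged file name under root to its list of reasons."""
    findings = {}
    for entry in sorted(Path(root).iterdir()):
        reasons = inspect_media_file(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


def demo():
    """Constructed samples: one ordinary ID3-tagged MP3, one executable in disguise."""
    tmp = Path(tempfile.mkdtemp())
    # Constructed: an ID3v2 header followed by an MPEG frame sync and padding.
    (tmp / "song.mp3").write_bytes(b"ID3\x03\x00\x00\x00\x00\x00\x00\xff\xfb" + b"\x00" * 32)
    # Constructed: a PEF-style header with the execute bit set, named like a song.
    fake = tmp / "hit.mp3"
    fake.write_bytes(b"Joy!peff" + b"\x00" * 32)
    fake.chmod(0o755)
    # Constructed: a non-media file that the scanner should ignore entirely.
    (tmp / "notes.txt").write_bytes(b"just text")
    return scan_directory(tmp)


if __name__ == "__main__":
    for name, why in demo().items():
        print(f"{name}: {', '.join(why)}")
```

Run it as-is and only the disguised file is reported. The execute-bit check is the one that costs an attacker the most, because a Mach-O or PEF payload cannot run without it; the header and resource-fork checks catch the cases where the program bytes are simply appended to, or hidden beside, a real ID3 tag.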

41 Comments

  1. This is all curious!
    This is from Bill Palmer’s site:

    Intego discovers trojan horse for MacOS X, acts bizarrely about it
    4/09/04, 7:37 am EST

    The first trojan horse to affect MacOS X, discovered by antivirus firm Intego, is said to exploit the user’s system by masquerading as an mp3 file. However, the trojan horse is not currently in circulation and, for that matter, does not appear to actually exist. Intego has apparently merely discovered “proof of concept,” meaning that such a trojan horse could theoretically be created. Furthermore, Intego’s insistence on treating the discovery as if it were a new product announcement has cast doubt as to the legitimacy and severity of their entire matter. Bizarre actions on the part of the company range from having a PR firm send out a press release announcing the discovery, to placing banner ads on its own site making the announcement that, when clicked, prompt the user to purchase one of Intego’s products. Even if this trojan horse does indeed turn out to be legitimate, Mac users should be comforted in knowing that in contrast, Symantec has discovered nineteen similar vulnerabilities for Windows so far this week.

  2. The bad code would hide in the resource fork; OS 9 is equally vulnerable.

    Though with the hiding of file extensions, it is easier to disguise one file as another. I wish that the anti-file extensions meta-data zealots would realize that file extensions are necessary so that you can tell what type of file something is simply by looking at its name, without having to look any deeper.

  3. Easy way to avoid getting this “virus” if it exists. Don’t steal music. If you get a virus because you stole something I have no pity for you. End of story.

  4. this is bullshit. if you check the article on slashdot.org they did a lot better research.

    some guy figured out that a file could have both an mp3 id3 tag and .mp3 file extension and could also be labelled as a .app with an executable code payload. it was discussed in newsgroups (you can find it on google groups).

    a patch is most likely in the works as you read this over at apple.

    nothing was ‘discovered’ or ‘found in the wild’, it was just a load of hype by an anti-virus company kicked up to sell their product.

    this is a case of a theoretical vuln. turned into a proof of concept hijacked by a company to produce sensational press coverage.

    in a week’s time this won’t be an issue any more as itunes will probably be patched to check for this in your mp3s and apple will release a security update for os x 10.2 and 10.3. also, there’ll probably be a dozen or so freeware file scanners on macupdate and versiontracker by the same time.

    no one wants to see the mac become a home for viruses and trojans. however, by researching the possible weak spots like the original guys did the problem has come to light and will be plugged quickly – just like what happens on linux, except we have to wait for apple to produce an official patch instead of relying on one made by a 13 year old coder in his bedroom in finland.

  5. Is it that we don’t want it to be true? Is it a vulnerability warning? Has anyone gotten it? Macnn has the best piece on the Macweb about it for those looking for someone explaining what it is in depth.

  6. true or not, we should be celebrating that the mac is at last getting some serious (if bullshit) security scares… for too long the windows world has lorded over macintosh’s seeming invulnerability. could it be that this is a symptom of the growing popularity of the mac platform, and a precursor of great times ahead? who knows, by this time next year we could have daily warnings of new mac os x viruses and security holes, bringing us in line with the “more popular” windows operating system. happy easter!

  7. Well…as long as you DON’T download MP3s you are fine….I prefer AAC files. BUT if you are on Limewire or other p2p apps, then it’s time to be cautious; perhaps it could be a deterrent to using P2P apps. Otherwise the risk is low. Very low.

  8. What about Unix file permissions? None of my .mp3 files have execute permissions. In order for this to work you would need to give your .mp3 files execute permissions ( chmod a+x filename ).

  9. and another thing… who double clicks mp3s? surely you drag them to your itunes dock icon, well i do, or use apps like acquisition or leechster which add them automatically to the itunes library (and reject anything that only purports to be an mp3). double clicking anything is just so 1999.

  10. This is why I laugh at you tree-hugging, pinko, veggie-freak, throat-sausage-loving Mac fags. See? Same as Windows is Mac OS X. probably much worse, but since nobody uses the faggy OS X, nobody bothers to write Malware for that toy. Right, butt-blasters?

    This is also why Steve Jobs and Apple won’t advertise “No Mac OS X Viruses” anywhere. If they tried it, they’d get blasted by worms, viruses, and trojan horses.

    Look on the bright side, better this trojan than the usual Trojan-covered skin sausage that you Mac fudge packers so desire.

  11. To those who are still using an inferior format to AAC/.m4a…tsk, tsk. My snobbishness aside, whether or not this is a legitimate issue, it will without a doubt garnish huge attention from our critics. Like most criticism of our family, the interest of facts will be markedly absent, and basic logic will be abandoned.

  12. Eat a steak, stop trying to play the skin flute, cut down a tree to build something, stop voting for libs, and stop being so artsy-fartsy, then the rest of the world will consider Apple Mac. Until then, lube up and bend over as usual, Mac fags!

  13. Wow.
    now THERE was a well thought out response, right Ron?

    You know, I love my Macs just as much as anyone else. So does my wife, and all the clients here in Portland that I have converted. But the LEVEL of emotion that runs around this issue here is just a little scary.

    Guys like Ron…lol…let me just say this. Ron is probably all of 13, and he just got home from a bad day in jr. high. He’s probably got acne, and probably just finished extricating himself from the dumpster behind the gym that the cool kids dumped him in after school. He’s an Eric Harris or Dylan Klebold in the making, but making it worse, he’s got the hots for the school quarterback, so now his problems are worsening! His nuts probably haven’t dropped yet, and he sure doesn’t have any hair there either.

    What’s my point? I don’t know, I’m just so tired of seeing all these little kids posting their pointless “I hate Mac. WinDOZE rulez” drivel.

    Similarly, I’m getting tired of people saying that Mac is invulnerable.

    Guys, it’s an OS that’s made by MAN. Yes, MAN, not God (despite Jobs’ obvious candidacy for the position.)

    This OS was made by man, therefore it IS vulnerable. Everything has a weakness. I can promise you that.

    Is Mac better than WinDOZE? Undoubtedly.

    But let’s keep our emotions in check.

    Jason

  14. Ron, grow up. Your vapid and injudicious comments clearly show your maturity. If you wish to actually have a productive discussion or debate, we can, but displaying this worthless behavior does nothing for you.

  15. “Look on the bright side, better this trojan than the usual Trojan-covered skin sausage that you Mac fudge packers so desire.”

    Actually, a good one, ron. Pretty creative. Otherwise, you’re a horrible, nasty, little, creepy thing, indeed.

  16. I posted this in another thread but this is where it belongs:

    You know what that new OS X “Concept” Trojan sounds like to me? It sounds like something the Intego company might have even made themselves to boost sales of their anti-virus software. Where did they come across this “Concept” Trojan? It was not in the wild. Maybe somebody sent it in to them. We always knew that it is possible in theory. It must drive Mac anti-virus software makers bonkers that there are currently no wild malicious viruses for the Mac and this undoubtedly was part of the motivation of Intego in issuing this press release.

    Apple should address the issue that app files can look like other files and further increase the security of OS X. Even though I am suspicious that Intego issued this warning to stimulate sales of their software, this might serve as a wake-up call for Mac users to not become too complacent. Mac users need to make sure they are practicing good security. It sounds like from the post by beeblebrox

    “as long as you copied it out of your email program (OS X does not allow the execution of an app from within an email program) onto the desktop and then double-clicked it, your data would be gone.”

    that a good rule of thumb would be to ONLY CLICK ON ATTACHMENTS WHILE THEY ARE STILL IN THE EMAIL. I know that I can open documents from within an email but was not aware that OS X does not allow execution of an app from within an email. This is very good to know and Apple should also issue a press release or a security advisory to this effect. It would make things that much more difficult for potential virus writers.

    Please tell me if I am wrong but I don’t believe windoze has this functionality and that an app is executable from within an email program on windoze. If this is so then OS X is, once again, much more secure than the swiss cheese represented by Windoze.

    Correction:

    I just tried it out and Mail WILL ALLOW an app to run from within Mail. HOWEVER, it gives you a warning that this is an app and might contain a virus first SOOOOO it seems that if someone actually ever tries this ploy, as long as you open attachments from within Mail first, you will be alerted that what looks like an MP3 etc. is actually an app and so you can avoid it.

  17. I’ve seen a lot of debate on the accuracy of Intego’s PR, but at the very worst it appears that this is a Trojan Horse with no Trojans, and it’s apparently been around for almost two years. If you did receive one, doing a “Show Info” or looking at it in column view would show the true nature of this beast. I’d agree with those who think this is merely scare tactics used to sell software.
