First Trojan Horse for Mac OS X?  (Update)

“Thanks to Apple Computer’s rising star in the world of digital music, Mac OS X has become a target for malware authors,” Leander Kahney reports for Wired News. “A Trojan horse, called MP3Concept or MP3Virus.gen, has been discovered that masquerades as an MP3 file. It hides in ID tags of the file and becomes activated when unwary users click on it, expecting to play a digital song.”

“‘This is the first native Mac OS virus we’ve found,’ said Brian Davis, U.S. sales manager for Intego, a Mac security and privacy firm that discovered the Trojan. The Trojan is benign, according to Intego. If launched, it doesn’t do anything except access files in the System folder. But Intego warned that the code could be modified easily to delete files or hijack a machine and replicate itself through e-mail,” Kahney reports.

“‘This is likely a test Trojan showing these things are possible,’ said Davis. ‘There’s definitely an open door we don’t want to leave open.’ The Trojan appears to be the first malicious code for Mac OS X, which was launched in March 2001. Until now, Mac users have prided themselves on running a system that has been largely virus-free. Few Mac OS X users run antivirus software, or are wary of double-clicking files they’ve downloaded or received in e-mail,” Kahney reports.

Full article here.

Intego’s press release:

Intego, the Macintosh security specialist, has just released updated virus definitions for Intego VirusBarrier to protect Mac users against the first Trojan horse that affects Mac OS X. This Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files.

The Trojan horse’s code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X.

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double-clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then launches iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.

This Trojan horse has the potential to do any of the following:
– Delete all of a user’s personal files
– Send an e-mail message containing a copy of itself to other users
– Infect other MP3, JPEG, GIF or QuickTime files

Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS X. This same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen.

Intego VirusBarrier eradicates this Trojan horse, and Intego remains diligent to ensure that VirusBarrier will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

UPDATE (4.9.04, 9:40am): MacNN reports some more details on the so-called “Trojan Horse for Mac OS X.”

“This is actually a little bit of the Classic/Carbon paradigm catching up with us, and represents an oversight in the way Mac OS X handles presenting the file to the user. In the case of this proof of concept, a file can be made to appear as an ordinary mp3 file, complete with the familiar icon and .mp3 extension, and even audio content. However, the file contains a PowerPC code fragment – a piece of executable code; a little application – that can be made to do anything the author desires (limited by the permissions of the user executing it)… All in all, an interesting story, but it really represents taking advantage of a minor oversight in the way Mac OS X displays and handles potentially conflicting file extensions versus legacy metadata. Not really big news.”

Full article here.

41 Comments

  1. “Well…as long as you DON’T download MP3’s you are fine” – giofoto

    Actually, downloading MP3s isn’t the problem. As the article pointed out, you need to keep the resource fork intact. Downloading an MP3 file will only give you the data fork. So, using P2P or the web won’t give you the problem. The problem is when you download or get through email an MP3 file in packaged form that preserves the resource fork: StuffIt compressed, MacBinary encoded, etc. Hopefully, as a Mac user, one is intelligent enough not to just run anything one gets in the mail unrequested. Even as a trojan horse, this requires a bit of an effort to spread.
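The Python model below is an added example, not code from Intego, MacNN or any commenter. It puts into runnable form what the press release, the MacNN note and the first comment describe: the Finder chooses the icon and "kind" from the .mp3 extension, while a double-click launches anything whose HFS type code is APPL; a raw HTTP, P2P or e-mail transfer carries only the data fork, so the type code and resource fork (and with them the threat) are lost; a MacBinary II wrapper carries both forks and the type code intact. The MacBinary II header fields used here (filename at offset 1, type and creator at 65, fork lengths at 83, version bytes at 122 and 123, CRC-16 at 124) follow the published layout, with only the fields needed for a round trip filled in. The sample file, its type code and its placeholder resource fork are constructed for the example; nothing from the real demo file is reproduced.

```python
"""Model of the display-versus-launch mismatch behind MP3Concept (constructed example)."""
from dataclasses import dataclass
import struct

MACBINARY_II = 129          # version byte written by MacBinary II encoders
MEDIA_EXTS = {"mp3", "jpg", "jpeg", "gif", "mov"}

@dataclass
class MacFile:
    name: str
    data_fork: bytes
    resource_fork: bytes = b""
    finder_info: bytes = b""   # 32-byte FInfo+FXInfo: bytes 0-3 type code, 4-7 creator

def type_code(f: MacFile) -> bytes:
    """HFS type code from the Finder info; empty once that metadata is gone."""
    return f.finder_info[:4] if len(f.finder_info) >= 4 else b""

def extension(f: MacFile) -> str:
    return f.name.rsplit(".", 1)[1].lower() if "." in f.name else ""

def finder_display(f: MacFile) -> str:
    """Kind/icon the Finder shows: the extension wins over the type code."""
    if extension(f) in MEDIA_EXTS:
        return f"{extension(f)} document"
    return "application" if type_code(f) == b"APPL" else "document"

def double_click_action(f: MacFile) -> str:
    """What happens on double-click: a file typed APPL is launched, whatever its name."""
    if type_code(f) == b"APPL":
        return "launch as application (runs the file's code)"
    return f"open with the handler for .{extension(f) or 'unknown'}"

def audit(f: MacFile) -> list:
    """Findings a download scanner could raise before the user double-clicks."""
    findings = []
    if type_code(f) == b"APPL" and finder_display(f) != "application":
        findings.append(f"{f.name}: shown as {finder_display(f)} but typed APPL; "
                        "double-click launches it")
    if f.resource_fork and extension(f) in MEDIA_EXTS:
        findings.append(f"{f.name}: media file carries a {len(f.resource_fork)}-byte resource fork")
    return findings

def transfer_raw(f: MacFile) -> MacFile:
    """Plain HTTP, P2P or an e-mail body: only the data fork crosses."""
    return MacFile(f.name, f.data_fork)

def crc16_xmodem(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, initial value 0; used for the MacBinary II header."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def _pad128(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 128)

def macbinary_encode(f: MacFile) -> bytes:
    """MacBinary II: 128-byte header, then each fork padded to a 128-byte boundary."""
    name = f.name.encode("mac_roman")[:63]
    hdr = bytearray(128)
    hdr[1] = len(name)
    hdr[2:2 + len(name)] = name
    hdr[65:73] = (f.finder_info + b"\0" * 8)[:8]                # type + creator
    struct.pack_into(">II", hdr, 83, len(f.data_fork), len(f.resource_fork))
    hdr[122] = hdr[123] = MACBINARY_II
    struct.pack_into(">H", hdr, 124, crc16_xmodem(bytes(hdr[:124])))
    return bytes(hdr) + _pad128(f.data_fork) + _pad128(f.resource_fork)

def macbinary_decode(blob: bytes) -> MacFile:
    """Inverse of macbinary_encode; rejects streams whose header CRC does not match."""
    hdr = blob[:128]
    if len(hdr) < 128 or hdr[0] != 0 or not 0 < hdr[1] < 64:
        raise ValueError("not a MacBinary header")
    if struct.unpack_from(">H", hdr, 124)[0] != crc16_xmodem(hdr[:124]):
        raise ValueError("MacBinary II header CRC mismatch")
    dlen, rlen = struct.unpack_from(">II", hdr, 83)
    rstart = 128 + len(_pad128(b"\0" * dlen))
    return MacFile(hdr[2:2 + hdr[1]].decode("mac_roman"), blob[128:128 + dlen],
                   blob[rstart:rstart + rlen], bytes(hdr[65:73]) + b"\0" * 24)

def transfer_macbinary(f: MacFile) -> MacFile:
    """StuffIt/MacBinary-style packaging: forks and type code survive the trip."""
    return macbinary_decode(macbinary_encode(f))

def sample_trojan() -> MacFile:
    """Constructed stand-in for the demo file: ID3v2 header and an MPEG frame sync in the
    data fork, an APPL type code, and a placeholder where the real file's code would be."""
    data = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb" + b"\x00" * 30
    return MacFile("song.mp3", data, b"<placeholder for PowerPC code>",
                   b"APPL" + b"????" + b"\0" * 24)

if __name__ == "__main__":
    f = sample_trojan()
    for label, g in (("as packaged", f), ("raw download", transfer_raw(f)),
                     ("MacBinary transfer", transfer_macbinary(f))):
        print(f"{label:>18}: {finder_display(g)}; double-click -> {double_click_action(g)}")
        print("\n".join("    " + line for line in audit(g)) or "    no findings")
```

Run stand-alone, the script shows the three cases side by side: the packaged file and the MacBinary copy both display as an "mp3 document" yet launch as an application, while the raw-download copy has no type code left and simply opens with the .mp3 handler. The `audit` check is the kind of rule a scanner would apply at download time: an APPL type code on anything the Finder will present as a media document is the mismatch the trojan depends on.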

  2. Don’t feed the trolls. If this ever gets out in the wild it will make it 90 some odd thousand to 1. Windows wins again. That ratio is even worse than the lousy market share.

  3. All right Sausage Boy, that’s it! I’ve had enough fuckin’ sausage jokes for one week, pack up your sausages and get the fuck outta here! Geezus Christ already! C’mon man, give us a break with the sausages already!

  4. Out on Usenet, there was a discussion of how some of the architecture of the Mac could be exploited <http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004@news.bahnhof.se#link6>. One participant posted a proof of concept of one of the ideas. The existence of the proof of concept led Intego to update their product to protect against such an exploit. Responsible, even laudable. But I note two things about it – their protection is brain-dead and they’ve spun their PR to sound as though their diligence “outed” this. As one respondent noted elsewhere – perhaps Q1 sales were flat…

  5. Ron,

    You constantly amaze me. What eloquent thought-provoking retorts you share with us here. You are obviously a person with intelligence, education, and refinement.

    NOT.

    Go get a job, and quit trolling the Mac sites. Better yet go back to high school and get that degree. I think I can, I think I can……..

    What a loser.

  6. I’ve seen several misconceptions floating around the web about this. First of all, this Trojan can be hidden in ANY data file, not just an mp3. If the file has a type “APPL” (which this “virus” demo file has), and you double-click on it, it will run as an application. It won’t launch iTunes or anything else other than itself, unless the code that executes launches another application (which this demo Trojan supposedly does). This type of Trojan was possible on Mac systems at least as far back as system 7 if not earlier (I suspect all the way back to the 128k Mac of ’84), and it was possible on OSX the day it was released. The ONLY way you can get this Trojan into your computer is to do a Finder copy from another disk or to download a stuffed/zipped file, which when unstuffed creates the “application”. Then you have to double-click it to have it run; dragging it into iTunes will do nothing except play the audio that is present in the data fork of this file — no code will execute. I downloaded the sample “virus” file and tried to run it, but was told by Panther that “You do not have permission to run the application ‘virus.mp3′”. If I was logged in under an admin account then it probably would have run, since others have said they have done this. Furthermore, this is NOT a VIRUS. It is a Trojan horse. Big difference. A virus is self propagating, requiring no human intervention to spread to another system. Trojans need help — they have to be run/opened by the user. I don’t believe there is any computer system in the world that can prevent a cleverly designed Trojan from getting through at least some of the time. They all need a clueless human at the controls.

    This is not news. It is some anti-virus peddler in need of sales. And it really ticks me off to see many of the Wintel sites jumping all over this as though Mac systems are now just as susceptible to a virus as they are. When a Mac can be taken down just by RECEIVING an email (don’t even have to open it), can be infected just by CLICKING on a web link, or by just LISTENING to an embedded music file on the web, when it can become a SOURCE of spam just by being connected to the internet and left alone for a while …… THEN there will be some news.

    You may now return to your worry-free web browsing and email. (If you’re on a Mac, that is.)

  7. Part 1 of 2:

    I’ve seen several misconceptions floating around the web about this. First of all, this Trojan can be hidden in ANY data file, not just an mp3. If the file has a type “APPL” (which this “virus” demo file has), and you double-click on it, it will run as an application. It won’t launch iTunes or anything else other than itself, unless the code that executes launches another application (which this demo Trojan supposedly does). This type of Trojan was possible on Mac systems at least as far back as system 7 if not earlier (I suspect all the way back to the 128k Mac of ’84), and it was possible on OSX the day it was released. The ONLY way you can get this Trojan into your computer is to do a Finder copy from another disk or to download a stuffed/zipped file, which when unstuffed creates the “application”. Then you have to double-click it to have it run; dragging it into iTunes will do nothing except play the audio that is present in the data fork of this file — no code will execute. I downloaded the sample “virus” file and tried to run it, but was told by Panther that “You do not have permission to run the application ‘virus.mp3′”. If I was logged in under an admin account then it probably would have run, since others have said they have done this. Furthermore, this is NOT a VIRUS. It is a Trojan horse. Big difference. A virus is self propagating, requiring no human intervention to spread to another system. Trojans need help — they have to be run/opened by the user. I don’t believe there is any computer system in the world that can prevent a cleverly designed Trojan from getting through at least some of the time. They all need a clueless human at the controls. (continued….)

  8. Part 2 of 2:

    I’m happy to see that Apple is already undertaking steps to eliminate the possibility that a Trojan of this sort has a chance to succeed, even though there are no known Trojans of this type (or any other type) “in the wild” that have attempted to invade the MacOSX community. But it really ticks me off to see many of the Wintel sites jumping all over this as though Mac systems are now just as susceptible to a virus as they are. When a Mac can be taken down just by RECEIVING an email (don’t even have to open it), can be infected just by CLICKING on a web link, or by just LISTENING to an embedded music file on the web, when it can become a SOURCE of spam just by being connected to the internet and left alone for a while …… THEN there will be some news.

    You may now return to your worry-free web browsing and email. (If you’re on a Mac, that is.)

  9. “This is why I laugh at you tree-hugging, pinko, veggie-freak, throat-sausage-loving Mac fags. See? Same as Windows is Mac OS X. probably much worse, but since nobody uses the faggy OS X, nobody bothers to write Malware for that toy. Right, butt-blasters?”

    Go play on the freeway you fucking retard!

    Mac users are too intelligent to fall for the usual crap used to infect PCs. As your idiotic posts would indicate, PC users on average are a bunch of lemming-like morons. You are not going to see Mac users falling for such obvious attempts to spread virus infections.

    Keep it up retard. Every post you make here helps prove that Windows is the system of choice for the intellectually challenged among the population

  10. This is all a load of bullsh*t and FUD. Apple will likely have a patch for this alleged vulnerability shortly anyway. For CNET and others to be sounding the “virus threat” alarm is both ludicrous and self serving.

    The fact of the matter is that this Trojan (note, it’s not a virus or worm) is NOT present in the wild, nor has ANY system been infected. This is simply a case of a company looking to peddle their never before heard of anti-virus software and OS X/Apple detractors looking for a story where there is none.

  11. The problem is not about it being a real threat or not a real threat.

    News services are picking up this story and running with it. They are reporting that there is now something that attacks the Mac OS. Real or not does not matter. They are blindly reporting that something is out there. True to form, the media is just reporting what is little more than “hearsay”.

    Like many of us run into every day, the difference between what is perceived about the Mac and Mac OS and what is reality is often very, very different. The same is happening here. I suspect by Monday most Wintel users will have heard that the Mac OS has been torn apart by the worst virus attack ever. Some will even take the misinformation as proof that the Mac OS is even more vulnerable than Windows.

    My suggestion? Find every reporter (either by email address or voice contact) and make absolutely certain they tell the story correctly and when they tell the story incorrectly demand an immediate correction — this was a proof of concept piece and it has not been proven to have infected anyone.

    If Mac users don’t nip this one in the bud, it will be like the days before OS X. The Classic Mac OS has had 41 confirmed viruses, trojans and worms. Windows up through January 2001 has had over 41,000. However, the average user thought the classic Mac OS was just as vulnerable as the Windows OS.

  12. Wired magazine covers this BS story pretty well. They point out that the “trojan horse” is made harmless when transmitted over email. So much for it being a trojan horse…
