First Trojan Horse for Mac OS X? (Update)

“Thanks to Apple Computer’s rising star in the world of digital music, Mac OS X has become a target for malware authors,” Leander Kahney reports for Wired News. “A Trojan horse, called MP3Concept or MP3Virus.gen, has been discovered that masquerades as an MP3 file. It hides in ID tags of the file and becomes activated when unwary users click on it, expecting to play a digital song.”

“‘This is the first native Mac OS virus we’ve found,’ said Brian Davis, U.S. sales manager for Intego, a Mac security and privacy firm that discovered the Trojan. The Trojan is benign, according to Intego. If launched, it doesn’t do anything except access files in the System folder. But Intego warned that the code could be modified easily to delete files or hijack a machine and replicate itself through e-mail,” Kahney reports.

“‘This is likely a test Trojan showing these things are possible,’ said Davis. ‘There’s definitely an open door we don’t want to leave open.’ The Trojan appears to be the first malicious code for Mac OS X, which was launched in March 2001. Until now, Mac users have prided themselves on running a system that has been largely virus-free. Few Mac OS X users run antivirus software, or are wary of double-clicking files they’ve downloaded or received in e-mail,” Kahney reports.

Full article here.

Intego’s press release:

Intego, the Macintosh security specialist, has just released updated virus definitions for Intego VirusBarrier to protect Mac users against the first Trojan horse that affects Mac OS X. This Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files.

The Trojan horse’s code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X.

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double-clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then launches iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.

This Trojan horse has the potential to do any of the following:
– Delete all of a user’s personal files
– Send an e-mail message containing a copy of itself to other users
– Infect other MP3, JPEG, GIF or QuickTime files

Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS X. This same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen.

Intego VirusBarrier eradicates this Trojan horse, and Intego remains diligent to ensure that VirusBarrier will also eradicate any future viruses that may try to exploit this same technique. All Intego VirusBarrier users should make sure that their virus definitions are up to date by using the NetUpdate preference pane in the Mac OS X System Preferences.

UPDATE (4.9.04, 9:40am): MacNN reports some more details on the so-called “Trojan Horse for Mac OS X.”

“This is actually a little bit of the Classic/Carbon paradigm catching up with us, and represents an oversight in the way Mac OS X handles presenting the file to the user. In the case of this proof of concept, a file can be made to appear as an ordinary mp3 file, complete with the familiar icon and .mp3 extension, and even audio content. However, the file contains a PowerPC code fragment – a piece of executable code; a little application – that can be made to do anything the author desires (limited by the permissions of the user executing it)… All in all, an interesting story, but it really represents taking advantage of a minor oversight in the way Mac OS X displays and handles potentially conflicting file extensions versus legacy metadata. Not really big news.”

Full article here.
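As an added illustration (not code from Intego, MacNN or the original post), here is a defender-side Python check for the masquerade both sources describe: it parses the ID3v2 tag of a file named *.mp3 and reports whether executable magic (a CFM "Joy!peff" PowerPC code fragment or a Mach-O header) is embedded in the tag or after it, and whether real MPEG audio frames follow the tag. The sample files are constructed inline, the magic values are the standard ones for those formats, and the check is a heuristic only (it does not inspect legacy type/creator metadata or resource forks, which a full scanner would also examine).

```python
"""Heuristic check: does a file claiming to be an MP3 carry executable code
in its ID3v2 tag, the hiding place the Intego release describes?"""

# Magic bytes of executable containers on Mac OS X of that era.
PEF_MAGIC = b"Joy!peff"               # CFM PowerPC code fragment (Carbon/Classic)
MACHO_MAGICS = (b"\xfe\xed\xfa\xce",  # Mach-O, 32-bit big-endian
                b"\xca\xfe\xba\xbe")  # fat/universal binary (also Java class files)

def id3v2_tag_end(data):
    """Offset just past the ID3v2 tag, or 0 if the file has no valid tag."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    size = 0
    for b in data[6:10]:              # 28-bit syncsafe integer: 7 bits per byte
        if b & 0x80:                  # high bit set means a malformed header
            return 0
        size = (size << 7) | b
    return 10 + size

def has_mpeg_frame_sync(data, offset):
    """True if an MPEG audio frame header (11 sync bits set) starts at offset."""
    return len(data) >= offset + 2 and data[offset] == 0xFF and (data[offset + 1] & 0xE0) == 0xE0

def find_executable_magic(blob):
    """Names of executable containers whose magic appears anywhere in blob."""
    found = []
    if PEF_MAGIC in blob:
        found.append("PEF")
    if any(m in blob for m in MACHO_MAGICS):
        found.append("Mach-O")
    return found

def assess_mp3(data):
    """Return (verdict, details) for the raw bytes of a file named *.mp3.
    Note: does not read Finder type/creator info or resource forks."""
    tag_end = id3v2_tag_end(data)
    in_tag = find_executable_magic(data[:tag_end]) if tag_end else []
    in_body = find_executable_magic(data[tag_end:])
    audio_ok = has_mpeg_frame_sync(data, tag_end)
    if in_tag or in_body:
        verdict = "suspicious"        # executable content hidden in an "MP3"
    elif not audio_ok:
        verdict = "unknown"           # no audio frames where they should start
    else:
        verdict = "clean"
    return verdict, {"id3_tag_bytes": tag_end, "exec_in_tag": in_tag,
                     "exec_in_body": in_body, "audio_frames_after_tag": audio_ok}

def build_id3_file(tag_payload, audio=b"\xff\xfb\x90\x00" + b"\x00" * 12):
    """Constructed sample: ID3v2.3 header wrapping tag_payload, then MPEG frames."""
    syncsafe = bytes(((len(tag_payload) >> s) & 0x7F) for s in (21, 14, 7, 0))
    return b"ID3\x03\x00\x00" + syncsafe + tag_payload + audio

BENIGN = build_id3_file(b"TIT2\x00\x00\x00\x06\x00\x00\x00Song!")           # constructed
MASQUERADE = build_id3_file(b"PRIV\x00\x00\x00\x20\x00\x00owner\x00" + PEF_MAGIC + b"\x00" * 18)
```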
