Quote:
Originally posted by Silvy
I have some difficulty understanding this:
So the trojan is in the ID3 tag. That means it must be in the MP3 file.
Then it's logically displayed as an MP3 file, which in the above text is thought as deceiving.
Double clicking on it launches the code.... So you mean it's an application? So it's not actually an MP3 file? Then MacOS just assumes it is?
Then the trojan launches iTunes? So it is an MP3 file?
Ok, you got me: what is it?
|
It is an application that contains an MP3. In this case, it's a Carbon application which is a kind of hybrid between OS X and OS 9 that retains the metadata in the resource fork of the file (the resource fork doesn't exist in native OS X (Cocoa) type applications).
Anyway, all they did after creating this application was change one of the metadata attributes to make it appear to the system as an MP3. For good measure, they gave it a .mp3 extension. If you double-click this application in the Finder, you're infected. If you try to play it in iTunes, the embedded MP3 plays and you're not infected (since iTunes won't execute code in an MP3).
All in all, it's a pretty craptactular trojan. It won't infect if used as an MP3 ordinarily would (ie adding it to the iTunes library) and as of now, it's only a concept trojan in a lab and not lose in the wild.
We've always known this day was coming but I don't think it's here quite yet.