Nomad

http://arstechnica.com/news/posts/1081455881.html

Virus and Trojan horses are old hat, at least if you run Windows as your primary OS. For years, Mac users have enjoyed the relative obscurity of a low market share, which meant that aside from the occasional Mac OS 8/9 boot worm, malware writers generally overlooked the platform to concentrate on tormenting the largest amount of users with the least amount of effort. Alas, a modern OS and the platform's increased visibility could only be overlooked for so long, and French Mac security firm Intego today announced the sighting of an overly-user-friendly Trojan Horse for OS X.

The Trojan horse's code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X. Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then [launches] iTunes to play the music contained in the file, to make users think that it is really an MP3 file.

This particular Trojan horse has the potential to do all the typical nasty stuff such as deleting files, infecting other media files (i.e., QuickTime, MP3, JPEG), and propagating itself via e-mail. According to Intego, initial versions of the Trojan are benign, but now that this exploit is widely-known, it is likely that this exploit will be adopted by virus and Trojan horse authors. Intego has made updated virus definitions available, and McAfee (makers of Virex) will likely follow.

Mac users have been grown accustomed to not worrying about malware. While it is unrealistic to think that Mac OS X users are soon going to be under a barrage of MyDoom and SoBig-like viruses, chances are that virus authors will begin looking for exploits. If you own a Mac, this might be a good time to dust off that antivirus software.

Silvy

I have some difficulty understanding this:

So the trojan is in the ID3 tag. That means it must be in the MP3 file.
Then it's logically displayed as an MP3 file, which in the above text is thought as deceiving.
Double clicking on it launches the code.... So you mean it's an application? So it's not actually an MP3 file? Then MacOS just assumes it is?
Then the trojan launches iTunes? So it is an MP3 file?
Ok, you got me: what is it?

My conclusion: The exploit is in the way MP3 files are handled (in iTunes?). It is an MP3 file, but some info in there exploits the security hole (in iTunes?). And think I'm correct in assuming that iTunes is launched, the MP3 is played, and then the malicious code is executed.

It's all the same difference, the file is Bad, and the security leak should be patched. But I hardly see it as an Mac OS X problem, as it most certainly lies within the iTunes application.

Note: I've never used Mac OS X

__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. "
- Murphy MacManus (Boondock Saints)

Silverbrain

And this is the reason why I dont work with macs =)

__________________
Over Thinking, Over Analyzing
Seperates the Body from the Mind - MJK

bodypainter

It is an application that contains an MP3. In this case, it's a Carbon application which is a kind of hybrid between OS X and OS 9 that retains the metadata in the resource fork of the file (the resource fork doesn't exist in native OS X (Cocoa) type applications).

Anyway, all they did after creating this application was change one of the metadata attributes to make it appear to the system as an MP3. For good measure, they gave it a .mp3 extension. If you double-click this application in the Finder, you're infected. If you try to play it in iTunes, the embedded MP3 plays and you're not infected (since iTunes won't execute code in an MP3).

All in all, it's a pretty craptactular trojan. It won't infect if used as an MP3 ordinarily would (ie adding it to the iTunes library) and as of now, it's only a concept trojan in a lab and not lose in the wild.

We've always known this day was coming but I don't think it's here quite yet.

Silvy

Thanks for clearing that up.
Never knew Mac files contain metadata... that explains a lot!

__________________
"Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. "
- Murphy MacManus (Boondock Saints)

bodypainter

Well, up through OS 9 they nearly always did but native type OS X does not. The Carbon thing is part of OS X to maintain backward compatibility and make it easier to convert OS 9 programs to OS X but it's legacy stuff that will eventually die out.

This is a sore point for some long-time Mac users. Some of us *like* the metadata and feel like it's a real loss.

madsenj37

This can happen on any computer platform, not macs only. This has been known for years. No program was released to spur this. It was a compnay's attempt to stir up business. No program can be installed in Mac OS X without a password being entered. If you enter a password to play an mp3 or jpg, then you deserve the havoc the program wreaks.

To do this on any platform one simply has to retitle their program or virus with an extension like .mp3 then change the icon and people will think its that type of file.

__________________
"Only two things are certain: the universe and human stupidity; and I'm not certain about the universe."
-- Albert Einstein