The Mac OS X type/creator, .extension "trojan horse"; clarification from Intego
Intego on Thursday issued a security warning to its customers for the first Trojan horse to affect Mac OS X. Dubbed MP3Concept (MP3Virus.Gen), the Trojan horse exploits a weakness in Mac OS X where applications can appear to be other types of files, according to the company.
The issue is that the OS X Finder can be fooled into representing an application as a data file. This happens because the Finder draws on two different sources of information when deciding how to display an object: the file type/creator codes kept for compatibility with OS 9, and the file extensions introduced in OS X.
In this instance, the file type is set to "application", and the .extension is set to "file".
This "exploit" is only one step removed from simply renaming an application with a different extension, ".mp3" for instance. The only difference is that Mac OS X can be fooled into actually launching an application based on the false file type/creator codes and extensions (iTunes for a file with a .mp3 extension, for instance). However, any damage done by a file disguised in this manner would already be done by the time the application (appearing as a data file) is double-clicked.
Before we delve any further into the issue, there is a simple way to see whether any such files exist on your computer. Do a Finder-based search (Command-F) and set two criteria:
- Name contains: place a file extension here; .mp3, .jpeg, .wmv, etc.
- Kind: application
Any files that pop up (including a non-harmful example of the "trojan horse") are likely of the same nature that Intego is describing.
MacFixIt reader Michael Dinsmore writes:
"The practical result of this is illustrated by the proof of concept application posted here. The demonstration code only displays a warning dialog and plays a song: but that dialog could be easily converted to do anything that the currently logged in user has the authority to do, including delete their home directory with all of their data. It wouldn't be capable of doing anything that the current user is not able to do, like implanting a backdoor to the system; but losing all of your data is plenty bad enough.
"The trojan will display some attributes as a regular file: it has an MP3 icon, an MP3 .extension, and will even play a song if double clicked or dropped on iTunes. At first glance, it appears very much like a regular .mp3. However, the same file also has attributes of an application. It is labeled an application in the Get Info window, and in column view. It does not have the playback control that a normal mp3 does in column view.
"If you use a utility that can see file types and creator codes in terminal, you will see that it has type APPL--reserved for applications. It has been noted that the file needs to have its resource forks preserved during transmission to be effective, which generally means it needs to be compressed. Therefore, as Stuffit is required to make it work, Stuffit can also be used to help thwart it.
Stuffit 8.0.2
Although Stuffit 8.0.2 has a preference that will toggle "Set Execute permissions by default", and indeed if the check box is unchecked this file will not have the x bit set in the terminal, it will nonetheless execute. Therefore, this preference is of no help.
However, Stuffit 8.0.2 can also be set to call a virus scanner to scan decompressing files. Setting this to Intego's VirusBarrier, with the latest virus updates, does indeed flag the file as having an issue during decompression.
UPDATE: Gregory Lawhorn has an important reminder for those who choose to scan files during StuffIt expansion:
"Stuffit Deluxe and Stuffit Expander have separate preferences, and both need to be set to do this - setting Stuffit Deluxe alone won't change the Stuffit Expander preferences."
Forum threads
Meanwhile, there are two threads going about the first Trojan that affects Mac OS X in the MacFixIt Forums.
- "Trojan Horse for Mac OS X reported" in the Mac OS X 10.x forum:
- "Hey Mike - first OS X confirmed trojan?" in the Symantec for Mac forum
UPDATE: Some MacFixIt readers took issue with Intego's handling of the vulnerability's announcement, noting that the company simultaneously performed a good service by discovering the flaw, but essentially laid out the exploit for those who would like to use it with malicious intent.
Joe. F writes:
"Bravo to their tech people for spotting the flaw, describing it, and providing a fix -- thumbs down to their management and marketing people who decided to exploit the work of the tech people.
"To use a virus example. Suppose a drug company had the only effective treatment for smallpox. Suppose it then decided to send weakened samples of the smallpox virus to anyone who asked with suggestions that the weakened smallpox could be turned into a robust virus that would cause major illness if it were to be spread throughout the population. When the company reaped great profit from its increased sales to treat the resulting epidemic, should we all cheer for its contribution to fighting disease?"
Intego has now issued a new press release clarifying their position, providing correct details, and includes a justification for releasing the original press release. An excerpt:
"While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks. The exploit that it uses is both insidious and dangerous and it is our duty as a vendor of Macintosh security solutions to protect our users. We don't believe in waiting until the damage occurs, unlike some of our competitors. The Intego Virus Security Laboratory quickly discovered how to block this Trojan horse and prevent it from running its code and as part of our commitment to our users, it was only natural that we release this in our latest virus definitions for Intego VirusBarrier.
"We initially hesitated about releasing this information, but finally decided that it was our responsibility to alert users to this security risk.
"It should be noted that while Intego was the first to publish information about this Trojan horse, both Symantec and McAfee released updates to their antivirus software after the publication of our press release. However, these companies do not specify whether their updates protect against this Trojan horse. [...]
"As far as we know, this Trojan horse is benign today, but nothing prevents a malicious hacker from using this same technique to create a dangerous Trojan horse. We have examined the code contained in this Trojan horse and it doesn't delete any files or change anything in Mac OS X, but we cannot be sure exactly what this Trojan horse is doing now, or whether it will have other effects in the future. In any case, protecting users now is better than responding too late, especially when we are aware of the threat."
UPDATE: Update from Symantec coming
Symantec's Cary Kwok told MacFixIt that a new virus definition for Norton AntiVirus, addressing the "MP3Concept" vulnerability, is on its way:
"Concept (MP3Virus.Gen) is a Trojan that embeds mp3 data in an application. Once the file is executed, the Trojan executes and displays the following message -- "Yep, this is an application. So what is your iTunes playing right now?" After displaying the message, the program launches iTunes and plays the mp3 file.
"The Trojan will only execute if opened as an attachment. If the file is downloaded and opened through iTunes, the mp3 will play but the Trojan will not execute. This Trojan does not contain any malicious code. MP3Concept is a proof-of-concept Trojan and is not currently seen "in the wild" -- it is not spreading and infecting Mac users.
"Symantec Security Response is planning to post a definition today for the Trojan and we will continue to closely monitor for any unusual activities as well as other potential threats to the Mac OS X platform. "
Feedback? Late-breakers@macfixit.com.
This whole thing is a non-story. See below for details.
Intego was even forced to clarify themselves:
http://intego.com/news/pr41.html
Basically, EAT ME!
knee-jerk web reporting, as well as Windows in general.
MacOS X is impervious to this, builtin (at least 10.3) everywhere that matters.
See this screenshot as a start:
Protection: http://homepage.mac.com/kaicherry/mail.jpg
You can't actually mail this to anyone; mail will TELL THEM it's an application.
It cannot run automatically. It's built into the system.
In fact for this to be effective at all, you'd have to change the finder from its
default state to its Mac OS 9 wannabe setup.
This "trojan" is basically cut/pasting a document icon on an application.
Even cleverly constructing said app inside an mp3 does not seem to fool the
system into thinking it's not got a CFM PowerPC executable app on its hands.
Nothing that is a direct executable can be attached to a mail message without
apple mail detecting what it truly is after you click it but before it can do any
harm.
Applescripts, shellscripts, etc...none of this can run automatically, or mask
what it really is from the Finder, or mail.
I think everyone that has a concern about this should simply try for themselves:
make anything that is a program look like something else, then add it
as a mail attachment.
The fact that Windows mail client seems to NOT do this one simple thing by
default seems to be a bigger problem than anything else, one has to *really*
wonder about a company's motivation behind announcing *this* and the
Great Lost MacOS X Trojan.
I find it hard to believe that they issued a well written "Dihydrous Oxide"-like
warning for what amounts to an icon spoof trick that will never get past the
built-in free with OS mail client.
Take your own screenshots and spread the word. And let everyone that wants
to republish this w/o checking know that the OS already knows this trick, but
more importantly, Mail does.
-K
<i>MacOS X is impervious to this, builtin (at least 10.3) everywhere that matters.
See this screenshot as a start:
Protection
You can't actually mail this to anyone; mail will TELL THEM its an application.
It cannot run automatically. Its built into the system.
In fact for this to be effective at all, you'd have to change the finder from its
default state to its Mac OS 9 wannabe setup.
</i>
You're incorrect on this. The message you're mentioning is from Mail, not from the finder. Mail is the one warning you that it's an App. You're making the assumption it's mailed to you. What if you download the file from some other source? You will not be warned in that case.
Secondly, you assume everyone uses Apple's Mail application for mail. This is also wrong. I use Powermail. Many people use Entourage. These programs may or may not work the same way, it depends on the software.
Thirdly, you make the assumption that because a user gets a warning that it's an app, they are wise enough not to click "OK, but run it anyway". Windows users do this all the time. Why do you think the Bagle/Netsky viruses are running rampant all over the place?
<i>The fact that Windows mail client seems to NOT do this one simple thing by default seems to be a bigger problem than anything else, one has to *really* wonder about a company's motivation behind announcing *this* and the
Great Lost MacOS X Trojan.</i>
Windows mail programs differ on how they handle this just like Mac programs. MS's software will warn you, as does Eudora. This is true not just of Apps, but of Word and Excel files. This, plus that most virus firewalls just strip out EXEs being passed, is why the latest trojans on windows are in zip files (and then in encrypted zips).
Beyond the fact that this isn't a mail problem, it's also an old problem. This has been feasible/easy in OS 7/8/9 as well.
application so as to trick a user into clicking on it. There's no actual
trojan horse, even, it's just a what-if.
us, and represents an oversight in the way Mac OS X handles presenting the
file to the user. In the case of this proof of concept, a file can be made to
appear as an ordinary mp3 file, complete with the familiar icon and .mp3
extension, and even audio content. However, the file contains a PowerPC code
fragment - a piece of executable code; a little application - that can be made
to do anything the author desires (limited by the permissions of the user
executing it). So yes, it could potentially do all those nasty things like erase
your home directory, kick your dog, etc. But here's how it does it: the file is
really a Carbon (CFM) application, with file type APPL. The two methods of
identifying files - file extensions (the new Mac OS X way) and file metadata
(e.g., type/creator, resource forks; the old way) - are in conflict. So Mac OS X
shows the file to you as an mp3, when in reality the behavior when
double-clicked is that of an application. Therein lies the problem: since the file
appears to be a legitimate mp3, a user may unwittingly double click it,
executing the potentially malicious code - thus the proper description of this
as a trojan horse. Further examination of the file, even a simple Get Info,
does reveal that while it appears to be an mp3, the OS does recognize it as
"Kind: Application". This special case - files that identify themselves as
applications, but have inappropriate extensions, such as mp3 - could be
easily handled by a security update. One other point about this trojan: since it
is a CFM application with a resource fork, it will be rendered useless by any
transfer method that does not explicitly retain the resource fork (compressing
with StuffIt or encoding with MacBinary, for example). All in all, an interesting
story, but it really represents taking advantage of a minor oversight in the
way Mac OS X displays and handles potentially conflicting file extensions
versus legacy metadata. Not really big news. :-) There is a proof of concept of
this trojan here (though named "virus.mp3", this is not a virus):
http://www.scoop.se/~blgl/virus.mp3.sit
Upon closer examination, the proof-of-concept trojan actually contains its
own copy of iTunes' mp3 icon. The only area where this trojan is actually
taking advantage of something that could legitimately be referred to as a Mac
OS X shortcoming is the ability to display itself as a file with a .mp3 file
extension, while still being handled by the operating system as an application.
This is, once again, a function of the type/creator metadata, which takes
precedence over file extensions. This trojan is almost pure social engineering,
and not really an "exploit": it's one step away from merely creating a
malicious Carbon application and giving it an mp3 icon, which is trivial, and
naming it with a .mp3 extension. The one additional feature of the trojan is
that it actually is a valid mp3 file, and when double clicked, the application
part of the code actually spawns iTunes and plays the mp3 content in iTunes,
making it appear to the untrained eye to be a normal mp3; but once double
clicked, the damage is done, regardless. One might argue that by doing
something like spawning iTunes and playing itself as an mp3, a malicious
trojan may hide its true intent or confuse the user for just a few moments
longer, but either way, the damage has begun - and likely ended - before the
user has even noticed.
The only way for Apple to "fix" this would be to universally visually identify
executable applications in some fashion. Whether or not this comes to pass,
the true source of real widespread damage from trojans, virii, and worms is
their ability to spread. Since any raw transmission without encoding that
preserves resource forks effectively neuters the trojan, and since there are no
easy ways to mass-propagate a virus using Windows- and Outlook-style
methods on Mac OS X, this is really not a major issue at all. The "issue" has
been around since Mac OS X Public Beta, and the metadata vs. file extension
issue has been discussed at length. Carbon (and Classic) applications need to
identify themselves with metadata, and clearly, anyone can make a malicious
application and disguise it or advertise it as something else. The only
difference now is that someone actually made a working proof-of-concept of
an MP3 trojan - it could actually be any document file type - to demonstrate
the issue, and a virus software company issued an alarmist press release.
If you're out to cause harm, you will likely do more damage sending out a
friendly email message politely asking people to move their home directories
to the trash.
The concept here is nothing more than taking a Carbon application that
identifies itself as such via metadata, and giving it a name like whatever.mp3.
That's it.
Carbon/Classic applications have to be able to be run with any name, since
that's how they have existed for over 17 years prior to Mac OS X's release. I
can make a trojan horse right now:
I'll take Fetch, a Carbon application, paste a Word icon onto it, and name it
"Important file.doc". Voila, a trojan horse Word document that is actually an
FTP client!
So, for something that has been theoretically possible for over 20 years on
the Macintosh and 4 on OS X, Intego realizes that it can capitalize on a
USENET discussion. The extremely basic proof of concept actually does
nothing, and Intego issues a press release that makes it look like:
- it erases files
- infects other files
- emails itself to others in your address book
All are one hundred percent false.
Additionally, this file identifies itself as an application to the user in every
Finder view *except* icon view. I'll agree that icon view is common, and that
by just looking at it in icon view or on the desktop, it appears to be an MP3.
However, thinking about this further, I see no way that Intego's product can
protect against *anything* except this *one* proof-of-concept that's nothing
more than an example, that actually doesn't even do anything - including
spread itself in any way! So all this amounts to is a theoretical possibility that
has existed for over two decades!
The ONLY way this could be specifically "solved" on Mac OS X is for the OS to
visually identify or flag any executable file in some fashion. But you can't
technologically defend against every kind of social engineering.
The gates to Troy didn't open on their own.
The proof of concept is actually an app. What it plays is one of the default
iMovie sound effects.
-K
Um, yes I am aware of this.
It is an app that also is a legitimate MP3 file.
Why is it important that it plays as an MP3? The ONLY argument here is that
since the user expects it to play when double clicked, the fact that iTunes
opens and plays distracts from the fact that it may be doing nasty other
things.
But either way, once double clicked, the damage is done. The real issue is
being able to appear as an mp3 - complete with mp3 file extension - and
actually be an application. Everything else is pure social engineering, which
cannot be protected against. The fact that it actually contains MP3 data - or
an image, or anything else - is merely a novelty.
especially now that it has received wide publicity.
It is also fairly trivial to defend against - a simple cp of your mp3 folder will
strip out any resources (though some use them to store additional info eg
MP3 Rage can do this).
Or, even more simply - do a search for extension = .mp3 AND TYPE=APPL
Should also be easy to write a folder action script that checks extension
against type and alerts you if they are wrong. No need to pay Intego for that.
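A scripted form of the check this post and the article's Finder search both describe (a data-file extension paired with a legacy type code of APPL), written as an added example; it is not code from MacFixIt, Intego or any poster. It assumes the macOS `xattr` tool is on PATH, that the type and creator codes occupy the first eight bytes of the `com.apple.FinderInfo` attribute, and uses a constructed list of "data" extensions.

```python
#!/usr/bin/env python3
"""Flag files whose legacy type code says 'application' while the file
extension claims an ordinary data document (the MP3Concept disguise)."""
import os
import subprocess
import sys

# Constructed list: extensions a user would expect to be data, not programs.
DATA_EXTENSIONS = {".mp3", ".jpeg", ".jpg", ".wmv", ".mov", ".doc", ".pdf", ".txt"}

# Classic (CFM/Carbon) applications carry file type APPL in the 32-byte
# com.apple.FinderInfo attribute: bytes 0-3 are the type, 4-7 the creator.
APPLICATION_TYPE = b"APPL"


def parse_finder_info(blob):
    """Return (type_code, creator_code) from a FinderInfo blob, or None."""
    if blob is None or len(blob) < 8:
        return None
    return blob[0:4], blob[4:8]


def classify(filename, finder_info):
    """Compare the legacy type code against the file extension.

    Returns 'disguised-app' when the type is APPL but the name ends in a
    data extension, 'app' for an honestly named application, else 'data'."""
    ext = os.path.splitext(filename)[1].lower()
    codes = parse_finder_info(finder_info)
    if codes is None or codes[0] != APPLICATION_TYPE:
        return "data"
    return "disguised-app" if ext in DATA_EXTENSIONS else "app"


def read_finder_info(path):
    """Read com.apple.FinderInfo for one file.

    Uses os.getxattr where the Python build provides it (Linux); otherwise
    falls back to the macOS `xattr -px` tool (assumed to be on PATH)."""
    try:
        return os.getxattr(path, "com.apple.FinderInfo")
    except AttributeError:
        pass  # no os.getxattr on this platform, fall through to the tool
    except OSError:
        return None  # attribute absent or unsupported filesystem
    proc = subprocess.run(["xattr", "-px", "com.apple.FinderInfo", path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return bytes.fromhex("".join(proc.stdout.split()))


def scan(root):
    """Walk root and list files that present as data but carry type APPL."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if classify(name, read_finder_info(path)) == "disguised-app":
                hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("type APPL but data extension:", hit)
```

Run it against a music folder to get the same list the Finder search (Name contains .mp3, Kind: application) would show; a bundle-style .app is a directory and is not flagged, only flat CFM files are.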
application's name and icon to make it appear to be an innocuous data file.
And other applications could often be tricked to open it as a data file, too -
as long as they didn't check the file's type code. In Mac OS X any tagged file
format (or which has a way to insert nonvisible binary data as a comment) is
vulnerable to this.
iTunes accepts any type code, probably to ease portability; it's easy to edit its
info.plist to remove the "****" type code which is responsible for that. But this
is no protection; it simply removes the "social engineering" aspect which
others have remarked on.
Mac OS X has a mechanism, apparently implemented to allow old .smi files to
be opened by the (now-defunct) Disk Copy program: if you double-click on a
Classic application whose extension is claimed by a native application, it's
opened as a data file by the native application. I suppose one could extend
that mechanism to work for native CFM apps too, and this might give some
protection.
However, I suppose that if you have an application with some enticing name
and a known document icon, even if it has no extension at all, someone
would double-click on it without checking.
(fear, uncertainty, doubt) and worry OS X users? What would their motivation
be?
From their site:
"As the dangers of the Internet grow, Intego is hard at work, developing new
software to protect users and their Macs from the latest security and privacy
threats. We protect your world."
They fail to mention the fact that they stand to financially benefit from this
rash announcement. Peter Norton would be proud. You protect my world? No
thanks. Go sell your alarmist crap to the PC crowd.
See this article for more on this phenomena:
http://www.vmyths.com/rant.cfm?id=35&page=4
---
Chris Barth ::::::::::::::::::::::::::::::
iMac G4/800 17" - OS X 10.3.2
iPod 15GB
That was exactly my first thought. How else would a company sell their products, if there are no threats? They make up a threat!
Now, let's see how big a can of worms they've opened up, giving people ideas to attack Mac OS X.
I heard that the same thing more or less happened in the Windows world once upon a time, and that sure opened up a huge can of worms. And see now how virus-infected the Windows world is. *sigh*
I think it's bad form and a really bad sales trick. I will not buy their product, that's for sure. Overpriced, and you have to buy "a new version" each year. I think I'll stick with Virex, which I got for free through my .Mac account, and they update their protection without charging me an arm and a leg each year.
tackle illegal MP3 downloads!
Firstly they got on to Napster/Gnutella and Kazaa and uploaded
thousands of tunes with high pitched squeals in order to damage
the ears of youngsters and now they have worked out that if they
apply these trojans into MP3s they can target all the other *.mp3
files on the computer system and delete them accordingly; be it
either Mac or PC.
In order to keep artists in business, this is a really good idea and
will assist in cleaning up the illegal swapping of music on the
internet.
And how exactly does it determine which tracks are legal and which aren't? I
mean, really, what are you talking about? That's just crazy.
Do some investigating some time on how the recording industry really works.
It's not in your favor or in the best interest of the recording artists. Follow the
money. Supporting a bunch of money hungry corporate fatcats doesn't help
keep the artists in business. The idea that any scheme could or will stop
people from trading music online is ridiculous.
New business model please!
---
:::Chris Barth:::
Haven't you noticed that the RIA is trying everything it can to stop MP3s? Why
should this trojan be anything different?
I don't condone what they are (allegedly) doing, however they will try to
protect their interests any which way they can. I don't blame them as they
have a right to run their businesses as we do ours.
Honestly, you cannot respect music that has been illegally downloaded from
the internet. I know I can't!
Actually, no, since peer-to-peer networks do not preserve resource forks.
It is possible to exploit security holes (namely buffer overflows) in apps.
There's a way to put worms into images this way, but this is a bug in the
player, not in the OS.
by NaOH, April 10, 2004 1:19 AM PDT
Just a little suggestion on how Apple could work around this issue.
You have all probably noticed how an alias will get a little arrow in the bottom left hand corner of the icon.
How about making a tiny diamond shape appear, when an app has had its default icon pasted over by something else, or its file extension indicates it's a different kind of file?
Some of you may remember the User Interface Guidelines, which Apple drew up for the original Macintosh System. In those guidelines, Apple stated that the recommended icon for an Application should be some kind of diamond shape, with a pen, or some other kind of writing tool, pointing onto the diamond shape.
This old faithful standard could be used, to assist users in identifying what a given file is REALLY up to. The little symbol need only appear when there is a conflict between the metadata and the file extension/icon.
I hope this little idea can be adopted and used to minimise the danger of applications masquerading as files in the future. (Apple 'borrowed' the little arrow in the corner of the alias from Windows, surely it isn't wrong to improve on the idea?)