Free Republic

Intego warns of Trojan Horse for OS X, offers update
Macintosh News Network ^ | April 8, 2004

Posted on 04/08/2004 12:52:52 PM PDT by HAL9000

Edited on 04/29/2004 2:04:11 AM PDT by Jim Robinson.

Intego today said it released updated virus definitions for Intego VirusBarrier to protect Mac users against the first Trojan horse that affects Mac OS X. This Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files: "The Trojan horse's code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X." Intego says the malicious application can delete files, propagate itself by sending a message to other users, and also infect other MP3, JPEG, GIF or QuickTime files.


(Excerpt) Read more at macnn.com ...


TOPICS: News/Current Events; Technical
KEYWORDS: apple; bwahahahahahaha; computersecurity; lowqualitycrap; macosx; macuser; mp3concept; trojanhorse

1 posted on 04/08/2004 12:52:53 PM PDT by HAL9000

To: HAL9000
I thought this sort of thing "couldn't happen" with OS X...

A little reality check for those who thought it couldn't.
2 posted on 04/08/2004 12:56:46 PM PDT by DB (©)

To: HAL9000
BUT BUT BUT it can't happen on a MAC.
3 posted on 04/08/2004 12:57:27 PM PDT by finnman69 (cum puella incedit minore medio corpore sub quo manifestus globus, inflammare animos)


To: HAL9000
Look deeper on Mac sites; this is bogus. They are trying to sell you their software.
5 posted on 04/08/2004 1:00:39 PM PDT by wiseone

To: DB
That has never been the claim. The claim has always been that people who spend time on their Apple computers tend to be more civilized than the hacking crowd ensconced on other systems. Also it could not have happened prior to Apple moving to a Unix-based kernel with an open architecture. It still only points to the need for one to pay attention to what one opens no matter what system they use.
6 posted on 04/08/2004 1:04:44 PM PDT by jnarcus

To: HAL9000
This isn't really much of a virus or worm, as it would only be able to damage the user's personal files, and is just a stupid filename/resource fork trick.

But, yeah, all software sucks. Some software just sucks less.

I am not a Mac user, BTW.

7 posted on 04/08/2004 1:06:32 PM PDT by B Knotts (Salve!)

To: jnarcus
"Also it could not have happened prior to Apple moving to a Unix based kernel with an open architecture."

Huh?

Sure it could. This is just an exploit of user ignorance regarding resource forks and file extensions. You could have created the same exploit on previous versions of Mac OS. The chief difference is that, under older versions of Mac OS, this exploit would have toasted the whole system, instead of just your personal files.

8 posted on 04/08/2004 1:13:10 PM PDT by B Knotts (Salve!)

To: jnarcus
Actually, let me rephrase that...it's not really user ignorance...it's kind of an inherent weakness of resource forks. Since the resource fork is kind of a "black box," it allows for situations like this, since you can just take any file, and stick in an AAPL creator code with whatever icon you like, apparently.

This is not all that much unlike the "hidden file extension" problem on Windows.

That said, I like the idea of resource forks/extended attributes. There just needs to be some tweaking of the concept to prevent tricks like this.

9 posted on 04/08/2004 1:18:06 PM PDT by B Knotts (Salve!)
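The mismatch discussed in the post above (a file whose name says "media" while its Finder metadata says "application") can be checked mechanically. The following is an added example, not code from the thread or from Intego. It assumes the 32-byte FinderInfo record (type code in bytes 0-3, creator code in bytes 4-7), which macOS exposes as the `com.apple.FinderInfo` extended attribute, and the classic type code `APPL` for applications; the function names and all sample records are constructed for illustration.

```python
import struct

# File extensions a user expects to be passive media (the kinds the article names).
MEDIA_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".gif", ".mov"}
APPLICATION_TYPE = b"APPL"  # classic Mac OS type code that marks an application


def parse_finder_info(blob):
    """Return (type_code, creator_code) from a 32-byte FinderInfo record."""
    if len(blob) != 32:
        raise ValueError("FinderInfo record must be exactly 32 bytes")
    return struct.unpack_from(">4s4s", blob, 0)


def looks_disguised(filename, finder_info):
    """True when the name says 'media' but the metadata says 'application'."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext not in MEDIA_EXTENSIONS or not finder_info:
        return False  # not a media name, or no Finder metadata to contradict it
    file_type, _creator = parse_finder_info(finder_info)
    return file_type == APPLICATION_TYPE


def scan(entries):
    """entries: iterable of (filename, FinderInfo bytes or None)."""
    return [name for name, info in entries if looks_disguised(name, info)]


def make_info(file_type, creator):
    """Build a constructed FinderInfo record: type, creator, 24 zeroed bytes."""
    return file_type + creator + bytes(24)


# Constructed sample data, not taken from any real file.
SAMPLES = [
    ("song.mp3", make_info(b"MPG3", b"hook")),        # media name, media type
    ("free_track.MP3", make_info(b"APPL", b"????")),  # media name, application type
    ("Installer", make_info(b"APPL", b"????")),       # honest application
    ("photo.gif", None),                              # no Finder metadata at all
]

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("extension/type mismatch:", name)
```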

To: HAL9000
Not great. But what we have found is a method to trick the GUI into presenting a purposely downloaded or saved program as a playable file, tricking people into running it. You won't get hit by just reading your email as on other systems we know of. The damage to the system will then be the infection or deletion of the user's files, period. That is all they could manage with a virus (an actual locally executed file) on a Mac. No trashing system files or permanently infecting the computer. An equivalent virus on a Windows machine could leave the OS a pile of smoking rubble.

After several years, someone finally found out how to infect a Mac, and we'll have to wait and see what kind of damage it will cause relative to the installed user base. I expect not much. There is no security in computers, only relative levels of security. And OS X has shown itself so far to be far more secure than any version of Windows.

Also, let's start the clock for time to patch.
10 posted on 04/08/2004 1:18:57 PM PDT by antiRepublicrat

To: antiRepublicrat
"The damage to the system will then be the infection or deletion of the user's files, period. That is all they could manage with a virus (an actual locally executed file) on a Mac."

"Enter your administrator password to update your system!"

And some fraction of users will do it. I know it, you know it, we all know it ;)

11 posted on 04/08/2004 1:27:53 PM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)

To: general_re
"Enter your administrator password to update your system!"

Most people on Macs will be running as Administrator, but that's not the same thing as it is on Windows. Those more advanced users who want to mess with Windows-like admin privileges ("root") that can actually screw the system first must set up access to root, which is by default disabled. Those advanced users are less likely to fall for stupid tricks. It's possible it could still happen, but a trojan built to trash OS X installations would have very few successes.

12 posted on 04/08/2004 1:40:24 PM PDT by antiRepublicrat

To: antiRepublicrat
Unless there's a buffer overflow lurking somewhere. I don't know if the OS X kernel defends against those. Doesn't seem to.
13 posted on 04/08/2004 1:52:07 PM PDT by B Knotts (Salve!)

To: antiRepublicrat
"Those more advanced users who want to mess with Windows-like admin privileges ("root") that can actually screw the system first must set up access to root, which is by default disabled."

Try: man sudo.

Anyway, that's knocking on the front door. There are privilege escalation bugs in unpatched OSX systems, and probably ones in patched machines that have yet to be discovered by the wider world.

14 posted on 04/08/2004 2:09:25 PM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)

To: jnarcus
"The claim has always been that people who spend time on their Apple computers tend to be more civilized..."

Classic.
15 posted on 04/08/2004 2:14:23 PM PDT by DB (©)

To: B Knotts
As if my "personal" files are less valuable than the operating system...

My "personal" files are the only files of great value on the computer to begin with so that's hardly a minor issue.
16 posted on 04/08/2004 2:20:36 PM PDT by DB (©)

To: DB
"I thought this sort of thing "couldn't happen" with OS X..."

Nobody ever said it couldn't happen ... only that it rarely happens. My Macs have been hit a couple of times in the past.

17 posted on 04/08/2004 2:24:10 PM PDT by al_c

To: HAL9000
It's all part of the Vast Right-Wing Conspiracy, dontcha know.
After all, the majority of Mac users are stinking liberals.
I'm sure they are already blaming this on Bush, Cheney, the Carlyle Group, Microsoft, and Starbucks.
18 posted on 04/08/2004 2:29:22 PM PDT by rivercat (Welcome to California. Now go home.)

To: DB
Yes, to you. However, nuking someone's personal files doesn't result in turning the machine into a DoS attack node, wreaking havoc on the Internet.
19 posted on 04/08/2004 2:33:10 PM PDT by B Knotts (Salve!)

To: general_re
"Enter your administrator password to update your system!" And some fraction of users will do it. I know it, you know it, we all know it ;)

Yes, but those same users have probably forgotten their administrator password anyway.

Meanwhile, my neighbor called last night and told me that his Windows computer was destroyed by a real virus. He lost all of his files.

20 posted on 04/08/2004 2:44:25 PM PDT by HAL9000

