Free Republic

Intego warns of Trojan Horse for OS X, offers update
Macintosh News Network ^ | April 8, 2004

Posted on 04/08/2004 12:52:52 PM PDT by HAL9000

Edited on 04/29/2004 2:04:11 AM PDT by Jim Robinson.

Intego today said it released updated virus definitions for Intego VirusBarrier to protect Mac users against the first Trojan horse that affects Mac OS X. This Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files: "The Trojan horse's code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X. Intego says the malicious application can delete files, propagate itself by sending a message to other users, and also infect other MP3, JPEG, GIF or QuickTime files.


(Excerpt) Read more at macnn.com ...


TOPICS: News/Current Events; Technical
KEYWORDS: apple; bwahahahahahaha; computersecurity; lowqualitycrap; macosx; macuser; mp3concept; trojanhorse
To: general_re
Try: man sudo.

That's not going to help if I actually want to do something with sudo. :) It'll have to open a terminal first though.

Anyway, let's just sit back and see 1) what percentage of Macs get infected and what degree of harm is done, and 2) see how long it takes for a fix. With the critical IE bug released today it would be nice to see the race.

21 posted on 04/08/2004 2:54:37 PM PDT by antiRepublicrat

To: HAL9000
Backup!

I use a FireWire drive to back up my computer and then disconnect it. I also back up critical data on my central server.
22 posted on 04/08/2004 4:28:09 PM PDT by DB (©)

To: HAL9000
Yes, but those same users have probably forgotten their administrator password anyway.

Oops. No daemons for you. Guess they won't be installing a virus scanner that could catch this sort of thing. Or patching their system once a fix is available. Or doing anything else that requires root privs to accomplish.

23 posted on 04/09/2004 8:37:11 AM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)

To: antiRepublicrat
It'll have to open a terminal first though.

Don't blink - you might miss it.

In any case, this little bug takes care of the first half of breaking your system - surreptitiously running my code on your box. From there, I can try to social-engineer my way into rooting everything, or I can try to exploit other holes into rooting everything. Or I can not bother and just wipe out everything in your home directory, which, as someone else pointed out above, is where you keep everything valuable to you anyway. The guy who gets his dissertation erased the week before he was set to hand it in is likely not going to be comforted by the fact that his box wasn't rooted. :^)

24 posted on 04/09/2004 8:58:07 AM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)

To: general_re
In any case, this little bug takes care of the first half of breaking your system - surreptitiously running my code on your box.

It's definitely serious, but it does require a bit more work to get on your system than someone reading an email or visiting a web site, or just being on the net period.

I wonder if this is going to be handled by Apple as a virus issue ("update your antivirus") or if they'll fix the bit that allows the program to appear as an innocent file. I don't always trust Apple to do the right thing.

25 posted on 04/09/2004 9:35:24 AM PDT by antiRepublicrat

To: antiRepublicrat
Closing the file-type hole is the way to go, IMO. Pushing the problem off to third-party AV vendors would be a mistake.
26 posted on 04/09/2004 9:51:10 AM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)

To: antiRepublicrat
Of course, it's not like there's no precedent for pushing the problem off onto third-party vendors - they could pull a Microsoft move out of their hats ;)
27 posted on 04/09/2004 9:52:34 AM PDT by general_re (The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)

To: HAL9000
While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.

Everybody missed this line.

28 posted on 04/09/2004 2:33:22 PM PDT by amigatec (There are no significant bugs in our software... Maybe you're not using it properly.- Bill Gates)

To: Bush2000; antiRepublicrat; LasVegasMac; Action-America; eno_; N3WBI3; zeugma; TechJunkYard; ...
Yes, it has happened. The first OS X Trojan horse has made its appearance.

As always, if you want to be included or excluded on the Mac Ping list let me know through Freepmail.

Swordmaker
29 posted on 04/09/2004 10:03:52 PM PDT by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)