Boing Boing Staging

First malware for OS X?

One of the selling points of OS X has been, to date, the lack of any viruses, worms, or Trojan horses. Intego reports that it has identified a Trojan horse called MP3Concept.

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file . While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.

Link

Meeroh sez: The Mac OS X mp3 trojan is being blown completely out of proportion. Quick review of facts so far:

1. It was pointed out in a Usenet thread that it is possible to embed arbitrary data in an mp3
2. It was subsequently suggested that the arbitrary data could be executable
3. An enterprising developer proceeded to then create a file which to any mp3 player will appear as an mp3 file, but the Mac OS X Finder sees it as an application
4. An anti-virus vendor published advertising for their product saying that it has a cure for this form of Trojan.

Some other relevant points:

1. This has little to do with Mac OS X vs. Mac OS 9. The exact same file will do the exact same thing on Mac OS 9 — be playable by mp3 players, and act as an application
2. This has little to do with Mac OS X using extensions to identify file types. The icon shown by the Finder could be embedded in the file itself, in which case the file would look like an mp3 file regardless of its name.
3. This trick requires using the resource fork, and therefore the file has to be transmitted encoded. Any mp3 file that is transferred as a plain binary file (as opposed to a Mac binary file, with the resource fork), is harmless.
4. The fact that the file can be played in am mp3 player is irrelevant; if the trojan were malicious, the user would be doomed after double-clicking on it regardless of whether the file is a valid audio file.

To summarize, a Mac application can have any icon or name whatsoever, including a name and an icon that make it look like a document. Exactly what happens when you receive such an application (in email or by downloading it in your browser) depends on your settings, but I am not aware of any case in which it will be automatically launched.

Therefore, to activate this Trojan you have to either receive a Mac-encoded attachment and double-click on it in the Finder, or you have to download a Mac-encoded a file (which is then usually decoded to your desktop) and double-click it in the Finder.

The only reason that this is news is that a vendor of anti-virus software took it as an opportunity to generate some advertising, as far as I can tell.

Exit mobile version