Mac OS X first true Trojan Horse

2007-10-31 Thread Peter Hinchliffe
An article by Rob Griffiths at Macworld describes what might be the  
first genuine Trojan Horse which might affect an average Mac user:


http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php?lsrc=mwrss


Worth a read, if only to maintain the awareness. We may well see more  
of this sort of stuff begin to surface as the popularity of the Mac  
and Leopard grows.



--
Peter Hinchliffe        Apwin Computer Services
FileMaker Pro Solutions Developer
Perth, Western Australia
Phone (618) 9332 6482    Fax (618) 9332 0913

Mac because I prefer it -- Windows because I have to.



-- The WA Macintosh User Group Mailing List --
Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
Unsubscribe - <mailto:[EMAIL PROTECTED]>


Re: Onno and the Trojan Horse

2004-04-11 Thread logrythm

You don't know hardship!
I 'ad to use an IBM Pentyum 1 'undred usin' Windows 95!!
You're all soft by 'eck!!

Paul

James Green wrote:



A slide rule?! Luxury


On Saturday, Apr 10, 2004, at 10:32 Australia/Perth, John Taylor wrote:

IBM 1620? You're lucky! I used to live in a shoe-box in't middle of 
the road and work it all out on a slide rule!


Best wishes,

John

On 9 Apr 2004, at 6:37 PM, Rob Phillips wrote:


On Fri, 2004-04-09 at 12:45, Peter Hinchliffe wrote:

 It may be a little too early to panic over this. Apparently, it's  
doubtful if the virus exists as anything more than a "proof of 
concept"  that such a thing is possible.



Uhm, from what I've read so far, this is not a virus or a trojan horse
at all. It's a concept of social engineering. The idea is that you can
make an attachment look like one thing and be another.

A virus spreads without your intervention - AFAIK this doesn't.

A trojan horse pretends to be one thing while doing another - AFAIK this
isn't.


(PS. If you've got something to rebuke the above, I'm all ears



And I thought it was nose... :-)


- I
don't profess to know everything about everything, but I'll confess I
know a lot about a great many things to do with computing



I see you're still working on your modesty!


 - hint: I've
been doing this for a few years :-)

(Second hint: My first computer was a Commodore Vic-20)



and my first computer was an IBM 1620(?) in 1973.  It was the first 
computer at UWA, and took up about a lounge room.  UWA decommissioned 
it for a new machine and turned it over to students to play with.  I 
used to sneak into the Physics building to play with it on weekends. 
Andrew Marriott who teaches in Comp Sci at Curtin was another, with a 
guy called Mike Palm.  All input and output from the computer was 
thru punched cards, even loading the operating system.  I would guess 
the operating system took up 800 cards -> 800 lines of code.  How 
things have changed...


Anyway, Sev Crisp from Albany, who was teaching me Physics at the 
time, probably used this machine before I got to it.  I used to do 
fun(?) things like solving integrals numerically using the 
Newton-Raphson method.  It took 20 minutes for something a $200 
calculator would now do in a flash.


Back to my wheelchair...

Rob

PS. I first used email and chat in 1982.






--
---
Dr Rob Phillips, Senior Lecturer, [EMAIL PROTECTED]
Room 4.38 Teaching and Learning Centre, Library North Wing
Murdoch University, South St, Murdoch, 6150, Perth, AUS
Phone: +61 8 9360 6054    Mobile: 0416 065 054
Chair, 2004 ASCILITE Conference, 
http://www.ascilite.org.au/conferences/perth04/

---




Regards,

John Taylor












Re: Onno and the Trojan Horse

2004-04-11 Thread James Green


A slide rule?! Luxury


On Saturday, Apr 10, 2004, at 10:32 Australia/Perth, John Taylor wrote:

IBM 1620? You're lucky! I used to live in a shoe-box in't middle of 
the road and work it all out on a slide rule!


Best wishes,

John

On 9 Apr 2004, at 6:37 PM, Rob Phillips wrote:


On Fri, 2004-04-09 at 12:45, Peter Hinchliffe wrote:
 It may be a little too early to panic over this. Apparently, it's  
doubtful if the virus exists as anything more than a "proof of 
concept"  that such a thing is possible.


Uhm, from what I've read so far, this is not a virus or a trojan horse
at all. It's a concept of social engineering. The idea is that you can
make an attachment look like one thing and be another.

A virus spreads without your intervention - AFAIK this doesn't.

A trojan horse pretends to be one thing while doing another - AFAIK this
isn't.


(PS. If you've got something to rebuke the above, I'm all ears


And I thought it was nose... :-)


- I
don't profess to know everything about everything, but I'll confess I
know a lot about a great many things to do with computing


I see you're still working on your modesty!


 - hint: I've
been doing this for a few years :-)

(Second hint: My first computer was a Commodore Vic-20)


and my first computer was an IBM 1620(?) in 1973.  It was the first 
computer at UWA, and took up about a lounge room.  UWA decommissioned 
it for a new machine and turned it over to students to play with.  I 
used to sneak into the Physics building to play with it on weekends. 
Andrew Marriott who teaches in Comp Sci at Curtin was another, with a 
guy called Mike Palm.  All input and output from the computer was 
thru punched cards, even loading the operating system.  I would guess 
the operating system took up 800 cards -> 800 lines of code.  How 
things have changed...


Anyway, Sev Crisp from Albany, who was teaching me Physics at the 
time, probably used this machine before I got to it.  I used to do 
fun(?) things like solving integrals numerically using the 
Newton-Raphson method.  It took 20 minutes for something a $200 
calculator would now do in a flash.


Back to my wheelchair...

Rob

PS. I first used email and chat in 1982.









Regards,

John Taylor








Re: Trojan Horse - Not (Update)

2004-04-10 Thread Onno Benschop
On Sat, 2004-04-10 at 14:12, James Devenish wrote:
> But...what can Apple do about this?

As you already pointed out, we've been living with this for some time -
in fact since 1984 - did you know that the System File used to "be" a
text-file if you opened it in a text-editor? (You could read all about
the blue meanies.)

It reminds me of the introduction of network printing. All of a sudden
you could print to a printer that wasn't attached to your computer.
People were up in arms because all of a sudden the Sales department
printer could be abused by the Marketing department - since the Sales
department would have their budget and the Marketing department could
use Sales department consumables and you couldn't track it!

So people spent a whole lot of energy and resources building printer
accounting software, tracking jobs in small offices, installing print
servers with counters, adding page counters, key cards - you name it, to
stop the potential of the Marketing department spending any of the Sales
department budget.

Only one problem.

The Marketing department had to actually collect the print job, thus
making it really obvious that they'd used the Sales printer.

Moral of this story: "Don't fix things that aren't broken."

In short, if the reports we have are correct that this "Virus" is just
an Application with a data-fork that contains MP3 data then Apple
doesn't need to do anything at all.

Agreed, a cool idea would be to require that each base-type
(document/folder/application) has an OS tag of some sort on the icon.

I always found it really irritating to have to support those users who
thought it was cool to put a custom icon on *everything* and then expect
that I would be able to figure out how to support them and not drive
myself mad attempting to open a folder when it was an application or a
document.

Onno Benschop 

Connected via Optus B3 at S38°01'05" - E145°25'10" (Upper Beaconsfield, VIC)
-- 
()/)/)()..ASCII for Onno.. 
|>>?..EBCDIC for Onno.. 
--- -. -. ---   ..Morse for Onno.. 

Proudly supported by Skipper Trucks, Highway1, Concept AV, Sony Central, Dalcon
ITmaze - ABN: 56 178 057 063 - ph: 04 1219  - onno at itmaze dot com dot au



Re: Trojan Horse - Not (Update)

2004-04-10 Thread James Devenish
In message <[EMAIL PROTECTED]>
on Sat, Apr 10, 2004 at 12:12:54PM +0800, James Devenish wrote:
> something that could have been done readily since System 7 (custom
> icons).

(Sorry for continuing this thread.) I made an error -- this is nothing
to do with custom icons, it's to do with application icons. So, this
would have been present in System 6, too (and prior?).




Re: Trojan Horse - Not (Update)

2004-04-10 Thread Craig Ringer
On Sat, 2004-04-10 at 12:12, James Devenish wrote:
> Therefore, I guess that we've lived with this threat for more
> than a decade. It would seem that the "test of time" has shown this
> threat to be negligible. 

Until, of course, an anti-virus vendor jumps up and down and screams
"Look! A possible way to trick users! *hint* *hint* Isn't it scary!"

Craig Ringer



Re: Trojan Horse - Not (Update)

2004-04-10 Thread James Devenish
In message <[EMAIL PROTECTED]>
on Sat, Apr 10, 2004 at 11:15:32AM +0800, Craig Ringer wrote:
> On Sat, 2004-04-10 at 11:13, Craig Ringer wrote:
> > Yeah, that looks like it. My reading suggests a Mac application that
> > happens to have MP3 data in the [data] fork, 

Oh yeah...LOL. How incredibly lame -- is this any different to any Mac
app?? It basically sounds like a classical Trojan Horse -- is that why
it can be launched in the Classic environment ;-). This sounds like
something that could have been done readily since System 7 (custom
icons). Therefore, I guess that we've lived with this threat for more
than a decade. It would seem that the "test of time" has shown this
threat to be negligible. Should someone still fall for it, the MP3 ruse
might mean it takes a while for the person to realise the deception. But
Mac OS's track record suggests that people don't get into that situation
in the first place. (However, I haven't tried out the proof-of-concept,
and perhaps there is slightly more deception in Mac OS X than could have
been achieved with System 7.)

But...what can Apple do about this? Is there anything that it /should/
do? Could ban applications from having icons -- not a chance! Could ban
apps from having "deceptive" filenames -- define "deceptive"! Could add
a little 'badge' to the icons of all apps in the Finder (possible --
just as with aliases, I imagine).

% /Developer/Tools/GetFileInfo virus.mp3
file: "virus.mp3"
type: "APPL"
creator: "vMP3"
attributes: avbstclInmed
created: 03/20/2004 00:45:12
modified: 03/21/2004 01:49:04





Resource Forks [was: Re: Trojan Horse - Not (Update)]

2004-04-10 Thread James Devenish
In message <[EMAIL PROTECTED]>
on Sat, Apr 10, 2004 at 11:39:33AM +0800, Robert Howells wrote:
> Hm! For OS pre-OSX resource forks are normal but
> I thought that with OSX, resource forks no longer existed!

If resource forks no longer existed, all your Classic apps and System
Folders would have stopped working, and your old SimpleText files would
have lost all their formatting. Rather, Mac OS X no longer makes use of
resource forks for new applications -- but resource forks continue to
be supported as a legacy feature.




Re: Trojan Horse - Not (Update)

2004-04-10 Thread Robert Howells


On Saturday, April 10, 2004, at 11:15  AM, Craig Ringer wrote:


On Sat, 2004-04-10 at 11:13, Craig Ringer wrote:


Yeah, that looks like it. My reading suggests a Mac application that
happens to have MP3 data in the resource fork,


Uggh. I meant data fork. The /code/, icon, etc is in the resource fork,
if I guess correctly



Hm! For OS pre-OSX resource forks are normal but
I thought that with OSX, resource forks no longer existed!

Am I wrong ?

Bob



Re: Trojan Horse - Not (Update)

2004-04-10 Thread Craig Ringer
On Sat, 2004-04-10 at 11:13, Craig Ringer wrote:

> Yeah, that looks like it. My reading suggests a Mac application that
> happens to have MP3 data in the resource fork, 

Uggh. I meant data fork. The /code/, icon, etc is in the resource fork,
if I guess correctly.

Craig Ringer



Re: Trojan Horse - Not (Update)

2004-04-10 Thread Craig Ringer
On Sat, 2004-04-10 at 06:53, Onno Benschop wrote:
> As I suspected and wrote, this isn't a Trojan Horse at all:
> 
> <http://www.wired.com/news/mac/0,2125,63000,00.html?tw=newsletter_topstories_html>

All they seem to be saying is that because the sample exploit isn't
malicious, it's not a trojan. They do say something interesting though:

"The program can't be spread by e-mail or through a file-sharing network 
unless it is compressed using software like Aladdin's Stuffit. Failing 
to compress the MP3 file before sending it renders the software inoperative."

To me, this suggests that perhaps they're storing the code, icon, or
some other important part of the attack in the resource fork, or they
need the type/creator codes to be set a particular way.

Yeah, that looks like it. My reading suggests a Mac application that
happens to have MP3 data in the resource fork, a custom icon, and a
filename extension. It sounds like the app also plays itself when run.
Does this sound likely?

If so, it is an issue, but a pretty minor one.

Craig Ringer



Re: Onno and the Trojan Horse

2004-04-10 Thread John Taylor
IBM 1620? You're lucky! I used to live in a shoe-box in't middle of the 
road and work it all out on a slide rule!


Best wishes,

John

On 9 Apr 2004, at 6:37 PM, Rob Phillips wrote:


On Fri, 2004-04-09 at 12:45, Peter Hinchliffe wrote:
 It may be a little too early to panic over this. Apparently, it's  
doubtful if the virus exists as anything more than a "proof of 
concept"  that such a thing is possible.


Uhm, from what I've read so far, this is not a virus or a trojan horse
at all. It's a concept of social engineering. The idea is that you can
make an attachment look like one thing and be another.

A virus spreads without your intervention - AFAIK this doesn't.

A trojan horse pretends to be one thing while doing another - AFAIK this
isn't.


(PS. If you've got something to rebuke the above, I'm all ears


And I thought it was nose... :-)


- I
don't profess to know everything about everything, but I'll confess I
know a lot about a great many things to do with computing


I see you're still working on your modesty!


 - hint: I've
been doing this for a few years :-)

(Second hint: My first computer was a Commodore Vic-20)


and my first computer was an IBM 1620(?) in 1973.  It was the first 
computer at UWA, and took up about a lounge room.  UWA decommissioned 
it for a new machine and turned it over to students to play with.  I 
used to sneak into the Physics building to play with it on weekends. 
Andrew Marriott who teaches in Comp Sci at Curtin was another, with a 
guy called Mike Palm.  All input and output from the computer was thru 
punched cards, even loading the operating system.  I would guess the 
operating system took up 800 cards -> 800 lines of code.  How things 
have changed...


Anyway, Sev Crisp from Albany, who was teaching me Physics at the 
time, probably used this machine before I got to it.  I used to do 
fun(?) things like solving integrals numerically using the 
Newton-Raphson method.  It took 20 minutes for something a $200 
calculator would now do in a flash.


Back to my wheelchair...

Rob

PS. I first used email and chat in 1982.









Regards,

John Taylor



Trojan Horse - Not (Update)

2004-04-10 Thread Onno Benschop
As I suspected and wrote, this isn't a Trojan Horse at all:

<http://www.wired.com/news/mac/0,2125,63000,00.html?tw=newsletter_topstories_html>





Re: Trojan Horse

2004-04-10 Thread Dark Servant
Just check to see if the stock went up by $4.01 recently.  I would do 
it myself but it's getting late and I really can't be bothered right 
now.

Ruben

This story in TidBITS didn't get much of a mention on the list. Was 
it an April Fools joke?

John


 Although 1999 seems an eternity ago, some things never change,
  and today the U.S. Department of Homeland Security (DHS) announced
  that it would be standardizing all of its computing functions on
  Macs running Mac OS X. As with the Army's decision back in 1999,
  the reason is security. Even though Microsoft continues to block
  holes in Windows, we've seen an ever-increasing number of worm and
  virus epidemics that have turned millions of Windows-based PCs
  into zombie spam generators and resulted in many billions of
  dollars of damage and cleanup costs.

  Therein lies the difference since 1999. Although DHS remains
  concerned about the security of its internal and external Web
  sites, the real worry today is that the entire department could
  be crippled by a virulent Windows worm or virus. The Army was
  merely embarrassed by their Web site being modified, but a worm-
  based attack on DHS computers could seriously compromise the
  agency's ability to respond to a terrorist attack. DHS has been
  particularly concerned about such attacks, issuing an alert in
  March about a Windows program called Phatbot that brings peer-
  to-peer networking concepts to malicious software.



  Needless to say, the announcement is good news for Apple Computer,
  since it will entail the purchase of hundreds of thousands of
  Macintosh systems. Apple stock rose $4.01 on the announcement
  as Wall Street took account of the future earnings.

  It's important to remain realistic about the effects of DHS
  switching to Mac OS X. In the past, Macs have been largely free of
  worms and viruses at least in part because Macs weren't generally
  used in "interesting" places (interesting, that is, to the sort of
  people who write malicious software). Targets don't get much more
  prominent than DHS, and I fully expect to see more hacking effort
  aimed against Macs in the near future. Apple is not unaware of
  this possibility either, and has already started advertising for
  additional security engineers, as evidenced by the job posting
  below (Apple ID required for login).






Trojan Horse

2004-04-09 Thread John Currie
This story in TidBITS didn't get much of a mention on the list. Was 
it an April Fools joke?

John


 Although 1999 seems an eternity ago, some things never change,
  and today the U.S. Department of Homeland Security (DHS) announced
  that it would be standardizing all of its computing functions on
  Macs running Mac OS X. As with the Army's decision back in 1999,
  the reason is security. Even though Microsoft continues to block
  holes in Windows, we've seen an ever-increasing number of worm and
  virus epidemics that have turned millions of Windows-based PCs
  into zombie spam generators and resulted in many billions of
  dollars of damage and cleanup costs.

  Therein lies the difference since 1999. Although DHS remains
  concerned about the security of its internal and external Web
  sites, the real worry today is that the entire department could
  be crippled by a virulent Windows worm or virus. The Army was
  merely embarrassed by their Web site being modified, but a worm-
  based attack on DHS computers could seriously compromise the
  agency's ability to respond to a terrorist attack. DHS has been
  particularly concerned about such attacks, issuing an alert in
  March about a Windows program called Phatbot that brings peer-
  to-peer networking concepts to malicious software.



  Needless to say, the announcement is good news for Apple Computer,
  since it will entail the purchase of hundreds of thousands of
  Macintosh systems. Apple stock rose $4.01 on the announcement
  as Wall Street took account of the future earnings.

  It's important to remain realistic about the effects of DHS
  switching to Mac OS X. In the past, Macs have been largely free of
  worms and viruses at least in part because Macs weren't generally
  used in "interesting" places (interesting, that is, to the sort of
  people who write malicious software). Targets don't get much more
  prominent than DHS, and I fully expect to see more hacking effort
  aimed against Macs in the near future. Apple is not unaware of
  this possibility either, and has already started advertising for
  additional security engineers, as evidenced by the job posting
  below (Apple ID required for login).


Re: Onno and the Trojan Horse

2004-04-09 Thread Rob Phillips

On Fri, 2004-04-09 at 12:45, Peter Hinchliffe wrote:
 It may be a little too early to panic over this. Apparently, it's 
 doubtful if the virus exists as anything more than a "proof of concept" 
 that such a thing is possible.


Uhm, from what I've read so far, this is not a virus or a trojan horse
at all. It's a concept of social engineering. The idea is that you can
make an attachment look like one thing and be another.

A virus spreads without your intervention - AFAIK this doesn't.

A trojan horse pretends to be one thing while doing another - AFAIK this
isn't.


(PS. If you've got something to rebuke the above, I'm all ears


And I thought it was nose... :-)


- I
don't profess to know everything about everything, but I'll confess I
know a lot about a great many things to do with computing


I see you're still working on your modesty!


 - hint: I've
been doing this for a few years :-)

(Second hint: My first computer was a Commodore Vic-20)


and my first computer was an IBM 1620(?) in 1973.  It was the first 
computer at UWA, and took up about a lounge room.  UWA decommissioned 
it for a new machine and turned it over to students to play with.  I 
used to sneak into the Physics building to play with it on weekends. 
Andrew Marriott who teaches in Comp Sci at Curtin was another, with a 
guy called Mike Palm.  All input and output from the computer was 
thru punched cards, even loading the operating system.  I would guess 
the operating system took up 800 cards -> 800 lines of code.  How 
things have changed...


Anyway, Sev Crisp from Albany, who was teaching me Physics at the 
time, probably used this machine before I got to it.  I used to do 
fun(?) things like solving integrals numerically using the 
Newton-Raphson method.  It took 20 minutes for something a $200 
calculator would now do in a flash.


Back to my wheelchair...

Rob

PS. I first used email and chat in 1982.








Re: More on Trojan Horse -- discussion of "Trojan Horse" terminology

2004-04-09 Thread Onno Benschop
On Fri, 2004-04-09 at 19:21, James Devenish wrote:
> In message <[EMAIL PROTECTED]>
> on Fri, Apr 09, 2004 at 06:32:24PM +1000, Onno Benschop wrote:
> Yes (though I only tried this under Linux/Pentium).
> 
> > *and* code executes that does something else,
> 
> I haven't tried this under Mac OS X.
> 
> > > From examining this file, I see that it contains a GEO "general
> > > encapsulated object" that itself encapsulates a PowerPC PEF header (Mac
> > > OS 9 executable) with filename "virus.mp3" -- the same as the existing
> > > file. Perhaps iTunes extracts the GEO, overwriting the original
> > > virus.mp3 in the process?
> > 
> > If that is the case, we're talking about an iTunes exploit, not a
> > Trojan.
> 
> Not necessarily. iTunes would not be executing the code itself -- it
> might merely be following a liberal interpretation of ID3 (eek!). While
> this would be a misfeature in iTunes, the malicious binary would
> actually be launched by the Finder.

Yeah, except that iTunes is the one making the .mp3 into an executable.


> Thus, if ID3 provides a sanctioned
> way to initiate the extraction of arbitrary files hidden within music, I
> would think it to be an example of the Trojan Horse phenomenon.

Yup, but my understanding of the ID3 definition is that it contains
meta-data like artist, name, album etc. There should be no "extraction"
required to get this stuff out. Merely from this byte, or from this
delimiter to this delimiter is the name of the artist.

I wouldn't have thought that the ID3 definition had any means of
packaging anything - unless iTunes decided that it would be cool to say
that from this byte to this byte is a compressed image that can be
extracted as a separate file, in which case the guy who thought of that
is a moron.


> It would
> be possible, for example, for a cracker to insert malicious code into
> other people's audio files as part of website defacement.

And it would be pretty subtle too, evil...


>  Although
> Trojans are by their definition (hmm...what definition?)

Here are some :-)


"The Collaborative International Dictionary of English v.0.48"
Trojan horse Tro"jan horse`, n. from the incident described
   in Homer's Iliad.
   1. (Classical mythology) a large hollow wooden horse built by
  Greek soldiers besieging Troy during the Trojan War, and
  left as a "gift" when they pretended to abandon their
  siege. It was taken into the city by the Trojans, and
  Greek soldiers concealed inside came out and opened the
  gates to the city, enabling the capture of the city by the
  Greeks.
  RP + PJC

   2. Hence, any thing or person which appears harmless but is
  designed to destroy or attack from within. It may
  sometimes refer to a group; -- see also fifth column.
  RP + PJC

   3. (Computers) A computer program designed to evade the
  security precautions within a computer system and perform
  illicit operations, or to do malicious damage, and often
  designed to look like a different kind of program, such as
  a game, archiver, or directory lister. This term is not
  applied to a program that replicates itself, such as a
  virus.
  RP + PJC

"The Collaborative International Dictionary of English v.0.48"
fifth column fifth` col"umn, n. from a statement during the
   Spanish Civil War (1936) that the Falange had four columns of
   soldiers marching on the city, and a fifth column "already
   there" (i.e. sympathizers inside the Republican lines).
   1. a group of persons inside the battle lines of a territory
  engaged in a conflict, who secretly sympathize with the
  enemy, and who engage in espionage or sabotage; --
  sometimes also referred to as a trojan horse.
  RP

   2. Hence, any faction of persons within a group who secretly
  sympathize with an enemy, especially those who engage in
  activities harmful to the group; an enemy in one's midst;
  a group of traitors.
  RP

"WordNet (r) 2.0 (August 2003)"
Trojan horse
n 1: a subversive group that supports the enemy and engages in
 espionage or sabotage; an enemy in your midst syn:
 fifth column, Trojan horse
2: a program that appears desirable but actually contains
   something harmful; "the contents of a trojan can be a
   virus or a worm"; "when he downloaded the free game it
   turned out to be a trojan horse" syn: trojan
3: a large hollow wooden figure of a horse (filled with Greek
   soldiers) left by the Greeks outside Troy during the
   Trojan War syn: Trojan Horse, Wooden Horse

"The Free On-line Dictionary of Computing (19 Sep 2003)"
Trojan horse

(Coined by
   MIT-hacker-tu

Re: More on Trojan Horse -- discussion of "Trojan Horse" terminology

2004-04-09 Thread Craig Ringer
On Fri, 2004-04-09 at 17:21, James Devenish wrote:

> I suspect this problem does not lie with the OS or the user. It's either
> with ID3 or iTunes (most likely: iTunes' overzealous honouring of ID3).

iTunes does support storing album covers or somesuch, doesn't it?
Perhaps it supports storing images in ID3 data, and that support is a
little _too_ flexible?

Craig Ringer



Re: More on Trojan Horse

2004-04-09 Thread Craig Ringer
On Fri, 2004-04-09 at 16:59, Peter Hinchliffe wrote:

> Just as an aside - I had to re-install Windows XP for 
> someone the other day. After erasing the partition and reinstalling XP, 
> I immediately installed McAfee VirusScan Enterprise Edition. Between 
> installing the OS and downloading the latest virus libraries, XP had 
> already contracted at least 5 viruses by the time VirusScan started 
> doing its thing. I can only conclude they came down with the virus 
> libraries or they were already installed, courtesy of Micro$oft 
> themselves. It's a self-perpetuating disaster.

If you were connected to the 'net at the time, and hadn't installed a
firewall or the XP security patches, that's probably where they came
from. Not all viruses spread by email.

The only safe way to do things appears to be to install the XP security
fixes and ZoneAlarm from a CD or USB key after downloading them on
another machine, and only then connect the newly installed machine to
the 'net. Oh - or use a /proper/ firewall at the network edge instead
(good for DSL users, not so useful for dialup).

Craig Ringer



Re: More on Trojan Horse -- discussion of "Trojan Horse" terminology

2004-04-09 Thread James Devenish
In message <[EMAIL PROTECTED]>
on Fri, Apr 09, 2004 at 06:32:24PM +1000, Onno Benschop wrote:
> To make sure here, we're talking about a valid stuffit archive file that
> has a compressed file that when extracted is identified as an mp3?

Yes (I tried this under Mac OS X).

> Now if you can actually play the mp3 and music happens

Yes (though I only tried this under Linux/Pentium).

> *and* code executes that does something else,

I haven't tried this under Mac OS X.

> > From examining this file, I see that it contains a GEO "general
> > encapsulated object" that itself encapsulates a PowerPC PEF header (Mac
> > OS 9 executable) with filename "virus.mp3" -- the same as the existing
> > file. Perhaps iTunes extracts the GEO, overwriting the original
> > virus.mp3 in the process?
> 
> If that is the case, we're talking about an iTunes exploit, not a
> Trojan.

Not necessarily. iTunes would not be executing the code itself -- it
might merely be following a liberal interpretation of ID3 (eek!). While
this would be a misfeature in iTunes, the malicious binary would
actually be launched by the Finder. Thus, if ID3 provides a sanctioned
way to initiate the extraction of arbitrary files hidden within music, I
would think it to be an example of the Trojan Horse phenomenon. It would
be possible, for example, for a cracker to insert malicious code into
other people's audio files as part of website defacement. Although
Trojans are by their definition (hmm...what definition?) a social
engineering exploit, a pure social engineering exploit would not need to
involve the concealment of an executable payload.

I did think at first that it must be iTunes-specific, because iTunes is
the default player for MP3 files. (Intego hasn't provided sufficient
details.) However, it might be a common vulnerability amongst audio
players that interpret ID3 headers. On most UNIX systems, however, you'd
also need to set the "executable" permission -- something that probably
can't be conveyed via ID3.

I suspect that it's unlikely that a malicious exploit would be a virus
-- more likely a worm.

> So now we're opening the same file twice?

Not by the sound of what I've read on the web. (The double-open
procedure was merely my own speculation.)

> I realise I'm arguing semantics here, but in this world I believe that
> this is important, because the difference determines where the fix lies
> - the User, the OS or iTunes.

I suspect this problem does not lie with the OS or the user. It's either
with ID3 or iTunes (most likely: iTunes' overzealous honouring of ID3).

> If I were you and you didn't have a completely separate machine that you
> would be prepared to sacrifice, I wouldn't even have gone as far as you
> state you have...

I didn't believe that a StuffIt Expander, `vim` or `file` exploit was
involved. However, you are correct that I don't consider my test machine
'entirely sacrificial'. I did think twice before using StuffIt Expander,
and perhaps I shouldn't have carried through with it. However, I cannot
see any evidence that any files were modified as a result of
'unstuffing' the file (apart from com.stuffit.Expander.plist, which I
have now removed), nor can I see any suspicious processes.

> > Get a Mac! Oops ;-)
> I did - two years or so later - a Mac 512ED, which served me well for
> four years when I sold it just before the LC came out.

Ah, yes, I think the 512K was my mainstay during primary school.




Re: First Trojan Horse for MacOS X reported

2004-04-09 Thread Craig Ringer
On Fri, 2004-04-09 at 10:34, Peter Hinchliffe wrote:

> This thing apparently comes in on MP3 files, and can do all sorts of 
> nasty things, including deleting all the files in your user account, 
> emailing itself to other users, and infecting other files on your 
> computer. The warning from Intego is to avoid double-clicking MP3 
> files.

While the actual issue appears to be blown out of all proportion (anyone
remember the "JPEG virus" for Linux? *lol*), it does appear to raise a
valid issue.

By supporting type/creator codes, file extensions, and other methods of
identifying files, the MacOS can and will run into areas where it
identifies a file one way for display, and another when actually opened.
This is very similar to the eternal problems Microsoft has with IE,
where it will display information based on the MIME type, and act based
on the file extension, or vice versa.

This will almost certainly lead to significant security problems, just
as it has on Windows. Users who are aware now that a file with a given
icon and listed type may not actually be that sort of file will be safer
- so keep that in mind, especially when you get email.

Alternately, instead of thinking "only Windows users need to worry about
attachments," think "I'll be careful anyway" - and avoid being bitten
when the first /real/ Mac worm hits. (Note: the same goes for users of
other platforms. Linux users in particular seem far too happy to say
"it'll never happen to us.").

Craig Ringer
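Craig's point, that a file can be identified one way for display and another way when opened, can be checked mechanically by comparing a file name's extension with what its leading bytes actually say. The following is an added example written for this thread; it is not Craig's code and not anything from Intego or Apple. The signature table uses the real PEF, Mach-O, ELF, PE and ID3 magic numbers, `DATA_EXTENSIONS` is an assumed policy list, and the sample byte strings are constructed (they are not the MP3Concept proof-of-concept).

```python
"""Compare what a file name claims (its extension) with what its leading bytes
say. Added example for this thread; not code from any poster, Intego or Apple.
The signature table uses real executable/container magic numbers; the sample
inputs at the bottom are constructed."""
import os

# Real magic numbers. Order matters: longer / more specific prefixes first.
SIGNATURES = [
    (b"Joy!peff", "pef"),                # classic Mac OS PEF executable container
    (b"\xfe\xed\xfa\xce", "macho"),      # Mach-O, 32-bit big-endian (PowerPC)
    (b"\xce\xfa\xed\xfe", "macho"),      # Mach-O, 32-bit little-endian
    (b"\xca\xfe\xba\xbe", "macho-fat"),  # Mach-O universal (fat) binary
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
    (b"ID3", "mp3"),                     # MPEG audio with an ID3v2 tag in front
]
EXECUTABLE_KINDS = {"pef", "macho", "macho-fat", "elf", "pe"}

# Assumed policy: extensions a user expects to be opened as data, never run.
DATA_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".gif", ".txt", ".pdf", ".mov"}


def sniff(head: bytes) -> str:
    """Classify a file from its first bytes, independent of its name."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    # Untagged MPEG audio starts with an 11-bit frame sync (0xFFE or 0xFFF).
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def check(name: str, head: bytes) -> dict:
    """Report whether the extension and the content disagree dangerously:
    a data extension on a file whose bytes are an executable."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff(head)
    disguised = ext in DATA_EXTENSIONS and kind in EXECUTABLE_KINDS
    return {"name": name, "ext": ext, "content": kind, "disguised": disguised}


def check_file(path: str) -> dict:
    """Same check for a file on disk; the first 16 bytes are enough."""
    with open(path, "rb") as f:
        return check(os.path.basename(path), f.read(16))


# Constructed samples (not the real proof-of-concept): a tagged MP3, a raw MPEG
# frame, two executables renamed to look like music, and a plain executable.
SAMPLES = {
    "song.mp3":     b"ID3\x02\x00\x00\x00\x00\x00\x00\xff\xfb\x90\x00",
    "untagged.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 12,
    "virus.mp3":    b"Joy!peff" + b"pwpc" + b"\x00\x00\x00\x01",
    "track.mp3":    b"\xfe\xed\xfa\xce\x00\x00\x00\x12\x00\x00\x00\x00",
    "tool":         b"\x7fELF\x01\x01\x01\x00",
}


def scan_samples() -> list:
    """Return the sample names flagged as executables wearing a data extension."""
    return [n for n, head in SAMPLES.items() if check(n, head)["disguised"]]


if __name__ == "__main__":
    for sample_name, sample_head in SAMPLES.items():
        print(check(sample_name, sample_head))
```

The check looks at content only, so it is immune to the icon and extension tricks the thread describes; what it cannot see is a custom icon resource or a `.app` bundle, which need a directory-level check rather than a byte-level one.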



Re: More on Trojan Horse

2004-04-09 Thread Rod Lavington
On 9/4/04 5:15 PM, "Onno Benschop" <[EMAIL PROTECTED]> wrote:

>> Hope the trip is going well Onno!
>
> Yeah, bit lonely socially, so I rile some WAMUGgers when I can :-)

And an excellent job you are doing of that!

Have a good Easter!

Seeya

Rod!



Re: More on Trojan Horse

2004-04-09 Thread Onno Benschop
On Fri, 2004-04-09 at 18:58, Rod Lavington wrote:
> On 9/4/04 4:18 PM, "Onno Benschop" <[EMAIL PROTECTED]> wrote:
> 
> > On Fri, 2004-04-09 at 16:11, Rod Lavington wrote:
> >> On 9/4/04 1:28 PM, "Onno Benschop" <[EMAIL PROTECTED]> wrote:
> >> 
> >> 
> >> 
> >>> 
> >>> (Second hint: My first computer was a Commodore Vic-20)
> >>> 
> >> 
> >> My first was a C64, so na na ne nah na!
> > 
> > So you're younger and dumber?
> > 
> > 
> > 
> > Onno Benschop 
> > 
> 
> Younger, yes.  Dumber, well, why buy the crappy base model when for a few
> extra bucks you can get a much better machine???

Ahh, because when I bought my Vic 20, the Commodore 64 didn't exist...


> ;-)

Indeed...


> Hope the trip is going well Onno!

Yeah, bit lonely socially, so I rile some WAMUGgers when I can :-)


Onno Benschop 

Connected via Optus B3 at S38°01'05" - E145°25'10" (Upper Beaconsfield, VIC)
-- 
()/)/)()..ASCII for Onno.. 
|>>?..EBCDIC for Onno.. 
--- -. -. ---   ..Morse for Onno.. 

Proudly supported by Skipper Trucks, Highway1, Concept AV, Sony Central, Dalcon
ITmaze - ABN: 56 178 057 063 - ph: 04 1219  - onno at itmaze dot com dot au



Re: More on Trojan Horse

2004-04-09 Thread Rod Lavington
On 9/4/04 4:59 PM, "Peter Hinchliffe" <[EMAIL PROTECTED]> wrote:

>
> On 09/04/2004, at 1:28 PM, Onno Benschop wrote:
>
>> From my perspective this is just an attempt to create a marketing need
>> for anti-virus software for the Macintosh.

Out of interest, I notice Virex 7.5 beta has been released.  Have installed
it, and seems to run okay.

As with all beta software, run at your own risk!

Seeya

Rod!



Re: More on Trojan Horse

2004-04-09 Thread Rod Lavington
On 9/4/04 4:18 PM, "Onno Benschop" <[EMAIL PROTECTED]> wrote:

> On Fri, 2004-04-09 at 16:11, Rod Lavington wrote:
>> On 9/4/04 1:28 PM, "Onno Benschop" <[EMAIL PROTECTED]> wrote:
>> 
>> 
>> 
>>> 
>>> (Second hint: My first computer was a Commodore Vic-20)
>>> 
>> 
>> My first was a C64, so na na ne nah na!
> 
> So you're younger and dumber?
> 
> 
> 
> Onno Benschop 
> 

Younger, yes.  Dumber, well, why buy the crappy base model when for a few
extra bucks you can get a much better machine???

;-)

Hope the trip is going well Onno!

Seeya

Rod!



Re: More on Trojan Horse

2004-04-09 Thread Peter Hinchliffe


On 09/04/2004, at 1:28 PM, Onno Benschop wrote:

> From my perspective this is just an attempt to create a marketing need
> for anti-virus software for the Macintosh.


This was definitely my first reaction after reading the Intego report. 
The distressing thing, apart from the FUD factor, is that there is a 
huge (virus protection) industry out there that needs to be fed. I 
worry that it's looking on the Mac market as finger food.


Just as an aside - I had to re-install Windows XP for 
someone the other day. After erasing the partition and reinstalling XP, 
I immediately installed McAfee VirusScan Enterprise Edition. Between 
installing the OS and downloading the latest virus libraries, XP had 
already contracted at least 5 viruses by the time VirusScan started 
doing its thing. I can only conclude they came down with the virus 
libraries or they were already installed, courtesy of Micro$oft 
themselves. It's a self-perpetuating disaster.


We need to run and hide from this.


--
Peter Hinchliffe
Apwin Computer ServicesFileMaker Pro Solutions Developer
Perth,  
Western Australia   Phone (618) 9332 6482Fax (618) 9332 0913

   Mac because I prefer it -- Windows because I have to.



Re: More on Trojan Horse

2004-04-09 Thread Onno Benschop
On Fri, 2004-04-09 at 17:46, James Devenish wrote:
> I just downloaded "virus.mp3.sit" (not a virus) from the Google groups
> thread (can't remember where I found it) and unstuffed it. `file`
> identifies it as "MP3 file with ID3 version 2.2.0 tag". The valid ID3
> tag is followed by a valid MPEG 1 Layer III stream.

So you can play it in an mp3 player?

To make sure here, we're talking about a valid stuffit archive file that
has a compressed file that when extracted is identified as an mp3?

Now if you can actually play the mp3 and music happens *and* code
executes that does something else, you've got a ridgey-didge Trojan, but
I'm not yet convinced.


> From examining this file, I see that it contains a GEO "general
> encapsulated object" that itself encapsulates a PowerPC PEF header (Mac
> OS 9 executable) with filename "virus.mp3" -- the same as the existing
> file. Perhaps iTunes extracts the GEO, overwriting the original
> virus.mp3 in the process?

If that is the case, we're talking about an iTunes exploit, not a
Trojan.


> Then, when virus.mp3 is next opened, it is 
> recognised as a PEF file and it is launched? I don't know if this is
> actually what happens (especially since it doesn't seem to have the
> proper 'metadata' to signify that the file is an application).

So now we're opening the same file twice? (While it got changed in the
background...) That would mean more argument against a Trojan and more
for an exploit - and social engineering project.

I realise I'm arguing semantics here, but in this world I believe that
this is important, because the difference determines where the fix lies
- the User, the OS or iTunes.


> But, if
> it is, then it would seem to arise from (a) the use of ID3 as a "file
> archive" and (b) the action taken by iTunes (namely, extracting files
> from that archive). Alternatively, iTunes is invoking the GEO directly?
> That seems very foolish. Perhaps there is some invalid length field in
> the header that causes iTunes to get confused? I don't know the
> specifics, but the proof-of-concept does seem to be a Trojan Horse.
> (Note: I have not tried running the proof-of-concept Trojan.)

If I were you and you didn't have a completely separate machine that you
would be prepared to sacrifice, I wouldn't even have gone as far as you
state you have...


> Normally, I think it is hard to spread Mac programme directly via e-mail
> because of the necessary 'metadata' (OS 9) or .app directory structure
> (OS X), which either give the game away or require "extra steps" to make
> the virus into a double-clickable application. This ID3 vulnerability
> (if it is true) would allow people to insert executables into valid,
> pre-existing audio files that could be sent easily via e-mail.

I'd agree with that.


> > (Second hint: My first computer was a Commodore Vic-20)
> 
> Get a Mac! Oops ;-)

I did - two years or so later - a Mac 512ED, which served me well for
four years when I sold it just before the LC came out.


Onno Benschop 




Re: More on Trojan Horse

2004-04-09 Thread Onno Benschop
On Fri, 2004-04-09 at 16:11, Rod Lavington wrote:
> On 9/4/04 1:28 PM, "Onno Benschop" <[EMAIL PROTECTED]> wrote:
> 
> 
> 
> > 
> > (Second hint: My first computer was a Commodore Vic-20)
> > 
> 
> My first was a C64, so na na ne nah na!

So you're younger and dumber?



Onno Benschop 




Re: More on Trojan Horse

2004-04-09 Thread James Devenish
In message <[EMAIL PROTECTED]>
on Fri, Apr 09, 2004 at 03:28:51PM +1000, Onno Benschop wrote:
> Uhm, from what I've read so-far, this is not a virus or a trojan horse
> at all. It's a concept of social engineering. The idea is that you can
> make an attachment look like one thing and be another.

I'm not entirely sure what Intego are talking about -- I don't know if
they have found code "in the wild" or whether they are simply pointing
out the potential for malicious use. I did see a proof-of-concept
"virus.mp3.sit", which is a Trojan Horse -- as I recall, English wasn't
Onno's first language ;-) (Just teasing.)

I just downloaded "virus.mp3.sit" (not a virus) from the Google groups
thread (can't remember where I found it) and unstuffed it. `file`
identifies it as "MP3 file with ID3 version 2.2.0 tag". The valid ID3
tag is followed by a valid MPEG 1 Layer III stream.

From examining this file, I see that it contains a GEO "general
encapsulated object" that itself encapsulates a PowerPC PEF header (Mac
OS 9 executable) with filename "virus.mp3" -- the same as the existing
file. Perhaps iTunes extracts the GEO, overwriting the original
virus.mp3 in the process? Then, when virus.mp3 is next opened, it is
recognised as a PEF file and it is launched? I don't know if this is
actually what happens (especially since it doesn't seem to have the
proper 'metadata' to signify that the file is an application). But, if
it is, then it would seem to arise from (a) the use of ID3 as a "file
archive" and (b) the action taken by iTunes (namely, extracting files
from that archive). Alternatively, iTunes is invoking the GEO directly?
That seems very foolish. Perhaps there is some invalid length field in
the header that causes iTunes to get confused? I don't know the
specifics, but the proof-of-concept does seem to be a Trojan Horse.
(Note: I have not tried running the proof-of-concept Trojan.)

Normally, I think it is hard to spread Mac programmes directly via e-mail
because of the necessary 'metadata' (OS 9) or .app directory structure
(OS X), which either give the game away or require "extra steps" to make
the virus into a double-clickable application. This ID3 vulnerability
(if it is true) would allow people to insert executables into valid,
pre-existing audio files that could be sent easily via e-mail.

> (Second hint: My first computer was a Commodore Vic-20)

Get a Mac! Oops ;-)
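James's description of the file, an ID3v2.2 tag carrying a GEO "general encapsulated object" whose payload is a PEF executable named like the host file, is something a defender can look for directly, without depending on what any particular player does with the tag. Below is an added example written for this thread (the same question is raised in the follow-up on "Trojan Horse" terminology above); it is not James's code and not anything from Intego or Apple. It walks the frames of an ID3v2 tag, lists GEO/GEOB frames, and reports when the encapsulated data begins with an executable signature. The frame layouts follow the public ID3v2.2/2.3/2.4 layouts, the PEF and Mach-O magic numbers are real, and the sample tag produced by `build_sample()` is constructed for the test with a fake PEF header only (not a program, and not the proof-of-concept file).

```python
"""Walk an ID3v2 tag and report GEO/GEOB ("general encapsulated object") frames
whose payload looks like an executable. Added example for this thread, not code
from the posters or Intego; the tag built by build_sample() is constructed."""

# Real executable signatures; the first is the classic Mac OS PEF container.
EXEC_MAGICS = [
    (b"Joy!peff", "pef"),
    (b"\xfe\xed\xfa\xce", "macho"),
    (b"\xca\xfe\xba\xbe", "macho-fat"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
]


def _syncsafe(b: bytes) -> int:
    # Tag sizes (and v2.4 frame sizes) use 7 bits per byte so 0xFF never appears.
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def _to_syncsafe(n: int) -> bytes:
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def _cstr(buf: bytes, pos: int, enc: str):
    """Read a NUL-terminated single-byte string; return (text, position after NUL)."""
    end = buf.find(b"\x00", pos)
    end = len(buf) if end < 0 else end
    return buf[pos:end].decode(enc, "replace"), end + 1


def _wstr(buf: bytes, pos: int, enc: str):
    """Read a UTF-16 string terminated by an aligned double NUL."""
    i = pos
    while i + 1 < len(buf) and buf[i:i + 2] != b"\x00\x00":
        i += 2
    return buf[pos:i].decode(enc, "replace"), i + 2


def parse_id3v2(data: bytes):
    """Yield (frame_id, body) for each frame. v2.2 uses 3-byte ids and sizes;
    v2.3/v2.4 use 4-byte ids, 4-byte sizes (syncsafe in v2.4) and 2 flag bytes."""
    if len(data) < 10 or data[:3] != b"ID3":
        return
    major = data[3]
    end = min(10 + _syncsafe(data[6:10]), len(data))
    id_len, hdr_len = (3, 6) if major == 2 else (4, 10)
    pos = 10
    while pos + hdr_len <= end:
        fid = data[pos:pos + id_len]
        if fid[0] == 0:                       # reached the padding
            break
        raw = data[pos + id_len:pos + id_len + (3 if major == 2 else 4)]
        size = _syncsafe(raw) if major == 4 else int.from_bytes(raw, "big")
        yield fid.decode("latin-1"), data[pos + hdr_len:pos + hdr_len + size]
        pos += hdr_len + size


def decode_geo(body: bytes):
    """Split a GEO/GEOB body into (mime, filename, description, binary data)."""
    text_enc = body[0]
    mime, pos = _cstr(body, 1, "latin-1")     # MIME type is always single-byte
    if text_enc in (1, 2):                    # UTF-16 with BOM / UTF-16BE
        enc = "utf-16" if text_enc == 1 else "utf-16-be"
        filename, pos = _wstr(body, pos, enc)
        desc, pos = _wstr(body, pos, enc)
    else:                                     # 0 = ISO-8859-1, 3 = UTF-8 (v2.4)
        enc = "utf-8" if text_enc == 3 else "latin-1"
        filename, pos = _cstr(body, pos, enc)
        desc, pos = _cstr(body, pos, enc)
    return mime, filename, desc, body[pos:]


def scan(data: bytes) -> list:
    """One finding per encapsulated object; 'executable' names the signature
    found at the start of the object's data, or None if none matched."""
    findings = []
    for fid, body in parse_id3v2(data):
        if fid not in ("GEO", "GEOB") or not body:
            continue
        mime, filename, desc, blob = decode_geo(body)
        kind = next((k for m, k in EXEC_MAGICS if blob.startswith(m)), None)
        findings.append({"frame": fid, "mime": mime, "filename": filename,
                         "size": len(blob), "executable": kind})
    return findings


def build_sample(major: int = 2) -> bytes:
    """Constructed test input: a title frame plus a GEO(B) frame wrapping a fake
    PEF header (just the magic, not a real program) named like the host file."""
    geo_body = (b"\x00" + b"application/octet-stream\x00" + b"virus.mp3\x00"
                + b"\x00" + b"Joy!peff" + b"pwpc" + b"\x00" * 20)
    title = b"\x00Test song"
    if major == 2:
        frames = (b"TT2" + len(title).to_bytes(3, "big") + title
                  + b"GEO" + len(geo_body).to_bytes(3, "big") + geo_body)
    else:
        sz = _to_syncsafe if major == 4 else (lambda n: n.to_bytes(4, "big"))
        frames = (b"TIT2" + sz(len(title)) + b"\x00\x00" + title
                  + b"GEOB" + sz(len(geo_body)) + b"\x00\x00" + geo_body)
    header = b"ID3" + bytes([major, 0, 0]) + _to_syncsafe(len(frames))
    return header + frames + b"\xff\xfb\x90\x00" + b"\x00" * 16  # then MPEG audio


if __name__ == "__main__":
    for finding in scan(build_sample()):
        print(finding)
```

A GEO frame is legitimate ID3 (it is how some taggers attach lyrics files or artwork), so the useful signal is not the frame's presence but an encapsulated object whose bytes are an executable, or whose filename matches the host file's name, as in James's description. A scanner like this fits naturally at a mail gateway or in a download directory, where the file is examined before any player touches it.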




Re: More on Trojan Horse

2004-04-09 Thread Rod Lavington
On 9/4/04 1:28 PM, "Onno Benschop" <[EMAIL PROTECTED]> wrote:



> 
> (Second hint: My first computer was a Commodore Vic-20)
> 

My first was a C64, so na na ne nah na!

:-)

All jokes aside, your points are very valid Onno.  I'm sure the spread of
virii in the PC world would be so much less if people didn't open
attachments without thinking first, not send emails to people with the
subject lines of  "Hi there!" and so forth, and if using Outlook-style email
programs, keeping the preview pane *closed*!  A bit of commonsense goes
a long way in this world..

Seeya

Rod!



Re: More on Trojan Horse

2004-04-09 Thread Onno Benschop
On Fri, 2004-04-09 at 12:45, Peter Hinchliffe wrote:
> It may be a little too early to panic over this. Apparently, it's  
> doubtful if the virus exists as anything more than a "proof of concept"  
> that such a thing is possible.

Uhm, from what I've read so-far, this is not a virus or a trojan horse
at all. It's a concept of social engineering. The idea is that you can
make an attachment look like one thing and be another.

A virus spreads without your intervention - AFAIK this doesn't.

A trojan horse pretends to be one thing while doing another - AFAIK this
isn't.

I know, right now some of you are jumping up and down and getting ready
- or have already - hit the reply button and have all manner of
argument.

Let me point this out:

A trojan horse pretends to *be* one thing while *doing* another. This
doesn't pretend to be an MP3 file - it just looks like one - nor from
what I read is it actually playable in iTunes - so it's not an MP3 -
it's an application.

Also it doesn't spread by itself - though it could conceivably mail copies of
itself to others if you launched it, so it's not a virus.

Back to my original statement:

"This is social engineering"

So.

Hope you've stopped being huffy, and got to this part - what do you do
about it? For starters, don't launch things you get from people you
don't know or don't expect.

Second, don't launch things you get from people you don't know or don't
expect.

From my perspective this is just an attempt to create a marketing need
for anti-virus software for the Macintosh.

Here endeth the lesson

(PS. If you've got something to rebuke the above, I'm all ears - I
don't profess to know everything about everything, but I'll confess I
know a lot about a great many things to do with computing - hint: I've
been doing this for a few years :-)

(Second hint: My first computer was a Commodore Vic-20)


Onno Benschop 




Re: First Trojan Horse for MacOS X reported

2004-04-09 Thread Ryan Schotte

> However, the fact that the MP3 icon appears bouncing in the Dock makes
> this an easily noticeable trojan. The application is a Carbon app, and
> Carbon apps may not have the ability to not have their icons appear in
> the Dock -- the fact that it is a Carbon application is why it is
> allowed not to have a ".app" extension, as all Cocoa apps require. If
> the application was a Cocoa application, it would have a ".app"
> extension, in which case the application would not have an MP3 icon on
> it. A custom icon could be applied in this case, however, to fool
> users AND have the Dock icon hidden, since Cocoa apps can definitely
> hide their icon in the Dock.

Hmm. If it wanted to produce a little more uncertainty and doom, it
could even launch iTunes when the trojan starts running ;)

Of course this type of trojan could have happened on OS 9 as well... it isn't
something that OS X's extensions have helped produce.

I am very glad that it's just a proof of concept -- it's even named
"virus.mp3.sit"! But it wouldn't take much for someone else to run with
the idea...

Just have to be more careful about anything from an untrusted source I
guess.

Ryan


Re: First Trojan Horse for MacOS X reported

2004-04-09 Thread Rob Findlay
From apple-x.net
Rob
--
Is this the real deal?

[UPDATE: This alert seems to be blown out of proportion. The only working
code seems to be just a CONCEPT trojan for Mac OS X (especially since
"concept" appears in the trojan's name). A Google groups thread has an
actual working trojan that does not harm your computer, but just illustrates
the "vulnerability".

Another dodgy fact about the press release is that it contradicts itself.
First, the press release states that "[t]he Trojan horse's code is
encapsulated in the ID3 tag of an MP3 (digital music) file." This is
obviously wrong (unless someone at Apple really screwed up), because iTunes
only reads and displays information in ID3 tags. The press release then goes
on to say that "Mac OS X displays the icon of the MP3 file, with an .mp3
extension, rather than showing the file as an application, leading users to
believe that they can double-click the file to listen to it." Here Intego
says that the trojan creator simply masked the icon of the application to
make it look like an MP3 file, rather than actually having any code in an
ID3 tag of a real MP3 file. Clearly, the only possibility is the second case
(and the concept code is precisely done in this second manner), but Intego
didn't seem to have understood this.

There's one flaw in the execution of this concept trojan, however. When you
double-click the MP3 file, it becomes obvious it's an application if your
Dock is visible -- an MP3 file appears in your Dock and starts bouncing. The
only reason it looks like an MP3 file is because the application has no
".app" extension, but the creator named it with a ".mp3" extension. Mac OS X
interprets this to be an MP3 file, even though it does correctly identify it
as an application when you get info on it.

However, the fact that the MP3 icon appears bouncing in the Dock makes this
an easily noticeable trojan. The application is a Carbon app, and Carbon
apps may not have the ability to not have their icons appear in the Dock --
the fact that it is a Carbon application is why it is allowed not to have a
".app" extension, as all Cocoa apps require. If the application was a Cocoa
application, it would have a ".app" extension, in which case the application
would not have an MP3 icon on it. A custom icon could be applied in this
case, however, to fool users AND have the Dock icon hidden, since Cocoa apps
can definitely hide their icon in the Dock.

Given how high profile this concept trojan has already become, let's hope
that Apple will issue a security update to address this issue. Mac OS X can
clearly identify what an application is or isn't (as evidenced by the Get
Info window), so Mac OS X should display file icons based on the KIND of
file, not its extension. Of course, this doesn't change the fact that a
custom icon can still be applied to mask the trojan application.

-- simX]





Re: First Trojan Horse for MacOS X reported

2004-04-09 Thread James Devenish
In message <[EMAIL PROTECTED]>
on Fri, Apr 09, 2004 at 10:34:17AM +0800, Peter Hinchliffe wrote:
> Mac security software firm Intego have reported what they claim to be 
> the first Trojan horse (MP3Concept) to affect MacOS X.

As an administrator of UNIX and Linux systems, I am intrigued by the
wording of the Intego advice. It says "Mac OS X displays the icon of the
MP3 file, with an .mp3 extension, rather than showing the file as an
application...double clicking the file launches the hidden code,...then
iTunes." It then says "users can no longer safely double-click MP3
files". From a technical point of view, this requires clarification. One
possibility is that they are implying that someone is producing
double-clickable applications with icons that are the same as iTunes'
audio icons. Although this might be true, it's the same risk that you
run when downloading any application. If you download a StuffIt archive
or installer from the web, thinking it's a music file when in fact it's
an application, this is no different to the risk you run when
downloading any software on any platform. If, instead, they are
definitely indicating that the ID3 tags can contain executable content
within the valid structure of an MPEG audio file, then there are a
number of issues at hand. The main one is that this must represent a bug
in the audio player (e.g. iTunes), and that this vulnerability is
dependent on the audio file being opened within that specific audio
player. So, I hope they have made direct contact with Apple and that
Apple release a security update. This type of 'data execution'
vulnerability applies to all data formats/protocols and is therefore a
routine risk that programmers must skillfully avoid. (Actually, it is
possible for an operating system to provide a high degree of protection
against this type of fault, but I am not sure of any such mechanisms
within Mac OS X client.) The extent of the vulnerability depends on the
application and the development of an exploit (for instance, it might
just cause iTunes to crash). Also, ID3 processing flaws are well-known,
and have affected a number of products on various platforms in the past.
It is a shame that Apple has succumbed to such a flaw, but at least it
can be fixed readily (if everyone has access to an iTunes security
update, that is). Intego's claims seem highly speculative ("has the
potential..." "could infect other files..."), which makes me wonder how
they can detect this Trojan, and whether they are talking about multiple
Trojans (or none!). Can their product detect variations of this Trojan?




More on Trojan Horse

2004-04-09 Thread Peter Hinchliffe
It may be a little too early to panic over this. Apparently, it's  
doubtful if the virus exists as anything more than a "proof of concept"  
that such a thing is possible. Read more in the reader responses at





--
Peter Hinchliffe



First Trojan Horse for MacOS X reported

2004-04-09 Thread Peter Hinchliffe
Mac security software firm Intego have reported what they claim to be 
the first Trojan horse (MP3Concept) to affect MacOS X.


<http://www.intego.com/news/pr40.html>

This thing apparently comes in on MP3 files, and can do all sorts of 
nasty things, including deleting all the files in your user account, 
emailing itself to other users, and infecting other files on your 
computer. The warning from Intego is to avoid double-clicking MP3 
files.


Of course, Intego are entreating us all to install their VirusBarrier 
software which will remove this nasty. At the same time, McAfee have 
released an update (v7.5 beta) to their Virex package, but apparently 
this does not detect MP3Concept.


The virus has also been reported on other sites, including MacCentral, 
apple-x.net and MacNN.


Looks like the fun's starting, folks...

--
Peter Hinchliffe