In message <[EMAIL PROTECTED]>
on Fri, Apr 09, 2004 at 03:28:51PM +1000, Onno Benschop wrote:
> Uhm, from what I've read so-far, this is not a virus or a trojan horse
> at all. It's a concept of social engineering. The idea is that you can
> make an attachment look like one thing and be another.

I'm not entirely sure what Intego are talking about -- I don't know if
they have found code "in the wild" or whether they are simply pointing
out the potential for malicious use. I did see a proof-of-concept
"virus.mp3.sit", which is a Trojan Horse -- as I recall, English wasn't
Onno's first language ;-) (Just teasing.)

I just downloaded "virus.mp3.sit" (not a virus) from the Google groups
thread (can't remember where I found it) and unstuffed it. `file`
identifies it as "MP3 file with ID3 version 2.2.0 tag". The valid ID3
tag is followed by a valid MPEG 1 Layer III stream.

From examining this file, I see that it contains a GEO "general
encapsulated object" that itself encapsulates a PowerPC PEF header (Mac
OS 9 executable) with filename "virus.mp3" -- the same as the existing
file. Perhaps iTunes extracts the GEO, overwriting the original
virus.mp3 in the process? Then, when virus.mp3 is next opened, it is
recognised as a PEF file and it is launched? I don't know if this is
actually what happens (especially since it doesn't seem to have the
proper 'metadata' to signify that the file is an application). But, if
it is, then it would seem to arise from (a) the use of ID3 as a "file
archive" and (b) the action taken by iTunes (namely, extracting files
from that archive). Alternatively, iTunes is invoking the GEO directly?
That seems very foolish. Perhaps there is some invalid length field in
the header that causes iTunes to get confused? I don't know the
specifics, but the proof-of-concept does seem to be a Trojan Horse.
(Note: I have not tried running the proof-of-concept Trojan.)

Normally, I think it is hard to spread Mac programmes directly via e-mail
because of the necessary 'metadata' (OS 9) or .app directory structure
(OS X), which either give the game away or require "extra steps" to make
the virus into a double-clickable application. This ID3 vulnerability
(if it is true) would allow people to insert executables into valid,
pre-existing audio files that could be sent easily via e-mail.

> (Second hint: My first computer was a Commodore Vic-20)

Get a Mac! Oops ;-)
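The message above describes the structure of the proof-of-concept: an ID3v2.2 tag whose GEO ("general encapsulated object") frame wraps a PEF executable, followed by an ordinary MPEG stream. The script below is an added example written for this page (it is not the thread's, Intego's or Apple's code) that walks the ID3v2.2 frames of a file, splits out any GEO frame, and flags an encapsulated object that starts with a known executable signature. It also rejects the kind of inconsistent length field the message speculates about. The sample tag it builds is constructed here for the test and is not the real "virus.mp3.sit" payload: the PEF part is only a 40-byte container header stub ('Joy!' 'peff' 'pwpc' plus zeros), and the audio part is a single MPEG-1 Layer III frame header.

```python
"""Scan an ID3v2.2 tag for GEO frames that encapsulate an executable.

Added example for this page; not code from the thread or from Intego/Apple.
The sample file built by build_sample() is constructed for illustration and
is not the "virus.mp3.sit" proof-of-concept.
"""

# Signatures to look for at the start of the encapsulated object. A PEF
# container header begins with tag1 'Joy!' and tag2 'peff', then the
# architecture ('pwpc' for PowerPC, 'm68k' for 68K).
EXEC_MAGICS = {
    b"Joy!peff": "PEF (classic Mac OS executable)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
}
AUDIO_EXTS = (".mp3", ".m4a", ".aac", ".wav", ".aif", ".aiff")


def _syncsafe(b):
    """Decode the 28-bit 'syncsafe' tag size from the ID3v2 header."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def _syncsafe_enc(n):
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def parse_id3v22(data):
    """Return (frames, offset_of_audio). frames is a list of (id, payload)."""
    if data[:3] != b"ID3" or data[3] != 2:
        raise ValueError("not an ID3v2.2 tag")
    if data[5] & 0xC0:  # unsynchronisation / compression flags: not handled here
        raise ValueError("unsupported ID3v2.2 header flags")
    end = 10 + _syncsafe(data[6:10])
    if end > len(data):
        raise ValueError("tag size exceeds file length")
    frames, pos = [], 10
    while pos + 6 <= end:
        fid = data[pos:pos + 3]
        if fid == b"\x00\x00\x00":  # start of padding
            break
        size = int.from_bytes(data[pos + 3:pos + 6], "big")  # 2.2: plain 24-bit size
        if pos + 6 + size > end:  # the "invalid length field" case
            raise ValueError("frame %r overruns the tag" % fid)
        frames.append((fid.decode("latin-1"), data[pos + 6:pos + 6 + size]))
        pos += 6 + size
    return frames, end


def parse_geo(payload):
    """Split a 2.2 GEO frame: encoding, MIME type, filename, description, object."""
    enc = payload[0]
    if enc not in (0, 1):
        raise ValueError("bad text encoding byte")
    pos = 1
    mime_end = payload.index(b"\x00", pos)  # MIME type is always ISO-8859-1
    mime = payload[pos:mime_end].decode("latin-1")
    pos = mime_end + 1

    def take_text(p):  # ISO-8859-1 ends at $00, UTF-16 (with BOM) at $00 00
        if enc == 0:
            e = payload.index(b"\x00", p)
            return payload[p:e].decode("latin-1"), e + 1
        q = p
        while q + 1 < len(payload):
            if payload[q] == 0 and payload[q + 1] == 0:
                return payload[p:q].decode("utf-16"), q + 2
            q += 2
        raise ValueError("unterminated UTF-16 string")

    filename, pos = take_text(pos)
    description, pos = take_text(pos)
    return {"mime": mime, "filename": filename,
            "description": description, "object": payload[pos:]}


def find_embedded_executables(data):
    """List every GEO frame whose object starts with an executable signature."""
    frames, _ = parse_id3v22(data)
    hits = []
    for fid, payload in frames:
        if fid != "GEO":
            continue
        geo = parse_geo(payload)
        for magic, kind in EXEC_MAGICS.items():
            if geo["object"].startswith(magic):
                hits.append({"filename": geo["filename"], "mime": geo["mime"],
                             "type": kind,
                             # executable hiding behind an audio extension?
                             "extension_mismatch":
                                 geo["filename"].lower().endswith(AUDIO_EXTS)})
                break
    return hits


def _frame(fid, payload):
    return fid + len(payload).to_bytes(3, "big") + payload


def build_sample(embed_executable=True):
    """Constructed ID3v2.2 tag (+ one MPEG frame header); not the real PoC."""
    body = _frame(b"TT2", b"\x00Not a virus")
    if embed_executable:
        pef_stub = b"Joy!peffpwpc" + b"\x00" * 28  # 40-byte PEF header, zeroed fields
        body += _frame(b"GEO", b"\x00" + b"application/octet-stream\x00"
                       + b"virus.mp3\x00"  # same name as the outer file
                       + b"\x00" + pef_stub)
    body += b"\x00" * 16  # padding
    header = b"ID3" + bytes([2, 0, 0]) + _syncsafe_enc(len(body))
    mpeg = b"\xff\xfb\x90\x00" + b"\x00" * 60  # MPEG-1 Layer III, 128 kbit/s, 44.1 kHz
    return header + body + mpeg


if __name__ == "__main__":
    for hit in find_embedded_executables(build_sample()):
        print("GEO frame carries %(type)s named %(filename)r (mime %(mime)s)" % hit)
```

Run it against a real file with `find_embedded_executables(open(path, "rb").read())`. The check is deliberately narrow: it reads only what the tag claims and refuses frames that overrun it, so a file that trips the length check is at least as suspicious as one that yields a hit.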