On Fri, 2004-04-09 at 19:21, James Devenish wrote:
> In message <[EMAIL PROTECTED]>
> on Fri, Apr 09, 2004 at 06:32:24PM +1000, Onno Benschop wrote:
>
> Yes (though I only tried this under Linux/Pentium).
>
> > *and* code executes that does something else,
>
> I haven't tried this under Mac OS X.
>
> > > From examining this file, I see that it contains a GEO "general
> > > encapsulated object" that itself encapsulates a PowerPC PEF header (Mac
> > > OS 9 executable) with filename "virus.mp3" -- the same as the existing
> > > file. Perhaps iTunes extracts the GEO, overwriting the original
> > > virus.mp3 in the process?
> >
> > If that is the case, we're talking about an iTunes exploit, not a
> > Trojan.
>
> Not necessarily. iTunes would not be executing the code itself -- it
> might merely be following a liberal interpretation of ID3 (eek!). While
> this would be a misfeature in iTunes, the malicious binary would
> actually be launched by the Finder.

Yeah, except that iTunes is the one making the .mp3 into an executable.

> Thus, if ID3 provides a sanctioned
> way to initiate the extraction of arbitrary files hidden within music, I
> would think it to be an example of the Trojan Horse phenomenon.

Yup, but my understanding of the ID3 definition is that it contains
meta-data like artist, name, album etc. There should be no "extraction"
required to get this stuff out. Merely from this byte, or from this
delimiter to this delimiter is the name of the artist.

I wouldn't have thought that the ID3 definition had any means of
packaging anything - unless iTunes decided that it would be cool to say
that from this byte to this byte is a compressed image that can be
extracted as a separate file, in which case the guy who thought of that
is a moron.

> It would
> be possible, for example, for a cracker to insert malicious code into
> other people's audio files as part of website defacement.

And it would be pretty subtle too, evil...

> Although
> Trojans are by their definition (hmm...what definition?)

Here are some :-)

"The Collaborative International Dictionary of English v.0.48"

  Trojan horse \Tro"jan horse`\, n. [from the incident described in
     Homer's Iliad.]
     1. (Classical mythology) a large hollow wooden horse built by
        Greek soldiers besieging Troy during the Trojan War, and left
        as a "gift" when they pretended to abandon their siege. It was
        taken into the city by the Trojans, and Greek soldiers
        concealed inside came out and opened the gates to the city,
        enabling the capture of the city by the Greeks. [RP + PJC]
     2. Hence, any thing or person which appears harmless but is
        designed to destroy or attack from within. It may sometimes
        refer to a group; -- see also fifth column. [RP + PJC]
     3. (Computers) A computer program designed to evade the security
        precautions within a computer system and perform illicit
        operations, or to do malicious damage, and often designed to
        look like a different kind of program, such as a game,
        archiver, or directory lister. This term is not applied to a
        program that replicates itself, such as a virus. [RP + PJC]

"The Collaborative International Dictionary of English v.0.48"

  fifth column \fifth` col"umn\, n. [from a statement during the
     Spanish Civil War (1936) that the Falange had four columns of
     soldiers marching on the city, and a fifth column "already there"
     (i.e. sympathizers inside the Republican lines).]
     1. a group of persons inside the battle lines of a territory
        engaged in a conflict, who secretly sympathize with the enemy,
        and who engage in espionage or sabotage; -- sometimes also
        referred to as a trojan horse. [RP]
     2. Hence, any faction of persons within a group who secretly
        sympathize with an enemy, especially those who engage in
        activities harmful to the group; an enemy in one's midst; a
        group of traitors. [RP]

"WordNet (r) 2.0 (August 2003)"

  Trojan horse
     n 1: a subversive group that supports the enemy and engages in
          espionage or sabotage; an enemy in your midst [syn: fifth
          column, Trojan horse]
     2: a program that appears desirable but actually contains
        something harmful; "the contents of a trojan can be a virus or
        a worm"; "when he downloaded the free game it turned out to be
        a trojan horse" [syn: trojan]
     3: a large hollow wooden figure of a horse (filled with Greek
        soldiers) left by the Greeks outside Troy during the Trojan
        War [syn: Trojan Horse, Wooden Horse]

"The Free On-line Dictionary of Computing (19 Sep 2003)"

  Trojan horse
     <application, security> (Coined by MIT-hacker-turned-NSA-spook
     Dan Edwards) A malicious, security-breaking program that is
     disguised as something benign, such as a directory lister,
     archiver, game, or (in one notorious 1990 case on the Mac) a
     program to find and destroy viruses!

     A Trojan horse is similar to a back door.

     See also RFC 1135, worm, phage, mockingbird.

     [Jargon File]
     (1995-03-21)

"Jargon File (4.4.4, 14 Aug 2003)"

  Trojan horse
     n. [coined by MIT-hacker-turned-NSA-spook Dan Edwards] A
     malicious security-breaking program that is disguised as
     something benign, such as a directory lister, archiver, game, or
     (in one notorious 1990 case on the Mac) a program to find and
     destroy viruses! See back door, virus, worm, phage, mockingbird.

> [Trojans are by their definition] a social
> engineering exploit, a pure social engineering exploit would not need to
> involve the concealment of an executable payload.

Well, a Trojan Horse wouldn't have worked unless it was brought into the
walls, so I agree with you here, and must confess that I would be wrong
if the above was the case and the iTunes application extracted a file
from the .mp3 and stored it on the file-system.

> I did think at first that it must be iTunes-specific, because iTunes is
> the default player for MP3 files. (Intego hasn't provided sufficient
> details.) However, it might be a common vulnerability amongst audio
> players that interpret ID3 headers. On most UNIX systems, however, you'd
> also need to set the "executable" permission -- something that probably
> can't be conveyed via ID3.

I would have thought that this was also the case under OS X - is that
not so?

> I suspect that it's unlikely that a malicious exploit would be a virus
> -- more likely a worm.

..dunno.. (speculating wildly by this stage)

> > So now we're opening the same file twice?
>
> Not by the sound of what I've read on the web. (The double-open
> procedure was merely my own speculation.)

Ah..

> > I realise I'm arguing semantics here, but in this world I believe that
> > this is important, because the difference determines where the fix lies
> > - the User, the OS or iTunes.
>
> I suspect this problem does not lie with the OS or the user. It's either
> with ID3 or iTunes (most likely: iTunes' overzealous honouring of ID3).

Yup.

> > If I were you and you didn't have a completely separate machine that you
> > would be prepared to sacrifice, I wouldn't even have gone as far as you
> > state you have...
>
> I didn't believe that a StuffIt Expander, `vim` or `file` exploit was
> involved. However, you are correct that I don't consider my test machine
> 'entirely sacrificial'. I did think twice before using StuffIt Expander,
> and perhaps I shouldn't have carried through with it. However, I cannot
> see any evidence that any files were modified as a result of
> 'unstuffing' the file (apart from com.stuffit.Expander.plist, which I
> have now removed), nor can I see any suspicious processes.

But when you play with fire it's good to be careful.

I suppose the really creepy thing would be if you could construct an
.mp3 that had an embedded pay-load that was extracted by the player and
that, depending on which processor it ran on, would be executable code
for either i386 or PPC. Now that would be really evil - 99% of home
computers in one hit :-)

> > > Get a Mac! Oops ;-)
> >
> > I did - two years or so later - a Mac 512ED, which served me well for
> > four years when I sold it just before the LC came out.
>
> Ah, yes, I think the 512K was my mainstay during primary school.

The ED was a MacPlus with 512K ram, so it had a HDD floppy drive, larger
ROMs and had SCSI - but I'm getting old and I haven't looked at
lowendmac to see what the real differences are --- Ah, bugger it:

<http://www.lowendmac.com/compact/guide.html>

But I note that the 512Ke is *not* the same as an ED!

- Basically look in the Plus column and ignore the memory - that's 512Kb
- it was sold to educational institutions in Holland - I bought mine at
  the University of Delft and getting on the train with 4,000 guilders
  didn't bother me at all (even though that was the most amount of money
  I'd ever had in one place ever), it was going home to Leiden on the way
  back with a Macintosh Box, software, external drive and carry case that
  gave me the willies...

Onno Benschop

Connected via Optus B3 at S38°01'05" - E145°25'10" (Upper Beaconsfield, VIC)
--
()/)/)()        ..ASCII for Onno..
|>>?            ..EBCDIC for Onno..
--- -. -. ---   ..Morse for Onno..

Proudly supported by Skipper Trucks, Highway1, Concept AV, Sony Central, Dalcon
ITmaze   -   ABN: 56 178 057 063   -   ph: 04 1219 8888   -   onno at itmaze dot com dot au
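A small scanner for the kind of ID3 packaging the thread is about, added here as an example and not code from anyone in the thread: it walks the frames of an ID3v2.3/2.4 tag at the start of a file and reports every GEOB ("general encapsulated object", the frame James refers to as GEO; ID3v2.2 spells it GEO) together with its MIME type and embedded filename, then flags any object named like the host file or carrying a non-audio MIME type. The sample tag is constructed inline and its object bytes are placeholder zeros, not a real binary.

```python
import struct

_CODECS = {0: "latin-1", 1: "utf-16", 2: "utf-16-be", 3: "utf-8"}  # ID3 encoding byte -> codec

def _synchsafe(b):
    # ID3v2 tag sizes (and v2.4 frame sizes) are four 7-bit bytes
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def _read_str(buf, pos, codec):
    # Terminated string: one NUL byte for 8-bit codecs, two for UTF-16
    width, end = (2 if codec.startswith("utf-16") else 1), pos
    while end + width <= len(buf) and buf[end:end + width] != b"\x00" * width:
        end += width
    return buf[pos:end].decode(codec, errors="replace"), end + width

def find_geob_frames(data):
    """(mime, filename, description, payload) for each GEOB frame in an ID3v2.3/2.4 tag."""
    if len(data) < 10 or data[:3] != b"ID3" or data[3] not in (3, 4):
        return []  # no ID3v2 tag, or a version this scanner does not parse
    major, tag_end, pos = data[3], 10 + _synchsafe(data[6:10]), 10
    if data[5] & 0x40:  # extended header: v2.3 size excludes itself, v2.4 includes it
        pos += struct.unpack(">I", data[10:14])[0] + 4 if major == 3 else _synchsafe(data[10:14])
    found = []
    while pos + 10 <= min(tag_end, len(data)):
        fid, raw = data[pos:pos + 4], data[pos + 4:pos + 8]
        if fid == b"\x00\x00\x00\x00":
            break  # reached the tag's padding
        size = struct.unpack(">I", raw)[0] if major == 3 else _synchsafe(raw)
        body, pos = data[pos + 10:pos + 10 + size], pos + 10 + size
        if fid == b"GEOB" and body:
            mime, p = _read_str(body, 1, "latin-1")  # MIME type is always Latin-1
            name, p = _read_str(body, p, _CODECS.get(body[0], "latin-1"))
            desc, p = _read_str(body, p, _CODECS.get(body[0], "latin-1"))
            found.append((mime, name, desc, body[p:]))
    return found

def objects_to_flag(data, host_name):
    # Report an object named like the host file (the thread's case) or with a non-audio MIME type
    return [name for mime, name, _, _ in find_geob_frames(data)
            if name == host_name or not mime.startswith("audio/")]

def build_sample():
    """Constructed ID3v2.3 tag (title + GEOB named like the host file) then fake audio bytes."""
    def frame(fid, body):
        return fid + struct.pack(">I", len(body)) + b"\x00\x00" + body
    payload = b"\x00" * 24  # placeholder object bytes, not a real executable
    geob = b"\x00application/octet-stream\x00virus.mp3\x00\x00" + payload
    frames = frame(b"TIT2", b"\x00Song") + frame(b"GEOB", geob)
    hdr = b"ID3\x03\x00\x00" + bytes((len(frames) >> s) & 0x7F for s in (21, 14, 7, 0))
    return hdr + frames + b"\xff\xfb" + b"\x00" * 64
```

Run `objects_to_flag(open(path, "rb").read(), os.path.basename(path))` over a file to get the list of embedded objects a player would have to write out before anything could be launched.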