The Mac OS X type/creator, .extension "trojan horse"; clarification from Intego
The Mac OS X type/creator, .extension "trojan horse"; clarification from Intego
Intego on Thursday issued a security warning to its customers for the first Trojan horse to affect Mac OS X. Dubbed MP3Concept (MP3Virus.Gen), the Trojan horse exploits a weakness in Mac OS X where applications can appear to be other types of files, according to the company.
The issue is that the OS X Finder can be fooled to represent an application as a file. This occurs because the Finder depends on two different sources of information for how to display an object: it uses both file type/creator codes, for compatibility with OS 9; and also can use .extensions, introduced in OS X.
In this instance, the file type is set to "application", and the .extension is set to "file".
This "exploit" is only one step further from simply renaming an application file with a different extension, ".mp3" for instance. The only difference is that Mac OS X can be fooled into actually launching an application based on the false file type/creator codes and .extensions - iTunes for a file with a .mp3 extension for instance. However, it would seem that any damage done by a file disguised in this manner would already be done when it the application (appearing as a data file) is double-clicked.
Before we delve any further into the issue, there is a simple way to see if any of these files exist on your computer. Simply do a Finder-based search (Command-F) and set two criterion:
- Name contains: place a file extension here; .mp3, .jpeg, .wmv, etc.
- Kind: application
Any files that pop up (including a non-harmful example of the "trojan horse") are likely of the same nature that Intego is describing.
MacFixIt reader Michael Dinsmore writes:
"The practical result of this is illustrated by the proof of concept application posted here. The demonstration code only displays a warning dialog and plays a song: but that dialog could be easily converted to do anything that the currently logged in user has the authority to do, including delete their home directory with all of their data. It wouldn't be capable of doing anything that the current user is not able to do, like implanting a backdoor to the system; but losing all of your data is plenty bad enough.
"The trojan will display some attributes as a regular file: it has an MP3 icon, an MP3 .extension, and will even play a song if double clicked or dropped on iTunes. At first glance, it appears very much like a regular .mp3. However, the same file also has attributes of an application. It is labeled an application in the Get Info window, and in column view. It does not have the playback control that a normal mp3 does in column view.
"If you use a utility that can see file types and creator codes in terminal, you will see that it has type APPL--reserved for applications. It has been noted that the file needs to have it's resource forks preserved during transmission to be effective, which generally means it needs to be compressed. Therefore, as Stuffit is required to make it work, Stuffit can also be used to help thwart it.
Stuffit 8.0.2 Although Stuffit 8.0.2 has a preference that will toggle "Set Execute permissions by default", and indeed if the check box is unchecked this file will not have the x bit set in the terminal, it will nonetheless execute. Therefore, this preference is of no help.
However, Stuffit 8.0.2 can also be set to call a virus scanner to scan decompressing files. Setting this to Intego's VirusBarrier, with the latest virus updates, does indeed flag the file as having an issue during decompression.
UPDATE: Gregory Lawhorn has an important reminder for those who choose to scan files during StuffIt expansion:
"Stuffit Deluxe and Stuffit Expander have separate preferences, and both need to be set to do this - setting Stuffit Deluxe alone won't change the Stuffit Expander preferences."
Forum threads Meanwhile, there two threads going about the first Trojan that affects Mac OS X in the MacFixIt Forums.
- "Trojan Horse for Mac OS X reported" in the Mac OS X 10.x forum:
- "Hey Mike - first OS X confirmed trojan?" in the Symantec for Mac forum
UPDATE: Some MacFixIt readers took issue with Intego's handling of the vulnerability's announcement, noting that the company simultaneously performed a good service by discovering the flaw, but essentially laid out the exploit for those who would like to use it with malicious intent.
Joe. F writes:
"Bravo to their tech people for spotting the flaw, describing it, and providing a fix -- thumbs down to their management and marketing people who decided to exploit the work of the tech people.
"To use a virus example. Suppose a drug company had the only effective treatment for smallpox. Suppose it then decided to send weakened samples of the smallpox virus to anyone who asked with suggestions that the weakened smallpox could be turned into a robust virus that would cause major illness if it were to be spread throughout the population. When the company reaped great profit from its increased sales to treat the resulting epidemic, should we all cheer for its contribution to fighting disease?"
Intego has now issued a new press release clarifying their position, providing correct details, and includes a justification for releasing the original press release. An excerpt:
"While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks. The exploit that it uses is both insidious and dangerous and it is our duty as a vendor of Macintosh security solutions to protect our users. We don't believe in waiting until the damage occurs, unlike some of our competitors. The Intego Virus Security Laboratory quickly discovered how to block this Trojan horse and prevent it from running its code and as part of our commitment to our users, it was only natural that we release this in our latest virus definitions for Intego VirusBarrier.
"We initially hesitated about releasing this information, but finally decided that it was our responsibility to alert users to this security risk.
"It should be noted that while Intego was the first to publish information about this Trojan horse, both Symantec and McAfee released updates to their antivirus software after the publication of our press release. However, these companies do not specify whether their updates protect against this Trojan horse. [...]
"As far as we know, this Trojan horse is benign today, but nothing prevents a malicious hacker from using this same technique to create a dangerous Trojan horse. We have examined the code contained in this Trojan horse and it doesn?t delete any files or change anything in Mac OS X, but we cannot be sure exactly what this Trojan horse is doing now, or whether it will have other effects in the future. In any case, protecting users now is better than responding too late, especially when we are aware of the threat."
UPDATE: Update from Symantec coming Symantec's Cary Kwok told MacFixIt that a new virus definition for Norton AntiVirus, addressing the "MP3Concept" vulnerability, is on its way:
"Concept (MP3Virus.Gen) is a Trojan that imbeds mp3 data in an application. Once the file is executed, the Trojan executes and displays the following message -- "Yep, this is an application. So what is your iTunes playing right now?" After displaying the message, the program launches iTunes and plays the mp3 file.
"The Trojan will only execute if opened as an attachment. If the file is downloaded and opened through iTunes, the mp3 will play but the Trojan will not execute. This Trojan does not contain any malicious code. MP3Concept is a proof-of-concept Trojan and is not currently seen "in the wild" -- it is not spreading and infecting Mac users.
"Symantec Security Response is planning to post a definition today for the Trojan and we will continue to closely monitor for any unusual activities as well as other potential threats to the Mac OS X platform. "