
More on the Mac OS X type/creator, .extension "trojan horse"

CNET staff

Continuing our coverage of the MP3Concept (MP3Virus.Gen) potential vulnerability - which exploits a weakness in Mac OS X where an application can be made to look like another type of file - we have a new Folder Action script that checks whether a file's name extension matches its Type and Kind.

MacFixIt reader Rick Bargerhuff writes "Simply attach the folder action to the folders where your downloads go to. The following is a comment I posted under the comment section on this article.

"This 'alert' has always existed in the Mac OS but has been under the radar for a long time until now. So I decided to code a Folder Action which I hope will ease Mac users' minds.

"The Folder Action will check any files or folders to see if a file's name extension corresponds to the file's Type and Kind. If it does not meet these criteria, the script asks the user if they want to quarantine the file. If the file does not have an extension and the file's Type and Kind indicate it is an application, the script acts as if the file did not meet the criteria. If the user chooses to quarantine a file, the script creates a folder named 'Quarantined' inside the directory the Folder Action is attached to. More info is available in the read me."

The folder action can be downloaded from http://home.comcast.net/~c0ugar/files/Mismatch.sit.

Restricting application usage

In order to prevent unsuspecting users from launching potentially harmful files disguised as MP3s, MacFixIt reader Jack Pate suggests simply restricting application launch capabilities to a certain folder - namely the default /Applications directory.

"To nip this whole thing in the bud, simply change the "limitations" of all your users to only applications in the Applications folder (and OS9 Apps, if applicable. . . ). It's an easy 'check-box' setting, and should TOTALLY eliminate the threat, because it would prevent any executable code from being run outside these apps, while still allowing .sit files to open normally and EVEN 'real' MP3 files, because it would be launching a qualified app in the approved folder to play it."

OpenOSX Publishes Free TrojanDefuser

Meanwhile OpenOSX has announced the immediate availability of TrojanDefuser, offering users "drag and drop operation that will render files suspected of being the recently discovered variations of the Trojan Horse 'MP3Virus.Gen' harmless, by making a copy of the suspected file without the resource fork, therefore eliminating the potentially malicious code and at the same time preserving the data fork of the file."

"If the software detects a potential 'Trojan Horse', a copy of the file(s) that are suspect will be created in the same location as the original(s) starting with the prefix 'SAFE_', ending with the original file name and leaving the original file intact. For example a 'disinfected' version of 'virus.mp3' would become 'SAFE_virus.mp3'." The tool is available for free download from http://OpenOSX.com/support/
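The two defensive ideas above - the Folder Action's extension-versus-Kind check and TrojanDefuser's data-fork-only copy - are easy to see in a few lines of code. The following Python script is an added example written for this page; it is not code from MacFixIt, from Rick Bargerhuff's Mismatch Folder Action, or from OpenOSX. The extension table, the `SAMPLE` listing, and all helper names are the example's own constructions; `mdls` is a real macOS tool, but the `finder_kind` wrapper around it only runs on macOS and returns "unknown" elsewhere, and the `..namedfork/rsrc` path used to measure a resource fork exists only on Apple file systems.

```python
"""Extension/Kind mismatch check plus a data-fork-only 'defusing' copy.

Added example, not code from MacFixIt, the Mismatch Folder Action, or
TrojanDefuser. Tables, sample records and helper names are constructed.
"""
import os
import shutil
import subprocess
import sys

# What Kind family a given extension should belong to (constructed table).
EXPECTED_KIND = {
    "mp3": "audio", "m4a": "audio", "aac": "audio", "aif": "audio", "wav": "audio",
    "jpg": "image", "jpeg": "image", "gif": "image", "png": "image",
    "sit": "archive", "zip": "archive", "dmg": "archive",
    "txt": "text", "pdf": "document", "doc": "document",
    "app": "application",  # a real application bundle is allowed to be one
}
APP_KINDS = ("application", "unix executable", "script")
FAMILIES = ("audio", "image", "archive", "text", "document")


def split_extension(name):
    """Return (stem, lowercase extension); extension is '' when absent."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:  # no dot at all, or a dotfile such as '.profile'
        return name, ""
    return stem, ext.lower()


def kind_family(kind):
    """Collapse a Finder Kind string ('Classic Application', 'MP3 Audio File')
    into a family; None when the string tells us nothing."""
    k = kind.lower()
    if any(a in k for a in APP_KINDS):
        return "application"
    for fam in FAMILIES:
        if fam in k:
            return fam
    return None


def is_mismatch(name, kind):
    """The Folder Action's rule: flag a file whose extension promises one
    family while its Kind says another, and flag any extensionless file or
    unknown extension whose Kind is an application."""
    _, ext = split_extension(name)
    family = kind_family(kind)
    if family is None:
        return False  # nothing to compare against
    expected = EXPECTED_KIND.get(ext)  # None for '' or an unknown extension
    if expected is None:
        return family == "application"
    return family != expected


def scan(records):
    """records: iterable of (name, kind) pairs. Returns names to quarantine."""
    return [name for name, kind in records if is_mismatch(name, kind)]


def finder_kind(path):
    """Ask Spotlight for the Kind string (macOS only; 'unknown' elsewhere)."""
    if sys.platform != "darwin":
        return "unknown"
    out = subprocess.run(["mdls", "-name", "kMDItemKind", "-raw", path],
                         capture_output=True, text=True)
    return out.stdout.strip() or "unknown"


def resource_fork_size(path):
    """Bytes in the resource fork, reached through the ..namedfork path on
    Apple file systems; 0 where no such fork exists."""
    try:
        return os.path.getsize(os.path.join(path, "..namedfork", "rsrc"))
    except OSError:
        return 0


def defuse(path):
    """TrojanDefuser-style copy: write SAFE_<name> beside the original from
    the data fork only. An ordinary read never touches the resource fork, so
    any CODE resources are left behind while the data bytes survive."""
    directory, name = os.path.split(path)
    safe_path = os.path.join(directory, "SAFE_" + name)
    if os.path.exists(safe_path):
        raise FileExistsError(safe_path)
    with open(path, "rb") as src, open(safe_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return safe_path


SAMPLE = [  # constructed Finder listing, including the iTunes Sampler case
    ("Max Graham Airtight.mp3", "Classic Application"),
    ("song.mp3", "MP3 Audio File"),
    ("Mismatch.sit", "StuffIt Archive"),
    ("Installer", "Application"),
    ("README", "Plain Text Document"),
    ("iTunes.app", "Application"),
]

if __name__ == "__main__":
    for name in scan(SAMPLE):
        print("quarantine:", name)
```

Run as a script it lists the two entries of `SAMPLE` that the Folder Action would offer to quarantine; on a real Mac, `scan((f, finder_kind(f)) for f in os.listdir("."))` applies the same rule to a download folder, and `defuse()` produces the `SAFE_` copy for anything flagged.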

Users finding suspicious files

Via the methodology listed in Friday's edition, users are finding some strange files - some of them, oddly, in Apple's own software.

Terrell Smith writes "I did a search in Finder on my HD for any file "Name contains .mp3" and "Kind: Application," and was surprised to discover that the old iTunes Sampler that came with the original iTunes has a file called "Max Graham Airtight.mp3" which is also a Classic Application. Creation date is Jan 22, 2001."

Symantec posts LiveUpdate file

The update for Norton AntiVirus from Symantec covering MP3Concept has been posted via the company's LiveUpdate mechanism.

There is also a manual download link for the new definition.

As posted to Symantec's Web site: "MP3Concept is a proof-of-concept Trojan targeted at the Mac OS X platform, that is currently not seen 'in the wild.' It is not spreading or infecting Mac users. The proof-of-concept program does not contain any malicious payload such as viral code, ability to email itself or perform destructive functions such as deleting files. It only contains code to display a message box and mp3 audio data of a man laughing."

Feedback? Late-breakers@macfixit.com.
