OS X Trojan

Intego wrote this trojan themselves, and the only thing it does is launch iTunes and display a message that tells you that you launched an application and not an MP3. Their trojan doesn't erase anything or email anything, but they say that it could do those things if someone wanted it to.

This is less of a problem than they make it out to be, because most mail servers probably wouldn't keep the UNIX file attributes on the file when it was processed, so it would come in as just a plain file with no execute attribute. Also, most mail servers would strip the Mac resource fork on the file containing any execute attributes.

This is a complete NO RISK warning which it seems is something they're using to try and sell their software.
 
The bad publicity. Now people will say Macs are susceptible to viruses. I hope that this ::evil:: company goes under for making false claims to sell its product.
 
andychrist said:
"...It was discovered today by antivirus software company Intego, which manufactures VirusBarrier, a security suite for the Mac.... Luckily, this trojan hasn't been released into the wild... Intego offers its VirusBarrier Mac-security software for $59.95..."

Hmm... Now if this trojan hasn't actually been released, how did Intego "discover" it?

What a scam.

haha, that is such a good and overlooked point
 
The guy below Bo's post said it best:
From: Kaldari (kaldari@angelblade.com)
Subject: Re: Sorta-RFC-ish: Virus in MP3? (was Re: mp3 flood uploads)
Newsgroups: comp.sys.mac.programmer.misc
Date: 2004-04-09 08:59:18 PST
It looks like Intego has successfully launched a FUD campaign to sell
their security software based on your proof-of-concept.


PS:
[Homsar:~] michael% wtf is fud
FUD: fear, uncertainty and doubt

(I love Fink :p)
 
I think a solution to this dilemma is for Apple to develop a method to verify whether or not a file *is* the type of file it claims to be. It shouldn't be difficult in concept: the operating system not only knows what file-type extensions are and which programs can open them, but it needs a way to determine if that file really is *that* type of file. It simply has to scan a file with a known (and unknown) file extension and test whether or not the data in that file-type matches the extension, i.e. .mov, .mp3, .jpeg, .html, .xml. I suppose the operating system would be passing the file through a program that is both like an interpreter and a database. If a file runs through it (and it cannot be executed no matter what data is being passed through it), and it doesn't match, the file should be placed into a protected folder, perhaps an "Unknown File Type" folder, or placed into the Trash and deleted.

Currently, it's not difficult to "fool" Mac OS X; take any folder and rename it FOLDER.app and it should become a "program/application". This is the technique Steve Jobs & Co. at NextStep came up with from experience with Macintosh files losing their resource forks when Unix and other platforms transferred files over the internet. Other platforms disregard the resource fork and only send the data fork. To overcome this problem, NextStep just included everything in one folder, which the NextStep GUI displayed as being "one file". Other platforms just sent the entire folder, hence nothing was lost in transfer.
 
yeah.. recently heard about it... it's a pity. but like bobw said.. it was a matter of time... i hope Steve Jobs finds the answer!!!
 
I totally agree with you... it shouldn't be so difficult to find a way for the OS to know what file is an mp3 and what file is an application.. i have faith in Steve J!!!
 
chemistry_geek said:
It shouldn't be difficult in concept: the operating system not only knows what file-type extensions are and which programs can open them, but it needs a way to determine if that file really is *that* type of file. It simply has to scan a file with a known (and unknown) file extension and test whether or not the data in that file-type matches the extension.

In theory that's not a bad idea. However, let's look at it from a resource standpoint: how long does it take you to import one 2-minute track from a CD? It takes me, let's say for argument's sake, 1 minute on my iMac, assuming that the resultant file is about 3 megs.

Considering I have 50 gb of files on my hard disk, that kind of scan would take a heck of a long time. And of course it would have to scan files continuously, or when they're opened to account for overwritten files.

Good concept though.
 
"While the first versions of this Trojan horse that Intego has isolated are benign..."

How do you "isolate" something that exists only in theory?

"The other day, upon the stair,
I met a man who wasn't there.
He wasn't there again today--
I do so wish he'd go away."
 
The other problem with scanning / testing files would be that you would have to develop a separate test for each extension. MP3s would mean your OS would have to be an MP3 player, for example.

That's all fine and dandy, but would the OS then be automatically launching viruses when it attempts its scan?
 
The OS wouldn't need to be an MP3 player (but it could easily, thanks to QuickTime). It just needs to test if the data matches what the file says it does. Or even simpler, if the file says it's something but it actually is executable code.
 
MacFixIt reader Rick Bargerhuff writes "Simply attach the folder action to the folders where your downloads go to. The following is a comment I posted under the comment section on this article.


"This 'alert' has always existed in the Mac OS but has been under the radar for a long time until now. So I decided to code a Folder Action which I hope will ease Mac user's minds.


"The Folder Action will check any files or folders to see if a file's name extension corresponds to the file's Type and kind. If it does not meet this criteria, the script asks the user if they want to quarantine the file. If the file does not have an extension and the file's type and kind indicates it is an application, the script acts as if the file did not meet the criteria. If the user chooses to quarantine a file, the script creates a folder named 'Quarantined' which is created inside the directory the Folder Action is attached to. More info is available in the read me."


The folder action can be downloaded from
http://home.comcast.net/~c0ugar/files/Mismatch.sit.
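A content-versus-extension check of the kind the Folder Action above performs (and that the earlier "scan the file and see if the data matches the extension" posts ask for), written here as an added Python example; it is not Rick Bargerhuff's script or any tool this thread mentions. The magic-number table and the "Quarantined" folder name are assumptions; the resource-fork check uses the HFS+ `..namedfork/rsrc` path and is simply skipped on file systems that lack it.

```python
import os
import shutil
import tempfile
# Leading bytes a genuine file of each extension starts with (assumed rule table).
DOCUMENT_MAGIC = {".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
                  ".jpg": (b"\xff\xd8\xff",), ".xml": (b"<?xml",)}
# Mach-O magic (32-bit, either byte order, fat) and a shebang: native code.
EXECUTABLE_MAGIC = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"#!")

def classify(path):
    """Return 'executable', 'mismatch', 'match' or 'unknown' for one file."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    ext = os.path.splitext(path)[1].lower()
    # Resource-fork code (the 2004 trojan's home) is a named fork on HFS+.
    rsrc = path + "/..namedfork/rsrc"
    has_rsrc = os.path.isfile(rsrc) and os.path.getsize(rsrc) > 0
    if head.startswith(EXECUTABLE_MAGIC) or os.access(path, os.X_OK) or has_rsrc:
        return "executable"
    if ext not in DOCUMENT_MAGIC:
        return "unknown"
    return "match" if head.startswith(DOCUMENT_MAGIC[ext]) else "mismatch"

def scan_folder(folder):
    """Classify each file; move executables and mismatches into Quarantined/."""
    quarantine = os.path.join(folder, "Quarantined")
    verdicts = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            verdicts[name] = classify(path)
            if verdicts[name] in ("executable", "mismatch"):
                os.makedirs(quarantine, exist_ok=True)
                shutil.move(path, os.path.join(quarantine, name))
    return verdicts

def demo():
    # Constructed samples in a throwaway folder; returns (verdicts, quarantined names).
    folder = tempfile.mkdtemp()
    samples = {"song.mp3": b"ID3\x03\x00" + b"\x00" * 20,       # genuine ID3 tag
               "bait.mp3": b"\xfe\xed\xfa\xce" + b"\x00" * 20,  # Mach-O named .mp3
               "notes.jpg": b"<html>not a picture</html>",      # wrong content
               "readme.txt": b"plain text"}                     # no rule for .txt
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    verdicts = scan_folder(folder)
    quarantined = sorted(os.listdir(os.path.join(folder, "Quarantined")))
    shutil.rmtree(folder)
    return verdicts, quarantined
```

Unlike the Finder's icon, which the thread notes can be fooled by a resource fork or a renamed folder, this looks at the data fork's first bytes and the execute bit, so a Mach-O file named like a song is caught before anything double-clicks it.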
 
OpenOSX Publishes Free TrojanDefuser

Meanwhile OpenOSX has announced the immediate availability of TrojanDefuser, offering users "drag and drop operation that will render files suspected of being the recently discovered variations of the Trojan Horse 'MP3Virus.Gen' harmless, by making a copy of the suspected file without the resource fork, therefore eliminating the potentially malicious code and at the same time preserving the data fork of the file."


"If the software detects a potential "Trojan Horse", a copy of the file(s) that are suspect will be created in the same location as the original(s) starting with the prefix "SAFE_", ending with the original file name and leaving the original file intact. For example, a "disinfected" version of "virus.mp3" would become "SAFE_virus.mp3"." The tool is available for free download from

http://OpenOSX.com/support/
 
I think what it should really be doing is a simple scan when you do an action which *COULD* launch code in the Finder (where the vulnerability really lies) when opening a file, and if it is executable code with an extension that isn't .app (Extension-less apps could be assumed fine for CFM situations)... it asks if you want to open it as a document or an application. The Finder already reports this 'trojan' as an Application as the file type, especially if you view in column mode.

Such a simple dialog saying "This file has extension '.whatever', but is actually an application. You can open this file as a document belonging to '<Default File Handler of the Type Here>', open this as an application, or cancel opening this file." with the choices: Open as Document, Open as Application, Cancel. This would bring the user into a situation where user intervention is needed. (There should NOT be a default behavior for this situation)

Would make it so that the only people who could catch a trojan using this particular method would be ones downloading an MP3 and clicking on "Open Application" anyways.
 
Is this a virus?

I have gotten a few emails within the last couple of days that have "applications" attached to them. Of course I did not launch these attachments, but I'm curious as to what they are. I have not gotten any such emails before.

From: dzieci@mindspring.com
Subject: Re: here
Date: April 13, 2004 4:27:33 PM CDT
To: xxxxxxxxx

I have received your document. The corrected document is attached.

[29.1 KB "application" with Folder icon]


-------------------

From: drkgotham@yahoo.com
Subject: Re: Message Error
Date: April 12, 2004 10:25:58 AM CDT
To: xxxxxxxxxxxx

SMTP: Please confirm the attached message.

[28.9 KB file "msg.scr" with blank generic paper icon]


--------------------

Do these seem viral?
 
*.scr is a Windows virus.

There haven't been any reports of this in the wild, and I doubt there ever will be because email servers will strip off the resource fork that makes the file executable.
 