First OS X exploit: Concept
Technology 04/08/2004
One of the (many) nice things about being a Mac user is our general invulnerability to the multitudes of viruses, trojan horses, and other exploits that threaten the ‘net on a regular basis. So it’s no wonder that the Mac world is all a-tizzy over anti-virus company Intego releasing news of what appears to be the first Mac OS X trojan horse, wrapped inside an apparent .mp3 file.
This Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files.
The Trojan horse’s code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X. Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.
As it turns out, there are some mitigating factors to this announcement that Intego either didn’t know about or deliberately chose to ignore in their press release. They haven’t been as widely reported, and really should be.
First off — and most importantly — yes, this should be taken seriously, as it does appear to be a very possible source of attack against OS X.
However.
This does not appear to be evidence of someone actually attempting to release a malicious attack into the wild.
Dori Smith was kind enough to point out this Usenet thread from comp.sys.mac.programmer.misc where the possibility of this exploit was first broached. During the discussion as to whether or not this was a real possibility, one of the people involved took it upon themselves to create a benign proof-of-concept.
This proof-of-concept seems to be what Intego found, and then proceeded to craft an accurate, but very alarmist press release around. While the concept definitely seems to be sound, and is something that OS X users should keep in mind when accepting files from untrusted sources, there does not appear to actually be a malicious attack of any sort currently propagating across the ‘net aimed at OS X users, no matter how much FUD Intego puts into their Security Alert.
As always, while it’s still very true that OS X is a far more safe and secure system than Windows, no system is entirely safe, and the user has to accept some amount of responsibility for their actions.
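A defender-side check for the technique Intego describes above (executable code carried in an MP3's ID3 tag), added here as an example and not code from Intego, the Usenet thread, or this post: it parses the ID3v2 tag header and flags executable-format magic numbers found inside the tag. The choice of ID3v2, the magic-number list, and the sample byte strings are assumptions constructed for illustration; a hit is a heuristic, since embedded artwork can contain the same bytes by chance.

```python
import struct

# Well-known magic numbers of executable formats Mac OS X can load.
EXEC_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
    b"Joy!peff": "PEF (CFM) executable",
}

def id3v2_tag_end(data):
    """Offset one past the ID3v2 tag, or None if the file has no valid tag."""
    if len(data) < 10 or data[:3] != b"ID3":
        return None
    flags, size_bytes = data[5], data[6:10]
    if any(b & 0x80 for b in size_bytes):  # size is syncsafe: top bits are 0
        return None
    size = 0
    for b in size_bytes:
        size = (size << 7) | b
    end = 10 + size + (10 if flags & 0x10 else 0)  # 0x10: v2.4 footer present
    return min(end, len(data))  # clamp a tag that claims to overrun the file

def scan_id3_for_executables(data):
    """Return sorted (file_offset, format) hits found inside the ID3v2 tag."""
    end = id3v2_tag_end(data)
    if end is None:
        return []
    hits = []
    for magic, name in EXEC_MAGIC.items():
        pos = data.find(magic, 10, end)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1, end)
    return sorted(hits)

# --- Constructed sample inputs (not real files) ---
def _tag(frames):  # ID3v2.3 header with a syncsafe size field
    n = len(frames)
    return b"ID3\x03\x00\x00" + bytes((n >> s) & 0x7F for s in (21, 14, 7, 0)) + frames
def _frame(frame_id, payload):  # ID3v2.3 frame: id, 4-byte size, 2 flag bytes
    return frame_id + struct.pack(">I", len(payload)) + b"\x00\x00" + payload

AUDIO = b"\xff\xfb\x90\x00" + b"\x00" * 32  # stand-in for MPEG audio data
BENIGN = _tag(_frame(b"TIT2", b"\x00Constructed title")) + AUDIO
SUSPECT = _tag(_frame(b"TIT2", b"\x00x")
               + _frame(b"PRIV", b"demo\x00\xfe\xed\xfa\xce" + b"\x00" * 16)) + AUDIO
```

Only the tag region is scanned, so the same bytes appearing later in the audio stream are not reported.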
iTunes: “Gutter Glitter” by Switchblade Symphony from the album Gothik (1995, 3:50).
7 Responses to “First OS X exploit: Concept”
April 9th, 2004 at 10:02 am
OH MY GOD!
the sky is falling, the sky is falling!!
(i get what you mean, it has to happen at some point right? still, one osx-focused trojan horse suddenly means the world is ending? p-shaw.)
April 9th, 2004 at 10:14 am
I must say I have more problems with iTunes and iChat destroying low level kernel elements than any outside virus or trojan horse. Just yesterday the two managed to force me, once again, to reinstall Panther. Apple always has been its own worst enemy. More reason to maintain frequent backups and CD/DVD copies of everything.
April 9th, 2004 at 10:36 am
Ouch…not good. While I’ve had the occasional glitch with iTunes (no problems with iChat, though my iSight continues to be flaky), nothing that’s prompted a reinstall yet. Sorry to hear about that.
April 12th, 2004 at 8:18 am
I’m curious as to why there HAVEN’T been more trojans for OSX… A lot of Windows-based trojans aren’t exploiting any security flaws other than human stupidity. And certainly, with Macs touting themselves (at least in the past) as the easier-to-use computer, you’d think the dumbasses writing trojans would try to take advantage of that.
April 12th, 2004 at 9:47 am
My best guess is that it’s simply that the Mac community at large tends to attract fewer “dumbasses”, and most of the people that are out there writing viruses/trojans/exploits don’t have Macs to work with.
Before you write me off as succumbing to more Mac elitism, though, look at it this way: a lot of the people coming up with these things are just a few steps removed from “script kiddies”, often seem to be in their teens to early twenties when we find out who they are, probably don’t have an incredibly high income, and so on. When they’re out to get their own computer to work on, they’re not very likely to be in the market for a Mac: while the TCO for a Mac is far lower than for a Windows box, it’s still very true that you can pick up a bare-bones PC for only a few hundred dollars, which you can’t do with a Mac. That $300 bare-bones PC won’t have nearly the features that even a low-end Mac will, but that’s not what they’re worried about. They just want a cheap box they can use and abuse to surf the web, hang out in IRC channels and pick up the latest tricks for their next exploit.
PC users see their boxes as “just a box” — a necessity in this day and age, but little more than a tool, and a tool that has a tendency to break down a lot. Mac users, on the other hand — well, as much as people tease us about the Cult of Mac, it’s not entirely untrue. On the whole, Mac users like their computers, anthropomorphizing them, imbuing them with their own personalities, and so on. For most of us, the concept of intentionally creating something to cause problems is fairly inimical to every reason that we use a Mac in the first place.
In short, it’s a matter of the differences between the personalities of the stereotypical PC user, the stereotypical trojan/virus/worm author, and the stereotypical Mac user.
April 13th, 2004 at 12:08 am
Solutions for MP3Concept
Another thing I like about the Mac community — there are a lot of very intelligent and creative people in it. Scant days after the proof-of-concept MP3Concept ‘trojan’ caused such a brouhaha in the Mac community, various approaches to dealing wit…
May 13th, 2004 at 1:51 am
Mac OS X Word 2004 Demo Trojan
For the second time in just over a month, panicky news stories are alerting us about a trojan horse attack against Mac OS X. Last time the exploit was disguised as an .mp3 file, this month it’s disguised as a Microsoft Word beta installer.