
Printed from http://www.macnn.com

More details on Trojan Horse for Mac OS X

updated 08:40 pm EDT, Thu April 8, 2004

Trojan Horse details

MacNN reader Dave Schroeder provided some more details on the Trojan Horse for Mac OS X earlier today: "This is actually a little bit of the Classic/Carbon paradigm catching up with us, and represents an oversight in the way Mac OS X handles presenting the file to the user. In the case of this proof of concept, a file can be made to appear as an ordinary mp3 file, complete with the familiar icon and .mp3 extension, and even audio content. However, the file contains a PowerPC code fragment - a piece of executable code; a little application - that can be made to do anything the author desires (limited by the permissions of the user executing it)."

"But here's how it does it: the file is really a Carbon (CFM) application, with file type APPL. The two methods of identifying files - file extensions (the new Mac OS X way) and file metadata (e.g., type/creator, resource forks; the old way) - are in conflict. So Mac OS X shows the file to you as an mp3, when in reality the behavior when double-clicked is that of an application. Therein lies the problem: since the file appears to be a legitimate mp3, a user may unwittingly double click it, executing the potentially malicious code - thus the proper description of this as a trojan horse.



"Further examination of the file, even a simple Get Info, does reveal that while it appears to be an mp3, the OS does recognize it as 'Kind: Application'. This special case - files that identify themselves as applications, but have inappropriate extensions, such as mp3 - could be easily handled by a security update. One other point about this trojan: since it is a CFM application with a resource fork, it will be rendered useless by any transfer method that does not explicitly retain the resource fork (compressing with StuffIt, encoding with MacBinary, for example). All in all, an interesting story, but it really represents taking advantage of a minor oversight in the way Mac OS X displays and handles potentially conflicting file extensions versus legacy metadata. Not really big news. :-) There is a proof of concept of this trojan here (though named "virus.mp3", this is not a virus)."



Update: Dave offered some more info:



Upon closer examination, the proof-of-concept trojan actually contains its own copy of iTunes' mp3 icon. The only area where this trojan is actually taking advantage of something that could legitimately be referred to as a Mac OS X shortcoming is the ability to display itself as a file with a .mp3 file extension, while still being handled by the operating system as an application. This is, once again, a function of the type/creator metadata, which takes precedence over file extensions. This trojan is almost pure social engineering, and not really an "exploit": it's one step away from merely creating a malicious Carbon application and giving it an mp3 icon, which is trivial, and merely naming it with a .mp3 extension. The one additional feature of the trojan is that it actually is a valid mp3 file; but once double clicked, the damage is done, regardless. One might argue that by spawning iTunes and playing itself as an mp3, the trojan may hide its true intent or confuse the user for just a few moments longer, but either way, the damage has begun - and likely ended - before the user has even noticed.



The only way for Apple to "fix" this would be to universally visually identify executable applications in some fashion. Whether or not this comes to pass, the true source of real widespread damage from trojans, virii, and worms is their ability to spread. Since any raw transmission without encoding that preserves resource forks effectively neuters the trojan, and since there are no easy ways to mass-propagate a virus using Windows- and Outlook-style methods on Mac OS X, this is really not a major issue at all.



"You will likely do more damage sending out a friendly email message politely asking people to move their home directories to the trash."




by MacNN Staff

Comments

  1. wrwjpn

    But Can it?

    My question is can it do any real damage? All apps I install always ask for my admin password. If I were to double click an x**.mp3 file and it asks for my password I would be suspicious. So it wouldn't be able to take down a system like in Windows.

  2. piracy

    It doesn't have to...

    It doesn't have to ask for an admin password - without an admin password, it could still potentially delete all the files you own within your home directory (or attempt to do so), or attempt to do things like email itself, etc. But any type of propagation would require a pretty high level of sophistication, because it would need to run its own mail server, since Mail.app cannot be scripted to send mail with attachments, AND it would have to carry a copy of itself in .sit or .bin format - and have some hope of reaching someone with a Mac on the other end.

  3. beeble

    so...

    So it wouldn't be hard then to have a copy of the trojan in stuffit compressed form contained with the code that it can send as an attachment in an email.

    This really could be quite lethal, but I guess you deserve what you get, not only for playing with an unknown attachment but also uncompressing it and then double clicking it. Frankly, are there people that stupid who use Macs? It seems like only a Dell user could be dumb enough to go through this lengthy procedure on something they don't know.

  4. John Lockwood

    Intego release has errors

    The Intego press release says the 'virus' is in the ID3 tag and this therefore implies that the 'virus' code is executed by iTunes.

    This is WRONG.

    The 'virus' is in the resource fork of the file AND NEVER GETS EXECUTED BY iTunes.

    The code gets executed if, and only if, you double click on the file.

    While this particular proof of concept example uses MP3 as a disguise, theoretically ANY document file type could be used in this manner (e.g. GIF, JPG, or even DOC and PDF).

    Furthermore, this approach could equally be used in Mac OS 9 as well as Mac OS X. It would even be possible to have a Carbon 'virus' to attack both.

    As other people have indicated the file has to be transferred over the Internet either as a MacBinary file, a BinHex file or a compressed archive (usually Stuffit). None of these formats would normally be used to transfer an MP3. However a valid scenario where a compressed archive might be, is sending multiple files to someone.

    A further idea would be to send it as a ZIP archive (you can also send resource forks this way). A Mac user would be less suspicious of a Mac virus in a ZIP file since they are more often associated with PCs.

    As most (all?) Mac web-browsers and email clients can automatically and invisibly decode MacBinary format the most dangerous approach would be for the file to be on a web-server in MacBinary format (which means it would not be readable by PCs) or as an attachment to an email (again in MacBinary format which again means it would not be readable by a PC). Because the Mac would automatically decode the MacBinary the user would not be aware of this and would simply see it as an 'MP3'.

    A further development would be for the Trojan to carry the code for its own SMTP engine (which is what all the latest PC viruses do). This gets round Mail clients preventing the scripted (automatic) sending of virus attachments. It would then send copies of itself in MacBinary format. It might also be able to use the various SMTP services built in to Mac OS X (at the Unix level).

    I am not sure how Apple will block this exploit. The obvious initial idea would be to require all Mac applications to have the extension of .APP in order to execute. However this would instantly break thousands of existing programs. Another more promising idea would be to not allow any extension except .APP or no extension at all to be run as an application (this would still successfully prevent MP3 etc. being exploited). However this means a move away from the historical freedom Mac users have had over file/application names. A possible compromise would be for a warning to be displayed if an application with an extension other than .APP is launched.

  5. jedi1yoda1

    question about fix

    "A possible compromise would be for a warning to be displayed if an application with an extension other than .APP is launched."

    Wouldn't this essentially make about 1/3 of applications annoying? Office applications do not have .APP. If I were a Windows user switching, I'd find this very annoying.

    However, couldn't there be a warning when the file extension and the metadata type are not obviously compatible. I mean, an mp3 meta and a .app extension are pretty far from the same file. I don't know much about this, I'm just trying to throw in some ideas. I'm sure this would be annoying to some too.

    On another note, I think that this is something that we in the Apple/Mac community need to band together and overcome. We can't let this be the beginning of the end of one of our major advantages. The circumstances of actually launching or getting this "bug" seem pretty hard to actually achieve, and I hope that we don't start appearing as stupid as the others...

    Anyway, let's hope Apple or someone can come up with a stop to this.
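The check the article describes (a file whose legacy type/creator says "application" while its extension says "mp3") and the conflict warning proposed in the comments above, written up as an added example; this is not code from the page, Intego or Apple. It assumes the classic Finder-info layout (bytes 0-3 of the 32-byte com.apple.FinderInfo attribute are the file type, bytes 4-7 the creator), that the stock macOS `xattr -px` tool is available for reading real files, and a constructed list of document extensions and sample blobs.

```python
"""Flag files whose legacy HFS type says "application" while their name
claims a document: the mismatch the MP3Concept proof of concept relies on.
Assumed layout: bytes 0-3 of the 32-byte com.apple.FinderInfo attribute hold
the file type, bytes 4-7 the creator. Lists and samples are constructed."""
import struct
import subprocess
from pathlib import Path

# Extensions a user reads as "document"; an APPL type behind one of these
# is exactly the conflict the article describes. Constructed list.
DOCUMENT_EXTENSIONS = {".mp3", ".jpg", ".jpeg", ".gif", ".mov", ".doc", ".pdf"}
APPLICATION_TYPE = "APPL"  # file type of a CFM/Carbon application

def parse_finder_info(blob):
    """Return (file_type, creator) from a FinderInfo blob, or (None, None)."""
    if blob is None or len(blob) < 8:
        return None, None
    ftype, creator = struct.unpack(">4s4s", blob[:8])
    return ftype.decode("mac_roman"), creator.decode("mac_roman")

def classify(filename, finder_info):
    """Verdict for one file, given its name and raw FinderInfo bytes."""
    ext = Path(filename).suffix.lower()
    ftype, creator = parse_finder_info(finder_info)
    if ftype is None:
        return "no-legacy-metadata"  # extension alone decides; nothing to compare
    if ftype == APPLICATION_TYPE and ext in DOCUMENT_EXTENSIONS:
        # Finder launches this as an application while name and icon say "document".
        return f"WARN: application disguised as {ext} (type {ftype!r}, creator {creator!r})"
    if ftype == APPLICATION_TYPE:
        return "application"
    return "document"

def read_finder_info(path):
    """macOS only: fetch com.apple.FinderInfo via the stock xattr(1) tool;
    returns None when the tool or the attribute is absent (assumed usage)."""
    try:
        out = subprocess.run(["xattr", "-px", "com.apple.FinderInfo", str(path)],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return bytes.fromhex("".join(out.split()))

# Constructed samples: APPL named like an MP3, a real-looking MP3, no metadata.
SAMPLES = {
    "virus.mp3": b"APPL????" + b"\x00" * 24,
    "song.mp3": b"MPG3hook" + b"\x00" * 24,
    "plain.mp3": None,
}

def scan(samples):
    """Map each file name to its verdict."""
    return {name: classify(name, blob) for name, blob in samples.items()}
```

On a Mac, `classify(p, read_finder_info(p))` runs the check against a real file; elsewhere `scan(SAMPLES)` exercises the same logic on the constructed blobs.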

  6. LouZer

    Re: question

    On another note, I think that this is something that we in the Apple/Mac community need to band together and overcome. We can't let this be the beginning of the end of one of our major advantages. The circumstances of actually launching or getting this "bug" seem pretty hard to actually achieve, and I hope that we don't start appearing as stupid as the others...


    Ummm, how do you propose we 'band' together. Start some club to stop trojans? Vow never to write viruses for our platform? Stop drinking and computing?

    It's actually easy to achieve this 'bug'. There isn't anything to it at all. (If you're trying to hide the fact that your mark has just launched a trojan, it takes more work, but a simple trojan is easy to make). By the way, you people do realize you can 'infect' your computer with a trojan by running an actual App, as well as something hiding as an app, right? I mean, take MS Office (please!). All MS would have to do is throw a block of code at the start to put some insidious hidden program on your computer in your Library folder, run it at this time (or some inopportune time in the future), and because Word starts up, you'd never know it.

  7. LouZer

    Re: question

    [Continued because I accidentally hit enter]

    By the way, we like to think of Mac users as being smarter than your average PC drone (well, by default we'd have to be, since we use Macs). But the whole Bagle/Netsky trojans/viruses on the windows side just show how gullibly stupid computer users can be. I mean, not just running an EXE, but running an EXE inside a ZIP file? And running an EXE inside a password protected zip, in an email that says "Mail delivery failure" even though you didn't send mail to the person in question, let alone in a zip file that's got a password, which is shown as a graphic, not just text.

    The GraphicAccelerator 666 trojan in OS 8/9 shows you how gullible Mac users are when finding something on Hotwire (or whatever those warez boards are called).

  8. l008com

    hmmmm

    Making an application look like a file? That's all this is, right? You've been able to do that on Macs and PCs since the beginning of time. I think we've all tricked a friend back in the day by disguising an AppleScript so it looks like a ReadMe. This isn't a big deal at all. This is nothing new. It's just a Mac security company trying to sell some software, which must be very hard to do since OS X came along. Hopefully this doesn't get on any REAL news, because people will believe that Macs do have viruses now, when in reality, this is not true.

  9. piracy

    Re: hmmmm

    Already on TechTV, complete with lies:

    http://www.techtv.com/screensavers/answerstips/story/0,24330,3664271,00.html

    What's funny is the article says:

    "Mac OS X may not have the same user base as Windows, but today it proved it has some of the same vulnerabilities."

    What vulnerability? The ability to write a run-of-the-mill application that does something malicious, and name it to try to hide that it's an executable?

    "Long heralded as a safer alternative to Windows due to the lack of exploits, Apple is now facing some of the same security concerns as its industry-leading rival, Microsoft."



    No one ever said that Mac OS X was immune to viruses, trojans, or security issues. No OS is. And, right on cue, the articles will begin to flood out that proclaim that Mac OS X isn't secure after all, as if one social engineering exploit - and a proof-of-concept at that - suddenly pulls Mac OS X to the level of Windows, which is a ludicrous claim at best. Market share and installed base completely aside, Mac OS X is a much, much more inherently secure operating system from fundamental standpoints of philosophy, design, and implementation, and one virus vendor twisting around an application handling issue that Mac OS X has always had - and been known to have since day one - into a trojan horse scare doesn't change a thing.

    Where were TechTV and Cnet for the last 4 years when the metadata vs. file extension issue was beaten to death thousands of times in many fora? I can't wait for the laughable articles trumpeting that Mac OS X has the same vulnerabilities as Windows, completely ignoring issues of infection vectors, spread, diversification of email clients, and multitudes of other factors that a trojan/worm/virus *depends on* to spread that simply don't exist on Mac OS X, or don't exist without a great level of sophistication built into the malware itself. Oh well.

    And now *I'm* beating the dead horse, but now to the errors in the article:

    From the TechTV article:

    "How the MP3Concept trojan works

    The MP3Concept trojan masquerades as an MP3 file. Once clicked, malicious code in the MP3 file's ID3 tag is executed, code that has the potential to delete files from a user's hard drive.

    The trojan then spreads by emailing itself to other addresses in the user's address book. In addition to MP3 music files, MP3Concept can also infect image files such as JPGs and GIFs, and MOV QuickTime movie files."

    First of all, MP3Concept is just a name that Intego gave to a proof-of-concept - binary only, no source - posted to comp.sys.mac.programmer.misc. The ID3 tag issue overcomplicates things: all it is is a Carbon application, that's it. The fact that executable code is stored in what is conventionally an ID3 tag is irrelevant. An application that has

  10. piracy

    re: hmmmm (cont'd)

    potential to "delete files" - more like, an application that has the potential to do anything under the sun, like any application can.

    Then they go on to say the trojan spreads by emailing itself to other addresses in the address book. Wrong, on two counts: first, the "MP3Concept", if they want to call it that, does nothing at all to spread itself. At all. Secondly, even if someone wanted to make one that did, the most people would be able to do would be to pull addresses from the address book...and nothing more. This is because Mail.app - the only mailer a virus writer could rely on being present - cannot be scripted to send attachments of any type (note I have not verified this myself, but others have given enough proof of this in another discussion that I believe it). Additionally, in order to be spread, the malware would have to encode itself as .sit or .bin or similar (or maintain an encoded copy of itself internally), and operate its own mail server to allow it to even begin to spread.

    They further say that MP3Concept can also infect JPG or GIF files. Wrong again. It cannot and does not "infect" them, and doesn't spread in any way. The technique *could be used* with files of those type. Or files of *any* type!

    Call me crazy, but don't virus software vendors usually describe what viruses and trojans that are discovered *actually do* instead of issuing nebulous, vague press releases about what something could or might be able to do, and that contain outright lies, encouraging you to buy their software?

    In short, the entire article is completely about what this trojan horse supposedly could do; it's all theory! It's like me sitting down and thinking about a potential worm, and then releasing a press release about it saying I can protect against it. Interesting that the last paragraph is:

    "How to protect yourself

    Luckily, this trojan hasn't been released into the wild. Still, the best option to protect your Mac from vulnerabilities is to refrain from opening email attachments. Especially be on the lookout for emails containing MP3, JPG, GIF, and MOV file attachments, and delete them immediately.

    Intego offers its VirusBarrier Mac-security software for $59.95. It's probably not a must-buy due to the lack of known viruses and exploits of Mac OS X."

    Well thank my lucky stars! Whatever would I have done otherwise?! I bet it protects me against the boogeyman too...
