updated 08:40 pm EDT, Thu April 8, 2004
Trojan Horse details
MacNN reader Dave Schroeder provided some more details on the Trojan Horse for Mac OS X earlier today: "This is actually a little bit of the Classic/Carbon paradigm catching up with us, and represents an oversight in the way Mac OS X handles presenting the file to the user. In the case of this proof of concept, a file can be made to appear as an ordinary mp3 file, complete with the familiar icon and .mp3 extension, and even audio content. However, the file contains a PowerPC code fragment - a piece of executable code; a little application - that can be made to do anything the author desires (limited by the permissions of the user executing it)."
"But here's how it does it: the file is really a Carbon (CFM) application, with file type APPL. The two methods of identifying files - file extensions (the new Mac OS X way) and file metadata (e.g., type/creator, resource forks; the old way) - are in conflict. So Mac OS X shows the file to you as an mp3, when in reality the behavior when double-clicked is that of an application. Therein lies the problem: since the file appears to be a legitimate mp3, a user may unwittingly double click it, executing the potentially malicious code - thus the proper description of this as a trojan horse. Examination of the file, even a simple Get Info, does reveal that while it appears to be an mp3, the OS does recognize it as 'Kind: Application'. This special case - files that identify themselves as applications, but have inappropriate extensions, such as mp3 - could be easily handled by a security update. One other point about this trojan: since it is a CFM application with a resource fork, it will be rendered useless by any transfer method that does not explicitly retain the resource fork (compressing with StuffIt, encoding with MacBinary, for example). All in all, an interesting story, but it really represents taking advantage of a minor oversight in the way Mac OS X displays and handles potentially conflicting file extensions versus legacy metadata. Not really big news. :-) There is a proof of concept of this trojan here (though named "virus.mp3", this is not a virus)."
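The conflict Dave describes (a media extension on a file whose legacy type code says "application") is something a defender can check for directly. The following Python script is an added example and is not code from the article or from the proof of concept; it assumes the standard layout of the Finder info blob stored in the `com.apple.FinderInfo` extended attribute (bytes 0-3 file type, bytes 4-7 creator code), and the sample blobs at the bottom are constructed for illustration, with `MPG3`/`hook` used as an assumed iTunes type/creator pair.

```python
"""Flag files whose extension says 'media' but whose HFS type code says
'application' - the conflict behind the mp3-named Carbon trojan.

Added example, not from the original article. Assumes the Finder info
layout stored in the com.apple.FinderInfo xattr: bytes 0-3 are the
4-character file type, bytes 4-7 the creator code, then flags/location
and 16 bytes of extended info (32 bytes in total)."""
import os
import struct
import sys
from pathlib import Path
from typing import Optional, Tuple

FINDER_INFO_XATTR = "com.apple.FinderInfo"
# File types that mean "executable code" to the Classic/Carbon Finder.
EXECUTABLE_TYPES = {b"APPL"}          # Carbon/CFM application, as on the page
# Extensions a user would never expect to launch code when double-clicked.
MEDIA_EXTENSIONS = {".mp3", ".aac", ".m4a", ".wav", ".aiff", ".jpg", ".png", ".mov"}


def parse_finder_info(blob: Optional[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Return (type_code, creator_code) from a raw FinderInfo blob, or None."""
    if blob is None or len(blob) < 8:
        return None
    file_type, creator = struct.unpack(">4s4s", blob[:8])
    return file_type, creator


def classify(name: str, finder_info: Optional[bytes]) -> str:
    """Classify a file by its name plus its legacy type/creator metadata.

    Returns one of:
      'suspicious'  - media extension, but the type code says application
      'application' - type code says application and the name does not disagree
      'ok'          - no conflict (no legacy metadata, or a non-executable type)
    """
    ext = Path(name).suffix.lower()
    parsed = parse_finder_info(finder_info)
    if parsed is None:
        return "ok"              # no legacy metadata: the extension alone rules
    file_type, _creator = parsed
    if file_type not in EXECUTABLE_TYPES:
        return "ok"
    if ext in MEDIA_EXTENSIONS:
        return "suspicious"      # looks like an mp3, launches as an application
    return "application"


def scan_directory(root: str):
    """Walk a tree and yield (path, verdict) for files with the conflict.

    os.getxattr exists on macOS and Linux; files without Finder info simply
    lack the attribute and are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                info = os.getxattr(path, FINDER_INFO_XATTR)
            except OSError:
                continue
            verdict = classify(fname, info)
            if verdict == "suspicious":
                yield path, verdict


# Constructed sample blobs (not taken from the page): type/creator followed
# by zeroed flags, location and extended info to make the usual 32 bytes.
TROJAN_MP3_INFO = b"APPL" + b"????" + bytes(24)   # application typed, named .mp3
REAL_MP3_INFO = b"MPG3" + b"hook" + bytes(24)     # assumed iTunes mp3 type/creator

if __name__ == "__main__":
    # Usage: python finder_info_check.py /path/to/Downloads
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % hit)
```

`classify` deliberately returns "ok" when no Finder info is present, because that is exactly the case Dave notes: once the resource fork and type/creator metadata are stripped by a transfer that does not preserve them, the file no longer launches as an application and the conflict disappears.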
Update: Dave offered some more info:
Upon closer examination, the proof-of-concept trojan actually contains its own copy of iTunes' mp3 icon. The only area where this trojan is actually taking advantage of something that could legitimately be referred to as a Mac OS X shortcoming is the ability to display itself as a file with a .mp3 file extension, while still being handled by the operating system as an application. This is, once again, a function of the type/creator metadata, which takes precedence over file extensions. This trojan is almost pure social engineering, and not really an "exploit": it's one step away from merely creating a malicious Carbon application and giving it an mp3 icon, which is trivial, and merely naming it with a .mp3 extension. The one additional feature of the trojan is that it actually is a valid mp3 file; but once double clicked, the damage is done, regardless. One might argue that by spawning iTunes and playing itself as an mp3, the trojan may hide its true intent or confuse the user for just a few moments longer, but either way, the damage has begun - and likely ended - before the user has even noticed.
The only way for Apple to "fix" this would be to universally visually identify executable applications in some fashion. Whether or not this comes to pass, the true source of real widespread damage from trojans, virii, and worms is their ability to spread. Since any raw transmission without encoding that preserves resource forks effectively neuters the trojan, and since there are no easy ways to mass-propagate a virus using Windows- and Outlook-style methods on Mac OS X, this is really not a major issue at all.
"You will likely do more damage sending out a friendly email message politely asking people to move their home directories to the trash.