It's a CFM app that HAS to be compressed in some way to keep it from being destroyed by the internet. Hardly a trojan... Also, the .sit WILL appear because OS X does NOT permit double extensions (ie, .mp3.sit will appear even if extensions are hidden).

So to be safe just drag and drop your mp3 files to iTune and it iTume doesn't regcognize it put it in the trash...simple as that :)

I downloaded the file from the link I posted above - it does play in iTunes (it plays a short burst of laughter). So saying that if iTunes doesn't recognize it doesn't help.

Control Click it wouldn't allow you to open with but just Open...

It seems that this may be at best questionable, as the "proof of concept" is nothing more than a standalone application that has been given a creator type of 'APPL', but with the file extension '.mp3', and the contents of an mp3. While the file does indeed appear at first glance to be an ordinary mp3, what can admittedly be potentially dangerous, it is in fact an application.

Anti-Virus product for OS X (talk about a slow business! Zero exploits in years...!) Please consider why a security company might want to sell you a product.....!!!

The press release states it is "Benign" ( does Nothing ) but "Could", possibly, theoretically......and hopefully drum up some business for a product no one wants, needs, or will use.......how stupid!!!

Thanks MacNN

Okay - thanks for the specimen kirkmc. Presumably that proof-of-concept is what Intego is protecting us against. :-) So it's a Carbon app with an MP3 extension and misleading icon.

The fact that it also happens to be a valid MP3 is basically unimportant. It's just a classic trojan. The Finder and the OS both know it's an application - get info on it. It's just not obvious to the user. I do agree that Intego is right for updating its virus definitions to help safeguard against this, but it's still a common situation that Windows has had to deal with for some time. Don't open files from untrusted sources.

It's worth noting that since the trojan is a Carbon app, you would only be able to get it via a source that preserves all the Mac metadata (resource fork, type/creator) ... like .sit.hqx, .dmg, or Mail/iChat. That means that Windows machines will generally not be carriers.

Ok, I downloaded the sample virus from the link posted by kirkmc. Double-clicked it and got the message "You don't have permission to ...." blah blah blah. I can't do anything with it, but I never tried dropping it on iTunes. At least I can't run it. (But why not?)

i'm not accusing anyone, but this seems like it would only affect users who download mp3 from the internet off of limewire or whatever. If the only way you get mp3 is by ripping CD's we have nothing to worry about.

I guess unless you have a mean friend who sends you a copy of his newest song on mp3. Then, just check it. Antivirus programs don't seem to be needed to catch it from what the discussion has been.

Its an app with a file extension and icon of an MP3 file. The App infects your computer then writes out a real MP3 file from its data fork (or the like) and has iTunes play that (to make you think it was just an MP3 file). How is this anything new? This has been possible in the Mac OS going back to, gee, I don't know, OS 1.1. (OK, at least system 7, probably earlier).

D/L'ed the file on my Windows box here @ home and it plays, just like an MP3, even after Un-SIT'ing it. It's a .MP3 file on the PC, so I'd think it's a real MP3. If anything, all Apple has to do is close that loophole in iTunes where it is allowed to execute code or a macro.

I'm curious to see what happens on my OSX box....

But that's not the point. It will *not* run on a Mac if it is not transferred in a way that preserves the resource fork. If the resource fork is not preserved, the app will crash before it can actually do anything.

No, its an App (with resource and data forks). When you get the file on the PC, you get just the data fork, which is where they store the MP3 that they play. But on a Mac, its set up as an app which copies the data fork to a file and plays it, so you think its an mp3.

like most other trojan horses. All it takes is an uninformed user to propagate itself.

This is a very big deal for the mac community. What is being discussed is a proof of concept. Not the final version. The resource fork could include something to replecate itself before doing damage to your machine. Or it could be a .gif or .jpg next time and could run an applescript to find your quicken files and email them off to someone.

(yes, it needs the resource fork so it will most likely be in a .sit or .hqx, but safari automatically extracts these types of files anyway.)

Sorry for all you nay-sayers. The days of 'virus free' are gone. Now Mac users have to beware of everyfile they get in their inbox or through file sharing.

the biggest unknown is wether or not there is a valid exploit within itunes. if there is a way to somehow get itunes to execute code within an id3 tag, and execute it as a separate app, then we are screwed.all someone would have to do to completely OWN your machine, is to make an application within this id3 tag that pops up a little dialogue saying "this song file is allowed to be authorized one more time on this compuer, please enter your itunes music store name and password" then no matter what you put in, it will ask you to do it again to verify the second request matches the first, (essentially making sure its the right password, you prolly wont enter the wrong PW twice) then saying it is incorrect and asking you for your administrator name and password (to make you think you have one more chance lol) while quietly sending all that information to a nice little server in clear text while it "authenticates" to let the song be played. a little bit of social engineering AND a bult in app that can only be run by root that activates a script that flags the id3 tag so that the application knows your admin pw is real. and then your ip, and your machine, ANd you ritunes account are belong to me. and all in all you think you are just playing a song and go about your business then, to prevent the app from popping up every time, the MAC address for your computer is stored within that tag behind the scenes and it checks that to see it matches the machine it is on, knowing wether or not its been "activated" yet. the problem is that such an application exists and its Panther native. I wrote it and tested it an dit works flawlessly and long as the user falls for it. dont know how to execute it through itunes or a id3 tag, but when i find out how, im breakin in.............G()t

I use iTunes to handle MP3s, but I never doubleclick to open it with iTunes. That'll just cause problems b/c of the way I have iTunes handle my library. If I want to listen to a MP3 w/o iTunes, I do it with column view. If it doesn't work, I drag it to VLC or MPlayer.

abotu that last scary message, its me, *themacjedi*, and now that your heart rate has gone down , i just wanted to let you all know that , although possible, the app doesnt exist :0)


YET.... hahahah
-theMacjedi-

This does NOT work. I don't know how Intego got this to work (or if they created it themselves), but it can't be executed in that fashion--in MP3, JPG or GIF form. Forget it.

Are you on crack? Who ever said that Macs were "virus free"? There were plenty of viruses in OS 9 and there will be in OS X as time goes on. How does this change your file-management habits? It shouldn't.

Intego has a history of making products that are less than par. One example: the product NetBarrier used anti-piracy measure that installed a key in the OS 9 system file itself, which caused many users a lot of problem and created havoc with disk utilities. This just ONE example of MANY. I wouldn't put it past them to "exaggerate" a virus report.

So, you scare the people to death and they buy your product... I dont know, I believe they are the ones developing this virus so they can sell more useless products, same thing like spam remove lists... I just hope apple takes care of this....

Initially it sounded like the WazUp MP3 virus hoax as described in http://vil.nai.com/vil/content/v_98959.htm
http://securityresponse.symantec.com/avcenter/venc/data/waz.up.hoax.html

But the thread at Google
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6
describes (1) a trojan delivery and execution of a virus executable by changing the extension; (2) theorizes (what if) the file was a valid MP3 file with a virus hiding in the ID3 tags. Niether is nothing new.

The first trojan delivery method and execution is akin to the VBS.Loveletter virus that decieved Windows users as "LOVE-LETTER-FOR-YOU.TXT.vbs" and the AutoStart 9805 worm (MacPPC) that was auomatically executed by QuickTime when you inserted a volume (floppy, CD, HD, Zip...) with the worm.

The second delivery method would be more catastrophic and hoaxes (as in the above WazUp) on the fear have been created. We will probably see this method show up on the Windows OS before MacOSX or MacOS Classic

Either way. Antivirus software looks for the "digital signature" or actions of malitious code. Since there is no actual malitious code (that is being described on the Google forum but the execution of the malitious code) antivirus software (like Intego's) has nothing to detect but the normal operation of software.

Since MacOSX does not comprehend what is a resources for, the resource fork is irrelevant. Carbon (MacOS9/MacOSX) and Cocoa (MacOSX) apps not longer require a resource fork. Resources can now be read from the data fork of a file. See http://developer.apple.com/documentation/MacOSX/Conceptual/SystemOverview/FileSystem/chapter_48_section_5.html

I seriously doubt their statement that "code is encapsulated in the ID3 tag" as I doubt iTunes (or any other MP3 player not made my Microsoft) would attempt to "execute" an ID3 tag. So it would appear to have to be a regular application that: 1) writes an MP3 file someplace on your hard drive, 2) sends an AppleEvent to iTunes to play the MP3 file, 3) procedes to cause mischief.

This appears to be no different than if, in OS 9 or earlier, you pasted a document icon onto an application. But I don't ever recall having to worry about that in the past. Granted, the connectedness of the internet and the scriptability of mail applications could make this a more serious threat than in the past; but I don't think it would be anywhere near the threat level a Window virus would be for several reasons:

1) it would have to be compressed to allow the transport of the resource fork or package contents as a single file
2) it requires an explicit user action to activate the application (unlike Windows/Outlook which tries to run everything without your permission)
3) chain reaction propagation is minor (yes, this is the "security through small market share" arguement)
4) there is still the inherant security of OSX requiring admin passwords to do many things.

Hey, nobody ever said Mac OSX was immune to viriuses; but it is still far more protected than other OSes!

The Intego press release says the 'virus' is in the ID3 tag and this therefore implies that the 'virus' code is executed by iTunes.

This is WRONG.

The 'virus' is in the resource fork of the file AND NEVER GETS EXECUTED BY iTunes.

The code gets executed if, and only if, you double click on the file.

While this particular proof of concept example uses MP3 as a disguise, theoretically ANY document file type could be used in this manner (e.g. GIF, JPG, or even DOC and PDF).

Further more, this approach could equally be used in Mac OS 9 as well as Mac OS X. It would even be possible to have a Carbon 'virus' to attack both.

As other people have indicated the file has to be transferred over the Internet either as a MacBinary file, a BinHex file or a compressed archive (usually Stuffit). None of these formats would normally be used to transfer an MP3. However a valid scenario where a compressed archive might be, is sending multiple files to someone.

A further interesting idea would be to send it as a ZIP archive (you can also send resource forks this way). A Mac user would be less suspicious of a Mac virus in a ZIP file since they are more often associated with PCs.

As most (all?) Mac web-browsers and email clients can automatically and invisibly decode MacBinary format the most dangerous approach would be for the file to be on a web-server in MacBinary format (which means it would not be readable by PCs) or as an attachment to an email (again in MacBinary format which again means it would not be readable by a PC). Because the Mac would automatically decode the MacBinary the user would not be aware of this and would simply see it as an 'MP3'.

I am not sure how Apple will block this exploit. The obvious initial idea would be to require all Mac applications to have the extension of .APP in order to execute. However this would instantly break thousands of existing programs. Another more promising idea would be to not allow any extension except .APP or no extension at all to be run as an application (this would successfully prevent MP3 etc. being exploited). However this means a move away from the historical freedom Mac users have had over file/application names.

It is obvious that there are no users who did, or still remember, the good 'ole days of hacking on System 7 (and above, but it was harder).

First, there is no code 'hidden' in the ID3 tag. That would require iTunes to be the culprit, or some other app running to execute this code, as has been suggested on this thread. Run the virus.mp3 app, and you will see that this isn't the case. The .mp3 file itself does the work. This, plus a quick look at the Get Info:Type for this file, indicates that it isn't an MP3 AT ALL. Nor does it 'copy it's data fork to be read by iTunes'. I used to smuggle apps onto the campus network all the time. Usually games that weren't allowed. They would appear as graphic files (or in this case MP3, or usually I would set the CREATOR code to FNDR, so it would appear as a system file) and people would leave them alone. If you did double-click them, though, the game ran.

This was not a difficult hack; not really a hack at all. It requires nothing more than a copy of ResEdit (either with the data fork hack, or later, non-Apple supported versions with the hack built in). Intego is just using the fact that, due to changes in Systems, and no 'ResEdit' for X, per se, people have forgotten.

Here is how to duplicate this 'virus' yourself:
Choose your victim app.
Boot to MacOS 9, and open the victim app in ResEdit.
Now open your MP3, or JPG, or whatever you want the app to appear as and paste it's entire contents into the app. The only problem you will have will be if you choose an app with some of the same type data as the file you are adding to it, there is the potential for ID conflicts. At this point, you can, and the author of this 'virus' did, exchange the resource ID of the app with the one of the MP3 for its ICON value (usually resource ID 128).

You're done. Save.

Reasoning: This new 'virus' does NOT use the file extension to get it's icon from the OS or iTunes. Go ahead. Change the extension. The icon should change. It doesn't because, as an app in 9, it's icon was manually changed to that of an MP3. It's a custom icon.

The only fallacy to this reasoning is this: My versions of this in 9 did NOT automatically open the corresponding app on my computer for that file type. It only ran the program. If you opened the 'program' with a graphic editor, you got the graphic. The resource fork was ignored. As has been mentioned, if you try to transmit this file in a format that doesn't embed the resource fork in data, like a .sit, then nothing will happen.
I can only make the assumption that, as part of Mac OS X's move from pure metadata (TYPE/CREATOR codes) describing a file, to a combination of metadata/file extension, there is the allowance for the OS to both open the 'virus/trojan', and it's corresponding application for the filetype that it is spoofing.

Let the arguements

Since MacOSX does not comprehend what is a resources for, the resource fork is irrelevant. Carbon (MacOS9/MacOSX) and Cocoa (MacOSX) apps not longer require a resource fork. Resources can now be read from the data fork of a file.

Umm, MacOS X comprehends resource forks just fine. They're no longer needed, but they are understood, handled, etc.


Sorry for all you nay-sayers. The days of 'virus free' are gone. Now Mac users have to beware of everyfile they get in their inbox or through file sharing.

This isn't a virus. Its a trojan. Viruses infect through no interaction on the user's part. A trojan needs to be run by the user. (i.e. the Trojan horse didn't sneak into whereever, they conned those people to bring it in). And its not even a complicated trojan (h***, its the Mac version of the Windows Bagel/Netsky viruses, basically). And this concept for MacOS has been around since the OS 7 days, if not OS 1.1. (not 10.1, I'm talking 1984 here).

If you've been opening any file on your computer before now with some thought that you were 'safe' because it was a mac, you're an idiot and should probably check you system to make sure you don't have any insidious programs installed.

Used to see things like this all the time back in the hay-days of Hotline. The funny thing is if you look at the Kind column in the Finder it says Application. If you just pay attention to what you are opening then this is no big deal.

... you just never knew it.

This hack has been available on the MacOS forever, it's not X specific.

To the people above, two things you have wrong:

It doesn't need an app to aid the exploit, it is the app, even though it's .MP3 - that's the point.

It won't infect PCs, they may pass it on, but it's most likely that if it goes through a system other than a Mac it'll get "neutered".