updated 06:50 pm EDT, Fri April 9, 2004
Q&A on Trojan Horse
Following up on the breaking report about the Trojan Horse for Mac OS X ( by saying that it was "aware of the potential issue identified by Intego and are working proactively to investigate it." Meanwhile, Intego offered a Q&A About MP3Concept Trojan Horse.
Why did Intego decide to make an announcement about a Trojan horse affecting
Mac OS X?
While the first versions of this Trojan horse that Intego has isolated are
benign, this technique opens the door to more serious risks. The exploit
that it uses is both insidious and dangerous and it is our duty as a vendor
of Macintosh security solutions to protect our users. We don't believe in
waiting until the damage occurs, unlike some of our competitors. The Intego
Virus Security Laboratory quickly discovered how to block this Trojan horse
and prevent it from running its code and as part of our commitment to our
users, it was only natural that we release this in our latest virus
definitions for Intego VirusBarrier.
We initially hesitated about releasing this information, but finally decided
that it was our responsibility to alert users to this security risk.
It should be noted that while Intego was the first to publish information
about this Trojan horse, both Symantec and McAfee released updates to their
antivirus software after the publication of our press release. However,
these companies do not specify whether their updates protect against this
Is this simply a hoax?
Absolutely not. As we explain below, this is a major security risk, and
should be taken very seriously. A hoax is something that is not true, that
is created just to make people think there is a risk and to make them worry
and doubt. This Trojan horse exists. We have samples of it, and it is
But you say this Trojan horse, or at least the examples that you have
obtained, is benign. So why worry?
As far as we know, this Trojan horse is benign today, but nothing prevents a
malicious hacker from using this same technique to create a dangerous Trojan
horse. We have examined the code contained in this Trojan horse and it doesn
‚t delete any files or change anything in Mac OS X, but we cannot be sure
exactly what this Trojan horse is doing now, or whether it will have other
effects in the future. In any case, protecting users now is better than
responding too late, especially when we are aware of the threat.
How did you first find out about this Trojan horse?
Intego first heard about this from a Mac user who sent an e-mail message to
our customer support department on April 6, 2004 at 11:16 am. This user
provided us with information regarding this Trojan horse. This user also
sent this message to Apple, Symantec and McAfee.
It has been known for some time that you could "hide" an application on Mac
OS X as another type of file, simply by changing its name. Why is this
Trojan horse different from any application whose name has been changed to,
First of all, Mac OS X runs two types of applications: Cocoa and Carbon.
Cocoa applications are native OS X applications, and have an .app extension.
Cocoa applications are, in fact, folders containing all the bits and pieces
of a program-code, resources, graphics, etc. The .app extension tells Mac OS
X that an application is going to run natively.
Carbon applications are different. Most Carbon programs can run under either
Mac OS 9 or Mac OS X, and, for this reason, have no .app extension. The Mac
OS knows they are executable programs because of two resources, carb and
cfrg. The carb resource indicates that it is a Carbon application and the
cfrg resource indicates the location of executable code in a file's data
This Trojan horse is, in reality, an MP3 file, to which the two resources
mentioned above (carb and cfrg) have been added. In addition, the ID3 tag of
the MP3 file contains the actual code of the Trojan horse and the cfrg
resource contains a pointer to that location in the file's data fork.
(ID3 tags are an integral part of MP3 files: they are designed to contain
information such as song titles, artist and album names, etc. These tags
also exist in AAC files.)
How exactly does this Trojan horse work?
When a user double-clicks the file, Mac OS X sees the carb and cfrg
resources, assumes that the file is an application and launches it. The cfrg
resource, which points to the actual code contained in the ID3 tag, allows
this code to be executed. The application then opens, launches iTunes via an
AppleEvent and plays the sound contained in the MP3 file.
Next, the code contained in the file's ID3 tag continues executing. In the
current Trojan horse, an alert is displayed, saying that it is indeed an
This type of Trojan horse could launch any application that runs under Mac
There seems to be some confusion regarding the actual way the code is hidden
in the file. Can you be more specific about this?
As we said in our first press release, the actual code, which can be
dangerous, is stored in the ID3 tag of the MP3 file. This tag usually
contains comments about a song, but in this Trojan horse, executable code is
stored in this tag. As mentioned above, the cfrg resource indicates where in
the file the code is stored.
What sort of damage can a Trojan horse like this do on Mac OS X?
Fortunately, unless a user is logged in as root, this type of Trojan horse
cannot damage any system files as the permissions applied to these files
protect them. However, it could conceivably delete any or all of a user's
personal files. If a user is logged in as root, then a Trojan horse of this
type could delete system files as well.
A Trojan horse like this could also easily delete files on external hard
disks, where users generally turn off ownership and permissions, authorizing
anyone to act on the files they contain.
How can this Trojan horse propagate?
This Trojan horse can propagate in several ways: if a user downloads the
file from the Internet, a server or a web site, it must be compressed in one
way or another. This could be zip compression, if created from the Mac OS X
10.3 Finder, or Stuffit compression. This compression is necessary because
the Trojan horse contains resources, which are stripped if it is downloaded
without being compressed. This Trojan horse could also be encoded using
binhex encoding, which maintains the resource fork as well. If the file is
not compressed or encoded, it can be transferred across a local network
between Macs, or even downloaded from a user's iDisk.
If a user sends this file to someone else by e-mail, unaware that it
contains a Trojan horse, there are possibilities that it will be received
intact. Apple's Mail, and Microsoft's Entourage, for example, encode this
file using binhex by default, which transmits the resources that are
required for this Trojan horse to function.
Does this Trojan horse exploit a weakness in Apple's iTunes?
No, iTunes is not involved in this at all. iTunes plays the audio content of
the MP3 file containing the Trojan horse, but does nothing else.
You say that this same technique could work in other types of files, such as
JPEG and GIF files. Why is this the case?
Files such as JPEG or GIF files have tags similar to those in MP3 files. As
long as the code can be hidden in tags like this, it is simple to add carb
and cfrg resources that point to the code's location in the files.