macnn news
Text Size

Intego offers Q&A on Trojan Horse for Mac OS X

updated 06:50 pm EDT, Fri April 9, 2004

Q&A on Trojan Horse

Following up on the breaking report about the Trojan Horse for Mac OS X ( by saying that it was "aware of the potential issue identified by Intego and are working proactively to investigate it." Meanwhile, Intego offered a Q&A About MP3Concept Trojan Horse.

Why did Intego decide to make an announcement about a Trojan horse affecting
Mac OS X?



While the first versions of this Trojan horse that Intego has isolated are
benign, this technique opens the door to more serious risks. The exploit
that it uses is both insidious and dangerous and it is our duty as a vendor
of Macintosh security solutions to protect our users. We don't believe in
waiting until the damage occurs, unlike some of our competitors. The Intego
Virus Security Laboratory quickly discovered how to block this Trojan horse
and prevent it from running its code and as part of our commitment to our
users, it was only natural that we release this in our latest virus
definitions for Intego VirusBarrier.



We initially hesitated about releasing this information, but finally decided
that it was our responsibility to alert users to this security risk.



It should be noted that while Intego was the first to publish information
about this Trojan horse, both Symantec and McAfee released updates to their
antivirus software after the publication of our press release. However,
these companies do not specify whether their updates protect against this
Trojan horse.



Is this simply a hoax?



Absolutely not. As we explain below, this is a major security risk, and
should be taken very seriously. A hoax is something that is not true, that
is created just to make people think there is a risk and to make them worry
and doubt. This Trojan horse exists. We have samples of it, and it is
potentially dangerous.



But you say this Trojan horse, or at least the examples that you have
obtained, is benign. So why worry?



As far as we know, this Trojan horse is benign today, but nothing prevents a
malicious hacker from using this same technique to create a dangerous Trojan
horse. We have examined the code contained in this Trojan horse and it doesn
‚t delete any files or change anything in Mac OS X, but we cannot be sure
exactly what this Trojan horse is doing now, or whether it will have other
effects in the future. In any case, protecting users now is better than
responding too late, especially when we are aware of the threat.



How did you first find out about this Trojan horse?



Intego first heard about this from a Mac user who sent an e-mail message to
our customer support department on April 6, 2004 at 11:16 am. This user
provided us with information regarding this Trojan horse. This user also
sent this message to Apple, Symantec and McAfee.



It has been known for some time that you could "hide" an application on Mac
OS X as another type of file, simply by changing its name. Why is this
Trojan horse different from any application whose name has been changed to,
say, Song.mp3?



First of all, Mac OS X runs two types of applications: Cocoa and Carbon.
Cocoa applications are native OS X applications, and have an .app extension.
Cocoa applications are, in fact, folders containing all the bits and pieces
of a program-code, resources, graphics, etc. The .app extension tells Mac OS
X that an application is going to run natively.



Carbon applications are different. Most Carbon programs can run under either
Mac OS 9 or Mac OS X, and, for this reason, have no .app extension. The Mac
OS knows they are executable programs because of two resources, carb and
cfrg. The carb resource indicates that it is a Carbon application and the
cfrg resource indicates the location of executable code in a file's data
fork.



This Trojan horse is, in reality, an MP3 file, to which the two resources
mentioned above (carb and cfrg) have been added. In addition, the ID3 tag of
the MP3 file contains the actual code of the Trojan horse and the cfrg
resource contains a pointer to that location in the file's data fork.



(ID3 tags are an integral part of MP3 files: they are designed to contain
information such as song titles, artist and album names, etc. These tags
also exist in AAC files.)



How exactly does this Trojan horse work?



When a user double-clicks the file, Mac OS X sees the carb and cfrg
resources, assumes that the file is an application and launches it. The cfrg
resource, which points to the actual code contained in the ID3 tag, allows
this code to be executed. The application then opens, launches iTunes via an
AppleEvent and plays the sound contained in the MP3 file.



Next, the code contained in the file's ID3 tag continues executing. In the
current Trojan horse, an alert is displayed, saying that it is indeed an
application.



This type of Trojan horse could launch any application that runs under Mac
OS X.



There seems to be some confusion regarding the actual way the code is hidden
in the file. Can you be more specific about this?



As we said in our first press release, the actual code, which can be
dangerous, is stored in the ID3 tag of the MP3 file. This tag usually
contains comments about a song, but in this Trojan horse, executable code is
stored in this tag. As mentioned above, the cfrg resource indicates where in
the file the code is stored.



What sort of damage can a Trojan horse like this do on Mac OS X?



Fortunately, unless a user is logged in as root, this type of Trojan horse
cannot damage any system files as the permissions applied to these files
protect them. However, it could conceivably delete any or all of a user's
personal files. If a user is logged in as root, then a Trojan horse of this
type could delete system files as well.



A Trojan horse like this could also easily delete files on external hard
disks, where users generally turn off ownership and permissions, authorizing
anyone to act on the files they contain.



How can this Trojan horse propagate?



This Trojan horse can propagate in several ways: if a user downloads the
file from the Internet, a server or a web site, it must be compressed in one
way or another. This could be zip compression, if created from the Mac OS X
10.3 Finder, or Stuffit compression. This compression is necessary because
the Trojan horse contains resources, which are stripped if it is downloaded
without being compressed. This Trojan horse could also be encoded using
binhex encoding, which maintains the resource fork as well. If the file is
not compressed or encoded, it can be transferred across a local network
between Macs, or even downloaded from a user's iDisk.



If a user sends this file to someone else by e-mail, unaware that it
contains a Trojan horse, there are possibilities that it will be received
intact. Apple's Mail, and Microsoft's Entourage, for example, encode this
file using binhex by default, which transmits the resources that are
required for this Trojan horse to function.



Does this Trojan horse exploit a weakness in Apple's iTunes?



No, iTunes is not involved in this at all. iTunes plays the audio content of
the MP3 file containing the Trojan horse, but does nothing else.



You say that this same technique could work in other types of files, such as
JPEG and GIF files. Why is this the case?



Files such as JPEG or GIF files have tags similar to those in MP3 files. As
long as the code can be hidden in tags like this, it is simple to add carb
and cfrg resources that point to the code's location in the files.

By MacNN Staff

Article Tags :

E-Mail
Print
Comments (6)
digg
buzz up
slashdot
del.icio.us
tweet

Related Articles

Recent Articles

 
Previous Comments

Get over yourselves macnn

04/09, 08:11pm reply

I don't look favorably upon sites that keep saying they're the first to report any news item (regardless of if it's true or not) - just makes them look needy or appear to think they're above other sites.

Keep this up and you'll lose another contributor!


Sebastien

Forum Regular

Joined: Apr 2000

0

Wrong

04/09, 09:21pm reply

"Carbon applications are different. Most Carbon programs can run under either Mac OS 9 or Mac OS X, and, for this reason, have no .app extension. The Mac OS knows they are executable programs because of two resources, carb and cfrg. The carb resource indicates that it is a Carbon application and the cfrg resource indicates the location of executable code in a file's data fork. "

No, most Carbon Applications made today are also bundled, just like Cocoa Apps. However, the older single-file application format is still understood on Mac OS X. The cfrg resource specifies where in the data fork the code is. The carb resource (or a plst resource in more modern single-file Carbon applications) specifies that the application can natively run under Mac OS X (as opposed to running in the Classic environment).

Oh, and all this applies to CFM Carbon Applications. Carbon Applications can also be MachO, and in that case they are even more similar to Cocoa Apps with respect to the layout of the application bundle.

"When a user double-clicks the file, Mac OS X sees the carb and cfrg resources, assumes that the file is an application and launches it. The cfrg resource, which points to the actual code contained in the ID3 tag, allows this code to be executed. The application then opens, launches iTunes via an AppleEvent and plays the sound contained in the MP3 file."

Wrong, the carb and cfrg resources are not why Mac OS X considers it an application - it is considered an application because that is what the file TYPE is set to (APPL). If you set the file type to indicate it was a text file for example, it would open it in a text editor instead of launching it as an application. The fact that the code is stored in an ID3 tag is just a red herring. The code could just as easily be appended to the MP3 file without bothering with encoding it as an ID3 tag - the difference would simply be that iTunes would c*** out trying to process the executable code as MP3 data.

"Files such as JPEG or GIF files have tags similar to those in MP3 files. As long as the code can be hidden in tags like this, it is simple to add carb and cfrg resources that point to the code's location in the files."

You don't even need the tags. Just concat your application data to the end of the file your trying to propagate. Or don't even bother, the whole reason why the user even opens the thing is because they believe it to be something it is not, because the author was slick enough to pray on the user's expectations. If you inspect the file in the Finder, it tells you exactly what it is, an Application. Not an MP3, not a jpeg, not a gif or anything else that the extension would imply it is.

Rincewind

Fresh-Faced Recruit

Joined: May 2000

0

re:Get over yourselves...

04/09, 10:38pm reply

I think you interpreted the first line wrong. It says, "first reported by MacNN yesterday...". What they mean is that yesterday is when MacNN first made mention of this topic on their site. Nowhere did they claim that they were the first web site to report it it.

namannik

Dedicated MacNNer

Joined: Nov 1999

0

Re: Wrong

04/10, 01:21am reply

The problem here is that some people find a supposed new hole, and rather than admit that they overreacted about it being some 'new' exploit, they try to push their point more and more. There is nothing new here than making an app look like a file and running it. They can claim all they want that this is more insidious or different than what's been doable since System 1.0, but its not. At worst, its just a different variation on an old theme.

Technically you can do the same thing with a shell script as long as you set it as rwx.

BTW, there is NO way to prevent a trojan horse from running. You can maybe try preventing them, but a trojan can be in an EXE as well as an EXE pretending to be an MP3. (Hey, some people think MS Word is a trojan horse in amongst itself).

Finally, this also applies to Cocoa apps. While its true that if you rename an app (say iCab) to have an extension, it will show iCab.mp3.app. But use a comma instead of a period (really, who will notice???) it looks like iCab.mp3. This is just a large folder, not even a single file, so it might be downloaded uncompressed. But it could be in a zip file without the binary setting. Users won't notice its an app.

Hey guys, you going to handle this next! Maybe what they need to do is prevent the user from running any application on their computer...

LouZer

Fresh-Faced Recruit

Joined: Nov 2000

0

Bundles

04/10, 12:29pm reply

I think, though I'm not 100% sure, that bundles don't need a .app extension, they just need some resources to be present within the bundle folder. Additionally it's wrong that sticking .MP3 on the end of an app name will show "application name.MP3.app", it won't it'll just show "application name.MP3" if people don't have extension shown (which is the default in X).

Clive

Mac Enthusiast

Joined: Jan 2001

0

Re: Bundles

04/10, 05:12pm reply

Your right that bundles don't require a .app extension. But if you have two or more extensions on any file name, the Finder will show you all of the extensions (So Foo.app.mp3 is displayed as Foo.app.mp3 not Foo.mp3). Of course, if the file name is Foo.mp3, then you get Foo.mp3. I just tested this with both extensions always visible, and not always visible.

Oh, and just to prove to myself that you can do it, I wrote a bundled application that does something extremely similar to what this trojan does and it worked perfectly. In fact it works better because you don't have to hack at the file format your trying to pose as and you have simple access to all of the APIs on the system. Oh, and you can write it using the free tools that Apple provides instead of having to pay for CodeWarrior.

Rincewind

Fresh-Faced Recruit

Joined: May 2000

0

Popular News