TMO Reports - Intego Issues OS X Trojan Horse Alert For Mac OS X
by , 6:15 PM EDT, April 8th, 2004
Macintosh security specialists Intego issued a security warning Thursday for the first Trojan horse to affect Mac OS X. The company said the Trojan horse could exploit a weakness in the operating system by attaching itself to the tags of files, primarily MP3 files. Early reports indicate that no campaign to spread viruses through the Trojan horse has been seen.
Called the MP3Concept (MP3Virus.Gen), the Trojan horse can appear as other types of files, according to company spokesperson Brian Davis, who spoke to The Mac Observer on Thursday.
"Our virus team found an apparent weakness with the way OS X handles some MP3 files whereby a file can be labeled an MP3 file, but not actually be one," Davis said.
"What has been discovered in this weakness is that files that are encapsulated in the ID3 tags of an MP3 file will open when you double-click the file. So there's a potential there for somebody to include some sort of malicious code embedded in this part of the MP3 file that can run and obviously exploit operations on a Mac in a lot of different ways."
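A defender can test for the condition Davis describes, a file labeled as an MP3 whose ID3 tag carries something other than metadata and which may hold no audio at all. The following is an added example, not Intego's detection logic or code from the article; it assumes ID3v2.3/2.4 tags without an extended header, and the function names, magic-value list and sample files are constructed for illustration.

```python
# Illustrative magic values (an assumption, not a list from the article).
EXEC_MAGICS = {b"\xfe\xed\xfa\xce": "Mach-O", b"Joy!peff": "PEF", b"#!/": "script"}

def syncsafe(b):
    """Decode a 4-byte ID3v2 syncsafe integer (7 useful bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def valid_mpeg_header(h):
    """True if 4 bytes look like an MPEG audio frame header."""
    return (len(h) == 4 and h[0] == 0xFF and h[1] & 0xE0 == 0xE0
            and (h[1] >> 3) & 3 != 1       # version 01 is reserved
            and (h[1] >> 1) & 3 != 0       # layer 00 is reserved
            and h[2] >> 4 not in (0, 15)   # free-format or invalid bitrate
            and (h[2] >> 2) & 3 != 3)      # sample rate 11 is reserved

def inspect_mp3(data):
    """Report tag size, executable magics inside ID3 frames, and audio presence."""
    report = {"id3_size": 0, "flagged": [], "has_audio": False}
    start = 0
    if len(data) >= 10 and data[:3] == b"ID3":
        major, size = data[3], syncsafe(data[6:10])
        report["id3_size"], start = size, 10 + size
        pos, end = 10, min(start, len(data))
        while major in (3, 4) and pos + 10 <= end and data[pos] != 0:
            fid = data[pos:pos + 4].decode("latin-1")
            raw = data[pos + 4:pos + 8]
            flen = syncsafe(raw) if major == 4 else int.from_bytes(raw, "big")
            body = data[pos + 10:min(pos + 10 + flen, end)]
            report["flagged"] += [(fid, kind) for magic, kind
                                  in EXEC_MAGICS.items() if magic in body]
            pos += 10 + flen
    # Audio should start right after the tag; scan a short window for a header.
    window = data[start:start + 4096]
    report["has_audio"] = any(valid_mpeg_header(window[i:i + 4])
                              for i in range(max(len(window) - 3, 0)))
    return report

def build_sample(frame_id, body, audio):
    """Constructed input: ID3v2.3 tag holding one frame, followed by `audio`."""
    frame = frame_id + len(body).to_bytes(4, "big") + b"\x00\x00" + body
    n = len(frame)
    size = bytes([(n >> 21) & 127, (n >> 14) & 127, (n >> 7) & 127, n & 127])
    return b"ID3\x03\x00\x00" + size + frame + audio

CLEAN = build_sample(b"TIT2", b"\x00Song title", b"\xff\xfb\x90\x00" + bytes(413))
ODD = build_sample(b"GEOB", b"\x00\xfe\xed\xfa\xce" + bytes(64), b"")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("odd", ODD)):
        print(name, inspect_mp3(blob))
```

A file that reports flagged frames, or a tag with no audio after it, is a candidate for closer inspection rather than proof of malice.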
How it works
Davis warned the Trojan horse has the potential to delete all of a user's personal files, send an e-mail message containing a copy of itself to others and infect other MP3, JPEG, GIF or QuickTime files. "This same technique could be used to infect .jpg or .gif files as well," Davis said.
Intego has released updated virus definitions for VirusBarrier to combat the Trojan horse. The company recommended that users make sure that their virus definitions are up to date by using VirusBarrier's NetUpdate preference pane.
A spokesman for Symantec Corp., which makes Norton AntiVirus for Macintosh, told The Mac Observer Thursday that the company is aware of the Trojan horse issue, but he had no additional detail on when or what it plans to do to combat the Trojan horse.
Davis said one way someone could cause trouble is by including a script or application in the file that would be used to infect other files. "Or it could be used to erase files," he said. "Our virus team in France reports a potential Trojan horse can access files in the OS X libraries core services."
No reported uses, so far
Davis said that as far as Intego knows, no one has received MP3 files using the Trojan Horse technique. "So far what we've discovered is basically this weakness is benign, but we see an opportunity for exploitation here, so that's why we have released this Trojan horse protection update," Davis commented.
While news of this Trojan horse is disturbing, Davis added that finding the "hole" is better done now, rather than later.
"This is actually a good thing because it looks like we've caught this one early," Davis said, adding programmers at Intego were made aware of the Trojan horse on Monday in e-mails from customers. "The good thing is that this has been caught early before it can wreak major problems."
The bad guys are looking
But Davis said what it also shows is that there are people in the world that are trying to find ways to exploit OS X. "As the user base increases, I don't think anybody thought this would happen sooner or later," Davis said.
Davis said Intego virus experts are now actively searching for additional problems related to the Trojan horse issue, such as what other possible 'doors' could be available in Mac OS X. Davis did not know the level of communications going on between Intego developers and programmers at Apple Computer with regard to the Trojan horse issue.
Representatives from Apple Computer were not immediately available for comment. TMO will be offering an analysis of this development in a separate commentary.