Intego warns of first Mac OS X Trojan Horse

Source: MacMinute.com

Intego warns of first Mac OS X Trojan Horse
April 8, 2004 - 15:25 EDT Mac security specialist Intego has issued a security warning alerting users of the first Trojan horse to affect Mac OS X. According to the company, this Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files. It has the potential to delete all of a user's personal files; send an e-mail message containing a copy of itself to other users; and infect other MP3, JPEG, GIF or QuickTime files.

My Comments: Yeouch! I'm wondering how true this is. I am having a hard time getting onto Intego's site, but wow.. talk about unexpected, at least to me that is :) I knew eventually, but I didn't think this soon! Ok still a bit shocked *hehe* Ok got onto the site.. sounds quite interesting.. hmm...

You know.. you wonder if any of these virus companies create viruses so people will use their software? Just a thought..
 

rman


What I find interesting is this statement from Intego
Intego said:
Intego said it has released updated virus definitions for Intego VirusBarrier that protect against this threat.

Now I am not saying it is not possible, but a company that sells virus protection finds the virus.
 
I also wonder how this trojan horse can execute without permissions... More research seems to point to this as a worthless hoax. :rolleyes:
 

rman


Think of it like a wrapper. You receive this mp3 tune. You double click it to activate iTunes, but in this case you are activating an application. Inside of this wrapped application is an audio file and the destructive code. The wrapped application does whatever it is designed to do, and then starts up the iTunes application in order to play the audio file. You as the end-user give the application permission to run when you double click it. The application does what it does, the damage to the system if that is what it is supposed to do, and plays the audio file. You as the end-user know nothing of what has happened except the audio file is played.
 
So far there is precious little evidence that it exists. Nothing on the Norton site or Google. It's beginning to really appear to be a hoax!
 
TylerMoney
Well, who knows. There has got to be a virus for Mac out there somewhere, I imagine. Though, it isn't affecting me, or many others... we'll see what happens, I guess. If it turns out to be a hoax... wow... it'll be really funny.
 
Intego was very fast replying to my e-mail that I think it's a hoax. I still think it is :p
 
Because the code is written as a "Carbon" application, it does not need to
have the .app extension in order to run, only to have its hidden file type
set to APPL. Carbon applications can run in either Mac OS X or the classic
Mac OS. The suffix of .mp3 is then just seen as part of the filename rather
than a denotation of file type.

When the infected file is launched by double-clicking, or opening, with the
Mac's Finder, the virus code will begin to run. First it attempts to launch
your iTunes application and load the MP3 file as a data file so that it will
appear to be playing as though nothing is wrong. Since the virus code is
hidden in the ID3 tags, the audio portion will play as normal. The virus
then continues to run, infecting other MP3 files within the same folder, and
attempts to access some of the CoreServices components of the operating
system. It does not appear to

The current virus that has been found only infects MP3 files. But the
concept used in this virus could be used to create variants that work with
other file types as well. Any data file type that allows for a notation
field to be embedded into the file, such as the ID3 tag that is used for
this purpose in the infected MP3 files, could be targeted as another carrier
for future viruses. While there is not a currently known virus that uses
image files as the transport, it is unfortunately a small step for a virus
writer to modify the current MP3Concept Trojan horse to use another file
type as its transport method. This is why our virus definitions have been
engineered to look for this type of code outside of just MP3 files as a
measure of preparedness.
This came from Intego. What do you all think? I think it's suspicious and not a true threat ;)
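
A defender-side check for the two properties the quoted Intego text describes (a type code of APPL on a file whose suffix says media, and executable content sitting in the ID3 tag), as an added example that is not code from this thread or from Intego. It assumes the 32-byte FinderInfo record has already been read from the file's `com.apple.FinderInfo` extended attribute; the magic-number list and the sample bytes are constructed for illustration.

```python
import os

MEDIA_EXTS = {".mp3", ".jpg", ".jpeg", ".gif", ".mov"}
# Executable container magics to look for (assumed list, extend as needed):
# PEF is the container used by CFM Carbon applications, 0xFEEDFACE is
# big-endian 32-bit Mach-O.
EXEC_MAGICS = {b"Joy!peff": "PEF", b"\xfe\xed\xfa\xce": "Mach-O"}

def id3v2_size(head: bytes) -> int:
    """Length of a leading ID3v2 tag (10-byte header + synchsafe body), else 0."""
    if len(head) < 10 or head[:3] != b"ID3":
        return 0
    size = 0
    for b in head[6:10]:
        if b & 0x80:          # synchsafe bytes never set the top bit
            return 0
        size = (size << 7) | b
    return 10 + size

def audit(name: str, finder_info: bytes, data: bytes) -> list:
    """Return findings for a file that claims, by suffix, to be media."""
    if os.path.splitext(name)[1].lower() not in MEDIA_EXTS:
        return []
    findings = []
    # FinderInfo is 32 bytes: type code at offset 0, creator code at offset 4.
    if finder_info[:4] == b"APPL":
        findings.append("type code APPL on media extension")
    tag = data[:id3v2_size(data)]
    for magic, label in EXEC_MAGICS.items():
        if magic in tag:
            findings.append(f"{label} magic inside ID3 tag")
    return findings

# Constructed samples (inert bytes, not real files).
CLEAN_INFO = bytes(32)
CLEAN_DATA = (b"ID3\x03\x00\x00\x00\x00\x00\x14" + b"TIT2" + bytes(16)
              + b"\xff\xfb\x90\x00")
APPL_INFO = b"APPL????" + bytes(24)
BAD_DATA = (b"ID3\x03\x00\x00\x00\x00\x00\x20" + b"Joy!peff" + bytes(24)
            + b"\xff\xfb\x90\x00")

if __name__ == "__main__":
    print(audit("song.mp3", CLEAN_INFO, CLEAN_DATA))
    print(audit("song.mp3", APPL_INFO, BAD_DATA))
```

On macOS the FinderInfo bytes can be dumped as hex with `xattr -px com.apple.FinderInfo <file>` and passed to `audit` after decoding.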
 
Heh - I don't think it's squat it's garbage, think permissions. Period ;)
 
They must not be making too much money from Virus Barrier if they are so desperate that they need to find a threat! (Or in this case, maybe they even created it... I mean Norton or McAfee hasn't said anything about it.) :eek:
 
KLank
Well, reading through the initial link from Murlyn it did sound to me like they wrote the concept worm. Granted, to damage the SYSTEM it would need to prompt for permission, but most users would blindly type their passwords. But even if they didn't, YOU have permissions to delete your files. So this could destroy your DATA, which could be far more valuable than the time it would take to fix or rebuild your OS.

Just food for thought.
 

rman


KLank, I think your personal data would be more in peril than the system files. As you stated, you would need to enter a password to remove system files, whereas personal files you have permission to remove. So the question is what files would a stranger want to delete that would hurt you. I think the most damage that can be done is to the user id that is currently logged in.
 
KLank
That's exactly what I was saying. It can delete the user's personal data, which many times can be the most important. If it wipes out the user's home directory that could be a BIG problem for some people.
 
The more I look into it, the more it appears to be a hoax. I'm not at all concerned :p
 
I hate extreme Mac fanboys *looks at whiteshark and looks away quickly*
This is no hoax. Apple is looking into this trojan, and Norton is too. McAfee probably is too.
What do you have to say to that, whitey? Eh? Yeah. Quiet, you. Yes, I am a Mac user, and I don't plan on going to Windows, so don't accuse me as a... "doz pc" user...
 

rman


As you know, Absolute Zero, the mp3 virus is not in the wild as of yet. With all the information that Intego is putting out there, it may happen sooner than you think. That is why Apple, I believe, is taking this seriously. If you look at Apple's history with security patches, they try to nail the holes as quickly as possible.
 

rman


I wonder if Intego has done what CERT and other security agencies do when they find a possible security hole. Normally they notify the maker of the operating system in question. After a period of time, the public is notified. With all of the information that is coming out of Intego, I think they did it backward, because they want to say that they found the first OS X virus.
 
Heh... well it's being looked into and appears to be of very little real threat
 
