2 Guys, a Mac, and a Website - The Evolution of the Web - First Trojan on the Mac, or FUD?
 First Trojan on the Mac, or FUD?
There's no way we can sit quietly while this "first trojan on OS X" hoopla happens. I must admit, I wasn't able to really research this thing enough to form my own conclusion on whether this is a real threat or just a pathetic attempt to make money. The reason I wasn't able to research this as well as I would have liked is that I was working today, and by the time I got off work there were enough good responses to this trojan business that everyone else had pretty much done the research for me.

First, I want to make one thing very clear: this isn't a virus, this is a trojan horse. A virus is a program that replicates itself and spreads to unaffected computers by itself (just like a real virus). A trojan horse is a program that is disguised as something else (just like the Trojan horse from Greek mythology).

Basically, the way it works is this: there are two different ways OS X knows what a file on your computer is and whether it needs another program to open it. The first is the file extension (the characters after the dot in a file name: .mp3, .app, .jpg, etc.). The second is the file metadata (resource fork). So if you build a working application, with some work you could then append the .mp3 extension to its name, making it look like an MP3. The result is a trojan horse that would execute its code on the unsuspecting user's computer.

Here are the problems with it being a threat:

1. You have to double-click the file to make it work. If you think it is an MP3 file, plop it in iTunes, and then try to play it, iTunes will ignore the malicious code and play whatever MPEG stream is in the file.

2. You have to send it in a format that will keep the resource fork (such as stuffing it with StuffIt).

3. The malicious code would only have the permissions of the user that opened it. In other words, no 'su' (superuser) or root access, unless you type in your administrator password to get it to work. And anyone who gladly enters their password into a prompt they get after opening an MP3 file deserves to have their computer screwed with.

4. It can be easily foiled by a simple security update, one I am sure we will see any day now.
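The mismatch described above (a document-looking extension on a file whose metadata says "application") can be checked mechanically when the metadata travels with the file. The following is an added example, not code from the original post: it assumes the metadata arrives as an AppleDouble sidecar (one fork-preserving format, used here instead of StuffIt), that the application marker is the Finder type code `APPL`, and that the watch list of extensions and the sample sidecars are constructed for illustration.

```python
import os
import struct

APPLEDOUBLE_MAGIC = 0x00051607
ENTRY_RESOURCE_FORK, ENTRY_FINDER_INFO = 2, 9    # AppleDouble entry IDs
DOCUMENT_EXTS = {".mp3", ".jpg", ".gif", ".txt"}  # assumed watch list

def parse_appledouble(blob):
    """Return (finder_type, creator, resource_fork_length) from an AppleDouble blob."""
    if len(blob) < 26 or struct.unpack_from(">I", blob, 0)[0] != APPLEDOUBLE_MAGIC:
        raise ValueError("not an AppleDouble file")
    (count,) = struct.unpack_from(">H", blob, 24)
    if 26 + 12 * count > len(blob):
        raise ValueError("truncated entry table")
    ftype, creator, rsrc_len = b"", b"", 0
    for i in range(count):
        entry_id, offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if offset + length > len(blob):
            raise ValueError("entry points past end of file")
        if entry_id == ENTRY_FINDER_INFO and length >= 8:
            ftype, creator = blob[offset:offset + 4], blob[offset + 4:offset + 8]
        elif entry_id == ENTRY_RESOURCE_FORK:
            rsrc_len = length
    return ftype, creator, rsrc_len

def is_disguised_app(name, sidecar):
    """True when the name looks like a document but the Finder type is APPL."""
    ftype, _creator, _rsrc_len = parse_appledouble(sidecar)
    ext = os.path.splitext(name)[1].lower()
    return ext in DOCUMENT_EXTS and ftype == b"APPL"

def build_sidecar(ftype, creator, rsrc):
    """Constructed sample data: minimal AppleDouble (Finder info + resource fork)."""
    finfo = ftype + creator + bytes(24)           # 32-byte Finder info record
    header = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, 2)
    data_start = 26 + 2 * 12                      # header + two 12-byte entries
    table = struct.pack(">III", ENTRY_FINDER_INFO, data_start, len(finfo))
    table += struct.pack(">III", ENTRY_RESOURCE_FORK, data_start + len(finfo), len(rsrc))
    return header + table + finfo + rsrc

if __name__ == "__main__":
    for name, sidecar in [
        ("song.mp3", build_sidecar(b"APPL", b"????", bytes(300))),  # mismatch
        ("song.mp3", build_sidecar(b"MPG3", b"hook", b"")),         # constructed audio codes
    ]:
        print(name, parse_appledouble(sidecar), is_disguised_app(name, sidecar))
```

A mail gateway or archive scanner could run a check like this on each unpacked file and quarantine anything where the name and the Finder type disagree.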

For all those Windows zealots out there who are going to claim this is proof that the Mac is just as susceptible to viruses as Windows, just remember that this threat is more than likely a ploy to get attention and make money by a security company. And that this vulnerability can do any real damage is only a theory, a theory which can be circumvented by the most arbitrary of methods. Which is quite unlike Windows viruses, some of which you don't need to do anything more than turn your computer on to get.

As I said, this info is not my conclusion from researching it. It is what I have gathered from reading various sources. I will now give those sources for you to judge yourself how blown out of proportion this has become.

The original press release that started it all.

A good explanation of why this trojan is no serious threat

Here is a guy who has the "VirusBarrier" software and claims to have gotten a virus warning before the press release, and from a file that isn't even an MP3 file.

MacNN's excellent coverage of the details of this trojan

A real-life stuffed file containing a file that uses this method to open an application that says "yes this is a real application" and plays a short MP3. (Don't worry, it isn't a virus; I have opened it on my computer several times, and it is just fine. It is technically a trojan, but not a bad one.)

Someone other than me that opened the file I linked to above

A great explanation for the "creating this trojan FUD for self promotion" theory surrounding the press release linked to above.

Symantec's response to this threat.

April 9 2004, 9:51 PM EDT, by




Comments:
Jonahan 4/10/04, 7:36 AM EDT
Damn dude, you debunked the [doodoo] outta that! Wooooooo! Yeah! Eat that one Intego!

Seriously, that was really good.

Jonahan 4/10/04, 7:58 AM EDT
Oh and for the record...MacMischief and MacDailynews were the only Mac news sites to tell this news with a grain of salt. Everyone else basically just spewed info from Intego's spam email. Anyone could have done that, including 2 Guys, but we refrained because something smelled fishy. Sure, it could have been Jedbeck's lifetime supply of fishsticks, but we weren't taking any chances, unlike some other sites. Pff.

speedyrev 4/10/04, 11:20 AM EDT
What? it coulda been fishsticks?!?!? That's what I need!

BTW - great article.

King of Town 4/12/04, 5:41 AM EDT
Well, no one claimed this lifetime supply of fishsticks.....


