Trojan horse on the Mac


Intego has a press release on a Mac Trojan Horse here. It seems they are trying to frighten people into getting their product and it’s likely not a real threat. The details are sketchy though. Whether or not this issue is real, I do think Mac OS X is as vulnerable to Trojan Horses as Windows, if not more so. There’s really not much you can do once a user has double-clicked on an arbitrary executable and let it run. On the Mac, it’ll have full access to your address book and can send mail to everyone in it without a whole lot of work. Many Mac users have a somewhat false sense of security in this regard. I hope they don’t find out the hard way.


Moved up from feedback area:


It turns out it’s a CFM application with a .mp3 extension and icon. The interesting thing is that it’s also a valid mp3 file. The cfrg resource just points into an id3 tag, which is ignored by an mp3 player. This means that it can better hide the fact that it’s executing code. This makes it slightly more insidious than the rash of these sorts of things on Windows that relied on hiding of extensions to pretend to be a different file type. But, not much more insidious…
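The dual-nature trick described above (a file that is both a playable MP3 and a CFM application, with the code living inside the ID3 tag that players skip) can be checked for without running anything. The script below is an added example, not code from the original post or from Intego. It assumes the embedded code takes the form of a PEF container, the format CFM code fragments use, whose header begins with the tags 'Joy!' and 'peff'; the post itself does not say which container format is used, so treat that signature as one triage heuristic rather than a definitive test. The sample MP3 bytes are constructed inline, and the resource-fork check relies on the macOS `..namedfork/rsrc` path, so it only says anything useful on a Mac.

```python
import os
import struct

# PEF (Preferred Executable Format) containers, which carry CFM code fragments,
# begin with the tags 'Joy!' and 'peff'. Assumption for this example: the hidden
# application is stored as a PEF container inside the ID3 tag.
PEF_MAGIC = b"Joy!peff"


def id3v2_tag_size(data: bytes):
    """Return the byte length of the ID3v2 tag body, or None if no tag is present.

    The 10-byte header is 'ID3', major/revision bytes, a flags byte and a
    4-byte synchsafe size (7 bits per byte, high bit always clear).
    """
    if len(data) < 10 or data[:3] != b"ID3":
        return None
    size_bytes = data[6:10]
    if any(b & 0x80 for b in size_bytes):
        return None  # high bit set: not synchsafe, so the header is malformed
    size = 0
    for b in size_bytes:
        size = (size << 7) | (b & 0x7F)
    return size


def scan_id3_for_pef(data: bytes):
    """Return file offsets of every PEF container tag found inside the ID3v2 tag body."""
    size = id3v2_tag_size(data)
    if size is None:
        return []
    body = data[10:10 + size]  # the region an MP3 player ignores
    hits = []
    pos = body.find(PEF_MAGIC)
    while pos >= 0:
        hits.append(10 + pos)
        pos = body.find(PEF_MAGIC, pos + 1)
    return hits


def has_resource_fork(path: str) -> bool:
    """True if the file carries a non-empty resource fork (where a 'cfrg' resource would live).

    On macOS the resource fork is reachable as <path>/..namedfork/rsrc; on other
    platforms that path does not exist and this simply returns False.
    """
    try:
        return os.path.getsize(os.path.join(path, "..namedfork", "rsrc")) > 0
    except OSError:
        return False


def classify(data: bytes, path: str = None) -> str:
    """Summarise the triage result for one file's bytes (and optionally its on-disk path)."""
    hits = scan_id3_for_pef(data)
    if hits:
        return "suspicious: PEF container inside ID3 tag at offset(s) %s" % hits
    if path is not None and has_resource_fork(path):
        return "review: plain MP3 data but a resource fork is present"
    return "clean: no executable container found in ID3 tag"


def build_sample(tag_body: bytes) -> bytes:
    """Construct a minimal MP3-like blob: ID3v2.3 header + tag body + an MPEG frame sync."""
    size = len(tag_body)
    synchsafe = bytes([(size >> 21) & 0x7F, (size >> 14) & 0x7F,
                       (size >> 7) & 0x7F, size & 0x7F])
    header = b"ID3" + b"\x03\x00" + b"\x00" + synchsafe
    return header + tag_body + b"\xff\xfb" + b"\x00" * 64


# Constructed sample data (not a real file): one ID3v2.3 TIT2 title frame, then padding.
_title = b"\x00Some Song"  # encoding byte 0 = ISO-8859-1, followed by the text
_frame = b"TIT2" + struct.pack(">I", len(_title)) + b"\x00\x00" + _title
BENIGN_TAG = _frame + b"\x00" * 16
# Same frame, but the padding is followed by a fake PEF header ('pwpc' = PowerPC architecture tag).
SUSPICIOUS_TAG = _frame + b"\x00" * 16 + PEF_MAGIC + b"pwpc" + b"\x00" * 32

BENIGN_SAMPLE = build_sample(BENIGN_TAG)
SUSPICIOUS_SAMPLE = build_sample(SUSPICIOUS_TAG)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, "->", classify(blob))
```

Both samples parse as ordinary ID3v2-tagged MP3 data, which is the point: nothing about the container header, frame sync or file extension distinguishes them, only the contents of the tag body that players never interpret. Pass a real file's bytes and path to `classify` to also get the resource-fork hint on a Mac.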


Comments (4)

  1. David Mollerstuen says:

    Anyone know any more about the exploit? From the linked press release:

    "The Trojan horse’s code is encapsulated in the ID3 tag of an MP3 (digital music) file. This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X."

    Code encapsulated in the ID3 tag of a music file?? I don’t know much about ID3 tags, but I’d be really shocked if the ID3 definition allowed such. Perhaps a buffer overflow vulnerability in either iTunes or Mac OS X?

    Much more likely would be a code resource as part of a package designed to look like an MP3 file — as indicated by the line "This code is in reality a hidden application that can run on any Macintosh computer running Mac OS X."

    Agree with Dan though that they are trying to frighten people into getting their product :->.

  2. Dan Crevier says:

    Sounds like it’s a CFM application with a .mp3 extension and the mp3 icon.

  3. Dan Crevier says:

    Actually the interesting thing is that it’s also a valid mp3 file. The cfrg resource just points into an id3 tag, which is ignored by an mp3 player. This means that it can better hide the fact that it’s executing code. This makes it slightly more insidious than the rash of these sorts of things on Windows that relied on hiding of extensions to pretend to be a different file type. But, not much more insidious…