Infos sur le premier cheval de troie sur MacOsX (communiqué de presse d’intego)

vendredi 9 avril 2004 par michelp

Communiqué de presse d’Intego



Why did Intego decide to make an announcement about a Trojan horse affecting Mac OS X ?

While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks. The exploit that it uses is both insidious and dangerous and it is our duty as a vendor of Macintosh security solutions to protect our users. We don’t believe in waiting until the damage occurs, unlike some of our competitors. The Intego Virus Security Laboratory quickly discovered how to block this Trojan horse and prevent it from running its code and as part of our commitment to our users, it was only natural that we release this in our latest virus definitions for Intego VirusBarrier.
We initially hesitated about releasing this information, but finally decided that it was our responsibility to alert users to this security risk

It should be noted that while Intego was the first to publish information about this Trojan horse, both Symantec and McAfee released updates to their antivirus software after the publication of our press release. However, these companies do not specify whether their updates protect against this Trojan horse.
Is this simply a hoax ?

Absolutely not. As we explain below, this is a major security risk, and should be taken very seriously. A hoax is something that is not true, that is created just to make people think there is a risk and to make them worry and doubt. This Trojan horse exists. We have samples of it, and it is potentially dangerous.

But you say this Trojan horse, or at least the examples that you have obtained, is benign. So why worry ?

As far as we know, this Trojan horse is benign today, but nothing prevents a malicious hacker from using this same technique to create a dangerous Trojan horse. We have examined the code contained in this Trojan horse and it doesn’t delete any files or change anything in Mac OS X, but we cannot be sure exactly what this Trojan horse is doing now, or whether it will have other
effects in the future. In any case, protecting users now is better than responding too late, especially when we are aware of the threat.

How did you first find out about this Trojan horse ?

Intego first heard about this from a Mac user who sent an e-mail message to our customer support department on April 6, 2004 at 11:16 am. This user provided us with information regarding this Trojan horse. This user also sent this message to Apple, Symantec and McAfee.

It has been known for some time that you could "hide" an application on MacOS X as another type of file, simply by changing its name. Why is thisTrojan horse different from any application whose name has been changed to, say, Song.mp3 ?

First of all, Mac OS X runs two types of applications : Cocoa and Carbon. Cocoa applications are native OS X applications, and have an .app extension.Cocoa applications are, in fact, folders containing all the bits and pieces of a program-code, resources, graphics, etc. The .app extension tells Mac OSX that an application is going to run natively.

Carbon applications are different. Most Carbon programs can run under either Mac OS 9 or Mac OS X, and, for this reason, have no .app extension. The MacOS knows they are executable programs because of two resources, carb and cfrg. The carb resource indicates that it is a Carbon application and the cfrg resource indicates the location of executable code in a file’s data fork.

This Trojan horse is, in reality, an MP3 file, to which the two resources mentioned above (carb and cfrg) have been added. In addition, the ID3 tag of the MP3 file contains the actual code of the Trojan horse and the cfrg resource contains a pointer to that location in the file’s data fork. (ID3 tags are an integral part of MP3 files : they are designed to contain information such as song titles, artist and album names, etc. These tags also exist in AAC files.)

How exactly does this Trojan horse work ?

When a user double-clicks the file, Mac OS X sees the carb and cfrg resources, assumes that the file is an application and launches it. The cfrg resource, which points to the actual code contained in the ID3 tag, allows this code to be executed. The application then opens, launches iTunes via an AppleEvent and plays the sound contained in the MP3 file.Next, the code contained in the file’s ID3 tag continues executing. In the current Trojan horse, an alert is displayed, saying that it is indeed an application. This type of Trojan horse could launch any application that runs under Mac OS X

There seems to be some confusion regarding the actual way the code is hidden in the file. Can you be more specific about this ?

As we said in our first press release, the actual code, which can be dangerous, is stored in the ID3 tag of the MP3 file. This tag usually contains comments about a song, but in this Trojan horse, executable code is stored in this tag. As mentioned above, the cfrg resource indicates where in the file the code is stored.

What sort of damage can a Trojan horse like this do on Mac OS X ?

Fortunately, unless a user is logged in as root, this type of Trojan horse cannot damage any system files as the permissions applied to these files protect them. However, it could conceivably delete any or all of a user’s personal files. If a user is logged in as root, then a Trojan horse of this type could delete system files as well. A Trojan horse like this could also easily delete files on external hard disks, where users generally turn off ownership and permissions, authorizing anyone to act on the files they contain.

How can this Trojan horse propagate ?

This Trojan horse can propagate in several ways : if a user downloads the file from the Internet, a server or a web site, it must be compressed in one way or another. This could be zip compression, if created from the Mac OS X 10.3 Finder, or Stuffit compression. This compression is necessary because the Trojan horse contains resources, which are stripped if it is downloaded without being compressed. This Trojan horse could also be encoded using binhex encoding, which maintains the resource fork as well. If the file is not compressed or encoded, it can be transferred across a local network between Macs, or even downloaded from a user’s iDisk.

If a user sends this file to someone else by e-mail, unaware that it contains a Trojan horse, there are possibilities that it will be received intact. Apple’s Mail, and Microsoft’s Entourage, for example, encode this file using binhex by default, which transmits the resources that are required for this Trojan horse to function.

Does this Trojan horse exploit a weakness in Apple’s iTunes ?

No, iTunes is not involved in this at all. iTunes plays the audio content of the MP3 file containing the Trojan horse, but does nothing else.

You say that this same technique could work in other types of files, such as JPEG and GIF files. Why is this the case ?

Files such as JPEG or GIF files have tags similar to those in MP3 files. As long as the code can be hidden in tags like this, it is simple to add carb and cfrg resources that point to the code’s location in the files.


Accueil | Contact | Plan du site | Espace privé |