Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Apple Macintosh - New MP3Concept virus


  • Please log in to reply
1 reply to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:09:37 PM

Posted 10 April 2004 - 02:38 PM

A new proof of concept virus has been introduced for the Apple Mac environment. Apple will be taking measures to shore up OS issues and AV vendors supporting the Mac platform will also add protection. While viruses are very few and far between on the Mac platform, security is something that must be continually assessed on any platform.


New Mac MP3Concept Virus (not in the wild)
http://www.intego.com/news/pr40.html
http://maccentral.macworld.com/news/2004/04/08/trojan/

Here is also Apple's response:
http://maccentral.macworld.com/news/2004/04/09/appletrojan/


The AV vendors will also provide protection where they have Mac based AV products

Symantec
http://www.symantec.com/avcenter/venc/data/mp3concept.html

F-Secure - Includes Historical discussion of viruses on the Mac Platform
http://www.f-secure.com/weblog/

Saturday, April 10, 2004
The Macintosh MP3 issue Posted by Mikko @ 11:58 GMT

After years of silence, things are happening on the Macintosh platform. A new trojan known as MP3Concept was found recently. This is not a virus, and it has not been seen in the wild, ie. IT'S NOT SPREADING AND INFECTING MACINTOSHES. We're talking about a proof-of-concept example...but an interesting one; partly because it's on a Mac, partly because it's an MP3 file.

Macintosh used to have lots of viruses. In fact, during late 1980s viruses we're considered to be largly a Macintosh problem, not a PC problem. Nowadays of course situation is exactly the opposite, with less than 100 known Macintosh-only viruses and around 90,000 PC viruses (and a couple of hundred macro viruses which work under Microsoft Office in both Mac and Windows).

In fact, with the release of the new Mac OS X, several expert-techie type of users have migrated to the new Macintosh laptops. Partly because the machines are really nice and look cool, partly because they come with 16:9 wide screens, partly because they are faster than the PC counterparts and partly because the operating system nowadays actually runs on top of unix.

Viruses and MP3 audio files have had a long relationship. There are tons of PC viruses which use filenames like SONG.MP3.PIF and try to fool the user to click on them, expecting to get a song. We've also had several vulnerabilities in common MP3 players such as WinAMP and Windows Media Player. But we haven't seen a "real" MP3 virus.

And this new Mac thing is not a virus either.

In fact, this whole thing has been blown way out of proportion. What happened was that two weeks ago there was discussion in newsgroup comp.sys.mac.programmer.misc about how resources operate under Mac, and a Swedish programmer called Bo Lindbergh posted example code to illustrate the issue. The original thread is accessible right here.

After a week or so, it became news. In fact, there's a headline called "The first Trojan horse virus to target Apple's latest operating system was discovered this week" on CNN.COM! Obviously this is not right.

What the MP3Concept trojan does is that when the MP3 file is opened under Mac OS 9 or Mac OS X, it is executed as an application because of fake resources inserted in it. The actualy code is stored in the ID3 tag of the file, and it will display a message like this:

The audio data in the example MP3 file that was distributed actually contains man's laughter. Yeah, that's interesting, although it has no importance whatever. So we've extracted the laughter to a WAV file which you can listen to by clicking here.

Do note that F-Secure does not have a Macintosh antivirus. We used to, though. F-Secure was actively distributing and developing a Macintosh antivirus product between 1991 and 1998, but nowadays we only do Windows and Linux.



BC AdBot (Login to Remove)

 


#2 Guest_MrSnausage_*

Guest_MrSnausage_*

  • Guests
  • OFFLINE
  •  

Posted 10 April 2004 - 04:33 PM

Interesting Post! Thanks for the info




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users