Mac OS X Trojan "hypeware"
I’ve been hearing all day about the “new Trojan” that could wreck Mac OS X systems far and wide. It was announced yesterday by Intego, a utility and security company, who flung press releases everywhere saying that their anti-virus product had just been updated to handle the “problem.” Quoth CNN:
“We take this first Trojan very seriously,” said Intego CEO Laurent Marteau. “This is very easy to modify and create a different version of the same problem.”
Only one problem: it’s hype, to sell their product.
It stems from the Mac’s ability to change icons and skip extensions, thus “disguising” anything as something else, and has been “an issue,” for lack of a better term, since before the days of OS X. The best explanation by far comes from Meeroh, via BoingBoing:
The Mac OS X mp3 trojan is being blown completely out of proportion. Quick review of facts so far:
1. It was pointed out in a Usenet thread that it is possible to embed arbitrary data in an mp3
2. It was subsequently suggested that the arbitrary data could be executable
3. An enterprising developer proceeded to then create a file which to any mp3 player will appear as an mp3 file, but the Mac OS X Finder sees it as an application
4. An anti-virus vendor published advertising for their product saying that it has a cure for this form of Trojan.
Some other relevant points:
1. This has little to do with Mac OS X vs. Mac OS 9. The exact same file will do the exact same thing on Mac OS 9 — be playable by mp3 players, and act as an application
2. This has little to do with Mac OS X using extensions to identify file types. The icon shown by the Finder could be embedded in the file itself, in which case the file would look like an mp3 file regardless of its name.
3. This trick requires using the resource fork, and therefore the file has to be transmitted encoded. Any mp3 file that is transferred as a plain binary file (as opposed to a Mac binary file, with the resource fork), is harmless.
4. The fact that the file can be played in an mp3 player is irrelevant; if the trojan were malicious, the user would be doomed after double-clicking on it regardless of whether the file is a valid audio file.
To summarize, a Mac application can have any icon or name whatsoever, including a name and an icon that make it look like a document. Exactly what happens when you receive such an application (in email or by downloading it in your browser) depends on your settings, but I am not aware of any case in which it will be automatically launched.
Therefore, to activate this Trojan you have to either receive a Mac-encoded attachment and double-click on it in the Finder, or you have to download a Mac-encoded file (which is then usually decoded to your desktop) and double-click it in the Finder.
The only reason that this is news is that a vendor of anti-virus software took it as an opportunity to generate some advertising, as far as I can tell.
Folks, your Macs are no more threatened now than they were yesterday, last month, or last year — and you’re always better off than Windows…;)
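As an added example (not part of the original post or of Meeroh's note), the check below reads the header of a MacBinary-encoded file and flags one whose type code is `APPL` while its name ends in a document extension. It assumes the MacBinary container specifically and does structural checks only; `DOC_EXTENSIONS`, `build_sample` and the sample files are constructed for illustration.

```python
import struct

# Assumed list of document-style extensions; extend for your environment.
DOC_EXTENSIONS = (".mp3", ".jpg", ".gif", ".txt", ".pdf")

def parse_macbinary_header(blob):
    """Return selected header fields, or None if blob is not MacBinary-shaped."""
    if len(blob) < 128:
        return None
    hdr = blob[:128]
    name_len = hdr[1]
    # Bytes 0, 74 and 82 must be zero; the filename is 1 to 63 bytes long.
    if hdr[0] or hdr[74] or hdr[82] or not 1 <= name_len <= 63:
        return None
    data_len, rsrc_len = struct.unpack(">II", hdr[83:91])
    # Each fork is padded to a 128-byte boundary after the header.
    padded = lambda n: (n + 127) // 128 * 128
    if len(blob) < 128 + padded(data_len) + padded(rsrc_len):
        return None
    return {
        "name": hdr[2:2 + name_len].decode("mac_roman"),
        "type": hdr[65:69].decode("mac_roman"),      # 'APPL' = application
        "creator": hdr[69:73].decode("mac_roman"),
        "data_len": data_len,
        "rsrc_len": rsrc_len,
    }

def disguised_application(blob):
    """True if an encoded file is typed as an application but named like a document."""
    info = parse_macbinary_header(blob)
    if info is None:
        return False  # plain binary transfer: no type code or resource fork
    return info["type"] == "APPL" and info["name"].lower().endswith(DOC_EXTENSIONS)

def build_sample(name, ftype, data=b"", rsrc=b""):
    """Constructed test input: a MacBinary-shaped container with filler forks."""
    hdr = bytearray(128)
    raw = name.encode("mac_roman")
    hdr[1] = len(raw)
    hdr[2:2 + len(raw)] = raw
    hdr[65:69] = ftype.encode("ascii")
    hdr[69:73] = b"????"                              # placeholder creator code
    struct.pack_into(">II", hdr, 83, len(data), len(rsrc))
    pad = lambda b: b + b"\0" * (-len(b) % 128)
    return bytes(hdr) + pad(data) + pad(rsrc)

if __name__ == "__main__":
    bad = build_sample("song.mp3", "APPL", b"\0" * 300, b"\0" * 200)
    print(disguised_application(bad), disguised_application(b"ID3\x03" + b"\0" * 200))
```

Because the icon can be embedded in the file itself, the name comparison is only one signal; a stricter mail or download filter can flag every `APPL`-typed attachment regardless of its name.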

Comments:
I’ve been watching the attacks against Intego with some surprise for the last day or so. If there had been a report on a major Mac news site about the creation of this trojan (whether distributed or simply in concept) and no anti-virus company had any plans about what to do about it, there would have been damning appraisals of Norton et al.
If Intego had issued no press release, but just rolled this into a future update, there would be complaints that developers put Mac software second behind Windows in their development cycles.
I’ve been a Mac guy as long as I can remember, and I have no plan to switch to anything else, but (forgive me) I’m starting to understand why so many mainstream computer pundits think Mac users are all a bit highstrung.
Which is not to say that I think you’re highstrung, GCH. Sorry if I worded my comment that way. I’m just slightly annoyed by the huge amount of hot air being blown around this issue.
I’m not worried about Intego putting something Mac behind something Windows, honestly, or even rolling it into a future release. I’m far more worried about Intego publicizing an old weakness of the Mac OS and labeling it as a virus when in fact it is not — especially in the name of sales.
Yes, it’s a potentially exploitable hole. But, because most “mainstream” news organizations rarely bother with background anymore, headlines are trumpeting “Mac virus!” — which, of course, is just plain wrong.
I apologize if hot air is spewing forth here at Foreword, but it seems to me that Intego acted in bad faith and are trying to spin it otherwise. To me, that’s worth a little bluster.
I’m starting to understand why so many mainstream computer pundits think Mac users are all a bit highstrung.
It must be just because all Microsoft users are such level-headed, responsible, tolerant individuals.