Gnutella Forums  


General Mac OSX Support For general issues regarding Mac OS X users


  #1 (permalink)  
Old April 8th, 2004
A reader, not an expert
 
Join Date: January 11th, 2003
Location: Canada
Posts: 4,613
stief has a spectacular aura about
Default Hey--we almost got our first trojan on OSX!

Slashdot is discussing a way a trojan can be disguised as an .mp3 file. Shamely (thanks Phillipe), it's only theoretical at this point
Quote:
Nothing to see here, move along... It appears that this is merely a proof of concept virus, hence, it is utterly benign. It was not made with any malicious intent, but to demonstrate one way that OS X could be exploited. The discussion group is concerned with making OS X more secure, not less. Somehow, Intego got wind of it and blew it out of proportion, but I suppose it is theoretically possible that future viruses could be modeled on it. However I'm sure that Apple could, even more quickly, release a security update that fixes this
posted by faux plastic on slashdot

And here I thought trojans were for protection. pfft. Where can I buy a windows machine?

Last edited by stief; April 8th, 2004 at 03:44 PM.
Reply With Quote
  #2 (permalink)  
Old April 8th, 2004
ursula's Avatar
Cleaning Lady
 
Join Date: May 17th, 2002
Location: koyaanisqatsi
Posts: 2,334
ursula is a great assister to others; your light through the dark tunnel
Default

This...

This... !

THIS IS A VERY FUNNY POST !!!!!!!!!!

Reply With Quote
  #3 (permalink)  
Old April 8th, 2004
A reader, not an expert
 
Join Date: January 11th, 2003
Location: Canada
Posts: 4,613
stief has a spectacular aura about
Default

I really enjoy reading slashdot. The posters there are knowledgeable, informed, irreverent, uninhibited and funny. I was just reading about the trojan on the Apple discussion boards (link soon to be inactive), and what a stuffy contrast!

Cheers.
Reply With Quote
  #4 (permalink)  
Old April 8th, 2004
et voilà's Avatar
+Modérateur à ses heures+
 
Join Date: July 26th, 2002
Location: Le Québec
Posts: 2,904
et voilà is a great assister to others; your light through the dark tunnel
Cool

Hip hip hip, HOURRA! This indicates that the os x platform is becoming a widely used platform, great
Reply With Quote
  #5 (permalink)  
Old April 8th, 2004
murasame's Avatar
The Soulforged
 
Join Date: February 12th, 2004
Location: Paris, France
Posts: 1,758
murasame is a great assister to others; your light through the dark tunnel
Default

Ok mec, I can agree to the fact that this means OSX is becoming more popular, which is a good thing of course, but, uh do you reeeally think that us OSX users becoming as afraid as Windozers of getting their machine infected with a bunch of deadly, yet popular, viruses and trojans and what have you, a joyous occasion?
I don't know about you guys, but I'd rather learn that the increase of popularity of OSX results in the making of, I don't know, maybe a Quicktime with more codecs, not a big bad virus or something.
__________________
iMac G4 OSX 10.3.9
RAM 256MB
LW 4.10.5 Basic
ADSL anything from 3 to 8Mbps/around 1024kbps

"Raise your can of Beer on high
And seal your fate forever
Our best years have passed us by
The Golden Age Of Leather"
-Blue Öyster Cult-
Reply With Quote
  #6 (permalink)  
Old April 8th, 2004
murasame's Avatar
The Soulforged
 
Join Date: February 12th, 2004
Location: Paris, France
Posts: 1,758
murasame is a great assister to others; your light through the dark tunnel
Default

Hmm, hmm
I read the entire thread and maybe you're right after all.
But I'm still skeptical...
Reply With Quote
  #7 (permalink)  
Old April 8th, 2004
A reader, not an expert
 
Join Date: January 11th, 2003
Location: Canada
Posts: 4,613
stief has a spectacular aura about
Default

Hi et voilà

I saw that http://www.macbidouille.com/niouzcon...004-04-08#8261 covered the news, but my poor reading skills there could only pick up that they quoted the Intego press release (which in English looked to me like marketing FUD). Even Macintouch's initial coverage was pretty disappointing. I'm starting to find that Slashdot looks to be the site to monitor for breaking news. Is that right?
Reply With Quote
  #8 (permalink)  
Old April 8th, 2004
et voilà's Avatar
+Modérateur à ses heures+
 
Join Date: July 26th, 2002
Location: Le Québec
Posts: 2,904
et voilà is a great assister to others; your light through the dark tunnel
Default

Well really, that news came everywhere fast because it is a Mac OS X first, and Windows users were so jealous they kept saying we weren't immune, which is true, and it happened today. However this is a potential trojan. Not an identified one. The range of infection of this "potential" trojan between Mac users seems small to me. However, it affects more people like us who use P2P to share and download non copyrighted music

Normally, potential holes in OS code are found by hackers and independent security experts, the fact that Intego found that one and sells an antivirus sure looks suspicious to me, and we shall all be vigilant about that. But now that a hole is identified (not sure if it is verified by independent sources), if someone can use it easily, the trojan will come soon enough I'd say by the summer, if not, it might be a scam to sell software that slows down Mac

Good evening to all

Update: Stief, macbidouille.com has an English-translation sister site for the French incompetents http://hardmac.com/niouzcontenu.php?...004-04-08#1882 In summary, the potential trojan can delete user files, but not system files. Also this only affects carbon based apps (like itunes) and a potential fix should be easy for Apple to produce (so fu*ck the AV companies on os x )

By the way, macbidouille.com is the most accurate and informed web site on the Mac I know, all should read it. English equivalents can't compare to it, but isn't French the language of reason

Last edited by et voilà; April 8th, 2004 at 08:14 PM.
Reply With Quote
  #9 (permalink)  
Old April 8th, 2004
A reader, not an expert
 
Join Date: January 11th, 2003
Location: Canada
Posts: 4,613
stief has a spectacular aura about
Default

Thanks--I be for go read .

btw--looks like this was discussed on the comp.sys.mac.programmer.misc newsgroup and the proof-of-concept posted on the 20th of March. Intego should get a few bucks out of it, but for USD 40 more, Mac tinfoilhatters can get a free Virex with a full Dot Mac account. I'll post when Virex updates their DAT's--LOL: looks like Intego scooped them.

Good evening---see you later.
Reply With Quote
  #10 (permalink)  
Old April 9th, 2004
Novicius
 
Join Date: April 9th, 2004
Posts: 1
Dakidd is flying high
Default

Greetings...

Well, first, three words:

HO-LEEE-CRAP!!!!

Does this thread mean that someone has picked up what I *THINK* may be my original concept and took off running with it???

Back around the 20th of March or thereabouts, I posted a message to usenet that got me thinking, and worrying. It involved the potential transport of a virus/worm/trojan-like payload in the ID3 tags of an MP3 file. When I posted, it was complete "pie in the sky", with no sort of reality to it whatsoever - pure "thought games". But at least in theory, it seemed like something that could be possible.

Not long after I made the post, before I'd actually accomplished anything more substantial than confirming that it *MIGHT* be *POSSIBLE* under *SOME* circumstances with my experiments in that direction, I got an email containing an attachment. That attachment came from someone I didn't (and still don't) know from Adam - One "Bo Lindbergh". Its content was what he called a "proof of concept virus" - It was an MP3 that played a section taken from one of those "maniacal laughter" soundtracks when loaded into an MP3 player, and at the same time, it was an executable file that did what amounts to saying "If this had been a real virus, you'd be infected right now. Be glad it was only a test." It confirmed my worst fears for the concept - Not only was it doable, Bo had proven to my satisfaction (and far beyond) that it was *EASILY* doable - I don't think it was 48 hours from my post to the arrival of the proof of concept in my mailbox.

The original post was intended as a thought problem and/or sanity-check - "Hey guys, am I freaking out prematurely, or is this an actual possibility - It sounds logical to me?" What it generated was downright scary. An all-too real trojan/viral threat against Macs that had, apparently, never been considered before. Not my intent at all... In all honesty, I was *HOPING* to get shot down in flames as a complete raving paranoid nutbar. The reality turns out to be that I was neither nuts nor paranoid, and the threat is not only plausible, but entirely practical, and all too real.

Now I'm finding that my "bright idea" has taken on a life of its own, and even prompted one company to develop a "cure" for a "disease" that to my knowledge, doesn't actually exist yet, except as a lone proof-of-concept MP3 file. I've made slashdot, however indirectly, because of it. Not exactly my intent when I first dragged my post out of a newsgroup devoted to electronic schematic diagrams into a mac-related group with every hope that I'd get shot down in a ball of flames, the likes of which haven't been seen since Baron von Richthofen's Fokker was swatted down.

To the nay-sayers who are claiming that the payload isn't in the ID3 tags - In *THIS* version, that may be true, but I can see absolutely no reason why that couldn't be the case. If one doesn't care about the possibility of "audio garbage" at the start of the playable MP3 data (and who hasn't downloaded (or even created) at least one MP3 file that has a "glitch" in it somewhere?) it's trivial to set things up so that the first MP3 block is actually a minimal PEF container that does nothing but jump to a predetermined byte-offset within the file - A byte-offset that is the start of executable code stored in one (or more) of the ID3 tags that can be present. (My original proposal was to store the executable in the ID3 tag normally earmarked for album-cover images - Imagine that - a tag that's designed to hold an arbitrary-length chunk of binary data holding binary data that's malware...)

If properly constructed, such an MP3 file would be playable (with a minor glitch at the beginning of the audio) by any MP3 player, on any platform, that doesn't choke on files containing ID3 information. But if double-clicked from the Finder on a MacOS machine, it fires up as an application, and does whatever the code embedded in the ID3 tag commands. As added camouflage, I can see no reason why the final action taken by the "payload" couldn't be a command to open and play the MP3 using whatever MP3 player the victim may have on his/her computer, giving even more "authenticity" to the infected file. I can see the logic already - "I double-clicked it, and it said 'Congratulations, sucker! You just got hit with a virus.' It scared me for a second, but then I opened it up in <insert name of user's preferred MP3 player> and it did the same thing. Whew... Big deal. Somebody recorded himself saying 'Congratulations, sucker! You just got hit with a virus.', then passed it out over Gnutella as an MP3 file. Ha-ha. How clever. Very funny. But no big deal, since everybody knows that you can't get a virus from an MP3!"

Yet underneath, lies the sinister truth: While the "music" was playing, some, perhaps all, of your shared MP3 files have been similarly infected, so the next time you hook up to the Gnutella network, you've just become another source for the virus. One only has to pause and think for a moment about the ramifications of that - A Mac virus/trojan. In a file that is compatible across all major platforms (even if it isn't directly EXECUTABLE on all of them) without needing any special handling to preserve any special Mac attributes. Running loose on a transport system that's at least partially designed to keep sources of a file obscured from easy view. And where the occasional "glitched" file is a normal fact of the medium. Put it all together, and it becomes a potential nightmare...

I welcome commentary via email - I'm posting here only because one of your members emailed me with a "please come settle the argument" type message. I don't normally pay much attention to forum sites like this one, so it's unlikely that I'll catch any discussion that happens here.

If you would like to email me on the topic, be aware of the draconian filtering I have in place on my mailbox - see <http://www.sonic.net/~dakidd/main/contact.html> for the method to bypass the filters...

Sorry to be so long-winded, but thanks for reading!

Don
Reply With Quote
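
A check for the two layouts described in post #10 (an executable header where the audio should start, and executable bytes in the album-art tag), added here as an example that is not part of the thread. The function names and the magic-number lists are this example's own assumptions; it parses only ID3v2.3/2.4 tags without an extended header, and `sample_tag` builds constructed test input.

```python
import struct

# Headers of Mac executables: PEF container, Mach-O (32-bit BE), fat binary.
EXEC_MAGICS = (b"Joy!peff", b"\xfe\xed\xfa\xce", b"\xca\xfe\xba\xbe")
IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")

def synchsafe(b):
    """Decode a 4-byte ID3 synchsafe integer (7 useful bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def check_apic(body):
    """APIC body: encoding byte, MIME + NUL, picture type, description + NUL, image."""
    mime_end = body.find(b"\x00", 1)
    if mime_end < 0:
        return ["APIC frame is malformed"]
    step = 2 if body[0] in (1, 2) else 1      # UTF-16 descriptions end in 00 00
    i = mime_end + 2                          # skip NUL and picture-type byte
    while i < len(body) and any(body[i:i + step]):
        i += step
    picture = body[i + step:]
    if picture.startswith(EXEC_MAGICS):
        return ["APIC frame holds an executable header"]
    if not picture.startswith(IMAGE_MAGICS):
        return ["APIC frame data is not a JPEG, PNG or GIF image"]
    return []

def audit_mp3(data):
    """Return findings for bytes that claim to be an MP3 (ID3v2.3/2.4 only)."""
    findings = []
    if data.startswith(EXEC_MAGICS):
        findings.append("file begins with an executable header")
    if not data.startswith(b"ID3") or len(data) < 10:
        if not (len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0):
            findings.append("no ID3v2 tag or MPEG frame sync at offset 0")
        return findings
    major, end = data[3], min(10 + synchsafe(data[6:10]), len(data))
    pos = 10
    while major in (3, 4) and pos + 10 <= end and data[pos] != 0:
        raw = data[pos + 4:pos + 8]
        size = synchsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        if data[pos:pos + 4] == b"APIC":
            findings += check_apic(data[pos + 10:pos + 10 + size])
        pos += 10 + size
    return findings

def sample_tag(apic_body):  # constructed ID3v2.3 tag with one APIC frame
    frames = b"APIC" + struct.pack(">I", len(apic_body)) + b"\x00\x00" + apic_body
    size = bytes((len(frames) >> s) & 127 for s in (21, 14, 7, 0))
    return b"ID3\x03\x00\x00" + size + frames + b"\xff\xfb\x90\x00"
```

An empty list from `audit_mp3` means neither layout was seen; it does not prove the file is harmless, since only the start of the file and APIC frames are inspected.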