Sorta-RFC-ish: Virus in MP3? (was Re: mp3 flood uploads)


Don Bruder

Mar 18, 2004, 11:46:22 AM3/18/04
In article <6Mj6c.404$Fo4....@typhoon.sonic.net>,
Don Bruder <dak...@sonic.net> wrote:

> In article <4059BCC4...@att.net>, Michael <NoS...@att.net> wrote:
>
> > Bill Garber wrote:
> > >
> > (snip)
> > > They may also contain viruses.
> > > I thought my views should be expressed here. Thanks.
> > >
> > > Bill @ GarberStreet Enterprizez };-)
> > > Web Site - http://garberstreet.netfirms.com
> > > Email - willy4...@comXcast.net
> > > Remove - SPAM and X to contact me
> >
> >
> > Virus in a sound file. If the thing could ever work, that would be a
> > neat trick.
>
> Just because it *SAYS* ".mp3" doesn't necessarily mean that it actually
> *CONTAINS* an MP3... It would take me something like 15 seconds to
> rename my "Eudora Pro" program file to "Tom Sawyer.mp3", but that
> wouldn't make it play a Rush tune when I double-clicked it...
>
> On a Mac, a file claiming to be an MP3 could be an excellent virus/worm
> propagation method, since many folks simply double-click to make it play
> - The computer worries about deciding "is it an application or a
> datafile", and based on that decision, either runs it, or goes looking
> for an application that knows how to use it. If done properly (one way
> that leaps to mind is to plug the viral code into the ID3 tag intended
> to contain cover art, and write the .mp3 file with a JMP or BRA
> instruction starting at the first byte of the file, targeted to jump
> into the executable portion hiding in the ID3 tag) it would even be
> playable from within an application (like if it were played by being put
> on a playlist in an application, rather than double-clicked), though it
> might seem to have a small glitch at the beginning due to the "corrupted
> data block" of the JMP instruction.
>
> Erk...
> I just realized I'm one of the white-hats! And worse, as a Mac user, I
> just scared myself! That scenario is all too possible...

Following-up on myself here to drag this over into a Mac-oriented group.

Sitting here with the idea I posted above bouncing around in my head has
led me to the conclusion that this would indeed be a viable "social
engineering" virus transport mechanism on the Mac - as proof of how well
they can work, look at all the people being infected by the
Bagel/Beagle/whatever-it-is virus over on the Wintel side of the fence
recently - Despite the fact that you had to actually *WORK* at it a bit
to infect yourself! First hunt down the attachment, then unzip it (using
a password, no less!), then actually run it.

Imagine how much more effective the MP3 file trojaned in the manner I
described would be in the Mac model of "Double-click it, and if it's an
application, it runs, or the OS starts up a program that knows how to
handle it if it's a data file". No "hoops" to jump through. And good
camo. Especially if it contained an actual playable MP3. The proper
"Finder flags" would of course have to be set to cause it to be treated
as an app when double-clicked, but that's trivial in comparison to the
other coding that it's going to carry. The thing could be a serious
menace, I would think.

The reason I pulled this thread over to c.s.m.p.m is to get a sanity
check from some other Mac folks. Am I paranoid? Or is what I describe
reasonably possible? As a hobby Mac programmer (Mainly for pre-X
systems), it seems to me that it could be done fairly easily, at least
under Classic. Trying to write a playable MP3 file that looks like a
Mach-O executable to be run on X might be more difficult, perhaps even
impossible. I don't know enough about X to say with any certainty.

I'm requesting comments in the age-old tradition. No, I'm not saying
that doing this would be a good idea. Only that it *IS* an idea, and
that, at first glance, I don't think it would be very hard to do. As
such, I'm wondering if we need to start regarding MP3s as a potential
trojan/worm/virus threat to be on the lookout for over here in Mac-land.

So, what do you think, Mac folk?

--
Don Bruder - dak...@sonic.net - New Email policy in effect as of Feb. 21, 2004.
I respond to Email as quick as humanly possible. If you Email me and get no
response, see <http://www.sonic.net/~dakidd/main/contact.html> Short
form: I'm trashing EVERYTHING that doesn't contain a password in the subject.

Kevin McMurtrie

Mar 20, 2004, 3:17:37 AM3/20/04
In article <ynk6c.411$Fo4....@typhoon.sonic.net>,
Don Bruder <dak...@sonic.net> wrote:

[snip]

A MacBinary header is needed for an application to set the file creator
and type. Without that, the file extension is used and the file is
harmless.

There are a couple of obvious OS X exploits, though:

First, bonehead browsers (Internet Explorer, OmniWeb, Safari) try to
guess the content type by examining part of the file's contents. Any
plain text attachment can be used to hijack those browsers.

Second, an OS X application is actually a directory with '.app' trailing
the name. This is possibly the dumbest thing that I've ever seen Apple
do recently. Not only is it cumbersome and extremely resource
intensive, but it is a glaring security hazard. Try this on the command
line:

open /Applications/iChat.app

That's the path of a directory, not an executable, yet it executes
iChat. Now imagine what happens when your favorite TAR/ZIP/UU/sit/yenc
decoder utility tells Finder to display the directory it just
decompressed and it's actually a virus in the '.app' structure.

Michael Ash

Mar 20, 2004, 4:52:01 AM3/20/04
> First, bonehead browsers (Internet Explorer, OmniWeb, Safari) try to
> guess the content type by examining part of the file's contents. Any
> plain text attachment can be used to hijack those browsers.

Do you have a demonstration? I had problems getting Mac browsers to
correctly download .dmg files from a server that was giving their content
type as text, so I rather doubt this claim.

> Second, an OS X application is actually a directory with '.app' trailing
> the name. This is possibly the dumbest thing that I've ever seen Apple
> do recently. Not only is it cumbersome and extremely resource
> intensive, but it is a glaring security hazard. Try this on the command
> line:
>
> open /Applications/iChat.app
>
> That's the path of a directory, not an executable, yet it executes
> iChat. Now imagine what happens when your favorite TAR/ZIP/UU/sit/yenc
> decoder utility tells Finder to display the directory it just
> decompressed and it's actually a virus in the '.app' structure.

I don't see how this could be exploited. Your favorite decoder utilities
don't tell the Finder to open the directories they decompress. They tell
the Finder to *show* the directories, which is not the same thing at all.
I can't see how you could convince something to automatically execute your
code with this "problem".

To answer the original question; you could, I think, pretty easily
construct an application that was also a valid MP3 using CFM and Carbon. A
CFM app can contain all of its executable code in the resource fork
(although it normally doesn't) and so you could put anything you wanted,
such as a completely valid MP3 with no tricks, into the data fork which is
what your MP3 player will read. An MP3 player could probably open it, but
it will show up as an application and double-clicking it will launch it.
You'd have to compress it with something Mac-aware, of course, so that you
don't lose the resource fork and so that it shows up as executable on the
other side of its journey.

Watson A.Name - "Watt Sun, the Dark Remover"

Mar 20, 2004, 5:54:38 AM3/20/04

"Don Bruder" <dak...@sonic.net> wrote in message
news:ynk6c.411$Fo4....@typhoon.sonic.net...

[big snip]

And we thought that Mr. Bill had given us the shaft.. I'm just glad
that only 10% of the PCs out there are Macs. At least that might help
slow down the worm somewhat. ;-)

I remember when many of the virus infections on floppies were on Macs.
:-(

Paul Mitchum

Mar 20, 2004, 7:23:54 AM3/20/04
Don Bruder <dak...@sonic.net> wrote:

> Imagine how much more effective the MP3 file trojaned in the manner I
> described would be in the Mac model of "Double-click it, and if it's an
> application, it runs, or the OS starts up a program that knows how to
> handle it if it's a data file". No "hoops" to jump through. And good
> camo. Especially if it contained an actual playable MP3.

A file with the extension .mp3 will be sent to iTunes (or whatever
player you have configured). If it's an executable, iTunes will play
something really strange sounding. :-)

You could name a file like this: file.mp3.command ..and people who set
their Finder to not show extensions might be fooled into thinking it was
an mp3, when in fact it's a shell script.

So if you're getting lots of files in email, from people you don't
know, and you're foolish enough to think they might be worthwhile, you
should at least go to Finder -> Preferences -> Advanced and check 'Show
all file extensions.' Then you'll have a better idea of how the Finder
will deal with them.

> The proper "Finder flags" would of course have to be set to cause it to be
> treated as an app when double-clicked, but that's trivial in comparison to
> the other coding that it's going to carry. The thing could be a serious
> menace, I would think.

The Finder flags would be stripped from any file not sent as MacBinary.
And in Mac OS X, the Finder cares more about the file extension than the
Finder flags or Mac file type signature.

> The reason I pulled this thread over to c.s.m.p.m is to get a sanity
> check from some other Mac folks. Am I paranoid?

Yes. :-)

> Or is what I describe reasonably possible?

That depends on what you're describing. The file extension trick has
caused all kinds of havoc in the Windows world, so it's not only
possible, it's happened (albeit not with fake MP3 files). A trojan MP3
seems absurd, however.

Gregory Weston

Mar 20, 2004, 8:12:54 AM3/20/04
In article <mcmurtri-F1BDDA...@corp-radius.supernews.com>,
Kevin McMurtrie <mcmu...@dslextreme.com> wrote:

> Second, an OS X application is actually a directory with '.app' trailing
> the name.

First, this is usually true, but not inherently so.

> This is possibly the dumbest thing that I've ever seen Apple
> do recently.

Second, Apple didn't do it; NeXT did. And for a few very good reasons.

> Not only is it cumbersome and extremely resource intensive,

Third, it is neither.


> but it is a glaring security hazard. Try this on the command
> line:
>
> open /Applications/iChat.app
>
> That's the path of a directory, not an executable, yet it executes
> iChat.

It does _exactly_ what the open command is documented to do.


> Now imagine what happens when your favorite TAR/ZIP/UU/sit/yenc
> decoder utility tells Finder to display the directory it just
> decompressed and it's actually a virus in the '.app' structure.

I have a hunch that most people doing such things are not going to
invoke system() to do it.

Chuck Harris

Mar 20, 2004, 8:48:29 AM3/20/04
Paul Mitchum wrote:

> You could name a file like this: file.mp3.command ..and people who set
> their Finder to not show extensions might be fooled into thinking it was
> an mp3, when in fact it's a shell script.
>

If you are dealing with folks that have their Finder set up to not show
extensions, you can just say:

file.command

and tell them it is an mp3 file. Social engineering works very well on
some people.

The ultimate is the Arkansas hill-billy virus, where you are asked
kindly to mail the virus (note) to everyone you know, and to then
reformat your disk drive. If you make it into a chain letter
and mention bad luck for breaking the chain, you will probably get
1% of the recipients to follow the instructions.

-Chuck Harris

Spehro Pefhany

Mar 20, 2004, 8:55:42 AM3/20/04

At first blush it appears they'd have to mail it to at least 100
people for the virus to spread, using your numbers, but it's likely
that the friends of the spreaders would include a disproportionate
number of similarly gullible people.

My favorite spam this week was one titled "barely legal teens". Then
inside, they had:

>They got Vicodin, Hydrocodone, and Norco.. 3 of the best painkillers
>out!..and other popular products..
>FREE overnight FedEx...This site will save you alot of money on meds...

Such chutzpah!

Best regards,
Spehro Pefhany
--
"it's the network..." "The Journey is the reward"
sp...@interlog.com Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog Info for designers: http://www.speff.com

John Woodgate

Mar 20, 2004, 9:14:50 AM3/20/04
I read in alt.binaries.schematics.electronic that Paul Mitchum
<use...@mile23.com.r3m0v3> wrote (in <1gaxhyp.3rgk8f1d7ys7yN%usenet@mile
23.com.r3m0v3>) about 'Sorta-RFC-ish: Virus in MP3?', on Sat, 20 Mar
2004:

>A file with the extension .mp3 will be sent to iTunes (or whatever
>player you have configured). If it's an executable, iTunes will play
>something really strange sounding. :-)

It is now essential for all geeks to try to write an executable that
*also* plays a tune. (;-)

MP3 not compulsory: all formats permitted.
--
Regards, John Woodgate, OOO - Own Opinions Only.
The good news is that nothing is compulsory.
The bad news is that everything is prohibited.
http://www.jmwa.demon.co.uk Also see http://www.isce.org.uk

John Woodgate

Mar 20, 2004, 9:18:10 AM3/20/04
I read in alt.binaries.schematics.electronic that Spehro Pefhany
<spef...@interlogDOTyou.knowwhat> wrote (in <tijo50hhh1f1ehlb8m247fcg9
okd7...@4ax.com>) about 'Sorta-RFC-ish: Virus in MP3?', on Sat, 20 Mar
2004:

>My favorite spam this week was one titled "barely legal teens". Then
>inside, they had:
>
>>They got Vicodin, Hydrocodone, and Norco.. 3 of the best painkillers
>>out!..and other popular products..
>>FREE overnight FedEx...This site will save you alot of money on meds...

Well if they had creatine, arginine, nicotine .... the Subject line
would just be mis-spelt. (;-)

Chuck Harris

Mar 20, 2004, 10:03:16 AM3/20/04
John Woodgate wrote:

>
> Well if they had creatine, arginine, nicotine .... the Subject line
> would just be mis-spelt. (;-)

Woof!

-Chuck Harris

Gregory Weston

Mar 20, 2004, 11:47:14 AM3/20/04
In article <w30p7GDa...@jmwa.demon.co.uk>,
John Woodgate <j...@jmwa.demon.contraspam.yuk> wrote:

> I read in alt.binaries.schematics.electronic that Paul Mitchum
> <use...@mile23.com.r3m0v3> wrote (in <1gaxhyp.3rgk8f1d7ys7yN%usenet@mile
> 23.com.r3m0v3>) about 'Sorta-RFC-ish: Virus in MP3?', on Sat, 20 Mar
> 2004:
> >A file with the extension .mp3 will be sent to iTunes (or whatever
> >player you have configured). If it's an executable, iTunes will play
> >something really strange sounding. :-)
>
> It is now essential for all geeks to try to write an executable that
> *also* plays a tune. (;-)
>
> MP3 not compulsory: all formats permitted.

Not a problem. No more of a problem than, say, the "obese" executable
that runs not only on 68k and PPC Macs, but also DOS and Windows. I did
that in 1996 just to mess with some peoples' minds.

Tom Harrington

Mar 20, 2004, 7:33:04 PM3/20/04
In article <tijo50hhh1f1ehlb8...@4ax.com>,
Spehro Pefhany <spef...@interlogDOTyou.knowwhat> wrote:

> My favorite spam this week was one titled "barely legal teens". Then
> inside, they had:
>
> >They got Vicodin, Hydrocodone, and Norco.. 3 of the best painkillers
> >out!..and other popular products..
> >FREE overnight FedEx...This site will save you alot of money on meds...
>
> Such chutzpah!

My fave this week was a message from "The Atomicbird.com team", warning
that they were going to shut down my email account at atomicbird.com due
to unspecified improper use, and telling me to open the attachment to
find details. However, since I _am_ the atomicbird.com "team", I was
skeptical that I had anything to worry about. :-)

Of course, other people who don't run their own domains might not find
this one to be so obvious.

--
Tom "Tom" Harrington
Macaroni, Automated System Maintenance for Mac OS X.
Version 2.0: Delocalize, Repair Permissions, lots more.
See http://www.atomicbird.com/

Bo Lindbergh

Mar 20, 2004, 8:15:09 PM3/20/04
Proof of concept: <http://www.scoop.se/~blgl/virus.mp3.sit> (52 KB)

Download and unstuff to get a Carbon/CFM application that runs on both
Mac OS 9 and Mac OS X. The PowerPC code fragment is stored as a general
encapsulated object inside the ID3 information. It tries to locate iTunes
and tell it to open the file as audio, displays an alert, and then quits.
(If you're paranoid, create a throwaway account to test it with.)

Interesting things I discovered: iTunes 2 on Mac OS 9 and iTunes 4 on
Mac OS X both ignore file types; they will open the file, taste it,
find valid ID3 information followed by an MPEG data stream, and happily
proceed to play it.


/Bo Lindbergh
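An added defensive check, not Bo's proof of concept or any code from this thread: a Python scanner that walks the frames of an ID3v2.3/2.4 tag, flags GEOB (general encapsulated object) frames whose payload begins with a PEF/CFM or Mach-O header, and reports whether an MPEG frame sync follows the tag, which is the "valid ID3 information followed by an MPEG data stream" shape iTunes happily plays. The sample file it builds is constructed here with a placeholder header (no real code) purely to exercise the parser.

```python
import struct

# Header magics for executables that could be tucked into a GEOB frame.
# 'Joy!peff' opens a PEF (CFM) container; 0xFEEDFACE is 32-bit Mach-O.
EXEC_MAGICS = {
    b"Joy!peff": "PEF/CFM code fragment",
    b"\xfe\xed\xfa\xce": "Mach-O (32-bit, big-endian)",
}

def syncsafe(b):
    """Decode a 4-byte ID3 syncsafe integer (7 bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def parse_id3v2(data):
    """Return (major, [(frame_id, body)], tag_end) for an ID3v2.3/2.4 tag."""
    if len(data) < 10 or data[:3] != b"ID3" or data[3] not in (3, 4):
        return None, [], 0
    major, end, pos, frames = data[3], 10 + syncsafe(data[6:10]), 10, []
    while pos + 10 <= end:               # extended header/unsync ignored here
        fid, raw = data[pos:pos + 4], data[pos + 4:pos + 8]
        if not fid.strip(b"\x00"):       # reached the tag's zero padding
            break
        size = syncsafe(raw) if major == 4 else int.from_bytes(raw, "big")
        frames.append((fid.decode("latin-1"), data[pos + 10:pos + 10 + size]))
        pos += 10 + size
    return major, frames, end

def _skip_string(buf, wide):
    """Drop one terminated string (UTF-16 strings end in a double NUL)."""
    term, step = (b"\x00\x00", 2) if wide else (b"\x00", 1)
    i = 0
    while i < len(buf) and buf[i:i + step] != term:
        i += step
    return buf[i + step:]

def geob_object(body):
    """Split a GEOB body into (mime_type, object_bytes)."""
    wide = body[0] in (1, 2)             # text encoding byte: 1/2 are UTF-16
    mime_end = body.find(b"\x00", 1)
    mime = body[1:mime_end].decode("latin-1")
    rest = _skip_string(body[mime_end + 1:], wide)   # filename
    return mime, _skip_string(rest, wide)            # description, then object

def scan_mp3(data):
    """Report GEOB payloads that look executable and whether audio follows."""
    findings = []
    major, frames, tag_end = parse_id3v2(data)
    if major is None:
        return ["no ID3v2 tag"]
    for fid, body in frames:
        if fid == "GEOB":
            mime, obj = geob_object(body)
            kind = next((k for m, k in EXEC_MAGICS.items()
                         if obj.startswith(m)), "an opaque object")
            findings.append(f"GEOB frame carries {kind} ({len(obj)} bytes, mime {mime!r})")
    nxt = data[tag_end:tag_end + 2]      # MPEG frame sync: 11 set bits
    if len(nxt) == 2 and nxt[0] == 0xFF and nxt[1] & 0xE0 == 0xE0:
        findings.append("MPEG frame sync follows the tag (still playable)")
    return findings

def build_sample():
    """Constructed ID3v2.3 file: a title frame, a GEOB frame whose object is a
    placeholder PEF header (not real code), then a fake MPEG frame header."""
    def frame(fid, body):
        return fid + struct.pack(">I", len(body)) + b"\x00\x00" + body
    fake_code = b"Joy!peff" + b"\x00" * 24
    tag = frame(b"TIT2", b"\x00Tom Sawyer") + frame(
        b"GEOB", b"\x00application/octet-stream\x00cover.bin\x00art\x00" + fake_code)
    size = bytes((len(tag) >> s) & 0x7F for s in (21, 14, 7, 0))
    return b"ID3\x03\x00\x00" + size + tag + b"\xff\xfb\x90\x00" + b"\x00" * 16
```

Running `scan_mp3(open(path, "rb").read())` on a real download lists every GEOB object with its size and MIME type, so a "cover art" object that starts with an executable header stands out even when the file still plays.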

Paul Mitchum

Mar 20, 2004, 9:21:24 PM3/20/04
Bo Lindbergh <bl...@hagernas.com> wrote:


YOU ARE THE ALPHA GEEK.

Tim

Mar 25, 2004, 2:54:57 PM3/25/04
Apropos this discussion, does anyone know how to positively identify
executable files on the Mac? My app opens files received over the
net, generally from trusted parties, but I thought I would at least add
a base level of protection of not opening executables. On OSX, I am
using LaunchServices, kLSItemInfoIsApplication flag. On OS9, I know
that applications are identified with filetype 'APPL' but there are
other executables (e.g., Control Panels). It looks like maybe
FinderFlag kHasBundle would identify more reliably?

I know there are a whole range of executables which support scripting,
and I can't easily protect against that (can I?). I wonder, is the above
logic going to do any good at all, or would it be so trivial to bypass
with scripting that I would be better off not risking a false sense of
security?

ward mcfarland

Apr 9, 2004, 6:32:34 AM4/9/04
Michael Ash <mik...@mikeash.com> wrote:

> To answer the original question; you could, I think, pretty easily
> construct an application that was also a valid MP3 using CFM and Carbon. A
> CFM app can contain all of its executable code in the resource fork
> (although it normally doesn't) and so you could put anything you wanted,
> such as a completely valid MP3 with no tricks, into the data fork which is
> what your MP3 player will read. An MP3 player could probably open it, but
> it will show up as an application and double-clicking it will launch it.
> You'd have to compress it with something Mac-aware, of course, so that you
> don't lose the resource fork and so that it shows up as executable on the
> other side of its journey.


The issue was raised, so someone tried it and apparently succeeded!

<http://www.intego.com/news/pr40.html>

Kaldari

Apr 9, 2004, 11:59:17 AM4/9/04
It looks like Intego has successfully launched a FUD campaign to sell
their security software based on your proof-of-concept:

http://www.intego.com/news/pr40.html
http://www.wired.com/news/mac/0,2125,63000,00.html?tw=wn_tophead_2
http://www.macnn.com/news/24162
http://apple.slashdot.org/article.pl?sid=04/04/08/1922237&mode=thread&tid=126&tid=172

At least now we can be confident that Apple will release a security
update sooner rather than later :)

Simon Fraser

Apr 9, 2004, 12:20:55 PM4/9/04
In article <b906e880.04040...@posting.google.com>,
kal...@angelblade.com (Kaldari) wrote:

I doubt it. They might add a few warnings to applications that try to
open such files from mail etc (I think I read that Mail.app already
does this), and perhaps a warning in the Finder, but I think the risk
from such files is overrated.

One issue that I haven't seen commented on anywhere is that you have to
have downloaded this trojan mp3 file with the resource fork intact for
it to be in a runnable state. A normal FTP or HTTP transfer of the file
from a server will not bring over the resource fork, and therefore
leave you with a safe file.

Because of this, I don't think such a file could be easily spread via
iTunes. To get a malicious file to get through Usenet, the poster would
have had to either compress it as a .zip or .sit archive before
posting, or would have to post it in AppleDouble format and hope that
people are using usenet clients that can reassemble resource forks of
AppleDouble attachments. My hunch is that most sending agents (mail
clients, news readers) would ignore the resource forks of .mp3 files by
default.

You'd have to get the file in a compressed format that understands
resource forks (e.g. .sit, or the Panther .zip), then uncompress it
before having a dangerous file.

So the thing to be wary of here is downloading mp3 files which are
compressed as Stuffit or zip archives.

Simon

--
Simon Fraser <mailto:sm...@smfr.org> <http://www.smfr.org/>
(Professional driver on closed road)

Frédérique & Hervé Sainct

Apr 9, 2004, 1:07:44 PM4/9/04
Don't you think that a definitive solution could be a simple applescript
(say associated to a "download" or an "attachment" folder) that would
filter incoming files and flag anything containing '.mp3' and being an
application?

Herve

--
Frédérique & Hervé Sainct, h.sa...@laposte.net
Frédérique's initial is missing in front of the above address
l'initiale de Frédérique manque devant l'adresse email ci-dessus

Benjamin Riefenstahl

Apr 9, 2004, 1:00:56 PM4/9/04
Hi Simon,

Simon Fraser <sm...@smfr.org> writes:
> A normal FTP or HTTP transfer of the file from a server will not
> bring over the resource fork, and therefore leave you with a safe
> file.

The server just needs to package the resource fork into MacBinary
format. Any browser will unpack that format automatically and create
the original resource fork.

benny

nirs

Apr 9, 2004, 4:59:19 PM4/9/04
Why use the hard way? There is a much simpler way to make any
application file look like .txt, .jpg, .zip, .pkg - anything!

You need to set a custom icon, and then change the extension in a very
simple way - no programming skills needed and no special tools. 3
clicks using the finder and another built in application. Then you
pack your virus in an internet-enabled disk image, so the file will
keep its custom icon.

It looks like a normal file, it can be any application. Most users
will try to open it if you give it the right name and icon.

See a few example AppleScripts pretending to be other files:
http://forums.ort.org.il/files/307/1970653/8208371.zip
http://forums.ort.org.il/files/307/1970675/9181348.zip
http://forums.ort.org.il/files/307/1970679/1587186.zip

These examples do not pretend to be another file when you open them,
but that could be easy to add...

Enjoy.

Miro Jurisic

Apr 9, 2004, 7:02:32 PM4/9/04
In article <smfr-95DB75.0...@news-40.sjc.giganews.com>,
Simon Fraser <sm...@smfr.org> wrote:

> One issue that I haven't seen commented on anywhere is that you have to
> have downloaded this trojan mp3 file with the resource fork intact for
> it to be in a runnable state. A normal FTP or HTTP transfer of the file
> from a server will not bring over the resource fork, and therefore
> leave you with a safe file.

I commented on this and several other related questions in my followup on
boingboing.net.

meeroh

--
If this message helped you, consider buying an item
from my wish list: <http://web.meeroh.org/wishlist>
