By now, assuming you pay any attention to the Macintosh media in between your weekly doses of TidBITS, you’ve undoubtedly heard of the hubbub brewing around the announcement last Thursday of the first Trojan horse to target Mac OS X. The news came from Intego, the developers of a variety of security software, including the anti-virus program VirusBarrier, which Intego updated to detect hypothetical malicious software using this new technique.
Should we laud Intego’s integrity in alerting the Macintosh community to this possible pestilence, or should we revile the company for a self-serving PR move that has the potential to cause untold headaches for the entire Macintosh world? I’ll reveal my hand here – if Intego wants to do public service announcements, they shouldn’t use a press release to submit their findings, and they should stop selling a product that stands to benefit directly from both the increased paranoia they’ve caused and a potential plague of copycat Trojans.
Just the Facts, Ma’am — Toward the end of March 2004, a discussion took place on the Usenet group comp.sys.mac.programmer.misc about the potential for embedding malicious code inside an MP3 file. After some back and forth, programmer Bo Lindbergh posted a proof-of-concept file that is an MP3 and plays in iTunes, but is actually also an application. Bo’s proof-of-concept merely popped up a dialog box, but it obviously could execute any sort of code. It’s a clever hack that takes advantage of both the way Carbon applications work and the ID3 tag portion of the MP3 file format to run executable code from within a legitimate MP3 file. It’s worth noting that all of the programming techniques used by Bo’s proof-of-concept are perfectly legitimate, and the only vulnerability this exposes is the ability of a programmer to disguise an application as a document. Nothing new there, and it’s well worth reading the technical commentary posted on BoingBoing by Miro Jurisic (a top-tier Macintosh programmer known for winning the MacHax Group’s Best Hack Contest at MacHack on multiple occasions).
On 20-Mar-04, Intego said that an unnamed person reported this proof-of-concept Trojan to Intego, Symantec, Network Associates, and Apple. Intego evaluated the code and added some code to VirusBarrier to detect it. So far so good. But then, despite some "initial hesitation," Intego decided to put out a press release trumpeting how the update to VirusBarrier detects "the first Trojan horse for Mac OS X." Open bottle, extract genie.
Needless to say, the press release was immediately covered by a variety of news sites (I’ve included a selection of links below; it’s amusing to compare them, and be sure to see the hilarious Joy of Tech cartoon at the end). As usual, that means a few sites confirmed the story, investigated the technical claims, and queried security experts, whereas many others merely reprinted or pointed to Intego’s press release. The massive coverage instantly generated a ton of confusion and misunderstandings. Many people thought Mac OS X was immune from such malevolent code (false, and the proof-of-concept works equally well in Mac OS 9), which led to the conclusion that Intego was promulgating a hoax (equally false). Other misapprehensions that quickly resulted were that this was a virus (false, Trojans don’t self-replicate) and that it was in some way related to Apple’s success in the music world (inane, and at best a non-sequitur). Intego itself generated other confusions, such as the implication that what was being identified was an actual Trojan horse (false) rather than just a method by which a Trojan horse could be created. Intego is also culpable for classic FUD (Fear, Uncertainty, and Doubt) tactics by advertising that the same technique could be used with GIF and JPEG files, and QuickTime movies (true, but irrelevant).
<http://apple.slashdot.org/article.pl?sid=04/04/ 08/1922237&mode=thread&tid=126& amp;tid=172>
Clear and Present Terminology — Let’s step back and look at what the terms for the various types of malicious software really mean. Viruses are pieces of executable code that that can’t stand alone, but must be inserted into and operate within a "host file," usually an application. Most importantly, viruses self-replicate, inserting their code into other files as a way of moving from one file to another, and one computer to another. Although worms also replicate themselves, they don’t require a host file and exist as standalone files.
A Trojan is a horse of a different color. Like worms, Trojans are standalone programs, but they don’t self-replicate. Instead, they’re designed to deceive an unwary user into downloading them and launching; as a rule, they can be identified precisely (which allows warnings of "If you see a file called ‘Trojan Horses’ that purports to provide a directory of farriers in the Middle East, don’t run it or it will delete all the files on your hard disk!"). Without detracting from the clever technique that Bo Lindbergh came up with, Trojans are trivially easy to write. That’s because all they have to do is deceive you long enough for a double-click. Once you double-click, the Greeks leap from the horse and it’s all over for Troy and your computer. (In case you’re not up on your Homer, we can thank Odysseus for the original Trojan Horse.)
Bo’s proof-of-concept was primarily interesting for what it did after it was double-clicked: it acted like a normal MP3 document. Also interesting was the fact that it could be dragged into iTunes and played like any other MP3 file. But despite having the data fork of a legitimate MP3 file, it was in fact an application, and the Finder’s Get Info window properly identified it as such. In essence, the proof-of-concept was more deceptive after the fact, which, had it been an actual Trojan horse, might have made it somewhat harder to detect. But as it was neither malicious nor deceptive, the proof-of-concept simply was not a Trojan horse. That said, it was a questionable move to post such a proof-of-concept in public.
Think Like Intego — So why did Intego decide to issue a press release about what the company dubbed the MP3Concept Trojan? Obviously, I wasn’t privy to the discussions (or I would have told them in no uncertain terms what a terrible idea this was), but it seems likely that the decision was in the end based on the positive benefits it would have for Intego. After all, promoting corporate interests is what PR is all about.
The reasoning is easy to follow. With just a little effort in the press release, Intego could both catapult the company into the spotlight of the Macintosh media and engender a sense of paranoia in the Macintosh community that would result in sales of VirusBarrier. For examples of how the wording of the press release supports this goal, consider this: "While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks." The sentence manages to imply that Intego discovered the Trojan (it was actually reported to them by a user) and at the same time states that there are multiple versions of the Trojan. As far as I’ve been able to determine, and Intego did not answer my direct question to this point, at the time when this press release was sent out, there was only Bo Lindbergh’s proof-of-concept.
Then there’s this section: "Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS X. This same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen." That’s classic FUD aimed at scaring less-sophisticated users into believing that they cannot so much as double-click an MP3, JPEG, or GIF file without risking untold digital horrors. Unless, that is, they’re running Intego’s VirusBarrier.
So Intego gains massive press coverage, and even if it turned negative, there’s always the aphorism, "I don’t care what you say about me as long you spell my name right." Intego also sees increased sales of VirusBarrier, lending a direct financial bonus to the announcement. If nothing else, Intego’s behavior was crass, very much along the lines of the anti-virus companies whose software identifies worm-generated email but, instead of deleting it, wastes even more time and resources by bouncing it back to the forged address with an advertisement for the anti-virus software. Although those companies haven’t yet been taken to task for such tactics, Intego may suffer a significantly damaged reputation from this decision.
Intego calls itself an "i-security company" and talks on its About page about how it is committed to "protecting your computer from security threats of all kinds." Ignoring the utterly cynical thought that Intego would wish ill upon those who were not its customers, by releasing the announcement of MP3Concept, Intego violated that basic goal of protecting computers from security threats of all kinds. That’s because the publicity that surrounded both the initial press release and Intego’s followup Q&A document about MP3Concept significantly lowers the bar for creating Trojan horses using the MP3Concept approach. I would be surprised if actual MP3Concept Trojans hadn’t been released into the wild now, given that most people writing malicious software generally just modify techniques and code from others. So by providing details about how MP3Concept works, how it could affect GIF and JPEG files, and more, Intego almost ensured that some disaffected programmer would implement it. Do you feel that Intego’s announcement has helped protect your Mac from security threats?
Intego would certainly argue that the information would have gotten out anyway. That may be true, since the information about the proof-of-concept was protected only by obscurity. But the Internet is an awfully big place these days, and just because some piece of information is available doesn’t mean it will automatically be introduced to hundreds of thousands of Macintosh users. Lots of programmers discover ways of abusing operating systems that they either don’t act on or don’t publicize. Intego chose to go public.
What Should Intego Have Done? It’s said that hindsight is always 20/20, but in this case, I think it’s clear how Intego should have responded. First, I think Intego should absolutely have updated the virus definitions for VirusBarrier to identify and delete any Trojan horses using the MP3Concept technique. That’s entirely in line with the mission of protecting computers from security threats of all kinds, and I have nothing against Intego using this information to improve its products.
However, Intego should next have verified that the right people at Apple had received the information, assuming that a Macintosh developer like Intego would have better contacts within Apple than a random user. Intego said the reporting user had also alerted Apple, but we all know that Apple is a very large company, and sending an email message to a general feedback address is a lot different from making sure Apple’s security team was aware of the problem. The Apple Product Security page provides a email address to which such security vulnerabilities should be reported.
Intego could also have alerted an independent security organization like the CERT Coordination Center to the vulnerability. That would have allowed CERT to verify the vulnerability, alert Apple again, and publish the information in a controlled fashion. Then, had the information become public, Intego wouldn’t have been tainted by a blatant conflict of interest and could still have announced that VirusBarrier had been updated to deal with the problem.
What Should You Do? The cat’s out of the bag, and thanks to Intego’s self-serving behavior, the Macintosh world is a less trusting place than it was this time last week. So what’s your actual vulnerability to Trojans (or worms, because self-replicating code could be added) using the MP3Concept technique? I hope that, apart from a few quick copycats from programmers without the skill or creativity to produce anything worthwhile, we won’t see many implementations, which means that most people won’t have to worry about anything most of the time. Also reassuring is the fact that downloading a raw MP3, JPEG, or GIF file from an FTP or Web site (or one of the file sharing networks) is unlikely to expose you to an MP3Concept Trojan horse because Macintosh resource forks aren’t transmitted when such files are downloaded unless the file is first encoded in a StuffIt archive, MacBinary file, BinHex file, or on a disk image.
That said, I encourage you to be cautious about files you receive in email, since email programs will use the AppleDouble or BinHex encodings to ensure that a file’s resource fork is protected. Luckily, good email programs like Eudora and Mail refuse to let you launch an application attached to a message without prompting you first; if you ever see a query from your email program about executing an attachment, cancel the launch and investigate the source of the attachment.
If you regularly receive files in email and download files from Web sites of unknown reputation, I recommend that you run and regularly update an anti-virus application. On a technical basis, I don’t know of any particular differences between Symantec’s Norton AntiVirus, McAfee’s Virex, and Intego’s VirusBarrier, but I can’t encourage supporting Intego after this incident. Symantec’s Norton AntiVirus costs $70 from Symantec, though I instead generally recommend the $130 Norton SystemWorks bundle (which also includes Norton Utilities, Dantz’s Retrospect Express, and Aladdin’s Spring Cleaning). McAfee’s Virex doesn’t seem to be as readily available as Norton AntiVirus, but remember that you get it for free with a $100 .Mac membership, which is a good deal.
I don’t currently know what methods Norton AntiVirus and Virex use to identify potential MP3Concept Trojans, but according to some Usenet discussions, VirusBarrier merely looks for any CFM executable whose name ends with a common filename extension. As a result, it apparently incorrectly identifies some plug-ins for Adobe Photoshop Elements and Adobe InDesign CS as being Trojan horses. Oops.
One final point to drive home: regular backups (and not just duplicates) can protect you from a multitude of evils ranging from an overeager anti-virus application to a malicious Trojan horse.
What Happens Next? Intego’s media maelstrom elicited a statement from Apple, which is unusual for security vulnerabilities. As the Apple Product Security page states, "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." In response to our query, an Apple representative said, "We are aware of the potential issue identified by Intego and are working proactively to investigate it. While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities."
I’d be a little surprised if Apple actually had been working on this issue before Intego’s announcement, since the proof-of-concept doesn’t do anything illegal. Had it not been described in the Usenet posting, it would have been deceptive, sure, but a custom icon and a misleading name are also deceptive, and there’s nothing Apple can do to prevent them. I’ve seen a number of ideas for ways Apple could modify the Mac OS to reduce the likelihood of a user launching a Trojan, including putting a subtle halo around the icons of applications (thus reducing the deceptive nature of Trojans masquerading as documents) and requiring user assent to the first launch of any newly downloaded application. Neither of these approaches would be complete protection, but they might lower the likelihood of someone running a Trojan without warning. Whether or not Apple was working on this issue ahead of time, I’m sure Apple programmers are evaluating it now, and it’s entirely likely that Apple will release a security update in the near future to address MP3Concept’s method of deceiving users.
In the end, the only real solution to the overall problem of malicious code would likely be a major rearchitecting of Mac OS X in such a way that prevents applications from causing damage. I doubt Apple would go to such lengths because of the cost of such a wholesale change, particularly given the minimal actual damage to Macs caused by malicious software so far.