NEWS FROM THE LAB - Saturday, April 10, 2004

The Macintosh MP3 issue Posted by Mikko @ 11:58 GMT

After years of silence, things are happening on the Macintosh platform. A new trojan known as MP3Concept was found recently. This is not a virus, and it has not been seen in the wild, ie. IT'S NOT SPREADING AND INFECTING MACINTOSHES. We're talking about a proof-of-concept example...but an interesting one; partly because it's on a Mac, partly because it's an MP3 file.

Macintosh used to have lots of viruses. In fact, during late 1980s viruses we're considered to be largly a Macintosh problem, not a PC problem. Nowadays of course situation is exactly the opposite, with less than 100 known Macintosh-only viruses and around 90,000 PC viruses (and a couple of hundred macro viruses which work under Microsoft Office in both Mac and Windows).

In fact, with the release of the new Mac OS X, several expert-techie type of users have migrated to the new Macintosh laptops. Partly because the machines are really nice and look cool, partly because they come with 16:9 wide screens, partly because they are faster than the PC counterparts and partly because the operating system nowadays actually runs on top of unix.

Apple Powerbook G4 17 inch (c) Appel 2004

Viruses and MP3 audio files have had a long relationship. There are tons of PC viruses which use filenames like SONG.MP3.PIF and try to fool the user to click on them, expecting to get a song. We've also had several vulnerabilities in common MP3 players such as WinAMP and Windows Media Player. But we haven't seen a "real" MP3 virus.

And this new Mac thing is not a virus either.

In fact, this whole thing has been blown way out of proportion. What happened was that two weeks ago there was discussion in newsgroup comp.sys.mac.programmer.misc about how resources forks operate under Mac, and a Swedish programmer called Bo Lindbergh posted example code to illustrate the issue. The original thread is accessible right here.

After a week or so, it became news. In fact, there's a headline called "The first Trojan horse virus to target Apple's latest operating system was discovered this week" on CNN.COM! Obviously this is not right.

What the MP3Concept trojan does is that when the MP3 file is opened under Mac OS 9 or Mac OS X, it is executed as an application because of fake resources inserted in it. The actual code is stored in the ID3 tag of the file, and it will display a message like this:

MP3Concept screenshot, source: http://www.intego.com/news/pr41.html

The audio data in the example MP3 file that was distributed actually contains man's laughter. Yeah, that's interesting, although it has no importance whatever. So we've extracted the laughter to a WAV file which you can listen to by clicking here.

Do note that F-Secure does not have a Macintosh antivirus. We used to, though. F-Secure was actively distributing and developing a Macintosh antivirus product between 1991 and 1998, but nowadays we only do Windows and Linux.