Ok ok so all this hoohaa about a Macintosh trojan. “Oh my God, don’t click those MP3s, someone has finally hacked the Mac!” is what I hear.
Not really, folks. Calm down, and here is what is happening.
First off, you might have heard this is a new exploit. No. This “trick” could have been done in 1984. Simply put, this trojan horse is a normal “original” style Macintosh application, with code in the code resource and data (in this case, the mp3 tune) in the data fork.
Old Mac OS applications (or current Carbon applications) look like one file to you and me, but are really two. New applications, like iPhoto, are “bundles” and while they look like applications to you and me, are really folders of code and the resources needed for the application. Both serve the same purpose, but are implemented differently.
“But this file is an mp3 file!” Well yes, the data fork is mp3, but the resource fork is an application. In fact, if you select this “mp3” and select “Get Info” you’ll be shown it is an application.
Applications can do anything to your computer (given permission) once you launch them. In essence, this trojan is tricking you into launching it by appearing to be an mp3.
How does it do it when the file extension is .mp3? Well, on the Mac, there are several ways for an application to tell Mac OS that it is an application. One is by the file extension, and this is new to OS X. The older, and still used way, is some data put on the file itself called the type and creator. The type tells Mac OS what type of file it is, and if that type is ‘APPL’ then the Mac sees it as an application.
The icon for an application is embedded inside the application, thus all you need to do is write a mean application, name it with a .mp3 extension, put an iTunes icon for the application icon and wham, you have a trojan.
But I bet you heard the code is embedded inside the mp3! Oh no! Well, yes, the bad code is. But unless an application like iTunes loads this and executes it as code, it is benign. Most of the Windows viruses come from poor applications like IE and Outlook actually executing this code. Nothing on the Mac does to my knowledge.
So what happens is you double click this mp3 and a resource in the application tells the Mac where to find the real code, inside of the data fork. The fact that an mp3 is used seems to be just a way to scare people into buying their software.
So the virus code gets executed, iTunes is launched by the virus and plays the file in the data fork while it goes off and does bad things to your machine.
The point here is folks: This is not new, this attack has been around since 1984 and just like before, trust your sources. If you get a random email with an mp3, don’t run it!
Or, have iTunes import the mp3 but don’t double click it. This will import the song and play it, but not execute the virus.
If you are in doubt, select the file in the Finder, choose Get Info from the File menu and at the top it will say “Application” or “mp3 file”.
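The same Get Info check can be scripted. This is an added example, not part of the original post: it assumes a current macOS where the type and creator are exposed as the `com.apple.FinderInfo` extended attribute and can be read with the `xattr` tool. The function names, the extension list and the sample records are made up for illustration.

```python
import os
import struct
import subprocess
import sys

# Assumed list of "looks harmless" extensions; extend to taste.
MEDIA_EXTS = {".mp3", ".jpg", ".jpeg", ".gif", ".mov"}

def parse_finder_info(blob):
    """Return (type, creator) from a Finder info record (first 8 bytes)."""
    if len(blob) < 8:
        raise ValueError("Finder info record too short")
    ftype, creator = struct.unpack(">4s4s", blob[:8])
    return ftype.decode("mac_roman"), creator.decode("mac_roman")

def is_disguised_app(filename, finder_info):
    """True when the name claims a media file but the type code is 'APPL'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MEDIA_EXTS or len(finder_info) < 8:
        return False  # not a media name, or no type/creator stored at all
    ftype, _creator = parse_finder_info(finder_info)
    return ftype == "APPL"

def read_metadata(path):
    """macOS only: Finder info bytes and resource fork size for a file."""
    out = subprocess.run(["xattr", "-px", "com.apple.FinderInfo", path],
                         capture_output=True, text=True)
    info = bytes.fromhex("".join(out.stdout.split())) if out.returncode == 0 else b""
    try:
        rsrc = os.path.getsize(os.path.join(path, "..namedfork", "rsrc"))
    except OSError:
        rsrc = 0  # no resource fork, or not an HFS+/APFS volume
    return info, rsrc

# Constructed sample records: 4-byte type, 4-byte creator, 24 bytes of padding.
SAMPLE_TROJAN = b"APPL" + b"vMP3" + bytes(24)
SAMPLE_MP3 = b"MPG3" + b"hook" + bytes(24)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        info, rsrc = read_metadata(path)
        verdict = "APPLICATION posing as media" if is_disguised_app(path, info) else "ok"
        print(f"{path}: {verdict} (resource fork: {rsrc} bytes)")
```

Run it with one or more file paths; a nonzero resource fork size on something named .mp3 is worth a second look even when the type code is not ‘APPL’.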
I stripped the resource fork off of the trojan application, which left just the mp3 data fork, and the file opened on a dummy user account with no errors or virus activity.
Thus, as I have said, playing an mp3 or viewing a jpeg cannot hurt your system. Double clicking a file appearing to be an mp3 or a jpeg can. Double check files people send you with Get Info or with some utility like Virex, but don’t fall victim to the sky-is-falling mentality of a recent press release seemingly designed to stir up sales.