Big Mac attack? A wake-up call for OS X users

Black Enterprise, Sept, 2004 by Rebecca Rohan

Macintosh users have had some bragging rights over their Windows counterparts for various reasons, not the least of which is "malware"--viruses, worms, and Trojan horses--that is a frequent pain to Windows users. But on March 20, 2004, a "proof of concept" Trojan horse named MP3Concept (file name MP3Virus.Gen) was discovered, paving the way for more serious malware.

The malware is theoretically benign, but is intended to show a particular vulnerability in an operating system or programmed to alert developers and the user community so that they can tighten security. The MP3Concept Trojan embeds MP3 data into an application. Once the application is executed, the Trojan executes and displays the message, "Yep, this is an application. So what is your iTunes playing right now?" After displaying the message, the program launches iTunes and plays the mp3 file.

That first, and harmless, Trojan executes only if the user opens it as an attachment. If the user downloads the file through iTunes, nothing out of the ordinary happens. MP3Concept Trojan does not replicate itself and is therefore not a virus. But someone decided to create a malicious Trojan that went beyond proof of concept. Still not a virus, AS.MW2004.Trojan was discovered May 12, 2004, and its long name, Microsoft Word 2004 OS X Web Install, tells the story: Mac OS X users believe they're getting an installer for a Beta of MS Word 2004. Instead, when executed, a script attempts to delete the user's root directory, which on an OS X system can mean the folder that contains other folders. But for the Mac, if the user is not logged on as "root," nothing happens. Take that as a safety tip.

Symantec's Norton AntiVirus 9.0 for the Mac ($69.95) has a virus definition update for the Trojan, but McAfee has no consumer antivirus product for the Macintosh, Both companies have enterprise products for the Mac.

"This is a new threat targeting the Mac OS X line; there have been a few threats for OS 9," says Nancy Mohler, senior product manager for Symantec. According to Mohler and other experts, there are reports of the malicious Trojan circulating on peer-to-peer file-sharing networks, but no one has submitted a copy of it.

The number of reported attacks is also low, but it's better to practice safety before the big one hits. "You can't take safety for granted, regardless of the operating system platform," says Mohler. "We do see attempts at identity theft." Mohler also warns Mac users that they can spread PC viruses if they have OS 9.

Neel Mehta, a research engineer with Internet Security Systems' X-Force, says, "As more people begin to use Mac OS, we'll see more malware targeting it, If the kind of worms targeting Windows and Linux are written to target Mac, it would have more significance than this piece of malware."

MAC VIRUSES

See both Trojan profiles with illustrations at:

Proof of Concept: http://securityresponse.symantec.com/avcenter/venc/data/mp3concept.html

Malware: http://securityresponse.symantec.com/avcenter/venc