Friday, April 09 2004 @ 08:48 PM UTC
Contributed by: Admin
There is a lot of discussion in various forums on the Net regarding this Trojan. Is there a generic way to protect ourselves from it, apart from buying an anti-virus program?
The Trojan in question works by including executable code inside a "comment" or "meta" tag of the data file (i.e. a part of the file that reader applications skip over, since it is not part of the data format proper).
The file is then given the 'APPL' HFS type, and its resource fork contains the 'cfrg' resource that tells the code loader at which offset in the file to start execution.
In the particular case of MP3 files, the file will start with 'ID3...' and a few bytes later you will see (in the example we got at offset 0x40) 'Joy!peffpwpc...' : the signature of a PEF executable.
The corresponding 'cfrg' resource of course needs to point to offset 0x40 for the code to load correctly.
The Trojan works because the Finder gives priority to the HFS type info over the file signature (the one reported by the "file" tool) when deciding how to handle the document: Get Info in the Finder reports the file as an application, while file virus.mp3 in Terminal.app reports a valid MP3 file...
We quickly wrote a small tool (available here in source code) to scan files and directories and report any mismatch between the extension, the file type as reported by the file tool and the HFS type (you will need libmagic to link it). Feel free to enhance it; in particular you should extend its extension database to fit your needs...
In particular, for the MP3 Trojan, the tool will report: ERROR NON EXECUTABLE WITH 'APPL' FILE TYPE 'virus.mp3'
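As an added illustration of the check the tool performs (this is example code written for this page, not the tool distributed with the post), the Python script below applies the same three comparisons to a file's bytes: does the leading magic match what the extension promises, does a data file carry an executable container signature ('Joy!peff' for PEF) further inside, and is the HFS type 'APPL' attached to content that libmagic-style sniffing recognises as a data format. Instead of libmagic it uses a small constructed magic table, and it takes the HFS type from the first four bytes of the Finder info record (the com.apple.FinderInfo attribute), which the caller supplies; the sample file it builds reproduces the layout described above (ID3 header, PEF tag at offset 0x40) and is constructed, not a real sample.

```python
"""Flag data files that embed a PEF executable and carry the 'APPL' HFS type.
Added example for this page; it is not the libmagic-based tool from the post."""
import os

# Leading magic expected per extension. Constructed starter table; extend it
# for your own environment, as the post suggests for its extension database.
EXT_MAGIC = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3"),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF",),
}

# Executable container tags a data file should never contain:
# 'Joy!peff' opens a PEF container, 0xfeedface is the 32-bit Mach-O magic.
EXEC_SIGNATURES = {
    b"Joy!peff": "PEF",
    b"\xfe\xed\xfa\xce": "Mach-O",
}


def hfs_type_from_finder_info(finder_info):
    """The first four bytes of the Finder info record are the HFS file type."""
    if finder_info is None or len(finder_info) < 4:
        return None
    return finder_info[:4].decode("latin-1")


def find_embedded_executable(data):
    """Return (format_name, offset) of the earliest executable tag, or None."""
    hits = [(data.find(sig), name) for sig, name in EXEC_SIGNATURES.items()]
    hits = [h for h in hits if h[0] != -1]
    if not hits:
        return None
    offset, name = min(hits)
    return name, offset


def scan_file_bytes(name, data, hfs_type):
    """Compare extension, sniffed content and HFS type; return the findings."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    expected = EXT_MAGIC.get(ext)
    looks_like_data = expected is not None and data.startswith(expected)

    # 1. Extension promises a data format but the leading bytes disagree.
    if expected is not None and not looks_like_data:
        findings.append(f"EXTENSION/CONTENT MISMATCH '{name}' ({ext} without its magic)")

    # 2. Recognised data file with an executable container hidden inside.
    exe = find_embedded_executable(data)
    if exe is not None and looks_like_data:
        fmt, offset = exe
        findings.append(f"EMBEDDED {fmt} CODE AT OFFSET 0x{offset:x} IN '{name}'")

    # 3. The Finder would launch it, but the content is a data format.
    if hfs_type == "APPL" and looks_like_data:
        findings.append(f"ERROR NON EXECUTABLE WITH 'APPL' FILE TYPE '{name}'")
    return findings


def scan_directory(root, finder_info_reader=lambda path: None):
    """Walk a tree; finder_info_reader(path) returns the raw Finder info bytes
    (on Mac OS X, wrap the xattr tool there) or None where unavailable."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            hfs_type = hfs_type_from_finder_info(finder_info_reader(path))
            findings = scan_file_bytes(fn, data, hfs_type)
            if findings:
                report[path] = findings
    return report


def build_sample(trojan):
    """Constructed MP3-like bytes: 10-byte ID3 header, then either padding only
    or a PEF tag placed at offset 0x40 as in the case described above."""
    header = b"ID3\x03\x00\x00" + b"\x00\x00\x00\x00"
    body = b"\x00" * (0x40 - len(header))
    if trojan:
        body += b"Joy!peffpwpc" + b"\x00" * 32
    else:
        body += b"\xff\xfb" + b"\x00" * 42
    return header + body


if __name__ == "__main__":
    for line in scan_file_bytes("virus.mp3", build_sample(True), "APPL"):
        print(line)
```

Run on its own, the script prints the embedded-PEF line with offset 0x40 followed by the same ERROR NON EXECUTABLE line the post's tool reports; a clean MP3 carrying the usual 'MPG3' type produces no findings.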