Re: Can iTunes run AppleScript as well as Trojan code?
Re: Can iTunes run AppleScript as well as Trojan code?
- Subject: Re: Can iTunes run AppleScript as well as Trojan code?
- From: Graff <email@hidden>
- Date: Tue, 13 Apr 2004 13:36:25 -0400
On Apr 13, 2004, at 3:25 AM, Mark Douma wrote:
On Apr 09, 2004, at 12:52 AM, Graff wrote:
The part about it opening in iTunes and acting like an MP3 looks to
be a side affect of the file having proper ID3 tags. According to
what I've read this type of trojan can't do anything at all to
iTunes, it's when you try to open the file directly through the
Finder or some other launcher program that the trojan comes into
effect. The ID3 tags are just there to further throw you off.
While I could be wrong, in my understanding, the ID3 tags are there to
contain or "wrap around" the actual CFM PPC executable code, which
(must?/usually) resides in the data fork of of a single-file dual-fork
CFM type application. The resource fork of the application contains
the 'cfrg' (Code Fragment Directory) resource which contains a pointer
to the where the executable code is stored. Ordinarily, this points to
the very beginning of the data fork. In the case of this "trojan",
however, you can see in this image:
http://homepage.mac.com/mdouma46/virus.gif that the PPC code is
simply shifted 64 bytes forward, and the 'cfrg' resource is changed to
reflect this. Since ID3 tags can basically consist of anything, that's
a way for the PPC code to exist in the data fork, yet for the file to
be a "legit" MP3 file and play correctly in iTunes.
Right, but they could have made the file a gif or a jpeg or some other
type of file and it still would work. It doesn't hinge on iTunes, it
hinges on the way the Finder interprets the file type and extension.
- Ken
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.