OS X Trojan

Concept

There’s a common attack on Windows systems that abuses Windows XP’s “Hide extensions for known file types” option, which is on by default (a “feature”, if such it can be called).

With that option on, Explorer hides the last extension of a file name, so that example.doc is shown as just example. Nefarious people have exploited this to disguise programs as documents: a file called example.doc.exe is displayed as example.doc, looks innocuous to an unsuspecting user, and runs as a program when opened. Ideal for virus propagation, for example.

Unfortunately, it turns out that something similar is possible on OS X, too.

OS X uses application bundles, which are really just specially-organised directories. By giving a directory the extension .app, OS X will handle it as an application, and run the executable inside the bundle (under Contents/MacOS) when it’s double-clicked. Significantly, the Finder hides the .app extension for applications: Safari.app is shown as just Safari.

The obvious exploit is to give your application two extensions, in the hope that it will display only the first.

Nope. Apple have considered that. The Finder recognises the potential trap. example.jpg.app is displayed with its full name, including the .app part.

However, there is a way around this. Unicode contains several characters that look like periods, but aren’t really. The Finder’s double-extension check evidently looks for a real full stop (U+002E), so if one of the look-alikes is used instead of the first dot, a name such as example‹look-alike›jpg.app contains only one genuine extension. The Finder treats it as an ordinary application, hides the .app, and displays what looks like example.jpg.
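A check that models the behaviour described above and flags names that would fall into the trap. This is an added example, not code from the original post: the Finder rule is modelled as “hide a trailing .app only when the rest of the name contains no ASCII dot”, which is my reading of the paragraphs above rather than Apple’s documented logic, and the list of dot look-alikes is my own selection (the post does not say which character the author used). It also inspects Zip archives, since that is how the bundle has to travel.

```python
"""Flag bundle names that hide a fake extension behind a Unicode look-alike dot.

Added example, not the original post's code. Assumptions: the Finder rule is
modelled as "hide a trailing .app only when the remainder holds no ASCII '.'",
and DOT_LOOKALIKES is my own selection of characters (the post names none).
"""
import io
import os
import unicodedata
import zipfile

# Characters that render like a period in most fonts but are not U+002E.
# Constructed list; U+2024, U+FE52 and U+FF0E also NFKC-normalise to '.'.
DOT_LOOKALIKES = {
    "\u2024": "ONE DOT LEADER",
    "\u00b7": "MIDDLE DOT",
    "\u2219": "BULLET OPERATOR",
    "\u22c5": "DOT OPERATOR",
    "\ufe52": "SMALL FULL STOP",
    "\uff0e": "FULLWIDTH FULL STOP",
}


def finder_display_name(name: str) -> str:
    """Model of what the Finder shows: '.app' is hidden unless the rest of
    the name already carries another (ASCII) extension."""
    if name.lower().endswith(".app"):
        stem = name[:-4]
        if "." not in stem:
            return stem
    return name


def dot_lookalikes(name: str):
    """[(offset, char, unicode name)] for every dot look-alike in name.
    Catches the explicit list plus anything NFKC folds to a real '.'."""
    hits = []
    for i, ch in enumerate(name):
        if ch == ".":
            continue
        if ch in DOT_LOOKALIKES or unicodedata.normalize("NFKC", ch) == ".":
            hits.append((i, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits


def analyse(name: str) -> dict:
    """Summarise one file name; 'suspicious' is the trap the post describes:
    the Finder would hide .app AND the visible part contains a fake dot."""
    shown = finder_display_name(name)
    hidden = shown != name
    hits = dot_lookalikes(name)
    return {
        "name": name,
        "shown": shown,
        "bundle_hidden": hidden,
        "lookalikes": hits,
        "suspicious": hidden and bool(hits),
    }


def suspicious_names(names):
    return [n for n in names if analyse(n)["suspicious"]]


def scan_zip(src):
    """Top-level entries of a Zip archive (path or file object) that look like
    disguised bundles. Run this before extracting, not after."""
    with zipfile.ZipFile(src) as zf:
        tops = {member.split("/", 1)[0] for member in zf.namelist()}
    return sorted(suspicious_names(tops))


def scan_directory(path):
    """Bundles already on disk: directories the Finder would show without
    their .app and whose name contains a dot look-alike."""
    with os.scandir(path) as it:
        return sorted(e.name for e in it
                      if e.is_dir() and analyse(e.name)["suspicious"])


def build_sample_zip() -> io.BytesIO:
    """Constructed archive: a genuine-looking JPEG next to a bundle named with
    U+2024 ONE DOT LEADER, mirroring the monkey.jpg demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("monkey.jpg", b"\xff\xd8\xff\xe0 constructed, not a real image")
        zf.writestr("monkey\u2024jpg.app/Contents/Info.plist", b"<plist/>")
        zf.writestr("monkey\u2024jpg.app/Contents/MacOS/monkey", b"#!/bin/sh\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for n in ["monkey.jpg", "monkey.jpg.app", "monkey\u2024jpg.app", "Safari.app"]:
        r = analyse(n)
        print(f"{r['shown']!r:24} suspicious={r['suspicious']}  raw={n!r}")
    print("archive:", scan_zip(build_sample_zip()))
```

The NFKC fold is the part worth keeping even if the explicit list goes stale: compatibility normalisation maps several of the look-alikes back to U+002E, so the check catches characters nobody thought to enumerate. A name containing a look-alike is never legitimate in practice, so treating any hit as a reason to look at the Kind column is reasonable.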

Demonstration

I have created a proof-of-concept. It looks like a file named monkey.jpg. The application icon is a thumbnail image of a monkey. When run, it opens an image of a monkey, called monkey.jpg, in the Preview application—exactly as a normal JPEG would have done, in order to avoid alerting the user to anything untoward. It then executes some code in the background. In this case, all the code does is to write a file to the desktop, pwned!.txt, explaining what just happened.

Real image and trojan viewed in Finder

Notes

This problem is not as critical as its Windows equivalent because an OS X application bundle is a directory, so it can’t be transferred as-is as a single file or as an e-mail attachment. This makes spreading a lot harder. The bundle must be archived first; I have used a Zip archive for this demonstration. A disk image would also work, but looks less like an innocent picture.

At the same time, however, the scarcity of in-the-wild attacks on OS X has led to complacency and poor security practices among users. OS X users are, perhaps, less likely to be suspicious of unknown files than Windows users have learnt to be.

For a genuine image file, the Finder shows the image’s dimensions in blue under the file name (visible in the screenshot above); for the trojan application there is no such line. In practice, I suspect that most users wouldn’t notice. It also doesn’t help at all for other types of file for which no such information is displayed.


Comments

  1. PecosBill

    Wrote at 2005-11-02 09:39 UTC using Firefox 1.0.7 on Windows XP:

    There was a similar discovery a while back with hiding resource code in what otherwise is a data file. I don’t think that Apple ever patched that one, but the way to check for this is to set up your download folder to view by list. If there is application code that the system will execute, it will have Application as the kind.