Apple is investigating reports that a Trojan horse program has been written for Mac OS X.
Dubbed MP3Virus.gen or MP3Concept, the virus was submitted to Internet security firm Intego on Tuesday as a "proof of concept" or a demonstration of how a weakness in OS X could be exploited by Trojan horse or virus authors with malicious intent. The program is not circulating on the Internet according to Apple and security experts.
Intego announced MP3Concept's existence on Thursday, but the virus's source code suggests it has been in existence since March 20 and Intego CEO Laurent Marteau told NewsFactor that his company received a report of the Trojan Horse from a Mac user on April 6.
If a user opens the MP3Concept MP3 file an executable application hidden in its ID tags will run in the iTunes music program. A dialogue box then pops up reading: "Yep, this is an application. (So what is your iTunes playing now?)"
The MP3Concept is activated only if a user clicks on an infected file in the Finder. If that same file is played from within a music player, such as iTunes, the virus does not activate. If activated, MP3Concept accesses files in the System folder. It has the potential to be modified to delete files or spread by mailing itself to addresses found in the user's address list, according to Intego.
The MP3Concept code appears to be benign, doing no damage to a user's system. But Intego CEO Laurent Marteau told Newsfactor: "We're not sure about that. The code is small but very hard to analyze."
It is thought that the MP3Concept virus may have been developed in response to the popularity of iTunes.
Intego were initially criticized for exaggerating the threat of the Trojan horse. In a press release the company defends its stance saying: "While the first versions of this Trojan Horse that Intego has isolated are benign, this technique opens the door to more serious risks. The exploit that it uses is both insidious and dangerous, and it is our duty as a vendor of Macintosh security solutions to protect our users. We don't believe in waiting until the damage occurs, unlike some of our competitors."
Intego told Dow Jones: "The Trojan's code could be easily modified to cause damage, such as to delete files".
Gartner research director Ray Wagner told MacCentral: "This certainly gives absolute proof that there are vulnerabilities in Mac OS X. In this case it's relatively high-profile because of the use of MP3, but this does not appear to be a terribly big deal."
Network Associates' McAfee Antivirus and Vulnerability Emergency Response Team's Vincent Gullotto told Dow Jones: "If you're on a Mac system today, you are relatively safe from getting infected by a virus. Almost everything is susceptible to some type of attack, whether it be large or small. And there are people out there who are thinking about this all the time."
According to Newsfactor, some security researchers say that a source vulnerability could be the fact that Apple's OS X is based on Berkley Secure Distribution (BSD), a Unix variant but Gartner analyst Ray Wagner disputed that: "The more eyes that look at code, the more chances that vulnerabilities will be caught and fixed by the good guys."
Apple issued a statement on Friday saying: "We are aware of the potential issue identified by Intego and are working proactively to investigate it. While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities."
Intego has released an update for its Mac antivirus product that will block MP3Concept, as has Symantec, the maker of Norton antivirus software.