#10
April 9th, 2004
Dakidd
Novicius
Join Date: April 9th, 2004
Posts: 1

Greetings...

Well, first, three words:

HO-LEEE-CRAP!!!!

Does this thread mean that someone has picked up what I *THINK* may be my original concept and took off running with it???

Back around the 20th of March or thereabouts, I posted a message to usenet that got me thinking, and worrying. It involved the potential transport of a virus/worm/trojan-like payload in the ID3 tags of an MP3 file. When I posted, it was complete "pie in the sky", with no sort of reality to it whatsoever - pure "thought games". But at least in theory, it seemed like something that could be possible.

Not long after I made the post, before I'd actually accomplished anything more substantial than confirming that it *MIGHT* be *POSSIBLE* under *SOME* circumstances with my experiments in that direction, I got an email containing an attachment. That attachment came from someone I didn't (and still don't) know from Adam - One "Bo Lindbergh". Its content was what he called a "proof of concept virus" - It was an MP3 that played a section taken from one of those "maniacal laughter" soundtracks when loaded into an MP3 player, and at the same time, it was an executable file that did what amounts to saying "If this had been a real virus, you'd be infected right now. Be glad it was only a test." It confirmed my worst fears for the concept - Not only was it doable, Bo had proven to my satisfaction (and far beyond) that it was *EASILY* doable - I don't think it was 48 hours from my post to the arrival of the proof of concept in my mailbox.

The original post was intended as a thought problem and/or sanity-check - "Hey guys, am I freaking out prematurely, or is this an actual possibility - It sounds logical to me?" What it generated was downright scary. An all-too real trojan/viral threat against Macs that had, apparently, never been considered before. Not my intent at all... In all honesty, I was *HOPING* to get shot down in flames as a complete raving paranoid nutbar. The reality turns out to be that I was neither nuts nor paranoid, and the threat is not only plausible, but entirely practical, and all too real.

Now I'm finding that my "bright idea" has taken on a life of its own, and even prompted one company to develop a "cure" for a "disease" that to my knowledge, doesn't actually exist yet, except as a lone proof-of-concept MP3 file. I've made slashdot, however indirectly, because of it. Not exactly my intent when I first dragged my post out of a newsgroup devoted to electronic schematic diagrams into a mac-related group with every hope that I'd get shot down in a ball of flames, the likes of which haven't been seen since Baron von Richthofen's Fokker was swatted down.

To the nay-sayers who are claiming that the payload isn't in the ID3 tags - In *THIS* version, that may be true, but I can see absolutely no reason why that couldn't be the case. If one doesn't care about the possibility of "audio garbage" at the start of the playable MP3 data (and who hasn't downloaded (or even created) at least one MP3 file that has a "glitch" in it somewhere?) it's trivial to set things up so that the first MP3 block is actually a minimal PEF container that does nothing but jump to a predetermined byte-offset within the file - A byte-offset that is the start of executable code stored in one (or more) of the ID3 tags that can be present. (My original proposal was to store the executable in the ID3 tag normally earmarked for album-cover images - Imagine that - a tag that's designed to hold an arbitrary-length chunk of binary data holding binary data that's malware...)

If properly constructed, such an MP3 file would be playable (with a minor glitch at the beginning of the audio) by any MP3 player, on any platform, that doesn't choke on files containing ID3 information. But if double-clicked from the Finder on a MacOS machine, it fires up as an application, and does whatever the code embedded in the ID3 tag commands. As added camouflage, I can see no reason why the final action taken by the "payload" couldn't be a command to open and play the MP3 using whatever MP3 player the victim may have on his/her computer, giving even more "authenticity" to the infected file. I can see the logic already - "I double-clicked it, and it said 'Congratulations, sucker! You just got hit with a virus.' It scared me for a second, but then I opened it up in <insert name of user's preferred MP3 player> and it did the same thing. Whew... Big deal. Somebody recorded himself saying 'Congratulations, sucker! You just got hit with a virus.', then passed it out over Gnutella as an MP3 file. Ha-ha. How clever. Very funny. But no big deal, since everybody knows that you can't get a virus from an MP3!"

Yet underneath lies the sinister truth: While the "music" was playing, some, perhaps all, of your shared MP3 files have been similarly infected, so the next time you hook up to the Gnutella network, you've just become another source for the virus. One only has to pause and think for a moment about the ramifications of that - A Mac virus/trojan. In a file that is compatible across all major platforms (even if it isn't directly EXECUTABLE on all of them) without needing any special handling to preserve any special Mac attributes. Running loose on a transport system that's at least partially designed to keep sources of a file obscured from easy view. And where the occasional "glitched" file is a normal fact of the medium. Put it all together, and it becomes a potential nightmare...

I welcome commentary via email - I'm posting here only because one of your members emailed me with a "please come settle the argument" type message. I don't normally pay much attention to forum sites like this one, so it's unlikely that I'll catch any discussion that happens here.

If you would like to email me on the topic, be aware of the draconian filtering I have in place on my mailbox - see <http://www.sonic.net/~dakidd/main/contact.html> for the method to bypass the filters...

Sorry to be so long-winded, but thanks for reading!

Don
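The defensive counterpart to what Don describes above, as an added example that is not part of his post and not derived from the proof-of-concept file he received: a small Python scanner that parses a leading ID3v2 tag, finds the first MPEG audio frame, and reports executable-container magic (the PEF "Joy!peff" tag, Mach-O magics) found in the tag, in leading bytes before the first frame, or anywhere else in the file. The MPEG header sanity check, the region labels and the sample files are this example's own assumptions; the sample "files" are constructed in the script and contain only the 8-byte PEF magic followed by zeros, not an executable.

```python
import struct

# Executable container magics relevant to the Mac platforms the post discusses.
# Classic/CFM executables are PEF containers beginning with 'Joy!peff';
# Mac OS X native executables are Mach-O. (0xCAFEBABE is also the Java class
# magic, so treat that hit with more suspicion of a false positive.)
EXEC_SIGNATURES = {
    b"Joy!peff": "PEF container (CFM executable)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (byte-swapped)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (byte-swapped)",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary (or Java class)",
}


def syncsafe_to_int(raw: bytes) -> int:
    """Decode an ID3v2 'syncsafe' integer: 7 payload bits per byte, high bit clear."""
    value = 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
    return value


def id3v2_tag_size(data: bytes) -> int:
    """Total bytes occupied by a leading ID3v2 tag (header + body + optional footer), 0 if none."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    major, flags = data[3], data[5]
    body = syncsafe_to_int(data[6:10])
    footer = 10 if (major == 4 and flags & 0x10) else 0  # ID3v2.4 footer flag
    return 10 + body + footer


def is_mpeg_frame_header(data: bytes, off: int) -> bool:
    """Cheap sanity check for an MPEG audio frame header at offset `off`."""
    if off + 4 > len(data):
        return False
    b0, b1, b2 = data[off], data[off + 1], data[off + 2]
    if b0 != 0xFF or (b1 & 0xE0) != 0xE0:  # 11-bit frame sync
        return False
    if (b1 & 0x06) == 0:                    # layer index 00 is reserved
        return False
    if (b2 & 0xF0) == 0xF0:                 # bitrate index 1111 is invalid
        return False
    if (b2 & 0x0C) == 0x0C:                 # sample-rate index 11 is reserved
        return False
    return True


def first_frame_offset(data: bytes, start: int) -> int:
    """Offset of the first plausible MPEG frame at or after `start`, or -1."""
    for off in range(start, len(data) - 3):
        if is_mpeg_frame_header(data, off):
            return off
    return -1


def scan_mp3(data: bytes) -> dict:
    """Locate executable magics and say which region of the MP3 layout they sit in."""
    tag_end = id3v2_tag_size(data)
    frame_off = first_frame_offset(data, tag_end)
    findings = []
    for magic, name in EXEC_SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            if pos < tag_end:
                region = "id3v2 tag"
            elif frame_off != -1 and pos < frame_off:
                region = "leading bytes before first frame"
            else:
                region = "audio stream or trailing data"
            findings.append({"signature": name, "offset": pos, "region": region})
            pos = data.find(magic, pos + 1)
    return {"id3v2_size": tag_end, "first_frame": frame_off,
            "findings": findings, "suspicious": bool(findings)}


# --- Constructed sample inputs (not real files) ---------------------------------
def _id3v2_frame(frame_id: bytes, body: bytes) -> bytes:
    # ID3v2.3 frame: 4-byte id, 4-byte big-endian size, 2 flag bytes, body
    return frame_id + struct.pack(">I", len(body)) + b"\x00\x00" + body


def _id3v2_tag(frames: bytes) -> bytes:
    size = len(frames)
    syncsafe = bytes(((size >> shift) & 0x7F) for shift in (21, 14, 7, 0))
    return b"ID3\x03\x00\x00" + syncsafe + frames


# MPEG-1 Layer III header (128 kbps, 44.1 kHz) plus filler to a 417-byte frame.
FAKE_FRAME = b"\xff\xfb\x90\x00" + b"\x00" * 413

# Ordinary file: a title frame, then audio.
BENIGN_MP3 = _id3v2_tag(_id3v2_frame(b"TIT2", b"\x00Laugh Track")) + FAKE_FRAME * 3

# Album-art (APIC) frame whose body carries the PEF magic instead of image data.
APIC_BODY = b"\x00image/jpeg\x00\x03\x00" + b"Joy!peff" + b"\x00" * 32
TAGGED_PAYLOAD_MP3 = _id3v2_tag(_id3v2_frame(b"APIC", APIC_BODY)) + FAKE_FRAME * 3

# PEF magic ahead of the audio with no ID3 tag at all (the "glitch at the start" case).
LEADING_PAYLOAD_MP3 = b"Joy!peff" + b"\x00" * 24 + FAKE_FRAME * 3

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_MP3), ("apic", TAGGED_PAYLOAD_MP3),
                        ("leading", LEADING_PAYLOAD_MP3)):
        print(label, scan_mp3(blob))
```

The region label is the useful part of the report: an APIC frame legitimately holds arbitrary binary data, so a hit there says "executable header inside the cover-art slot", whereas a hit before the first frame matches the leading-block construction described in the post. A magic-string match is only a heuristic: it misses a payload stored without a recognisable header, and it does nothing about the underlying problem on the Mac side, which is the system deciding to launch a file whose name and icon say "audio".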