Posted by: David Harley | September 20, 2013

Trust Me, I’m a Data File

Hat tip to my friend and sometime co-author Robert Slade, for bringing to my attention a Dilbert cartoon somewhat relevant to some of the recent conversation about Apple’s iPhone fingerprint scanning technology, despite its age.

Meanwhile, Kevin Townsend – whom I’d also regard as a friend despite all the occasions when I’ve disagreed with him publicly, usually about AMSO – also drew my attention to something interesting. In an article called ‘Mac Trojans Easy to Write says Researcher’ he cites a blog by Tripwire’s Ken Westin, in which Westin describes a technique for disguising a malicious app as a different type of file by concealing the .app extension with a Unicode homoglyph. I’m not sure that too many people nowadays think that it isn’t possible to write an OS X Trojan – in fact, even back in the days when Macs were supposed to be impregnable, every suggestion of Mac malware generated a chorus of ‘that’s not a virus, it’s a trojan’, as if somehow that made all the difference. Apps disguising themselves as data files predate OS X, and in fact Amphimix, often assumed to be the first OS X malware, passed itself off as an MP3. And that’s not actually the camouflage technique used by OSX/Leverage, which opens a JPEG within the app bundle so as to look like a picture. But it’s quite interesting (I haven’t tried it out, though). In fact, useful though Unicode is, it’s quite often been used to facilitate an attack, or at least to generate confusion.

David Harley
Small Blue-Green World
ESET Senior Research Fellow
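
An added example, not part of the original post or of the blog it cites: a check a defender could run over file names to flag an application bundle that would look like a data file once its .app extension is hidden, including when the look-alike extension is spelled with homoglyphs. It assumes the disguise appears as a data-file-style inner extension in front of the real .app; the look-alike map, the extension list and the sample names are all constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small look-alike map (assumption); a production
# check would use the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0440": "p",  # Cyrillic er
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0501": "d",  # Cyrillic komi de
    "\u0261": "g",  # Latin script g
}
DATA_EXTS = {"pdf", "jpg", "jpeg", "png", "mp3", "doc", "txt"}  # sample list


def skeleton(text):
    """Fold compatibility forms, case and the mapped look-alikes."""
    folded = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_bundle_name(name):
    """Return findings for one file name; an empty list means no flag."""
    if not name.lower().endswith(".app"):
        return []                      # not an application bundle
    stem = name[:-len(".app")]         # what is shown when .app is hidden
    _, dot, inner = skeleton(stem).rpartition(".")
    if not dot or inner not in DATA_EXTS:
        return []
    findings = [f"bundle name ends in data-file extension '.{inner}'"]
    if not stem.rpartition(".")[2].isascii():
        findings.append("that extension is spelled with non-ASCII look-alikes")
    return findings


# Constructed sample names, not taken from any real sample.
SAMPLES = ["Safari.app", "holiday.jpg", "report.pdf.app",
           "report.\u0440df.app", "\u00dcbersicht Notes.app"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check_bundle_name(sample))
```

Ordinary non-ASCII names such as the last sample are not flagged; only a data-file-style inner extension on a bundle is.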
