Forgot to say this, but the Unsanity folks had previously posted details on a different fake icon method. This uses a “strong binding” resource to change both the icon and the application used to open a document; when the document is a malicious Terminal script, the effect is much the same as hiding an application under a document icon.
In any event, the principle is the same: forcing the Finder to display an icon different from the one ordinarily defined by the normal characteristics of the file. Both methods subvert a useful feature which was implemented with some cost.
Leave a Comment