
Variant of "Boonana"/"Koobface" trojan surfaces

updated 03:10 am EDT, Thu November 4, 2010

Collects user info; removal tool available

The SecureMac team, along with ESET Security, has identified a new variant of the trojan horse malware it calls "Boonana" (Intego and other firms refer to it as a form of the Windows trojan "Koobface," for reasons SecureMac disputes) that uses even crueler trickery in an attempt to convince users to install it. In addition, the companies have identified new servers actively collecting keylogged data such as user names and passwords. Though infection is easy to prevent, and the trojan easy to remove if a machine is infected, the refined setup and misleading lure may fool novice users.

Now called trojan.osx.boonana.b, the variant, like its previous version, is able to run on all three major platforms because it exploits a multi-platform vulnerability in Java. Turning off Java in the web browser is an effective way to prevent the trojan from even trying to install, but users should also be suspicious on their own: although it advertises itself as a video, the trojan asks for the administrative password in order to install itself.

The new version may appear as a message on Facebook or other social networks, or as an email, and in some cases advises the recipient that "as you are on my friends list, I thought I would let you know I have decided to end my life. For reasons that will be clear please visit my video on this site. Thanks for being my friend. :(" with a link to a video (purported to be on YouTube or Facebook or other popular video sites).

If the user clicks the link, a Java applet installer is launched asking for administrative access and to "allow" other applets from the same server. Should the user still go forward, SecureMac says "the installer then modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the trojan horse hijacks user accounts to spread itself further via spam messages." The company has identified a total of three sites updating the code of the variant and collecting information from the infected machines.

SecureMac says that as of yesterday the malware servers were still up and running, which increases the risk that this variant will spread more successfully than the previous version, which was malformed and never carried much risk of succeeding in its attacks. SecureMac offers a free removal tool that requires Mac OS X 10.5 or higher (manual removal instructions for users on earlier systems are included).

[Details on the wording of the variant and graphic via ESet Security]

By Electronista Staff
Comments

  1. wrenchy

    Forum Regular

    Joined: Nov 2009

    -30

    Here come the viruses.


    Welcome to the world of Anti-Virus and malware protection Mac Fans. You want increased market share for OSX? Then you'll have to deal with the rest of the baggage.

    Where's the smugness now? It's only going to get worse from here.

    If an iPad can get hacked from clicking a button on a website, what else can happen??

    Suck it iBoys.

  2. Hillbilly Geek

    Fresh-Faced Recruit

    Joined: Aug 2006

    +10

    gee, wrenchy

    you sound... tense. Take an Apple, it's good for the digestion.

  3. facebook_Michael

    Via Facebook

    Joined: Nov 2010

    +9

    these attacks only work on simple-minded...

    folk who have no clue.

    Nothing can protect them from social engineering attacks like this.

    @wrenchy, this isn't even close to the tons of c*** that can attack Windows.

  4. nitram_again

    Fresh-Faced Recruit

    Joined: Nov 2001

    +2

    Turn off Java

    I went to turn off Java in Safari only to discover I'd done it already some time ago. No ill effects noted so far.

  5. MacnnReader

    Fresh-Faced Recruit

    Joined: Oct 2010

    +7

    Wrenchy is a bitter boy

    The fact that I can get malware on Windows without doing anything but go to a compromised web site is not my fault. The fact that I can only get malware on a Mac by putting in my admin password is not my fault. Go home and get some therapy, dude.

  6. MacScientist

    Junior Member

    Joined: Feb 2000

    0

    Although there appears to be not much here,

    the most important question is sidestepped. That question is: "Is there any evidence that this Java malware can do anything on a Mac if it is properly installed?"

  7. testudo

    Forum Regular

    Joined: Aug 2001

    -8

    @Michael

    these attacks only work on simple-minded...folk who have no clue.

    Nothing can protect them from social engineering attacks like this.

    Right. Just like most of the attacks on Windows. But most Mac users skip over that fact...

  8. Mr. Strat

    Junior Member

    Joined: Jan 2002

    +2

    Let the myths continue

    Here we go again...as Macs become more popular...yada...yada...yada...

    It ain't about market share. It's about how S***** Windows is designed.

    I take the same stance as before on this one - Ooooo...I'm scared!

  9. IxOsX

    Fresh-Faced Recruit

    Joined: Feb 2009

    +1

    Wrenchy the buried

    @Wrenchy: It's nice to see that there are "Windows only" people using these forums. By the way! Do you have any OSX machine? Just curious. But there is one thing I advise you to do before speaking about viruses and security on non-Windows systems: learn some computer architecture and kernel security. After that, check the global picture and reach an exempt conclusion. If you stand by your words, then you have a big problem.

  10. charlituna

    Fresh-Faced Recruit

    Joined: Sep 2009

    +1

    i wonder

    what this new one-click Facebook login 'feature' will do to help out such sites. Because right now I can change my Facebook login and lock out such malware. But as I understand it, with this new feature, if I do that, it will change for everything I ever logged in to. Hopefully there are details that haven't been explained that cover how they are preventing such attacks. Not that I would fall for them, but I can't say that about my family (especially my mother).
