updated 03:10 am EDT, Thu November 4, 2010
Collects user info; removal tool available
The SecureMac team, along with ESet Security, has identified a new variant of the trojan horse they call "Boonana" (Intego and other firms refer to it as a form of the Windows trojan "Koobface," for reasons SecureMac disputes) that uses even crueler trickery to convince users to install it. The companies have also identified new servers actively collecting keylogged data such as user names and passwords. Infection is easy to prevent, and easy to clean up, but the refined setup and misleading lure may fool novice users.
Now called trojan.osx.boonana.b, the variant, like its predecessor, runs on all three major platforms because it is delivered as a Java applet, which runs wherever Java is installed; it relies on the user approving the applet rather than on a flaw in Java itself. Turning off Java in the web browser therefore stops the Trojan before it can even try to install, but users should also be suspicious of the lure itself: although it advertises itself as a video, the Trojan asks for an administrative password to install itself before anything will play.
The new version may arrive as a message on Facebook or another social network, or as an email, and in some cases tells the recipient that "as you are on my friends list, I thought I would let you know I have decided to end my life. For reasons that will be clear please visit my video on this site. Thanks for being my friend. :(" followed by a link to a video supposedly hosted on YouTube, Facebook or another popular video site.
If the user clicks the link, a Java applet installer launches, asking for administrative access and for permission to "allow" other applets from the same server. Should the user go forward anyway, SecureMac says, "the installer then modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the trojan horse hijacks user accounts to spread itself further via spam messages." The company has identified three sites in total that update the variant's code and collect information from infected machines.
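The "run invisibly in the background at startup" behaviour described above is, on Mac OS X, almost always a launchd job in one of the LaunchAgents or LaunchDaemons folders. The script below is an added example, not code from SecureMac, ESET or the article: it walks those folders and flags jobs that start a Java program or jar, or that point at a program hidden in a dot-directory, which is the kind of persistence a Java-applet trojan would leave behind. The sample plists it writes to a temporary directory are constructed for illustration; their labels and paths are not Boonana indicators.

```python
"""Heuristic audit of launchd jobs for Java-based background agents.

Added example, not SecureMac's or ESET's code. The sample jobs written by
build_sample_dir() are constructed for illustration only.
"""
from __future__ import annotations

import plistlib
import tempfile
from pathlib import Path

# Folders launchd reads on Mac OS X; scan_launch_dirs() accepts any folder of
# .plist files, which is how the constructed sample below is checked.
DEFAULT_LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Substrings that indicate a Java program or jar being launched (heuristic).
JAVA_MARKERS = ("java", ".jar")


def _program_tokens(job: dict) -> list[str]:
    """Collect the executable and argument strings a launchd job would run."""
    tokens: list[str] = []
    if isinstance(job.get("Program"), str):
        tokens.append(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list):
        tokens.extend(a for a in args if isinstance(a, str))
    return tokens


def classify_job(job: dict) -> list[str]:
    """Return the reasons a job looks like a Java background agent.

    An empty list means nothing matched. These are heuristics for triage,
    not proof of infection.
    """
    reasons: list[str] = []
    tokens = _program_tokens(job)
    lowered = [t.lower() for t in tokens]
    if any(marker in t for t in lowered for marker in JAVA_MARKERS):
        reasons.append("runs a Java program or jar")
    # A program kept in a dot-directory under the home folder is invisible in
    # Finder, a common way for a background agent to stay out of sight.
    if any(part.startswith(".") for t in tokens for part in Path(t).parts):
        reasons.append("program lives in a hidden directory")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    return reasons


def scan_launch_dirs(dirs) -> list[dict]:
    """Parse every .plist in the given folders and return the flagged jobs."""
    findings: list[dict] = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                with open(plist, "rb") as fh:
                    job = plistlib.load(fh)
            except (plistlib.InvalidFileException, OSError):
                continue  # unreadable or not a plist; skip rather than crash
            reasons = classify_job(job)
            if reasons:
                findings.append(
                    {"path": str(plist), "label": job.get("Label"), "reasons": reasons}
                )
    return findings


def build_sample_dir() -> Path:
    """Write two constructed launchd jobs to a temp folder: one benign, one Java agent."""
    d = Path(tempfile.mkdtemp(prefix="launch-audit-"))
    benign = {
        "Label": "com.example.updater",  # constructed, benign
        "ProgramArguments": ["/usr/local/bin/updater", "--check"],
        "RunAtLoad": True,
    }
    agent = {
        "Label": "com.example.hidden",  # constructed, mimics a Java background agent
        "ProgramArguments": ["/usr/bin/java", "-jar", "/Users/demo/.cache/agent.jar"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for name, job in (("com.example.updater", benign), ("com.example.hidden", agent)):
        with open(d / f"{name}.plist", "wb") as fh:
            plistlib.dump(job, fh)
    return d


if __name__ == "__main__":
    # Point this at DEFAULT_LAUNCH_DIRS on a real Mac; here it uses the sample.
    for finding in scan_launch_dirs([build_sample_dir()]):
        print(finding["path"], finding["label"], "; ".join(finding["reasons"]))
```

On a real machine replace the sample folder with DEFAULT_LAUNCH_DIRS and review each hit by hand; a legitimate Java application can trigger the first heuristic, so the findings are a triage list, not a verdict.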
SecureMac says that as of yesterday the malware servers were still up and running, which makes this variant more likely to spread successfully than the previous one, which was defective and never posed much risk. SecureMac offers a free removal tool that requires Mac OS X 10.5 or later; manual removal instructions for earlier systems are included.
[Details on the wording of the variant and graphic via ESet Security]