Security Firm Identifies Cross Platform Trojan Horse


Security firm SecureMac has identified a new cross-platform trojan horse that targets Mac users and runs on Mac OS X systems. The company has dubbed the malware package “trojan.osx.boonana.a,” and said it is spreading via social networking services such as Facebook, disguised as a video with the subject line “Is this you in this video?”

“Trojan horse” is the term for software (here, maliciously crafted software, or malware) that is disguised as something benign. It requires user interaction to install, which on a Mac almost always means the user has to give the malware permission to install itself, including entering their password.


Boonana, however, is a Java applet disguised as a video, and the malware’s installer launches when users click the video link. That installer, assuming the user gives it permission and a password, then installs system files that SecureMac says remove the need for a password in the future. Those files also give the attackers full access to the Mac and report back to various servers on the Internet.

The software also then seeks to spread itself through e-mail messages and social networking services, in your name.

While first publicly identified by SecureMac, which has updated its antivirus software for the Mac called MacScan to combat the trojan horse, competitor Intego has issued its own statement about Boonana. According to Intego, Boonana is a Mac-compatible version of an older worm called Koobface.

The firm also specified that Boonana, “propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements.” That’s for the antiviral pedants out there who take exception to the term “trojan horse.”

Intego characterized the risk represented by Boonana as “Low,” calling it a “flawed” implementation. SecureMac rated it as a “Critical” risk.


Comments

ilikeimac

I unfriended someone recently whose account was sending me this message. I think my brother’s old Hotmail was sending it out for a while too. Funny thing was that the Facebook one didn’t always send a link with it, and sometimes its Facebook chat “conversations” would break off after I replied, so Facebook may have been blocking some of its payloads anyway.

ilikeimac

On that subject, has anyone else seen Facebook’s security measure that notifies you when someone logs into your account from a geographic location that’s unusual for you? I was travelling out of state last week and it asked me to confirm that it was okay for my account to be accessed from Colorado since I normally log in from Texas. Not a bad idea, but like many security measures it was a pain to deal with just so I could see someone’s photo real quick.

Nemo

To deal with this, you can disable Java in Safari, which I don’t have much use for anyway, and you can set the Preferences in QuickTime Player 7 so that it won’t play movies automatically but requires your permission to play movies.

gslusher

On that subject, has anyone else seen Facebook’s security measure that notifies you when someone logs into your account from a geographic location that’s unusual for you?

I got such a notice about a login from Ankara, Turkey. I couldn’t find any “damage” to my Facebook page, but there’s not much there to damage. I did change my password.

Lee Dronick

To deal with this, you can disable Java in Safari, which I don’t have much use for anyway, and you can set the Preferences in QuickTime Player 7 so that it won’t play movies automatically but requires your permission to play movies.

Good tips Nemo. I would also like to add to uncheck the “Open safe files after downloading” in the General preference pane of Safari. You can always open files manually, but if something downloads automatically or without your permission then you have an opportunity to investigate.

Nom

Another, hopefully obvious, tip. NEVER change your password from a link provided in such an e-mail - always go to the main entry page (check the URL) and navigate down from there.

Why? A common scam is to send an e-mail asking you to change your password and helpfully provide a bogus URL. I almost got caught with one of these once, but noticed something suspicious and immediately changed my password via the regular interface and then called the bank’s tech support. While I was on the phone to the customer service guy, he reported two attempts to access my account!

Bosco (Brad Hutchings)

To deal with this, you can disable Java in Safari, which I don’t have much use for anyway

I guess you don’t use LogMeIn. It’s a pretty useful cross-platform remote computer access tool. Java applet.

jfbiii

Having Java enabled in your browser is an invitation to a security breach. For everyday browsing it should be turned off. It should come turned off by default in Safari, in fact. On the rare occasions I have a real need for something done in Java, I turn it on for that use and then turn it back off.

Lee Dronick

It doesn’t seem to be as bad as has been reported, see Intego’s update
