The Mac Observer

Security Firm Identifies Cross Platform Trojan Horse


Security firm SecureMac has identified a new cross platform trojan horse that targets Mac users and works on Mac OS X systems. The company has dubbed the trojan horse malware package “trojan.osx.boonana.a,” and said it is spreading via social network services such as Facebook disguised as a video with the subject, “Is this you in this video?”

A trojan horse is a term used to describe software (as in maliciously crafted software, or malware) that is disguised as something benign. It requires user interaction to install itself, which almost always means that a Mac user has to give the malware permission to install itself, including entering their password.


Boonana, however, is a Java applet disguised as a video, and the installer for the malware launches when users click the video link. That installer, assuming the user gives it permission and a password, then installs system files that SecureMac says bypass the need for a password in the future. Those files also give the bad guys full access to your Mac, and report to various servers on the Internet.

The software also then seeks to spread itself through e-mail messages and social networking services, in your name.

Boonana was first publicly identified by SecureMac, which has updated MacScan, its antivirus software for the Mac, to combat the trojan horse. Competitor Intego has issued its own statement about Boonana. According to Intego, Boonana is a Mac-compatible version of an older worm called Koobface.

The firm also specified that Boonana, “propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements.” That’s for the antiviral pedants out there who take exception to the term “trojan horse.”

Intego characterized the risk represented by Boonana as “Low,” calling it a “flawed” implementation. SecureMac rated it as a “Critical” risk.

 


9 Observer Comments

ilikeimac said on October 27th, 2010 at 4:53 PM (Edited: 10/27/2010 7:04 PM):

I unfriended someone recently whose account was sending me this message. I think my brother’s old Hotmail was sending it out for a while too. Funny thing was that the Facebook one didn’t always send a link with it, and sometimes its Facebook chat “conversations” would break off after I replied, so Facebook may have been blocking some of its payloads anyway.

ilikeimac said on October 27th, 2010 at 4:58 PM (Edited: 10/27/2010 7:04 PM):

On that subject, has anyone else seen Facebook’s security measure that notifies you when someone logs into your account from a geographic location that’s unusual for you? I was travelling out of state last week and it asked me to confirm that it was okay for my account to be accessed from Colorado since I normally log in from Texas. Not a bad idea, but like many security measures it was a pain to deal with just so I could see someone’s photo real quick.

Nemo said on October 27th, 2010 at 5:00 PM (Edited: 04/06/2011 11:14 AM):

To deal with this, you can disable Java in Safari, which I don’t have much use for anyway, and you can set the Preferences in QuickTime Player 7 so that it won’t play movies automatically but requires your permission to play movies.

On that subject, has anyone else seen Facebook’s security measure that notifies you when someone logs into your account from a geographic location that’s unusual for you?

I got such a notice about a login from Ankara, Turkey. I couldn’t find any “damage” to my Facebook page, but there’s not much there to damage. I did change my password.

Lee Dronick said on October 27th, 2010 at 5:57 PM (Edited: 10/18/2011 6:20 PM):

To deal with this, you can disable Java in Safari, which I don’t have much use for anyway, and you can set the Preferences in QuickTime Player 7 so that it won’t play movies automatically but requires your permission to play movies.

Good tips Nemo. I would also like to add to uncheck the “Open safe files after downloading” in the General preference pane of Safari. You can always open files manually, but if something downloads automatically or without your permission then you have an opportunity to investigate.

Another, hopefully obvious, tip.  NEVER change your password from a link provided in such an e-mail - always go to the main entry page (check the URL) and navigate down from there.

Why? A common scam is to send an e-mail asking you to change your password and helpfully provide a bogus URL.  I almost got caught with one of these once, but noticed something suspicious and immediately changed my password via the regular interface and then called the bank’s tech support.  While I was on the phone to the customer service guy, he reported two attempts to access my account!

Bosco (Brad Hutchings) said on October 27th, 2010 at 6:47 PM (Edited: 05/26/2012 12:39 AM):

To deal with this, you can disable Java in Safari, which I don’t have much use for anyway

I guess you don’t use LogMeIn. It’s a pretty useful cross-platform remote computer access tool. Java applet.

Having Java enabled in your browser is an invitation to a security breach. For everyday browsing it should be turned off. It should come turned off by default in Safari, in fact. On the rare occasions I have a real need for something done in Java, I turn it on for that use and then turn it back off.

Lee Dronick said on October 29th, 2010 at 1:24 PM (Edited: 10/18/2011 6:20 PM):

It doesn’t seem to be as bad as has been reported, see Intego’s update
