No Wonder Apple hates Java – New Java Trojan Attacks OS X
Oh snap! Time to panic and blow things out of proportion! Another OS X Trojan Horse is on the loose, and this time it’s personal. Personal, in this case, meaning it can get you where it hurts – FACEBOOK! According to SecureMac (which has more than a passing interest in security fear mongering…)
SecureMac has discovered a new trojan horse in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The trojan is currently appearing as a link in messages on social networking sites with the subject “Is this you in this video?”
When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the trojan horse hijacks user accounts to spread itself further via spam messages. Users have reported the trojan is spreading through e-mail as well as social media sites.
The Java component of the trojan horse is cross-platform, and includes other files that affect Mac OS X as well as Microsoft Windows. There have been reports of similar behavior in recent trojan horses targeting Microsoft Windows, but they have not included cross-platform capabilities until now. The trojan attempts to hide its internet communications and actions through obfuscated code spread through multiple files, and will attempt to contact additional command servers if the primary servers are unavailable.
This trojan horse is currently in the wild affecting users of both operating systems.
“This is a sobering reminder that hackers are turning their efforts toward Mac OS X as Apple’s marketshare grows, and users should be vigilant in protecting their computers and taking precautions when surfing the web,” said Nicholas Ptacek, a security researcher at SecureMac.
SecureMac has released a free removal tool to eliminate this threat, which can be downloaded by visiting http://www.securemac.com or downloaded directly from http://macscan.securemac.com/files/BTRT.dmg
Further updates on the status of this trojan horse can be found at http://www.securemac.com/boonana-bulletin.php, which will be updated as more information becomes available.
Users can protect themselves from infection by turning off Java in their web browser. This can be accomplished in Safari by clicking the Security tab under Safari Preferences, and making sure the “Enable Java” checkbox is unchecked.
SecureMac offers the following tips for safe web browsing habits:
1. Watch where you surf. By sticking with safe, well-known websites, you will be less likely to visit a site that will attempt to infect you with a trojan horse. Be especially careful when surfing to links included in messages on social media sites, even if they come from a friend.
2. Watch what you download. Download files only from trusted sources and safe sites.
3. Use security features in OS X. Turn on the built-in Firewall, and consider security software, especially when a computer is shared by multiple users.
Looks like the virus has a bug that’s preventing it from being a serious risk for most users. I wonder if the programmers coded it using Windows…
“The Java applet should also download an installer that will then launch and attempt to install the malware. While Intego has evidence of several infections in the wild, we are not currently able to go beyond this step, as either the malicious malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files.”
(from http://blog.intego.com/2010/10/27/intego-security-memo-trojan-horse-osxkoobface-a-affects-mac-os-x-mac-koobface-variant-spreads-via-facebook-twitter-and-more/)
Man… this is ridiculous… OMG Security RISK.
I can/could write a Trojan in Objective C, wrap it in an installer, call it “MS Office 2011” or something, give the installer the looks of it and offer it as a torrent or something. If you then install it, entering your admin password, I win.
Threat level? Minimal. If you are so stupid as to give your admin PW to any unverified source… your own fault !!!
The threat is as imminent as saying that, since all households have large kitchen knives, they will all someday be “Scream”-like serial killers.
Technically there is a threat. But realistically… not.
Only bad thing… I have to deal with customers explaining why they STILL DON’T NEED AntiVirus protection on a Mac…
Chris Leither: I think your customers are right! As you yourself say, it’s still extremely hard to get a virus on the Mac, and until one becomes widespread I don’t want crappy AV solutions slowing down my Mac.
@Chris – if it makes them feel better, have your customers run ClamXav. I use it because I connect to a Windows network and it picks up emails that have (Windows) viruses. It’s both a conscientious action to make sure I don’t forward any nasty bugs, and a CYA so no one can claim it came from a Mac user.
I always run the Status Bar on Safari (or Opera or Firefox) so I can always see exactly what a link connects with, not what it says it’s connecting to. If the two don’t match, or if it’s blank, or worst of all, if it’s a jumble of random characters, ain’t no way I’m clicking it.
Now I’m wondering how many different Alerts(!!!) I’ll be getting from ZD/c|net on this one. Their bloggers will make a living off it for about 3 or 4 more days.
@imajoebob
haha… yeah… but in those cases, my boss rather has me selling some intego software. I mean… if they really WANT some antivirus… AND are willing to pay for it…
I just tell them… everytime… that it is not needed… but if they insist, I sell them EVERYTHING.
Ummm, they didn’t turn their attention to the Mac at all. They turned to Java, which is cross-platform, in an effort to dupe Mac users into running this crap.
Luckily for us, most Mac users are smart; it’s really only going to be those new to computing in general, or Windows switchers, who are going to be duped into this, especially the switchers from Windows Vista who are so used to OK-ing everything because their previous OS annoyed the hell out of them.
Way to go Microsoft. Thanks for tarnishing our great reputation you pillocks.
@chris –
Ain’t no real harm in selling them antivirus, so long as you’re not just treating them like a cash cow. And if you’re selling them Dual Barrier it enables them to use a Windows emulator more safely.
aww nono…
I mean… of course you might try to up-sell people or to cross-sell some items, but I never try to milk them. Wouldn’t do any good anyway. If they realized that I was just milking them they’ll never come back. If they do see though, that I sell them exactly what they need… totally different story.