magmatic.com - Squawk Box

There is a report that a Mac OSX Trojan is spreading via email, social media and networking sites. The delivery method uses Java, which has the added advantage to the attacker of being platform specific. The link usually states "is this you in this video" but has been seen in various forms.

Currently Microsoft has reported a raise in malware related to Java. Since it is widely used and is not platform specific it would only be logical to use for malicious activity. (Flash and Acrobat is choose for these reasons. Secure Mac has labeled the virus trojan.osx.boonana.a and is offering a free removal tool. Users can also use Java Preferences.app to limit the effects including amount of cache available and redistricting java apps using Verify Mixed Security Code that controls sand-boxing. Additionally setting related to allowing users to grant permissions and handling of signed/unsigned content.

If Java is not used then it should be disabled in Safari. Check back as more information becomes available.

Update on Wednesday, October 27, 2010 at 04:42PM by

drStrangeP0rk

Intego has provided more details regarding the malware reported and has tagged is OSX/Koobface.A. If you are infected the varient they have studied installs and invisible folder in the users home directory. In terminal perform ls -a to view invisible files. Look for a folder .jnana, if you have one then you are infected. The best defense option is to disable Java, notify users and check Java Preferences.app in /Utilities. Here you can set how an untrusted applet are handled.

The code within the sample we have is not sophisticated enough to really represent a high level of Mac Programming skill but Mac users should expect more. The Windows files match various Koobface worm signatures in that it attempts to steal sensitive information from the users computer. The Mac code connects to a server to load additional files which in Koobface fashion alters the DNS lookups of various sites, executes a web server and IRC server.

Some of the variants of Koobface include the following:

Worm:Win32/Koobface.gen!F, [Facebook]Microsoft Virus Definition
Net-Worm.Win32.Koobface.a, which attacks MySpace
Net-Worm.Win32.Koobface.b, which attacks Facebook.
WORM_KOOBFACE.DC, which attacks Twitter.
W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar.
W32.Koobface.D

MacOSX is becoming a enticing target for malware developers, no longer is security by obscurity an option.

In addition to checking the Intego link above vist http://www.zdnet.com/blog/security/koobface-for-mac-os-x-squirming-on-facebook/7579 for a write up.

Update on Friday, October 29, 2010 at 05:29PM by

drStrangeP0rk

Intego has posted an update related to OSX/Koobface.A an their assessment appears to be technically on the money. Most importantly Mac administrators and users need to prepare for malware directed at Apple products. AS the platform has increased in popularity so will the desire of malicious actors to compromise users systems usually with the goal of high jacking their high-speed connection for use in a botnet. I suggest that you stay informed by visiting their blog. More importantly their product, VirusBarrier along with WashingMachine are excellent products which I highly recommend.

This seems like a very primitive attempt to create Koobface Mac zombies, but as we know when in comes to criminals; if at first you don't succeed try, try again!"