Boonana Trojan Horse
SecureMac Security Bulletin
Posted: October 26th, 2010
Updated: November 4th, 2010
Security Risk: Critical
SecureMac has discovered a new trojan horse in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The trojan is currently appearing as a link in messages on social networking sites with the subject "Is this you in this video?"
When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the trojan horse hijacks user accounts to spread itself further via spam messages. Users have reported the trojan is spreading through e-mail as well as social media sites.
The java component of the trojan horse is cross-platform, and includes other files that affect Mac OS X as well as Microsoft Windows. There have been reports of similar behavior in recent trojan horses targeting Microsoft Windows, but they have not included cross-platform capabilities until now. The trojan attempts to hide its internet communications and actions through obfuscated code spread through multiple files, and will attempt to contact additional command servers if the primary servers are unavailable.
This trojan horse is currently in the wild affecting users of both operating systems.
"This is a sobering reminder that hackers are turning their efforts toward Mac OS X as Apple's marketshare grows, and users should be vigilant in protecting their computers and taking precautions when surfing the web," said Nicholas Ptacek, a security researcher at SecureMac.
SecureMac has released a free removal tool to eliminate this threat, which can be downloaded by visiting http://www.securemac.com or downloaded directly from http://macscan.securemac.com/files/BTRT.dmg
Users can protect themselves from infection by turning off Java in their web browser. This can be accomplished in Safari by clicking the Security tab under Safari Preferences, and making sure the "Enable Java" checkbox is unchecked.
SecureMac offers the following tips for safe web browsing habits:
- Watch where you surf. By sticking with safe, well-known websites, you will be less likely to visit a site that will attempt to infect you with a trojan horse. Be especially careful when surfing to links included in messages on social media sites, even if they come from a friend.
- Watch what you download. Download files only from trusted sources and safe sites.
- Use security features in OS X. Turn on the built-in Firewall, and consider security software, especially when a computer is shared by multiple users.
MacScan quickly detects, isolates and removes malware from Macintosh computers using both real-time spyware definition updating and unique detection methods. The software also manages internet-related clutter on your computer. It is designed for Mac OS X version 10.2.4 and later.
Since 1999, SecureMac has been at the forefront of Macintosh system security. The site not only features complete Macintosh Anti-Spyware and Antivirus solutions, but also operates as a clearinghouse for news, reviews and discussion of Apple computer security issues. Users from novice to the most advanced will find useful information at SecureMac that is designed to make their computer experience trouble free.