Variant of "Boonana"/"Koobface" trojan surfaces

updated 03:10 am EDT, Thu November 4, 2010

Collects user info; removal tool available

The SecureMac team, along with ESet Security, has identified a new variant of the trojan horse malware they call "Boonana" (Intego and other firms refer to it as a form of the Windows trojan "Koobface," for reasons SecureMac disputes) that uses even crueler trickery in an attempt to convince users to install it. In addition, the companies have identified new servers actively collecting keylogged data such as user names and passwords. Although infection is easy to prevent and the trojan is easy to remove, the refined setup and misleading nature may fool novice users.

Now called trojan.osx.boonana.b, the variant, like its previous version, is able to run on all three major platforms because it exploits a multi-platform vulnerability in Java. Turning off Java in the web browser is an effective way to prevent the Trojan from even trying to install, but users should also be suspicious because, although it advertises itself as a video, the Trojan asks for the administrative password in order to install itself.

The new version may appear as a message on Facebook or other social networks, or as an email, and in some cases advises the recipient that "as you are on my friends list, I thought I would let you know I have decided to end my life. For reasons that will be clear please visit my video on this site. Thanks for being my friend. :(" with a link to a video (purported to be on YouTube or Facebook or other popular video sites).

If the user clicks the link, a Java applet installer is launched asking for administrative access and to "allow" other applets from the same server. Should the user still go forward, SecureMac says "the installer then modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the trojan horse hijacks user accounts to spread itself further via spam messages." The company has identified a total of three sites updating the code of the variant and collecting information from the infected machines.

SecureMac says that as of yesterday, the malware servers were still up and running, thus increasing the risk of the variant being more successful at spreading than the previous version, which was malformed and never carried much risk of succeeding in its attacks. SecureMac offers a free removal tool that requires Mac OS X 10.5 or higher (manual removal instructions for users on earlier systems are included).

[Details on the wording of the variant and graphic via ESet Security]

by MacNN Staff



  1. wrenchy

    Joined: Dec 1969


    Here come the viruses.

    Welcome to the world of Anti-Virus and malware protection Mac Fans. You want increased market share for OSX? Then you'll have to deal with the rest of the baggage.

    Where's the smugness now? It's only going to get worse from here.

    If an iPad can get hacked from clicking a button on a website, what else can happen??

    Suck it iBoys.

  1. Hillbilly Geek

    Joined: Dec 1969


    gee, wrenchy

    you sound... tense. Take an Apple, it's good for the digestion.

  1. facebook_Michael

    Via Facebook

    Joined: Nov 2010


    these attacks only work on simple-minded...

    folk who have no clue.

    Nothing can protect them from social engineering attacks like this.

    @wrenchy, this isn't even close to the tons of c*** that can attack Windows.

  1. nitram_again

    Joined: Dec 1969


    Turn off Java

    I went to turn off Java in Safari only to discover I'd done it already some time ago. No ill effects noted so far.

  1. MacnnReader

    Joined: Dec 1969


    Wrenchy is a bitter boy

    The fact that I can get malware on Windows without doing anything but go to a compromised web site is not my fault. The fact that I can only get malware on a Mac by putting in my admin password is not my fault. Go home and get some therapy dude.

  1. MacScientist

    Joined: Dec 1969


    Although there appears to be not much here,

    the most important question is sidestepped. That question is "Is there any evidence that this Java malware can do anything on a Mac if it is properly installed."

  1. testudo

    Joined: Dec 1969



    these attacks only work on simple-minded...folk who have no clue.

    Nothing can protect them from social engineering attacks like this.

    Right. Just like most of the attacks on Windows. But most Mac users skip over that fact...

  1. Mr. Strat

    Joined: Dec 1969


    Let the myths continue

    Here we go Macs become more popular...yada...yada...yada...

    It ain't about market share. It's about how S***** Windows is designed.

    I take the same stance as before on this one - Ooooo...I'm scared!

  1. IxOsX

    Joined: Dec 1969


    Wrenchy the buried

    @Wrenchy: It is nice to see that "Windows only" people exist using these forums. By the way, do you have any OSX machine? Just curious. But there is one thing I advise you to do before speaking about viruses and security on non-Windows systems: learn some computer architecture and kernel security. After that, check the global picture and have an exempt conclusion. If you keep your words, then you have a big problem.

  1. charlituna

    Joined: Dec 1969


    i wonder

    what this new one click facebook login 'feature' will do to help out such sites. Because right now I can change my facebook log in and lock out such malware. But as I understand it, with this new feature, if I do that, it will change for everything I ever logged in. Hopefully there are details that haven't been explained that cover how they are preventing such attacks. Not that I would fall for them but I can't say that about my family (especially my mother)
