Mac users hit with Windows-style 'Koobface' Trojan

Multi-platform attack targets Windows and Apple

A week after a security company warned Mac users of the slowly growing risk of malware attack, a new Mac OS X Trojan-worm based on Koobface has been discovered circulating via Facebook and Twitter.

The malware appears in security bulletins puts out by two Mac anti-malware companies, SecureMac, which has dubbed it trojan.osx.boonana.a, and Intego, which describes it as OSX/Koobface.A, which would make it a variant of the common Koobface worm that afflicted Facebook in 2008.

The interesting feature of the worm-cum-Trojan is its design and delivery, which resembles the sort of malevolence that is utterly standard in Windows world.

Using an "Is this you in this video?" link on Facebook, Twitter and other social media as the lure, infection starts with a Java applet downloading remote malware that sets itself to run automatically at startup. This then hijacks the user's email software in order to spam further links, and modifies the system's password settings.

From the point of infection, the Mac can be remotely monitored and any files on it are at risk of being stolen.

One unusual aspect of the malware is that its Java architecture allows it to hit Mac, Windows and Linux users. In-browser exploits using Java are common in Windows, and not unheard of in Macs either, but doing both at the same time is a rare approach. This hints that integrated malware could become more common in future.

"This is a sobering reminder that hackers are turning their efforts toward Mac OS X as Apple's market share grows, and users should be vigilant in protecting their computers and taking precautions when surfing the web," said SecureMac researcher, Nicholas Ptacek.

As with any Java exploit, the simplest defence it to turn off Java in the browser. That will cause problems when browsing come websites, however.

At the time of going to press, Techworld could not confirm that any of the Mac security products from vendors better known for their PC security suites protected against Boonana-a. Intego and SecureMac have put out warnings and it is likely that the Koobface connection will allow them to update in due course.

"While Intego has evidence of several infections in the wild, we are not currently able to go beyond this step, as either the malicious malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files," said an analysis put out by Intego researchers.

"Technically, it propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements," the statement added.

Join the CSO newsletter!

Error: Please check your email address.

Tags Personal TechsecurityIntegotwitterFacebook

More about AppleFacebookIntegoLinuxMacs

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts