Koobface worm targets Mac users on Facebook, Twitter

Malicious Java applet shows that Apple's smart to dump Oracle's technology, says researcher

A new variant of the Koobface worm that targets Mac OS X and Linux as well as Windows is spreading through Facebook, MySpace and Twitter, security researchers warned today.

Antivirus firms first reported the malware, dubbed "Boonana," on Wednesday when Intego and SecureMac, two Mac-only security vendors, warned Mac OS X users that the worm was aimed at them.

Boonana spreads via messages posted to social networking or microblogging sites. Those messages bait the trap with the subject "Is this you in the video?" and a link to a malicious site. People who bite and click the link are then prompted to run a Java applet.

That applet is key to the malware's cross-platform capabilities, said Symantec in a note posted to its research blog.

"The [malware] is written in Java, which is a platform independent language," said Symantec researcher Jeet Morparia. "Individual modules contain Java compiled files, which are packaged in a Java runtime executable. As long as a computer has the Java Runtime Environment (JRE) installed on it, which is often the case across all the platforms, the threat can execute itself."

Intego and Symantec noted that the worm includes several components, including an IRC connector used by the hacker to issue commands to hijacked computers, a keylogger to steal usernames and passwords, and a rootkit to hide it from security software.

Functionally, Boonana works the same as the better-known Koobface Windows worm. Koobface has been actively infecting Windows PCs for more than two years, although virulent forms used in large-scale attacks didn't appear until early 2009.

Koobface, an anagram of Facebook, is best-known for infecting PCs through spammed messages on the giant social networking service.

According to Symantec, Boonana includes a component that reads browser cookies of users logged into Facebook, then posts additional bogus messages and links on the site using those Facebook accounts.

A Facebook spokesman downplayed the threat, saying in an e-mail reply to a request for comment that it was a "small-scale attack." As is its practice, Facebook has blocked access to accounts compromised by Boonana in an attempt to quell the malware outbreak.

Marc Fossi, the director of Symantec's security response team, echoed Facebook, saying that his group had tracked a number of infection attempts, but that the number was "not in epidemic proportions."

The important element in Boonana, Fossi continued, is its cross-platform infection ability, courtesy of Java, which is installed on many Windows, Mac and Linux machines. Such threats are rare, he added, as he cited the one example he was familiar with. "I recall [just] one piece of malcode from a few years back that affected Windows and OS X, but I believe it was proof of concept and didn't really go anywhere," he said.

Mac OS X has bundled an Apple-maintained version of Java for years, but last week the company announced it was "deprecating," or dropping it, from OS X. Java is also out as a development platform for the upcoming Mac App Store, according to Apple's guidelines, and will probably not find a home in the next version of Mac OS X, dubbed "Lion" by CEO Steve Jobs during a sneak peak on Oct. 20.

For Dino Dai Zovi, a noted Mac vulnerability and exploit researcher -- and the co-author of the Mac Hacker's Handbook -- Apple's ditching Java can't come too soon.

"Most Mac users do not need or even use Java, and [deprecating it] will make them safer than having a large window of vulnerability in a plug-in that is being actively attacked in the wild through exploits that can easily be adapted to target Mac OS X," Dai Zovi said in an e-mail reply to questions about Java.

"It's not worth the risk of having it enabled," he added.

Fossi agreed. "It probably isn't a bad idea" for Apple to drop Java, he said.

Apple's operating system rival has said it's seen an "unprecedented wave" of Java exploits in the last nine months. Last week, Microsoft's malware group announced that Java exploits had skyrocketed recently, booming from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter.

Robert McMillan of the IDG News Services contributed to this story.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityWindowsWeb 2.0 and Web AppsIntegosoftwaretwitterMalware and Vulnerabilitiesoperating systemsFacebookMac OSsymantec

More about AppleFacebookIDGIntegoLinuxMicrosoftOracleSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place