Mac Trojan Horse Discovered: Boonana/Koobface
A trojan horse has been discovered that affects Mac OS X users, dubbed “trojan.osx.boonana.a” or “Koobface.” An infected machine will hijack the user's social network accounts and attempt to spread the trojan further by sending out spam messages from the user's account.
Thus far the trojan has been spread through Twitter, Facebook, MySpace, and email. Here is the method of operation:
The trojan behaves like a worm, baiting users on various social networks into clicking a link. The link asks “Is this you in this video?” and, if clicked, sends the user to another website which attempts to load a Java applet, giving the user a standard Mac OS X Java Security Alert and certificate request.
If the Java applet is allowed to load, it will download files to your local machine and then start a background process which attempts to propagate the trojan. Clicking “Deny” in the alert prevents the malicious code from loading and avoids any further trouble.
Intego explains the trojan as follows:
This threat is a Mac OS X version of the Koobface worm, which is served as part of a multi-platform attack via a malicious Java applet. The malware itself is made up of a number of elements, though in order to simplify, we will use the term “Trojan horse” to describe it. (Technically, it propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements.)
The trojan also affects Windows users. The easiest way for Mac and Windows users to protect themselves from the trojan is to avoid clicking dubious links from untrusted sources and to deny sketchy Java applets. Another option is to disable Java in your web browser.
If you are concerned that you have been affected by the Koobface trojan, you can get a free removal tool through SecureMac, which rates the risk as “Critical.” Currently the download link sends you to MacScan, but this is expected to change when the removal tool is released.