[tech] Mac OSX users, meet Boonana virus. Also, Firefox users update to avoid new exploit!

Jason California
10-28-2010, 12:13 PM
Critical security risk posed by new 'Boonana' Trojan horse for OS X

by Topher Kessler



A new Trojan horse malware that affects Mac (http://www.cnet.com/apple-mac.html) OS X has been uncovered by Macintosh Security site SecureMac (http://www.securemac.com/). The Trojan is called "trojan.osx.boonana.a" and is being disguised as a video and distributed through social-networking sites like Facebook.
The Trojan horse appears as a link on people's Facebook pages that may have the text "Is this you in this video?" in the link. When the link is clicked, the Trojan will run a Java applet that will download other files to the computer and run an installer automatically.
The Trojan will run in the background and appears to report system information to servers on the Internet, which can be a big breach of personal information. The Trojan also will attempt to spread itself by sending messages from the user account to other people through spam e-mail messages.
As with most Trojans, this will require you to enter your password to install the software and make modifications to the system, so be sure you never supply your password unless you specifically open an installer file and know and trust where that installer came from.
Unlike others in the past, this current Trojan was built in Java, and is cross-platform compatible so it can run in both Windows and in multiple versions of OS X, including the latest Snow Leopard release.
Expect antivirus and malware scanner software companies to release updated malware definitions to tackle this threat, but meanwhile be sure to verify with your friends that videos on their social media sites are legitimate. Additionally, if you run a video from an e-mail or Facebook site and it asks for a password, do not supply it with anything, quit the installer, and remove the video from your system.
The installer cannot do anything to your system if you do not supply your password, so unlike a virus that can self-propagate, this should be relatively easy to remove by just deleting the file. Once the Trojan is installed, however, removing its components will be a lot more difficult.
SecureMac has a removal tool for people who have installed this Trojan, so if you are unsure about whether your system is compromised, then we recommend you run the removal tool to be on the safe side: SecureMac Trojan Removal Tool (http://macscan.securemac.com/files/BTRT.dmg).
For more information on this new threat, see the SecureMac Boonana security bulletin (http://www.securemac.com/boonana-bulletin.php).
UPDATE: Security firm Intego has released a security bulletin (http://www.intego.com/news/trojan-horse-os-x-koobface-a-affects-mac-os-x.asp) of its own, mentioning they have been monitoring this threat for a while; in contrast to the bulletin by SecureMac, they call the threat level posed by this Trojan relatively low given its flawed implementation in OS X. Nevertheless, it has potential to be developed into a more serious threat, so people should be aware of it and avoid it.
http://reviews.cnet.com/8301-13727_7-20020892-263.html?tag=nl.e795
A major website being compromised and serving up malware is bad news in itself. However, when that attack is using a previously undiscovered and unpatched zero-day vulnerability, the problem becomes even greater.
The official website of the Nobel Peace Prize was compromised and used to serve an exploit targeting a zero-day vulnerability in Mozilla Firefox. On their blog, Mozilla (http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/) has acknowledged the vulnerability and said they will issue a patch as soon as it has been tested. The said vulnerability causes a “drive-by download”, where a malicious file is downloaded and run without the user being aware of what happened.
The Nobel site appears to have been compromised with a malicious PHP Script, which we detect as JS_NINDYA.A (http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_NINDYA.A). However, for some reason or another the cybercriminal behind this attack has chosen to limit the scope of the vulnerability. Using browser headers, the exploit checks both the Firefox version and the operating system used.
According to Mozilla, the underlying flaw is present in both Firefox 3.5 and 3.6, but only recent versions of 3.6 were targeted by JS_NINDYA.A. In addition, if the user is running newer versions of Windows (such as Vista, Windows 7, Server 2008, and Server 2008 R2), the exploit will not be triggered either.
The exploit downloads a backdoor onto user systems, detected as BKDR_NINDYA.A (http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_NINDYA.A). It connects to one of several remote malicious servers, which are used by a cybercriminal to send various commands to the system. These commands include shutting down the affected system, as well as deleting all files on the system. Saying this could cause problems would be an understatement.
We detect both the script and the payload used in these attacks, as noted above. The URLs used by the backdoor are blocked, in case this attack is used in other sites. As for the Firefox vulnerability, the latest Firefox 4 beta versions are confirmed to be safe from these exploits. Mozilla has also recommended the NoScript (https://addons.mozilla.org/en-US/firefox/addon/722/) extension to mitigate future attacks until a patch is issued.

Read more: http://blog.trendmicro.com/firefox-zero-day-found-in-compromised-nobel-peace-prize-website/#ixzz13gcIdv2x
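As an added example (not part of either article or of Jason's post), a defender-side inventory check in Python: it parses constructed proxy log lines, flags clients still on the Firefox 3.5 and 3.6 branches Mozilla said carry the flaw, and notes whether the header check the article describes (exploit skipped on Windows NT 6.0 and later, i.e. Vista, 7, Server 2008/R2) would have fired or not. The log line format and the sample User-Agent strings are assumptions constructed for the example.

```python
import re

# Constructed proxy log lines (not from the article): client IP, then the User-Agent in quotes.
SAMPLE_LOG = """\
10.0.0.5 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
10.0.0.6 "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"
10.0.0.7 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.14) Gecko/20100914 Firefox/3.5.14"
10.0.0.8 "Mozilla/5.0 (Windows NT 6.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7"
10.0.0.9 "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+)\s+"(?P<ua>[^"]*)"\s*$')   # assumed log layout
FIREFOX_RE = re.compile(r'Firefox/(\d+)\.(\d+)(\S*)')
WINNT_RE = re.compile(r'Windows NT (\d+)\.(\d+)')

def classify_user_agent(ua):
    """Return (status, detail) for one User-Agent string.

    status:  'affected'     - Firefox 3.5.x or 3.6.x, the branches Mozilla said carry the flaw
             'not_affected' - any other browser or branch (e.g. the Firefox 4 betas)
    detail:  what the article says the Nobel-site exploit did with such a client:
             'exploit_skipped' on Windows NT 6.0+ (Vista, 7, Server 2008/R2),
             'exploit_targets' on older Windows, 'unknown' for non-Windows clients.
    """
    m = FIREFOX_RE.search(ua)
    if not m or (int(m.group(1)), int(m.group(2))) not in {(3, 5), (3, 6)}:
        return 'not_affected', ''
    w = WINNT_RE.search(ua)
    if w is None:
        return 'affected', 'unknown'   # the article only describes the Windows checks
    nt = (int(w.group(1)), int(w.group(2)))
    return 'affected', 'exploit_skipped' if nt >= (6, 0) else 'exploit_targets'

def clients_needing_update(log_text):
    """Parse the log and list every client still on an affected Firefox branch."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line: skip it rather than abort the whole report
        status, detail = classify_user_agent(m.group('ua'))
        if status == 'affected':
            version = FIREFOX_RE.search(m.group('ua')).group(0)
            findings.append((m.group('ip'), version, detail))
    return findings

if __name__ == '__main__':
    for ip, version, detail in clients_needing_update(SAMPLE_LOG):
        print(f'{ip}: {version} still affected ({detail})')
```

Clients listed as 'exploit_skipped' still need the update: the flaw is present, this particular attack just chose not to fire there.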

Foolish Mortal
10-28-2010, 12:16 PM
Good thing I'm not on Facebook. :D

Stupendous Man
10-28-2010, 12:32 PM
Thanks for the heads up, Jason.

Jason California
10-28-2010, 12:38 PM
Thanks for the heads up, Jason.


You sir, are welcome. I like to have more value here than just purveyor of ass shots.

Stupendous Man
10-28-2010, 12:45 PM
You sir, are welcome. I like to have more value here than just purveyor of ass shots.

You truly are doing the lord's work.

Jason California
10-28-2010, 12:53 PM
You truly are doing the lord's work.


You know, that is exactly what I said on the facebook page the other night.

SteveFlack
10-28-2010, 02:40 PM
As with most Trojans, this will require you to enter your password to install the software and make modifications to the system, so be sure you never supply your password unless you specifically open an installer file and know and trust where that installer came from.

And this is why Macs will always win.

Buk Was Right
10-28-2010, 02:42 PM
Someone posted the "Is this you in this video" link on my Facebook page last week. It looked fishy so I deleted it off my wall.