Cross-platform Boonana Trojan targets Facebook users

Filed Under: Apple, Facebook, Java, Linux, Malware, Social networks

The Boonana Trojan has been making headlines in the last 24 hours. The threat has been compared to Koobface (although it is technically not a member of that malware family), and the reason it is getting so much attention is that it doesn't just infect Windows: it targets Mac OS X and Linux computers too.

The Boonana Trojan horse appears to have been spread via Facebook in messages asking "is this you in this video".

IMPORTANT! PLEASE READ. Hi <username>. Is this you in this video here : <link>

Clicking on the link takes you to an external website that displays an image of a woman (grabbed from the Hot Or Not website).

[Image: lady's picture shown on the lure page]

Visitors to the webpage who want to see more are prompted to give permission for an applet called JPhotoAlbum.class to be run from inside a Java Archive (JAR) called JNANA.TSA.

[Image: warning message asking the visitor for permission to run the applet]

Whether you are running Windows, Mac OS X or Linux, if you grant permission for the heavily obfuscated Java applet to run, the malware quietly downloads a variety of programs from the internet and then executes them on your computer. Once a user approves an applet in that dialog, the Java sandbox no longer constrains it and it runs with the logged-in user's privileges, which is why a single JAR can serve all three platforms.

Files which can be downloaded include:

applet_hosts.txt
cplibs.zip
jnana_12.0.tsa
jnana.pix
OSXDriverUpdates.tar
pax_wintl.crc
pax_wintl.zip
rawpct.crc
rawpct.zip
rvwop.crc
rvwop.zip
VfxdSys.zip
WinStart.zip

Sophos detects various components of the attack as Troj/Boonana-A, Troj/KoobStrt-A, Troj/KoobInst-A, Troj/KoobCls-A, Troj/Agent-PDY, Troj/DwnLdr-IOX, and Troj/DwnLdr-IOY. In addition, Sophos's web protection blocks access to the malicious webpages.
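The file names listed above are usable as indicators in web proxy logs. What follows is an added example, not code from the original post or from Sophos: it scans Squid-style access-log lines for fetches of the listed payloads and correlates, per client, the initial JNANA.TSA fetch with the stage-2 downloads that follow it, so that a stray file name in an unrelated URL does not trigger the same alert as the full chain. The log lines, client IPs, hostnames and timestamps are constructed for the demonstration, and the ten-minute correlation window is an assumption.

```python
"""Flag Boonana payload downloads in Squid-style web proxy logs.

Added example, not code from the original post or from Sophos.  The payload
names come from the list in the post; the log lines, client IPs, hostnames and
timestamps are constructed for the demonstration, and the ten-minute
correlation window is an assumption.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Stage 1: the JAR the victim is asked to approve.  Stage 2: what it downloads.
# Names are lower-cased so matching is case-insensitive (OSXDriverUpdates.tar
# and osxdriverupdates.tar should both hit).
STAGE1 = {"jnana.tsa"}
STAGE2 = {
    "applet_hosts.txt", "cplibs.zip", "jnana_12.0.tsa", "jnana.pix",
    "osxdriverupdates.tar", "pax_wintl.crc", "pax_wintl.zip",
    "rawpct.crc", "rawpct.zip", "rvwop.crc", "rvwop.zip",
    "vfxdsys.zip", "winstart.zip",
}

# Squid native access.log: "<unix ts> <elapsed ms> <client> <code/status> <bytes> <method> <url> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log: one client walks the full chain, another fetches a
# stage-2 file with no preceding JAR, plus one benign request.
SAMPLE_LOG = [
    "1288000000.100 120 10.0.0.5 TCP_MISS/200 61440 GET http://lure.example.invalid/JNANA.TSA - DIRECT/203.0.113.7 application/java-archive",
    "1288000030.400 80 10.0.0.5 TCP_MISS/200 512 GET http://lure.example.invalid/applet_hosts.txt - DIRECT/203.0.113.7 text/plain",
    "1288000041.900 300 10.0.0.5 TCP_MISS/200 204800 GET http://cdn.example.invalid/dl/OSXDriverUpdates.tar - DIRECT/203.0.113.8 application/x-tar",
    "1288000050.000 90 10.0.0.5 TCP_MISS/200 10240 GET http://cdn.example.invalid/dl/rawpct.zip?id=3 - DIRECT/203.0.113.8 application/zip",
    "1288000060.000 40 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.invalid/photos/index.html - NONE/- text/html",
    "1288000070.000 60 10.0.0.9 TCP_MISS/200 30720 GET http://cdn.example.invalid/dl/WinStart.zip - DIRECT/203.0.113.8 application/zip",
]


def basename_of(url):
    """Last path segment of a URL, lower-cased; the query string is ignored."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client"),
        "url": m.group("url"),
        "name": basename_of(m.group("url")),
    }


def classify(name):
    """'stage1', 'stage2' or None for a (lower-cased) file name."""
    if name in STAGE1:
        return "stage1"
    if name in STAGE2:
        return "stage2"
    return None


def scan(lines, window=600):
    """Per-client findings.

    'chain' is set when a client fetches a stage-2 payload within `window`
    seconds after its first JNANA.TSA fetch: that sequence is the approved
    applet doing its downloads, not a coincidental file name in a URL.
    """
    findings = defaultdict(lambda: {"stage1": [], "stage2": [], "chain": False})
    first_jar = {}  # client -> timestamp of its first stage-1 fetch
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["name"])
        if stage is None:
            continue
        client = rec["client"]
        findings[client][stage].append(rec["name"])
        if stage == "stage1":
            first_jar.setdefault(client, rec["ts"])
        elif client in first_jar and 0 <= rec["ts"] - first_jar[client] <= window:
            findings[client]["chain"] = True
    return dict(findings)


if __name__ == "__main__":
    for client, f in scan(SAMPLE_LOG).items():
        status = "CHAIN" if f["chain"] else "partial"
        print(f"{client}: {status} stage1={f['stage1']} stage2={f['stage2']}")
```

Run against a real access.log by replacing SAMPLE_LOG with the file's lines; a client reported as "partial" with only stage-2 hits is worth a look but is not the same evidence as a client that pulled the JAR and then the payloads.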

Don't forget to always be careful about what links you click on, even if they appear to have been shared by someone you know on Facebook.

And if you're a user of Linux or Mac OS X, don't think that the malware problem only exists on Windows. Malicious hackers are becoming increasingly interested in targeting other platforms, and if users of your operating system have a reputation for being dismissive about the risk of malware on your preferred OS, the bad guys may consider you a soft target.

Finally, if you're a Facebook user, you could do a lot worse than join the 30,000+ other people who have become members of the Sophos Facebook community, sharing advice and warnings about new threats.


7 Responses to Cross-platform Boonana Trojan targets Facebook users

  1. Janne Lahteenmaki · 1420 days ago

    What? There exists an unsigned Java applet on some suspicious website on the internet that could be downloaded and installed and it does bad things to your computer? And you may find a link to it on Facebook? I want to hear what kind of people would go through that much trouble to run rm -rf *. :) Unbelievable.

  2. Bender · 1420 days ago

    The most interesting thing is that it doesn't exploit any weaknesses, it exploits the users so it's not really surprising. Even the best OS won't defend itself if the user is an idiot...

  3. aussiebear · 1419 days ago

    "And if you're a user of Linux or Mac OS X, don't think that the malware problem only exists on Windows. Malicious hackers are becoming increasingly interested in targeting other platforms, and if users of your operating system have a reputation for being dismissive of malware warnings on your preferred OS, the bad guys may consider you a soft target."

    => What a load of FUD. You have to specifically click "allow" for the Java applet to execute for it to infect. If you click on "deny", nothing happens.

    On a Linux box, the "infection" is temporary. (Presuming you're stupid enough to execute any random code without a thought.) Upon reboot, it's gone.

    Stop spreading nonsense if you haven't verified things yourself.

  4. joe · 1419 days ago

    You know what is interesting is this really isn't possible to exploit on GNU/Linux. Reason being it takes a user to be too dumb to use a computer. Even the dumb MS Windows users who have been moved to GNU/Linux who don't know they use GNU/Linux won't fall for this. It takes a two second explanation to new GNU/Linux users how to maintain their system.

    You don't download stuff from random websites and you always accept the security updates from the update manager. So users aren't getting infected and won't be infected on GNU/Linux. Yes, they will be on MS Windows and Mac OS X. Because on these platforms the list of things users have to be aware of and do is so long that it would take a computer science degree and a full time job to protect oneself.

    Users on MS Windows have to manually update a ton of different applications because no single update system exists: Java, Flash, Reader, MS Office, MS Windows, iTunes, QuickTime, RealPlayer, Adobe Photoshop/Paint Shop Pro/or whatever they use, a dozen Instant Messaging Clients, anti-virus, and who knows what else they might use on a regular basis.

    On GNU/Linux all the equivalent or same programs are updated through one update management program so a user only has to be familiar with one screen. They don't get confused about what is safe and what is not safe. They also aren't confused about what programs are safe to install and what aren't. You have one source to obtain software generally for 99.95% of your applications. The Ubuntu Software Center for instance or maybe http://thinkpenguin.com/software. Anything else and you should be calling a techy or some penguin support company like THINKPENGUIN 1-888-39-THINK, Open-PC, or whoever manufactured your computer for support.

  5. CommonCourtesy · 1415 days ago

    Fanboys, you missed the point. The point is to remind people that there are bad guys out there, no matter what your favorite OS is and that no one is safe. Sure, right now you have to give permission. But who's to say some savvy clown isn't trying to work around that right now?

    Just dismount that tall stallion of yours and take this article for what it is--another reminder to pay attention.

  6. jazzyjeph · 1347 days ago

    Sophos, what is your problem with Linux users? You deliberately spread FUD, why? @CommonCourtesy "Fanboys"? You see, you are as bad as Sophos, because what you are doing there is known as "trolling": no input, just you having a go at Linux users. 3 out of 10, must try harder.

  7. Cathal Garvey · 1293 days ago

    Wow, the Linux community is looking pretty awful going by this post.

    The attack is clearly described; yes, it's a social engineering attack and requires user permission. But users, even experienced ones, are human and given to error. Of *course* GNU/Linux is more secure than MS and Apple, there's no real question of that. But it's not ironclad, and it never will be; that's just impossible without bricking the thing entirely.

    I use Linux. I love Linux, and I'd recommend it to others in a flash. But I'm aware that there are ways that my computer can be infected with malware; one of them is me. Another is third-party software like Flash. Another is using a crappy password.

    There are risks inherent in using a computer, and it's good to remind people of risks. Thanks for the post, NakedSecurity, I rather like to be reminded of what to look out for.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.