New variant of cross-platform Boonana malware discovered

Filed Under: Apple, Linux, Malware, Windows

Windows, Linux, Mac OS X under attack
Last week we spoke about the Boonana cross-platform malware, using a malicious Java applet to deliver a cross-platform attack that attempts to download further malware to computers running Windows, Unix and Mac OS X.

Since then we have seen variants of the original Boonana attack. The samples we have seen have been functionally the same, with the hackers behind them seemingly having obfuscated their code to try and waltz around detection.

Their attempts haven't been good enough to get past Sophos's products so far (including our new free anti-virus for Mac home users), and we haven't had to update our generic detection method.

In the samples we have analysed to date, the attack specifically targets Windows and Mac OS X systems, and just happens to infect other platforms that run Java. Depending upon the flavour of Unix, it doesn't usually complete its 'life cycle' if you're not running Windows or Mac OS X systems.

Of course, we will update our detection of Troj/Boonana should we see new variants that require it.

In the meantime, watch this video I made last week demonstrating the original version of this attack on Windows, Mac OS X and Ubuntu:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)



6 Responses to New variant of cross-platform Boonana malware discovered

  1. Paul · 1445 days ago

    So basically, no protection under Linux aside from declining install, correct?

    It seems like it might be an odd question to ask, but you never know these days.

    • pducklin · 1445 days ago

      Sophos Anti-Virus for Linux detects it too.

      Our Windows/Mac/Linux products all include on-access scanners (i.e. block-and-prevent malware), and all share the same set of malware identities. So if the Mac product detects it, the Linux one does, too.

      An injury to one is an injury to all :-)

      • Paul · 1445 days ago

        Fair enough... but what about the Linux home users?

        I know they aren't as common as Windows desktop users, but do you guys offer free security for them... or is it just the lucky Mac users?

        Sorry, I don't mean to sound mean... I just want to check up, that's all.

        • pducklin · 1445 days ago

          Not a mean question at all! A great question! And the answer is...

          ...no. Sorry. Just the lucky Mac users.

          At least, just Mac so far. Of course, our marketing department will see your request, so you never know :-)

          • Paul · 1444 days ago

            Well, I'm also hoping for a free home version for Windows as well... but I figure it's less likely, haha.

            But here's to hoping.

    • mike · 1444 days ago

      Yes... the funny thing is only the fools will fall for this. As with a majority of *nix, a good portion of these malware you have to legitimately allow to execute on your system. All in all it's not really a trojan that can execute on a physical machine at all, more or less a "Virtual" machine virus. Please SOPHOS restrain yourself from sensationalist posts.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.