Cross-platform Boonana Trojan targets Facebook users

The Boonana Trojan has been making headlines over the last 24 hours. The threat, which has been compared to Koobface but is technically not a member of that malware family, has been getting so much attention because it doesn’t just infect Windows: it targets Mac OS X and Linux computers too.

The Boonana Trojan horse appears to have been spread via Facebook in messages asking “is this you in this video”.

IMPORTANT! PLEASE READ. Hi <username>. Is this you in this video here : <link>

Clicking on the link takes you to an external website that displays an image of a woman (grabbed from the Hot Or Not website).

Lady's picture

Visitors to the webpage who want to see more are prompted to give permission for an applet called JPhotoAlbum.class to be run from inside a Java Archive (JAR) called JNANA.TSA.

Warning message

Whether you are running Windows, Mac OS X or Linux on your computer, if you give permission for the highly obfuscated Java app to run, the malware will sneakily download a variety of programs from the internet and then execute them on your computer.

Files which can be downloaded include:


Sophos detects various components of the attack as Troj/Boonana-A, Troj/KoobStrt-A, Troj/KoobInst-A, Troj/KoobCls-A, Troj/Agent-PDY, Troj/DwnLdr-IOX, and Troj/DwnLdr-IOY. In addition, Sophos’s web protection blocks access to the malicious webpages.
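A defender-side check built on the two names given above, as an added example that is not Sophos's code: it flags files that are Java archives despite a non-JAR extension (as with JNANA.TSA) and archives that contain JPhotoAlbum.class. The function names, the extension list and the harmless sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

# Indicator taken from the article: the applet class the page asks to run.
APPLET_CLASS = "JPhotoAlbum.class"
JAR_EXTENSIONS = {".jar", ".war", ".ear", ".zip"}  # assumed "expected" suffixes


def inspect_archive(name, data):
    """Return findings for one file, given its name and raw bytes."""
    findings = []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return findings  # not a ZIP/JAR container, nothing to report
    with zipfile.ZipFile(buf) as zf:
        entries = zf.namelist()
    classes = [e for e in entries if e.endswith(".class")]
    if not classes:
        return findings  # a ZIP without Java classes is out of scope here
    if Path(name).suffix.lower() not in JAR_EXTENSIONS:
        findings.append("java-archive-with-unusual-extension")
    if any(e.rsplit("/", 1)[-1] == APPLET_CLASS for e in classes):
        findings.append("contains-" + APPLET_CLASS)
    return findings


def scan_directory(root):
    """Walk a directory (for example a browser or Java cache) and report hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                found = inspect_archive(path.name, path.read_bytes())
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or corrupt file: skip it
            if found:
                report[str(path)] = found
    return report


def constructed_sample(class_name):
    """Build a harmless in-memory archive holding one dummy class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(class_name, b"\xca\xfe\xba\xbe constructed placeholder")
    return buf.getvalue()
```

The check works on file content rather than file names, so renaming the archive does not hide it; a hit is a lead for triage, not proof of infection.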

Don’t forget to always be careful about what links you click on, even if they appear to have been shared by someone you know on Facebook.

And if you’re a user of Linux or Mac OS X, don’t think that the malware problem only exists on Windows. Malicious hackers are becoming increasingly interested in targeting other platforms, and if users of your operating system have a reputation for being dismissive about the risk of malware on your preferred OS, the bad guys may consider you a soft target.

Finally, if you’re a Facebook user, you could do a lot worse than join the 30,000+ other people who have become members of the Sophos Facebook community, sharing advice and warnings about new threats.