VIDEO: Cross-platform malware runs on Windows, Mac and Linux

Filed Under: Apple, Facebook, Java, Linux, Malware, Social networks, Video, Windows

We made a quick video demonstrating the much-talked about "Boonana" malware threat, also being compared to Koobface as it appears that cybercriminals have been distributing links to it via Facebook, tempting unsuspecting users with the promise of a video.

The reason why this malware is interesting is that it doesn't just affect Windows users, but can hit Mac OS X and Linux users too.

But don't just take my word for it, check out the video.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

You can learn more about this malware threat in the post we made yesterday.

Remember, although there is much more malware affecting the Windows platform than any other operating system, that doesn't make the likes of Mac OS X and Linux immune from threats.

Do you think users of non-Windows operating systems are too laid back about malware? Or are anti-virus companies hyping the threat? Leave a comment below and let us know your thoughts.

, , , , , , ,

You might like

19 Responses to VIDEO: Cross-platform malware runs on Windows, Mac and Linux

  1. At the risk of sounding like I've got my head in the sand, I'm still not moved to install antivirus software on my Mac. Yes, this is cross-platform malicious code. But for pete's sake, how many idiotic steps do you have to take in order to let it in?

    1) Click on suspicious link
    2) Allow Java app to install, despite warning that it's accessing your computer
    3) Start installation of malware
    4) Choose installation location of malware
    5) Type in administrator password

    Seriously, if I'm dumb enough to do all of that, I rather deserve what I'm going to get. Let me know when all of this can happen without my input past step 1. Until then, antiviral software is no substitute for a bit of caution & common sense.

    • Thanks for responding Becky.

      My view is that it's social engineering. If the bad guys trick you into believing that you really want to view what's behind the curtain, you'll pull the curtain back.

      Most of the attacks we see on the Windows platform use social engineering tricks *not* software vulnerabilities to infect computers. I'm not sure the people who buy Macs are that different from the people who buy Windows in this regard.

      We can all be tricked into making poor choices. It's just that Windows users are more likely to be running anti-virus software as a safety net for when they make a bad decision.

      • Lloyd Budd · 1801 days ago

        Most of the attacks we see on the Windows platform use social engineering tricks *not* software vulnerabilities to infect computer

        That assertion surprises me. When you say most, what data are you basing this on? I suspect the majority of attacks employ a combination of vulnerability and tricking the computer operator.

        • The assertion is based upon what SophosLabs sees each day. Most of the malware we see doesn't exploit software vulnerabilities - it's mostly social engineering tricking users into making poor decisions.

          • Lloyd Budd · 1800 days ago

            So not verifiable?

            • I don't have stats to hand. But you could ask any other anti-virus vendor and they'll tell you precisely the same thing.

              Or you could read the analyses that we produce every single day for new malware, and note how few of them mention the exploitation of software vulnerabilities.

              Hope that helps.

              • Lloyd Budd · 1800 days ago

                Hmm, so to put that another way, if one is savvy enough then one doesn't need anti-virus software.

                • In the main, that's true. Never download and run software until you've verified (by hand) it's not malicious, never insert a USB stick into your computer, never visit a website which might be clickjacking your mouse presses to do something you weren't expecting, keep your security patches up-to-date, triple check that you're really on the website you think you're on before you enter any data and that your communications can't be snooped upon.

                  Oh, and make sure that you don't connect your computer to any other computers - just in case your friends and colleagues aren't as diligent as you.

                  Of course, there still are *some* malware attacks that exploit software vulnerabilities - which even these rules won't help you with.

                  Maybe it would just be simpler to run anti-virus software to lessen the load a bit, eh? :)

    • Todd Wittenmeier · 1804 days ago

      Word Sister!

  2. Jen · 1805 days ago

    So in other words, I shouldn't let my Grandparents learn what Facebook is, to connect with the family, because they are not idiotic but in the category of people who just don't know any better. Their minds aren't as keen to the idea of hackers and the little tricks the rest of us know the hackers use.

  3. JamEngulfer221 · 1805 days ago

    So what does this Malware actually do?

    What effects will it have on my Mac Mini?

    • chesterwisniewski · 1805 days ago

      After installation the malware modifies some files in the operating system to allow it to continue on with root (full administrator) access without further prompting. It then makes a copy of itself into a hidden folder and executes a Java applet whenever your computer is booted.

      Once it is running it will connect and communicate with the attackers command and control servers on the internet. It is capable of downloading additional files and executing them without the users permission.

      As we continue to investigate this sample we will post any additional capabilities we discover here on the blog.


  4. Steve Sant · 1805 days ago

    Nice one Graham... although I'm not going to lose any sleep over this, it demonstrates how social engineering is the biggest threat to any system, regardless of how "secure" the platform may be against the usual unpriv. escalation exploits. No system is fool proof... but maybe Macs get taken down less often as less fools use them? <putting on my asbestos trousers>

  5. Lincoln-john · 1804 days ago

    Surely, this is all a matter of education, education, education? I know people that would not think twice about going through the steps listed in order to view - independently of their operating system. I also know people who would immediately smell a rat. Keep up the good work Graham, and having pointed out this to the sensible people that read your blog, it is then our job to make sure Granny understands the risks. It is only in educating users, no matter what os, that we can beat these idiots. And the fools that can't wont be educated deserve everything they get, or loose.

  6. Nick Nikiforakis · 1802 days ago

    I am not sure why this is a big deal...of course it is cross-platform since it is written in Java. There is no point in demonstrating that... you might as well demonstrate that a Java applet runs on all major Operating Systems.

    Call me what you will, but I think this thing is given attention because it may help antivirus companies promote their products than do any real damage to any real users (GoBecky commented on the absurdity of the steps needed for the "infection" to work).

    • Paul Ducklin · 1801 days ago

      As an industry insider (and you may call _me_ what you will :-), let me agree that this Boonana thing isn't especially subtle, and, as you point out, Java apps are supposed to be cross-platform.

      But the steps to infection outlined by GoBecky, absurd as they seem when described that way, are pretty much exactly what anyone does, on any platform (perhaps ignoring the Java part, though that is a detail), when they choose to download and install previously-unknown software. They follow exactly those steps, with the words "malware" crossed out and "piece of software" written in.

      People, and not just Windows users, will jump through some very strangely-shaped internet hoops on occasion. This is learned behaviour, because they try it a few times and nothing goes wrong. Like driving without a seatbelt. It doesn't seem to matter a whole lot. Until it does.

      If you will pardon the self-serving download link, there are a couple of interesting historical examples of software which you'd swear _no-one_ would ever willingly have installed in this (admittedly slightly dated, but no less accurate for it) paper:

      If you don't want to read the whole thing (approx 6 pages), search for "FriendGreetings" and "MarketScore".

  7. Scott · 1800 days ago

    This is not news. I can infect my partner's Mac or my Linux boxes if I jump through enough hoops, just like you have to with this malware. That's in contrast to Windows boxes which can get infected without any user input AT ALL.

  8. FGO · 1800 days ago

    I don't get it. Any computing device and any OS is subject to exploit. No matter how you look at it. Windows, Mac OS, Linux and any other OS is a target and to not accept that is plain foolish. As an IT professional you take advantage of any tool out there to protect your clients. That is your professional obligation. So the folks at Sophos have addressed a real threat to all operating systems and made a solution that is free. Hmmm I wonder why you have a problem with this. You all seem to think that you individually are in control of you clients finger clicking... I don't thin so... Try as hard as you might someone out there is going to run the app and then it is too late and the possibility of the loss of corporate data then becomes real... then try to explain to your CEO/CTO why you chose not to install a free solution to prevent this...


  9. madura · 1754 days ago

    I don't think that fool-proofing systems is the correct way. But hey, antivirus software can think instead of the users and to the right thing. May be that's the case because almost everyone is using a PC these days. But using this as bait for proving that other systems are too open to vulnerabilities and/or exploits as Windows is just garbage. That happens when it comes to business, plus similar attacks can be done through any cross platform technology name it flash, python, javascript but it is the user's concern that whether he/she allow code of programs that he/she is not sure of. I mean, it's like letting someone log in to root of your machine after some conversation! That's bad. Really bad.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley