Koobface Worm Variant Targets Mac OS X

A variant of the Koobface worm notorious for wreaking havoc on Facebook, Twitter and other social networks running on Windows is doing the same for the Mac OS X.

Like its predecessors, the new Koobface variant, dubbed "Boonana" by security researchers at Intego and Secure Mac, spreads rapidly on social networking sites such as Facebook, Twitter and MySpace. However, what differentiates the malware is that it combines attack methods, spreading like a worm but installing a Trojan horse with numerous functionalities.

During the multifaceted attack, users are enticed with the subject line "Is this you in the video?" coupled with a malicious link embedded in the message. Users who click on the link will be treated to a video, while a dropper file is automatically downloaded in the background. The dropper file then launches a .jar file containing numerous encrypted class files, which are stored in an invisible .jnana folder in the user's home folder. The class files are decrypted by a Cplib_x86_win _module, which ultimately controls the execution of the malicious functions.

Before becoming infected, Mac OS X users will be prompted with a security alert, requesting permission to download the applet. If the user clicks Deny, the applet will not run and no malware will be installed, security researchers at Intego, a Mac-focused security vendor, wrote in a blog post.

Sponsored post

However, if the user clicks Allow, the applet will run and attempt to download a multitude of malicious files from remote servers. The malware then functions similarly to the Koobface worm running on Windows.

Trojan Contains A Slew Of Malicious FunctionsOnce installed, the Trojan has the ability to self-update, connect to remote command and control centers, record a user's key strokes, decrypt packaged files in Windows and Mac platforms, and read cookies of the logged on users and post malicious links to a user's social networking profile.

Symantec security researchers say that the Java applet, a platform independent application, is what gives the Koobface variant its cross-platform capabilities.

"It's worth noting that the choice of language to code the Trojan is also cleverly chosen. The Trojan is written in Java, which is a platform independent language," said Symantec researcher Jeet Morparia in a blog post Thursday. "Individual modules contain Java complied files, which are packaged in a Java runtime executable. As long as a computer has the Java Runtime Environment (JRE) installed on it, which is often the case across all the platforms, the threat can execute itself."

Morparia said that that the multiplatform attack indicates that the Mac is becoming increasingly popular, as hackers continuously look for new ways to achieve profitability.

"The popularity of other systems, for example Mac OS X, has captured the attention of malware writers," he said. "They are constantly trying to expand their scope beyond Windows and maximize their infection base by infecting other popular operating systems."