
Mac users are now at risk of getting a nasty virus.  (Source: Listmania)

If you approve, you are a sad noob, and your Mac is infected.  (Source: Intego)
Mac: Hi PC, I'm not feeling so hot today... PC: Oh, I know ALL about that. I think you have a virus!

Security experts by and large agree that security via obscurity is not a wise model for protecting customers over the long term.  That's exactly the model Apple has employed successfully for some time now.  However, its luck finally appears to be running short.

Hot on the heels of a newly discovered iOS exploit that allows access to locked iPhones, new reports [1] [2] from security research firms SecureFirm and Intego reveal that a new trojan is targeting Mac users using a vulnerability in OS X's Java player.

According to the Intego report, the new malware, trojan.osx.boonana.a, is really a reworked version of the Koobface malware, which has attacked Windows in the past.  The malware acts as a worm when it spreads and as a trojan when it is infecting your computer.

Users may encounter the worm via links posted on Facebook, MySpace, Twitter, and other websites.  When clicking the link, the applet attempts to run.  Users can stop the infection before it starts by denying the applet permission to run when OS X's Java player pops up a dialogue.

If they allow the applet to run, they may get another warning if they have a Mac antispyware program like VirusBarrier X6's Anti-Spyware installed.  If they don't get the warning, or choose to disregard it, the applet will attempt to make a connection with a remote server and install a rootkit, backdoor, command and control, and other elements.  These files are copied to an invisible folder -- .jnana -- in the user's home directory.
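As an added example (not code from the article, Intego or SecureFirm), a small POSIX shell check an administrator could run on a Mac to look for the hidden .jnana directory the article says the installer drops in a user's home directory. The default root /Users is the standard macOS location for home directories; the function name is my own.

```shell
#!/bin/sh
# Added example: scan every home directory under a root for the hidden
# ".jnana" folder named in the article. Prints findings for triage and
# returns 0 when nothing is found, 1 when at least one suspect folder
# exists, so it can be used from a cron job or monitoring script.
# Usage: check_jnana [users_root]   (users_root defaults to /Users)
check_jnana() {
    root="${1:-/Users}"
    found=0
    for home in "$root"/*; do
        # Skip anything that is not a directory (including an unmatched glob).
        [ -d "$home" ] || continue
        dir="$home/.jnana"
        if [ -d "$dir" ]; then
            found=$((found + 1))
            printf 'SUSPECT: %s\n' "$dir"
            # Show what was dropped and when; useful for building a timeline.
            ls -la "$dir" 2>/dev/null | sed 's/^/    /'
        fi
    done
    if [ "$found" -eq 0 ]; then
        printf 'OK: no .jnana directory under %s\n' "$root"
        return 0
    fi
    printf 'FOUND: %d suspect .jnana director(y/ies) under %s\n' "$found" "$root"
    return 1
}
```

Run it as an administrator so every home directory is readable; a non-zero exit means a user's home directory matches the indicator and warrants a closer look.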

If the virus is allowed to carry out its infection process, the unsuspecting Mac user may find themselves part of a botnet.  When they log on to social networks, the virus will post links to spread the infection.  It may also send spam e-mail via their logged-in accounts.

Other variants of this virus target Windows and Linux, making it a rare true cross-platform virus.  All these viruses share the fact that they use the Java player as a route of attack.  According to Intego, other OS X-specific versions of the virus have shown up, but most are broken or try to connect to offline servers.

The malware could become more dangerous in the future if it is able to eliminate the warnings from the Java player and/or change the name or location of the infection directory, making it hard for virus removal software to find it.

While it does not appear that this virus takes advantage of any unique flaws in Apple's version of Java, some security experts say that Apple's Java player may have more vulnerabilities than Windows'.  That's because Apple makes its own Java player, which, according to an e-mail reportedly attributed to Apple Chief Executive Steve Jobs, is always a version behind the official Linux/Windows builds from Sun and Oracle.

Apple is reportedly considering ditching its Java player in future versions of OS X, such as OS X 10.7 "Lion".  Similarly, it's considering rejecting Flash, another multimedia web technology.  Ultimately these efforts may eliminate some routes of attack, but now that Apple is being targeted it must realize -- there is always a back door.


Comments

Hold on....
By JackBurton on 10/28/2010 8:49:48 AM , Rating: 2
Does this trojan need root access to install? If so, I don't see the problem here. Just deny access and you're fine. NO ONE should be running as root, just like NO ONE should be running as an admin on a Windows machine.

RE: Hold on....
By SkullOne on 10/28/2010 8:55:53 AM , Rating: 4
That's the million dollar problem to which there is no fix. They will run it and give it admin access if it asks because people are too stupid NOT to do it.

Social engineering at its best.

RE: Hold on....
By Luticus on 10/28/2010 9:03:18 AM , Rating: 5
Most Mac users I know operate under the assumption that they CAN'T get viruses, and therefore when they get the "do you want to run this" box they'll be lulled into a false sense of security and just say yes.

Sad really.

It is, however, the same reason UAC isn't as effective as it could be.

RE: Hold on....
By Flunk on 10/28/2010 10:35:12 AM , Rating: 2
Because idiots turn it off?

In all seriousness you're exactly right.

RE: Hold on....
By bitterman0 on 10/28/2010 1:21:28 PM , Rating: 5
Look, no matter how many prompts to confirm doing something you have to click through, if you are bent on not thinking what you are doing, they are not going to stop you.

Most "home users" don't really care to learn why their computer wants them to click this or that. They just automatically click "OK", or "Yes", or whatever to make the thing go away. Why? Because they were numbed by all those "legitimate" warnings they have experienced before and learned early that a "Cancel" or "No" click will do them no good in getting what they wanted.

RE: Hold on....
By lolmuly on 10/29/2010 4:53:47 PM , Rating: 2
I personally like getting more prompts; it makes me feel like I have more control.

I use online armor free firewall set up to be super paranoid, and spybot tea-timer to watch for registry changes...

asks me when global hooks are set,
asks me when something tries to access the key log,
asks me when a registry change happens,
asks me when something wants to set itself to autorun,
asks me when a process tries to start,
asks me when one process tries to start another,
asks me when something tries to upload/download,

The power it gives me is wonderful ^^

RE: Hold on....
By omnicronx on 10/28/2010 9:13:34 AM , Rating: 2
It's a Java bug, so I would assume yes. Although I think it occurred without the user's knowledge before Apple released a security patch, now it will pop up a warning showing you there is an unauthorized applet trying to run.

With OSX you are almost always running as root, but just like nix, you have to enter your password for most things that alter anything at the system level.

RE: Hold on....
By bitterman0 on 10/28/2010 1:07:58 PM , Rating: 3
I think it occurred without the user's knowledge before Apple released a security patch, now it will pop up a warning showing you there is an unauthorized applet trying to run

In my experience, the JVM running in a browser would always pop up a warning if a Java Applet requests permissions to access local resources (such as the filesystem). This happens regardless of the Applet being signed with a valid security certificate. It has been like that since the inception of the Applet business, actually. Unless Apple made a mistake in their version of the JVM, I would assume the warning was there; users simply clicked through it without reading or taking a moment to contemplate the reason why a Java Applet wants to access local resources (which may present itself as legitimate, by the way, since the application is called "Photo Album").

With OSX you are almost always running as root, but just like nix, you have to enter your password for most things that alter anything at the system level.

Can't vouch for OS X, really, but I believe what you are thinking about is a mechanism called sudo. A really neat utility, if you ask me, and while it behaves somewhat similar to UAC from the end-user viewpoint, it is fundamentally different because unlike UAC the user is not really root. Furthermore, sudo can grant very specific permissions to very specific users, so the privilege elevation process does not have to end up at the root level every time.

Personally, from the systems administrator standpoint, I prefer su to sudo. Although, while having some overlap in their functionality, those are two very different privilege elevation mechanisms.

RE: Hold on....
By Flunk on 10/28/2010 10:17:07 AM , Rating: 2
No, it doesn't require root access.

RE: Hold on....
By AstroGuardian on 10/28/2010 10:32:36 AM , Rating: 2
What? Are you out of your mind? NO ONE should be running as an admin on a Windows Machine? How come? Is it possible? Even for admins?

RE: Hold on....
By gstrickler on 10/31/2010 6:50:31 PM , Rating: 2
Yes. To get infected by this trojan, the user must:
1. Click "allow" to allow the applet to run (despite the warning that the certificate is invalid)
2. Click "allow" to allow the applet to run the installer
3. Enter the name and password of an administrator so it can actually install.

This is true, even if the current user is an administrator. Even after all of that, the trojan fails to install on some systems because it's poorly written. And, of course, if the user has additional anti-malware software installed, they'll get even more warnings.

Therefore, this is just a standard trojan; it does not contain a privilege elevation exploit or otherwise bypass any security settings. has admitted as much, but since they're more interested in using scare tactics to sell their software than in providing useful information, they've buried the info about it requiring the user to deliberately give it administrator access near the bottom of another document elsewhere on their web site.

On the opposite end, Intego has been honest about this from the beginning, classifying it as low risk. It's low risk because it isn't a "drive-by", remote, or other type of passive infection; it requires deliberate actions by the user, including entering an administrator password, for the trojan to do its dirty work.

Given the above, I would encourage Mac users to avoid securemac and use Intego or ClamAV for additional anti-malware protection.
