SecureMac has released an initial analysis of the Boonana Trojan Horse and has created a free removal tool as well as administrative instructions to manually remove the affected machines. All of the information including the analysis of the malware is available at the Boonana Trojan Horse security bulletin page.
The initial infection vector of the Boonana trojan is through a message on social networking sites similar to "Is this you in this video?" which includes a link to an external site. Upon clicking the link, a java applet will attempt to load in the user's web browser.
During our testing, the malicious Java applet communicated with a Command & Control server, and presented an installer window at a random time after accessing the malicious site. This installer did not indicate that it had been downloaded from the web which indicates it is avoiding the quarantine flag typically set by programs such as Safari ...
Threat level discussed:
Due to the fact that the Command and Control servers for the malware are still active, gathering information such as IP addresses (most likely for control purposes), as well as the modification of the sudoers file to allow passwordless access, we maintain a threat level rating of critical for trojan.osx.boonana.a. In many cases, especially with botnets, the malware might not initially exhibit malicious behavior, but can become active at any time as the command and control servers are updated. Detailed procedures and instructions are also listed in the report.
Read More
The initial infection vector of the Boonana trojan is through a message on social networking sites similar to "Is this you in this video?" which includes a link to an external site. Upon clicking the link, a java applet will attempt to load in the user's web browser.
During our testing, the malicious Java applet communicated with a Command & Control server, and presented an installer window at a random time after accessing the malicious site. This installer did not indicate that it had been downloaded from the web which indicates it is avoiding the quarantine flag typically set by programs such as Safari ...
Threat level discussed:
Due to the fact that the Command and Control servers for the malware are still active, gathering information such as IP addresses (most likely for control purposes), as well as the modification of the sudoers file to allow passwordless access, we maintain a threat level rating of critical for trojan.osx.boonana.a. In many cases, especially with botnets, the malware might not initially exhibit malicious behavior, but can become active at any time as the command and control servers are updated. Detailed procedures and instructions are also listed in the report.
Read More