Koobface for Mac OS X squirming on Facebook

Summary: Security researchers have found the first version of the Koobface malware targeting Mac OS X users on Facebook, MySpace and Twitter.

"This threat is a Mac OS X version of the Koobface worm, which is served as part of a multi-platform attack via a malicious Java applet," according to an alert from Intego.

This new Koobface variant, currently spreading via links in messages on social networking sites, uses malicious web sites to try to trick Mac OS X users into viewing a video file.

According to Intego, these sites attempt to load a Java applet. There is no automatic infection, because users are alerted via the standard Mac OS X Java security alert.

Users can deny or allow the applet access to their computers. If they click Deny, the applet will not run, and no infection will occur. If they click Allow, however, the applet will run, and will attempt to download files from one or more remote servers.

If the user is tricked into running the Java applet, malicious files are downloaded into an invisible folder (.jnana) in the current user's home folder.

These files include elements designed to infect Mac OS X, Windows and Linux. The Java applet should also download an installer that then launches and attempts to install the malware. While Intego has evidence of several infections in the wild, we are not currently able to go beyond this step, as either the malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files.
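A defender's sweep for the drop folder described above, written as an added example (not Intego's tool or code from this article): it walks the directories under a home root, reports any hidden ".jnana" folder and inventories what it holds. The home root path and the file attributes it flags are my assumptions; the folder name comes from the article.

```python
"""Sweep user home directories for the hidden ".jnana" drop folder Koobface uses."""
import os
import stat
import sys
from pathlib import Path
from typing import Dict, List, Optional

DROP_DIR = ".jnana"  # hidden folder named in Intego's write-up


def inventory_drop_dir(home: Path) -> Optional[Dict]:
    """Return an inventory of home/.jnana, or None if the folder is absent."""
    drop = home / DROP_DIR
    if not drop.is_dir():
        return None
    files: List[Dict] = []
    for p in sorted(drop.rglob("*")):
        if p.is_file():
            st = p.stat()
            files.append({
                "path": str(p.relative_to(home)),
                "size": st.st_size,
                # executable bit and Java artefacts are worth a second look
                "executable": bool(st.st_mode & stat.S_IXUSR),
                "java_archive": p.suffix.lower() in (".jar", ".class"),
            })
    return {"home": str(home), "drop_dir": str(drop), "files": files}


def sweep_homes(homes_root: Path) -> List[Dict]:
    """Check every directory under homes_root (assumed /Users on a Mac) and collect hits."""
    hits: List[Dict] = []
    for home in sorted(homes_root.iterdir()):
        if home.is_dir():
            inv = inventory_drop_dir(home)
            if inv is not None:
                hits.append(inv)
    return hits


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/Users")
    for hit in sweep_homes(root):
        print(f"[!] {hit['drop_dir']}: {len(hit['files'])} file(s)")
        for f in hit["files"]:
            flag = "x" if f["executable"] else "-"
            print(f"    {flag} {f['size']:>8} {f['path']}")
```

Run it with no arguments to sweep /Users, or pass another root; a hit is a starting point for triage, not proof of the full infection chain, since Intego notes the installer step often fails.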

The company said the malware is capable of operating exactly like the Koobface worm running on Windows. "It runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently," Intego said.

The company rates the threat as "low" because the current Mac OS X implementation is flawed, but warned Mac OS X users that the malicious hackers behind Koobface are now tinkering with a Mac version to expand the base of victims.

Talkback

  • RE: Koobface for Mac OS X squirming on Facebook

    Bah! When I see it....I'll believe it.
    james347
    • But Mac users don't run AV so

      You'll never see it. It's not that it isn't there, you just won't be alerted to it.
      John Zern
      • RE: Koobface for Mac OS X squirming on Facebook

        @John Zern

        We don't, that's news to me. My Virus Barrier keeps bugging me to update. But how could that be "Mac users don't run AV"?
        jakenhauser23
      • My Fault. I should have said

        [i]But [b]most[/b] Mac users don't run AV software[/i].

        You're actually the first person here that I've noticed that actually said they run it on their Mac.
        (My niece actually told me her college professor told her to get a Mac because they're not capable of being infected, so with advice like that...)
        John Zern
      • It's there hiding on my MAC - really?

        @John Zern

        FTA "[i]There is no automatic infection because users are alerted via the standard Mac OS X Java security alert.[/i]"

        Oh I guess you think everyone is stupid enough to bypass security and run everything a Web site tries to invoke.

        Get a life John...
        jacarter3
      • @jacarter3: Why shouldn't he?

        [i]Oh I guess you think everyone is stupid enough to bypass security and run everything a Web site tries to invoke.[/i]

        You do realize, don't you, that nearly 100% of all web infections on Windows happen to people who do [b]exactly[/b] what you described above? So while not [b]everyone[/b] is that stupid, the evidence does support the conclusion that many, many, many people truly are stupid enough to ignore the warnings that an OS presents to its users and [b]will[/b] download and run malware on their computers.
        NonZealot
      • RE: Koobface for Mac OS X squirming on Facebook

        @John Zern
        Of course I'll be alerted, because Java apps run in a sandbox, and have to explicitly ask permission to access my Mac.

        Take a look at this: http://blog.intego.com/wp-content/uploads/2010/10/koobface1.jpg

        When I see the message asking me if I want to run some Java applet with a signature that can't be verified, I click Deny.

        No anti-malware software needed.
        stevenjklein
      • Cue the double standards and the arrogant egos...

        @jacarter3

        [i]Oh I guess you think everyone is stupid enough to bypass security and run everything a Web site tries to invoke.[/i]

        Oh, I see, so when it's Windows UAC asking to allow or cancel, everyone is stupid enough to bypass security; but when it's Apple's controls, because they are Mac users, they are inherently smarter?

        Doubt it...remember, the majority of people who purchase Apple are because they 1) bought into marketing hype, or 2) bought because their peers have an Apple product (and I'm talking computer, phone, mp3 player)...they didn't buy out of need or necessity. (yes, I will admit that in some industries/functions, Macs are the better choice. But it has [i][b]nothing[/b][/i] to do with security)

        Stay tuned, more of this sort will show up...just like Charlie Miller said (who knows a thing or two about Macs), as soon as it starts to pay off to hack Macs, people will.
        SonofaSailor
      • RE: Koobface for Mac OS X squirming on Facebook

        @stevenjklein

        You click "Deny" (wait, Mac has what basically amounts to UAC? Really? {/sarcasm}), but the majority of computer users, be they Windows or Mac, WON'T click Deny.

        Do not apply your technical ability and knowledge to the average user, it just doesn't work, especially for "Macs are completely safe" users who don't know better.
        PollyProteus
      • My life is more informed, jacarter3

        then yours, apparently.

        The Standard Alert doesn't distinguish between a trojan and some applet designed to run and play silly music for a clip or something, unlike AV software that says will let you know.
        John Zern
      • RE: Koobface for Mac OS X squirming on Facebook

        @Sonofasailor

        "The United States has the dubious honor of being the country with the most botnet infections. Microsoft identified 2.2 million computers compromised by botnet malware in the U.S. during the second quarter of the year, four times more than Brazil, where 550,000 botnet infections were identified."

        http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227800051

        Care to explain this? Microsoft is the OS company of choice for botnets...so tell me why you're here bashing MacOS?
        cyberslammer2
      • Thank you, numbnut, for once again applying the iPhone ideology...

        @cyberslammer2

        ya know, the "if we point our finger at someone else, it negates the flaw with our own product" defense
        SonofaSailor
      • RE: Koobface for Mac OS X squirming on Facebook

        @John Zern
        Actually, if you read above you will see that even without antivirus you have to explicitly give it permission to run.
        RedVeg
      • I don't know, cyberslummer2, why are you

        here at all? You're really nothing but an unknowledgeable troll, as you're not very good at that, commenting negatively on anything MS related, no matter what.

        My take is you have no right to comment on much of anything, except maybe the color of your basement "bedroom".
        John Zern
      • Wait up there Johnny boy...

        @John Zern

        "[i]The Standard Alert doesn't distinguish between a trojan and some applet designed to run and play silly music for a clip or something, unlike AV software that says will let you know.[/i]"

        Won't I "see" the alert? Won't I see that the package is unsigned? If I give permission to run the applet, does it matter if it's Mac OS-X or Windows? How do you know that Mac AV code is scanning for exploits originating on Windows? If Mac AV applications are scanning for any Windows based exploit code, shouldn't they scan for every frakking one of them? If they scan for all of the thousands of Windows based exploit code, won't that make my Mac as poorly performing as Windows 7?

        Ooooohhhh...

        Now I see why all Windows shills think all Macs need AV applications. And whatever happened to George Ou that proclaimed Windows was safe enough to run "naked" without AV?

        Still laughing and you may flame on and on and on...
        jacarter3
      • You're forgetting some important points

        @SonofaSailor

        [i]"Oh, I see, so when it's Windows UAC asking to allow or cancel, everyone is stupid enough to bypass security; but when it's Apple's controls, because they are Mac users, they are inherently smarter?"[/i]

        A large number of Mac users, like me, came from disenfranchised Windows users. Even more, like me, use both operating systems regularly. Even more, like me, have heard of the dangers and understand why these security measures that require consent are put into the system.

        Very very few of them are stupid enough not to give permission to "[i]some applet designed to run and play silly music for a clip or something[/i]." But these users exist and use every OS. And eventually they learn.

        I do believe that people buying a Mac are more likely to learn about their computers than (not "then" John..) someone buying the cheapest PC from the Compuhut. Mainly because most Apple vendors provide free training to all their customers. My Apple dealer does and it's the first thing my wife did after getting her MacBook.

        And speaking of double standards, many poster detractors here have claimed I am too stupid to manage computers and infrastructure but now claim I should NOT expect everyone to be as smart as me. So which is it exactly?
        jacarter3
    • Yet there are 20 Vulnerabilities MS has not fixed

      @james347
      Why? Please explain that Loverock.

      MS 20 Vulnerabilities that have not been patched:
      http://www.zerodayinitiative.com/advisories/upcoming/

      ZDI-CAN-533, 2009-07-23 (461 days ago)
      ZDI-CAN-543, 2009-08-06 (447 days ago)
      ZDI-CAN-598, 2009-10-27 (365 days ago)
      ZDI-CAN-672, 2010-02-02 (267 days ago)
      ZDI-CAN-706, 2010-03-12 (229 days ago)
      ZDI-CAN-767, 2010-04-06 (204 days ago)

      Hooay!
      daikon
      • And in Linux, so what's your point? Hooay!

        ;)
        John Zern
      • John Zern, Mocks the United States Army Battle Cry

        Way to go John Zern.

        Riding with Penguins in a World of Glass and Fruit, Freedom.
        Hooay!
        daikon
      • As do you

        Linux Rocks.
        John Zern