Koobface for Mac OS X squirming on Facebook

Security researchers have found the first version of the Koobface malware targeting Mac OS X users on Facebook, MySpace and Twitter.
Written by Ryan Naraine, Contributor on


"This threat is a Mac OS X version of the Koobface worm, which is served as part of a multi-platform attack via a malicious Java applet," according to an alert from Intego.

This new Koobface variant, currently spreading via links in messages on social networking sites, uses malicious web sites to attempt to trick Mac OS X users into viewing a video file.

According to Intego, these sites attempt to load a Java applet. There is no automatic infection because users are alerted via the standard Mac OS X Java security alert.

Users can deny or allow the applet access to their computers. If they click Deny, the applet will not run, and no infection will occur. If they click Allow, however, the applet will run, and will attempt to download files from one or more remote servers.

If the user is tricked into running the Java applet, malicious files are downloaded into an invisible folder (.jnana) in the current user’s home folder.

These files include elements designed to infect Mac OS X, Windows and Linux. The Java applet should also download an installer that will then launch and attempt to install the malware. While Intego has evidence of several infections in the wild, we are not currently able to go beyond this step, as either the malicious malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files.

The company said the malware is capable of operating exactly like the Koobface worm running on Windows. "It runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently," Intego said.

The company rates the threat as "low" because the current Mac OS X implementation is flawed, but warned Mac OS X users that the malicious hackers behind Koobface are now tinkering with a Mac version to expand the base of victims.
