This new Koobface variant, currently spreading via links in messages on social networking sites, uses malicious web sites to try to trick Mac OS X users into viewing a video file.
According to Intego, these sites attempt to load a Java applet. There is no automatic infection because users are alerted via the standard Mac OS X Java security alert.
Users can deny or allow the applet access to their computers. If they click Deny, the applet will not run, and no infection will occur. If they click Allow, however, the applet will run, and will attempt to download files from one or more remote servers.
If the user is tricked into running the Java applet, malicious files are downloaded into an invisible folder (.jnana) in the current user's home folder.
These files include elements designed to infect Mac OS X, Windows and Linux. The Java applet should also download an installer that will then launch and attempt to install the malware. While Intego has evidence of several infections in the wild, we are not currently able to go beyond this step, as either the malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files.
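Since the only on-disk indicator the report gives is the hidden .jnana folder in the user's home directory, a defender can sweep a Mac for it and record what was dropped. The following is an added example, not code from Intego or the article; it assumes the folder sits directly under each home in /Users, as described above, and the sample home it builds is a constructed fixture, not a real infection.

```python
import hashlib
import tempfile
from pathlib import Path

# Hidden staging folder that Intego reports this Koobface variant creates in the home directory.
INDICATOR_DIR = ".jnana"

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large dropped payloads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_home(home: Path) -> list[dict]:
    """Return one triage record per file under <home>/.jnana; [] when the folder is absent."""
    target = home / INDICATOR_DIR
    if not target.is_dir():
        return []
    records = []
    for p in sorted(target.rglob("*")):
        if p.is_file():
            records.append({"path": str(p.relative_to(home)),
                            "size": p.stat().st_size,
                            "sha256": sha256_of(p)})
    return records

def scan_all_homes(users_root: Path = Path("/Users")) -> dict[str, list[dict]]:
    """Check every home directory under users_root (macOS keeps them in /Users)."""
    hits = {}
    for home in users_root.iterdir():
        if home.is_dir():
            found = scan_home(home)
            if found:
                hits[home.name] = found
    return hits

def build_constructed_sample() -> Path:
    """Constructed fixture: a throwaway home dir with a .jnana folder holding one dummy file."""
    home = Path(tempfile.mkdtemp(prefix="home_"))
    (home / INDICATOR_DIR).mkdir()
    (home / INDICATOR_DIR / "dropped.bin").write_bytes(b"not real malware")
    return home

if __name__ == "__main__":
    for user, found in scan_all_homes().items():
        print(f"[!] {user}: {len(found)} file(s) in ~/{INDICATOR_DIR}")
        for r in found:
            print(f"    {r['path']}  {r['size']} bytes  sha256={r['sha256']}")
```

The hashes let you compare what was dropped on each machine and check whether the installer stage ever arrived, which the report says it often does not.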
The company said the malware is capable of operating exactly like the Koobface worm running on Windows. "It runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently," Intego said.
The company rates the threat as "low" because the current Mac OS X implementation is flawed, but warned Mac OS X users that the malicious hackers behind Koobface are now tinkering with a Mac version to expand their base of victims.