Monday, November 15, 2010

Nov 14 Java/Boonana-A Facebook OSX Trojan

Malware Type

Secure Mac: Trojan horse that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The trojan is currently appearing as a link in messages on social networking sites with the subject "Is this you in this video?"

General File Information

File jnana.tsa (v 11.7) and jnana.jar (v 11.8)

MD5: 7a04e9185daf9551edd90e7bff2daa8e and 2533F62C321117C46D6DF6122C3009BD (unpacked)
File size: 171980 bytes
Type: PDF
Distribution: Facebook
Source: kernelmode.info (many thanks to xhandsome) and www.kaldata.com (many thanks to Васил)

Read about versions here: Malware Diaries: Jnana, Boonana: as many names as variants?
Image from Malware Diaries



Download

Nov 13, 2010 ESET Discovers Fresh Boonana Variant Trojan.osx.boonana.b (note: only Trojan.osx.boonana.a is available for download)


Automated Scans

jnana.tsa
Submission date: 2010-11-15 04:44:14 (UTC)
26/43 (60.5%)
AhnLab-V3     2010.11.07.00     2010.11.07     Java/Boonana
AntiVir     7.10.13.164     2010.11.07     JAVA/Dldr.Alboto.A
Avast     4.8.1351.0     2010.11.07     Java:Boonana-A
Avast5     5.0.594.0     2010.11.07     Java:Boonana-A
AVG     9.0.0.851     2010.11.07     Java/Downloader.AK
BitDefender     7.2     2010.11.08     Java.Trojan.Boonana.B
ClamAV     0.96.2.0-git     2010.11.08     Trojan.Java.Boonana-5
DrWeb     5.0.2.03300     2010.11.08     Trojan.Jnana.1
F-Secure     9.0.16160.0     2010.11.08     Java.Trojan.Boonana.B
GData     21     2010.11.08     Java.Trojan.Boonana.B
Ikarus     T3.1.1.90.0     2010.11.08     Trojan-Downloader.Java.Alboto
Kaspersky     7.0.0.125     2010.11.08     Trojan-Downloader.Java.Alboto.a
McAfee     5.400.0.1158     2010.11.08     Boonana
McAfee-GW-Edition     2010.1C     2010.11.07     Boonana
Microsoft     1.6301     2010.11.07     Trojan:Java/Boonana
NOD32     5599     2010.11.07     Java/Boonana.A
PCTools     7.0.3.5     2010.11.08     Trojan.Jnanabot
Sophos     4.59.0     2010.11.08     Troj/Boonana-A
Symantec     20101.2.0.161     2010.11.08     Trojan.Jnanabot
TrendMicro     9.120.0.1004     2010.11.08     JAVA_JNANA.A
TrendMicro-HouseCall     9.120.0.1004     2010.11.08     JAVA_JNANA.A
ViRobot     2010.10.4.4074     2010.11.08     Dropper.S.Agent.171980
VBA32    3.12.14.2    2010.11.12    Trojan-Downloader.Java.Alboto.a
Sunbelt    7314    2010.11.15    Trojan.Java.Boonana.a (v)
PCTools    7.0.3.5    2010.11.15    Trojan.Jnanabot
Emsisoft    5.0.0.50    2010.11.15    Trojan-Downloader.Java.Alboto!IK
MD5: 7a04e9185daf9551edd90e7bff2daa8e

Analysis Links

Links:
Oct 26th, 2010 SecureMac Security Bulletin Initial analysis of trojan.osx.boonana.a
Oct 27, 2010 Krebs on Security Koobface Worm Targets Java on Mac OS X

Linux
Oct 30, 2010 Malware Diaries Koobface: the cross-platform version
Oct 30, 2010 Linux Java-Based Trojan Might Have Been an Accident
Nov 2, 2010 Malware Diaries New version of jnana AKA Koobface


Analysis excerpt
Read the full analysis Oct 26th, 2010 SecureMac Security Bulletin Initial analysis of trojan.osx.boonana.a
Secure Mac:
"The initial infection vector of the Boonana trojan is through a message on social networking sites similar to "Is this you in this video?" which includes a link to an external site. Upon clicking the link, a java applet will attempt to load in the user's web browser.
The web browser will then prompt the user to allow content signed by an untrusted certificate to run.

When the user accepts the certificate, the applet loads."

Read more at Oct 26th, 2010 SecureMac Security Bulletin Initial analysis of trojan.osx.boonana.a

Network activity

Ubuntu 9.10 generating loads of traffic (video from Oct 30, 2010 Malware Diaries, Koobface: the cross-platform version)



1 comment:

  1. Java and to some degree .Net are the main choices because they have been consistently pegged as the “safe” choice to go with for mid-level project managers in the corporate world. No one was ever fired for choosing Java or Microsoft.

    However, there are many large distributed applications these days that run primarily with technologies like Python, PHP, et al. Even companies like Google and Yahoo are heavily invested in these technologies. Java may be the main choice for enterprise development now, but its days are numbered as the only stalwart option to go with.

    Let’s face it, many of these so called “enterprise applications” could easily have been written much faster and with less overhead using technologies like Python, PHP, et al.

    OpenCL Training