Monday, November 15, 2010

Nov 14 Java/Boonana-A Facebook OSX Trojan

Malware Type

Secure Mac: Trojan horse [.] that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The trojan is currently appearing as a link in messages on social networking sites with the subject "Is this you in this video?"

General File Information

File jnana.tsa (v 11.7) and jnana.jar (v 11.8)

MD5: 7a04e9185daf9551edd90e7bff2daa8e and 2533F62C321117C46D6DF6122C3009BD (unpacked)
File size: 171980 bytes
Type: PDF
Distribution: Facebook
Source: (many thanks to xhandsome) and (many thanks to Васил)

Read about versions here: Malware Diaries: Jnana, Boonana: as many names as variants?
Image from Malware Diaries


Nov 13, 2010 ESET Discovers Fresh Boonana Variant Trojan.osx.boonana.b (note only Trojan.osx.boonana.a is available for download)

Automated Scans

Submission date: 2010-11-15 04:44:14 (UTC)
26/43 (60.5%)
AhnLab-V3     2010.11.07.00     2010.11.07     Java/Boonana
AntiVir     2010.11.07     JAVA/Dldr.Alboto.A
Avast     4.8.1351.0     2010.11.07     Java:Boonana-A
Avast5     5.0.594.0     2010.11.07     Java:Boonana-A
AVG     2010.11.07     Java/Downloader.AK
BitDefender     7.2     2010.11.08     Java.Trojan.Boonana.B
ClamAV     2010.11.08     Trojan.Java.Boonana-5
DrWeb     2010.11.08     Trojan.Jnana.1
F-Secure     9.0.16160.0     2010.11.08     Java.Trojan.Boonana.B
GData     21     2010.11.08     Java.Trojan.Boonana.B
Ikarus     T3.     2010.11.08     Trojan-Downloader.Java.Alboto
Kaspersky     2010.11.08     Trojan-Downloader.Java.Alboto.a
McAfee     5.400.0.1158     2010.11.08     Boonana
McAfee-GW-Edition     2010.1C     2010.11.07     Boonana
Microsoft     1.6301     2010.11.07     Trojan:Java/Boonana
NOD32     5599     2010.11.07     Java/Boonana.A
PCTools     2010.11.08     Trojan.Jnanabot
Sophos     4.59.0     2010.11.08     Troj/Boonana-A
Symantec     20101.2.0.161     2010.11.08     Trojan.Jnanabot
TrendMicro     2010.11.08     JAVA_JNANA.A
TrendMicro-HouseCall     2010.11.08     JAVA_JNANA.A
ViRobot     2010.10.4.4074     2010.11.08     Dropper.S.Agent.171980
VBA32    2010.11.12    Trojan-Downloader.Java.Alboto.a
Sunbelt    7314    2010.11.15    Trojan.Java.Boonana.a (v)
PCTools    2010.11.15    Trojan.Jnanabot
Emsisoft    2010.11.15    Trojan-Downloader.Java.Alboto!IK
MD5: 7a04e9185daf9551edd90e7bff2daa8e

Analysis Links

Oct 26th, 2010 SecureMac Security Bulletin Initial analysis of trojan.osx.boonana.a
Oct 27, 2010 Krebs on Security Koobface Worm Targets Java on Mac OS X

Oct 30, 2010 Malware Diaries Koobface: the cross-platform version
Oct 30, 2010 Linux Java-Based Trojan Might Have Been an Accident
Nov 2, 2010 Malware Diaries New version of jnana AKA Koobface

Analysis excerpt
Read the full analysis: Oct 26th, 2010 SecureMac Security Bulletin, Initial analysis of trojan.osx.boonana.a
Secure Mac:
"The initial infection vector of the Boonana trojan is through a message on social networking sites similar to "Is this you in this video?" which includes a link to an external site. Upon clicking the link, a java applet will attempt to load in the user's web browser.
The web browser will then prompt the user to allow content signed by an untrusted certificate to run.

When the user accepts the certificate, the applet loads." Read more at Oct 26th, 2010 SecureMac Security Bulletin, Initial analysis of trojan.osx.boonana.a
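The excerpt above describes an applet JAR that runs only after the user accepts an untrusted signing certificate. As an added example (not code from the original post, from SecureMac, or from the sample itself), here is a Python triage helper a defender can run on such a JAR offline: it reports the MD5, whether the archive carries the META-INF signature files that trigger that browser prompt, and whether each entry still matches the digest recorded in its manifest. The sample JAR it builds is constructed, and its .SF/.RSA entries are placeholders rather than a real signature.

```python
import base64
import hashlib
import io
import zipfile

DIGESTS = {'SHA1-Digest': hashlib.sha1, 'SHA-256-Digest': hashlib.sha256}

def parse_manifest(text):
    """Parse MANIFEST.MF into {entry_name: {attr: value}}; key '' is the main section."""
    lines = []
    for line in text.replace('\r\n', '\n').split('\n'):
        if line.startswith(' ') and lines:  # continuation of a line wrapped at 72 bytes
            lines[-1] += line[1:]
        else:
            lines.append(line)
    sections = {}
    for block in '\n'.join(lines).split('\n\n'):  # a blank line ends each section
        attrs = dict(ln.partition(': ')[::2] for ln in block.split('\n') if ln)
        if attrs:
            sections[attrs.get('Name', '')] = attrs
    return sections

def triage_jar(jar_bytes):
    """Triage a suspicious applet JAR: MD5, signature files present, manifest digest mismatches."""
    info = {'md5': hashlib.md5(jar_bytes).hexdigest(), 'size': len(jar_bytes), 'mismatches': []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        info['signature_files'] = sorted(n for n in names if n.startswith('META-INF/')
                                         and n.upper().endswith(('.SF', '.RSA', '.DSA', '.EC')))
        info['signed'] = any(n.upper().endswith('.SF') for n in info['signature_files'])
        raw = zf.read('META-INF/MANIFEST.MF') if 'META-INF/MANIFEST.MF' in names else b''
        for entry, attrs in parse_manifest(raw.decode()).items():
            if entry and entry in names:
                for attr, fn in DIGESTS.items():  # every digest attribute present must match
                    if attr in attrs and base64.b64decode(attrs[attr]) != fn(zf.read(entry)).digest():
                        info['mismatches'].append(entry)
    return info

def build_sample_jar(tamper=False):
    """Constructed sample (not the real jnana.jar); the .SF/.RSA entries are placeholders only."""
    klass = b'\xca\xfe\xba\xbe constructed class bytes'
    digest = base64.b64encode(hashlib.sha256(klass).digest()).decode()
    manifest = 'Manifest-Version: 1.0\r\n\r\nName: Applet.class\r\nSHA-256-Digest: %s\r\n\r\n' % digest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('META-INF/MANIFEST.MF', manifest)
        zf.writestr('META-INF/SIGNER.SF', 'Signature-Version: 1.0\r\n\r\n')
        zf.writestr('META-INF/SIGNER.RSA', b'placeholder PKCS#7 block')
        zf.writestr('Applet.class', klass + (b'!' if tamper else b''))  # tamper after digesting
    return buf.getvalue()
```

A digest mismatch means the archive was modified after its manifest was written; the presence of .SF/.RSA entries only says a signature exists, and who signed it still has to be read from the PKCS#7 block with a tool such as jarsigner or openssl.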

Network activity

Ubuntu 9.10 generating loads of traffic (video from Oct 30, 2010 Malware Diaries, Koobface: the cross-platform version)

1 comment:

  1. Java and to some degree .Net are the main choices because they have been consistently pegged as the “safe” choice to go with for mid-level project managers in the corporate world. No one was ever fired for choosing Java or Microsoft.

    However, there are many large distributed applications these days that run primarily with technologies like Python, PHP, et al. Even companies like Google and Yahoo are heavily invested in these technologies. Java may be the main choice for enterprise development now, but its days are numbered as the only stalwart option to go with.

    Let’s face it, many of these so called “enterprise applications” could easily have been written much faster and with less overhead using technologies like Python, PHP, et al.

    OpenCL Training