Malware Type
Secure Mac: Trojan horse [.] that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The trojan is currently appearing as a link in messages on social networking sites with the subject "Is this you in this video?"
General File Information
File jnana.tsa (v 11.7) and jnana.jar (v 11.8)
MD5 7a04e9185daf9551edd90e7bff2daa8e and 2533F62C321117C46D6DF6122C3009BD (unpacked)
File size: 171980 bytes
Type: Java archive (JAR applet; the "tsa" extension is just the name it was served under, see the Java/* detection names below)
Distribution: Facebook
Source: kernelmode.info (many thanks to xhandsome) and www.kaldata.com (many thanks to Васил)
Read about the versions at Malware Diaries: Jnana, Boonana: as many names as variants?
[Version table image, from Malware Diaries]
Download
- Download jnana.tsa - trojan version 11.7 7a04e9185daf9551edd90e7bff2daa8e packed and unpacked versions as a password protected archive (contact me if you need the password)
- Download jnana.jar - trojan version 11.8 2533F62C321117C46D6DF6122C3009BD unpacked version as a password protected archive (contact me if you need the password)
Nov 13, 2010 ESET Discovers Fresh Boonana Variant Trojan.osx.boonana.b (note only Trojan.osx.boonana.a is available for download)
Automated Scans
jnana.tsa
Submission date: 2010-11-15 04:44:14 (UTC)
Result: 26/43 (60.5%)
Vendor | Engine version | Signature date | Detection name
AhnLab-V3 2010.11.07.00 2010.11.07 Java/Boonana
AntiVir 7.10.13.164 2010.11.07 JAVA/Dldr.Alboto.A
Avast 4.8.1351.0 2010.11.07 Java:Boonana-A
Avast5 5.0.594.0 2010.11.07 Java:Boonana-A
AVG 9.0.0.851 2010.11.07 Java/Downloader.AK
BitDefender 7.2 2010.11.08 Java.Trojan.Boonana.B
ClamAV 0.96.2.0-git 2010.11.08 Trojan.Java.Boonana-5
DrWeb 5.0.2.03300 2010.11.08 Trojan.Jnana.1
F-Secure 9.0.16160.0 2010.11.08 Java.Trojan.Boonana.B
GData 21 2010.11.08 Java.Trojan.Boonana.B
Ikarus T3.1.1.90.0 2010.11.08 Trojan-Downloader.Java.Alboto
Kaspersky 7.0.0.125 2010.11.08 Trojan-Downloader.Java.Alboto.a
McAfee 5.400.0.1158 2010.11.08 Boonana
McAfee-GW-Edition 2010.1C 2010.11.07 Boonana
Microsoft 1.6301 2010.11.07 Trojan:Java/Boonana
NOD32 5599 2010.11.07 Java/Boonana.A
PCTools 7.0.3.5 2010.11.08 Trojan.Jnanabot
Sophos 4.59.0 2010.11.08 Troj/Boonana-A
Symantec 20101.2.0.161 2010.11.08 Trojan.Jnanabot
TrendMicro 9.120.0.1004 2010.11.08 JAVA_JNANA.A
TrendMicro-HouseCall 9.120.0.1004 2010.11.08 JAVA_JNANA.A
ViRobot 2010.10.4.4074 2010.11.08 Dropper.S.Agent.171980
VBA32 3.12.14.2 2010.11.12 Trojan-Downloader.Java.Alboto.a
Sunbelt 7314 2010.11.15 Trojan.Java.Boonana.a (v)
PCTools 7.0.3.5 2010.11.15 Trojan.Jnanabot
Emsisoft 5.0.0.50 2010.11.15 Trojan-Downloader.Java.Alboto!IK
MD5 : 7a04e9185daf9551edd90e7bff2daa8e
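The scan list above is a good illustration of the "as many names as variants" problem: the same JAR is Boonana to some engines, Jnana/Jnanabot to others, Alboto to Kaspersky-based engines, and a generic Java downloader or dropper to the rest. The following script is an added example, not code from this post or from VirusTotal: it parses scan lines in the flattened "vendor version date detection" layout used above and groups the vendors by family alias, so a triage note can say which names refer to the same thing. The alias table and the embedded subset of ten lines are constructed from the results shown here; the real report has 26 detections.

```python
"""Group multi-vendor detection names for one sample by family alias.

Added example (not the post's own tooling). SCAN_LINES is a subset of the
scan results shown above, copied into the script so it runs offline.
"""
import re
from collections import defaultdict

SCAN_LINES = """\
AhnLab-V3 2010.11.07.00 2010.11.07 Java/Boonana
AntiVir 7.10.13.164 2010.11.07 JAVA/Dldr.Alboto.A
AVG 9.0.0.851 2010.11.07 Java/Downloader.AK
BitDefender 7.2 2010.11.08 Java.Trojan.Boonana.B
DrWeb 5.0.2.03300 2010.11.08 Trojan.Jnana.1
Kaspersky 7.0.0.125 2010.11.08 Trojan-Downloader.Java.Alboto.a
Symantec 20101.2.0.161 2010.11.08 Trojan.Jnanabot
TrendMicro 9.120.0.1004 2010.11.08 JAVA_JNANA.A
ViRobot 2010.10.4.4074 2010.11.08 Dropper.S.Agent.171980
Sunbelt 7314 2010.11.15 Trojan.Java.Boonana.a (v)
"""

# One scan line: vendor, engine version, signature-database date, detection name.
LINE_RE = re.compile(
    r"^(?P<vendor>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<name>.+?)\s*$"
)

# Alias table built from the names in this report: family -> tokens that mean it.
# Anything that matches none of them (Downloader.AK, Dropper.S.Agent...) is generic.
ALIASES = {
    "boonana": ("boonana",),
    "jnana": ("jnana", "jnanabot"),
    "alboto": ("alboto",),
}


def parse_scan(text):
    """Return one dict per well-formed scan line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def family_of(name):
    """Map a vendor detection name to a family alias via its name tokens."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    for family, keys in ALIASES.items():
        if any(tok in keys for tok in tokens):
            return family
    return "generic"


def summarize(text):
    """Group detecting vendors by family and note the earliest signature DB date seen."""
    rows = parse_scan(text)
    by_family = defaultdict(list)
    for row in rows:
        by_family[family_of(row["name"])].append(row["vendor"])
    return {
        "detections": len(rows),
        "families": dict(by_family),
        "earliest_sig_db_date": min(row["date"] for row in rows) if rows else None,
    }


if __name__ == "__main__":
    for family, vendors in summarize(SCAN_LINES)["families"].items():
        print(f"{family:8s} {', '.join(vendors)}")
```

To run it over the full 26-line list, paste the remaining lines into SCAN_LINES; the regex tolerates trailing qualifiers such as "(v)" and "!IK" because they are part of the detection name.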
Oct 26th, 2010 SecureMac Security Bulletin Initial analysis of trojan.osx.boonana.a
Oct 27, 2010 Krebs on Security Koobface Worm Targets Java on Mac OS X, Linux
Oct 30, 2010 Malware Diaries Koobface: the cross-platform version
Oct 30, 2010 Linux Java-Based Trojan Might Have Been an Accident
Nov 2, 2010 Malware Diaries New version of jnana AKA Koobface
Analysis excerpt
Read the full analysis Oct 26th, 2010 SecureMac Security Bulletin Initial analysis of trojan.osx.boonana.a
Secure Mac:
"The initial infection vector of the Boonana trojan is through a message on social networking sites similar to "Is this you in this video?" which includes a link to an external site. Upon clicking the link, a java applet will attempt to load in the user's web browser.
The web browser will then prompt the user to allow content signed by an untrusted certificate to run.
When the user accepts the certificate, the applet loads." Read more at Oct 26th, 2010 SecureMac Security Bulletin Initial analysis of trojan.osx.boonana.a
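The bulletin's delivery chain (social-network lure, applet load, prompt to accept an untrusted signing certificate) is exactly what a quick static triage of the JAR should confirm before anyone runs it. The script below is an added example, not code from this post, from SecureMac or from the Malware Diaries write-ups: it hashes a candidate file against the two MD5s published in the General File Information section, opens it as a JAR and reports whether it carries a code signature (META-INF/*.SF plus an .RSA/.DSA/.EC signature block) and what its manifest declares. The signature check matters because of the prompt the bulletin describes: the Java 6-era browser plugin ran an unsigned applet silently inside the sandbox, and only a signed applet produced the "untrusted certificate" dialog, after which the user's click granted it full privileges. The JAR returned by build_sample_jar() is constructed in memory as a stand-in and is not the real jnana.tsa; the script assumes jnana.tsa is a standard zip-based JAR, which is what the Java/* detection names above indicate.

```python
"""Static triage of a Boonana/Jnana-style applet JAR: IOC hashes plus signature check.

Added example (not the post's own code). No network access, nothing is executed.
"""
import hashlib
import io
import zipfile

# MD5 values copied from the post; labels are the post's file names/versions.
KNOWN_MD5 = {
    "7a04e9185daf9551edd90e7bff2daa8e": "jnana.tsa v11.7 (trojan.osx.boonana.a, packed)",
    "2533f62c321117c46d6df6122c3009bd": "jnana.jar v11.8 (unpacked)",
}
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def file_hashes(data):
    """MD5 (to match the post's IOCs) and SHA-256 (what you would share today)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def match_ioc(data):
    """Return the post's label when the MD5 is one of the published samples, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest().lower())


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF (handles ' ' continuation lines)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if sep:
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_jar(data):
    """Report whether a JAR is signed and what it contains, without loading any class."""
    info = {"is_jar": False, "signed": False, "signature_files": [], "manifest": {}, "classes": []}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return info
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
        info["is_jar"] = "META-INF/MANIFEST.MF" in names
        info["classes"] = [n for n in names if n.endswith(".class")]
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sf = [n for n in meta if n.upper().endswith(".SF")]
        blocks = [n for n in meta if n.upper().endswith(SIG_BLOCK_SUFFIXES)]
        info["signature_files"] = sf + blocks
        # Signed only when both the signature file and the PKCS#7 block are present.
        info["signed"] = bool(sf) and bool(blocks)
        if info["is_jar"]:
            info["manifest"] = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    return info


def triage(data):
    """Combine IOC match and JAR facts into a one-line verdict an analyst can act on."""
    jar, ioc = inspect_jar(data), match_ioc(data)
    if ioc:
        verdict = "known sample: " + ioc
    elif jar["signed"]:
        verdict = "signed JAR: plugin prompts on an untrusted signer and grants full privileges if accepted"
    elif jar["is_jar"]:
        verdict = "unsigned JAR: runs sandboxed unless a separate plugin bug escapes"
    else:
        verdict = "not a JAR"
    return {"hashes": file_hashes(data), "ioc": ioc, "jar": jar, "verdict": verdict}


def build_sample_jar(signed=True):
    """Constructed stand-in for an applet JAR; placeholder signature, not the real malware."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nCreated-By: 1.6.0 (Sun Microsystems Inc.)\r\n"
                    "Main-Class: jnana.Main\r\n\r\n")
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82\x00\x00")  # dummy PKCS#7 bytes
        zf.writestr("jnana/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return out.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_jar()), indent=2))
```

Run it as python triage.py against the in-memory sample, or call triage(open(path, "rb").read()) on a real file. The block only establishes that a signature is present; deciding whether the signer is trusted means parsing the PKCS#7 block (for example with jarsigner -verify -verbose -certs), which is deliberately left to a separate step.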
Network activity
Ubuntu 9.10 generating loads of traffic (video from Oct 30, 2010 Malware Diaries Koobface: the cross-platform version)
Comment: Java and to some degree .Net are the main choices because they have been consistently pegged as the "safe" choice to go with for mid-level project managers in the corporate world. No one was ever fired for choosing Java or Microsoft.

Comment: However, there are many large distributed applications these days that run primarily with technologies like Python, PHP, et al. Even companies like Google and Yahoo are heavily invested in these technologies. Java may be the main choice for enterprise development now, but its days are numbered as the only stalwart option to go with.
Let's face it, many of these so-called "enterprise applications" could easily have been written much faster and with less overhead using technologies like Python, PHP, et al.