or Connect
AppleInsider › Forums › Software › Mac OS X › Java-based Trojan horse targets computers running Apple's Mac OS X
New Posts  All Forums:Forum Nav:

Java-based Trojan horse targets computers running Apple's Mac OS X

post #1 of 94
Thread Starter 
A newly discovered Trojan horse spreading through social networking sites targets Apple's Mac OS X operating system, including the latest version, 10.6 Snow Leopard, by baiting users into clicking a link.

The Trojan, dubbed trojan.osx.boonana.a, appears as a link in messages that read "Is this you in this video?" Clicking the infected link, according to SecureMac, runs a Java applet that attempts to downloads files to the computer, including an installer that launches automatically.

But another antivirus firm, Intego, also issued a notice Wednesday suggesting that the Trojan, a Mac version of the "Koobface" worm, carries a "low risk." The security firm said that the current Mac OS X implementation is flawed, though it admitted the threat exists and is likely to become a more legitimate concern in the future.

The installer reportedly modifies the system and allows remote access to all files on the system, and checks in with control servers to report information from the infected system. The Trojan also automatically runs in the background at startup, and attempts to hide its activities across multiple files.

The virus then spreads by posting messages to social networking sites like Facebook, MySpace and Twitter.

"This is a sobering reminder that hackers are turning their efforts toward Mac OS X as Apple's marketshare grows, and users should be vigilant in protecting their computers and taking precautions when surfing the web," said Nicholas Ptacek, a security researcher at SecureMac.

The Java-based Trojan is said to be cross-platform and includes files that affect both Mac OS X and Microsoft Windows. The security firm noted there have been recent Trojan horses that targeted Windows, but this new threat is cross-platform. SecureMac has released a free tool to remove trojan.osx.boonana.a, while Intego's VirusBarrier X6 and X5 detect and remove the malware.

Last week, Apple said it may remove the Apple-produced Java runtime from future versions of Mac OS X, perhaps starting with next year's 10.7 Lion. The Java runtime shipping in Mac OS X 10.6 Snow Leopard and Mac OS X 10.5 Leopard will be supported through the support cycles of those products.

An e-mail claimed to be sent by Apple Chief Executive Steve Jobs suggested that Java updates issued by Apple are always behind the official builds created by Sun and Oracle. Some have speculated that Oracle could release its own builds of Java for the Mac instead at some point in the near future.
post #2 of 94
And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.
post #3 of 94
Why would anyone click "Allow" in this context?

post #4 of 94
Quote:
Originally Posted by CIM View Post

And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.

yeah, great, better remove it than fix it. What's the next thing which they will have to remove then? Safari?! jeez..
sent from my... internet browser of choice.
Reply
sent from my... internet browser of choice.
Reply
post #5 of 94
exactly how does this "installer" then "modify the system" without specific admin/password permission like all other installs? or maybe it can't.

SecureMac and other security software firms keep flogging these "threats" that never materialize in fact. obviously to sell their stuff to suckers. and AI and other hit-hungry blogs play right along with this.
post #6 of 94
Quote:
Originally Posted by CIM View Post

And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.

Wrong. This has nothing to do with problems with Java. The writers probably use Java as it's cross-platform, but they could just as easily used platform-specific code.

Quote:
Originally Posted by AppleInsider View Post

The virus

Trojan != virus

The only way of protecting an OS against Trojans is making it so that the OS will only run signed code and all apps must be checked first by the OS vendor before being available to the wider public, a la iOS.

Trojans are malware that work by tricking the user into running them/installing them. They do not work by exploiting OS vulnerabilities or security holes.
it's = it is / it has, its = belonging to it.
Reply
it's = it is / it has, its = belonging to it.
Reply
post #7 of 94
Quote:
Originally Posted by CIM View Post

And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.

Java is one of the safest environments in existence, so this comment makes no sense. It's way safer than native code on iOS, let alone your typical Safari browser bug requiring no plugin. But nothing's perfect.

That's also why all iOS content is signed and required to come from Apple... do we want THAT on the Mac?
post #8 of 94
Quote:
Originally Posted by Phone-UI-Guy View Post

Why would anyone click "Allow" in this context?

Why not, if they didn't understand the concept of a digital signature? It's all well and good that OSX warns you that something might be up, but by using poorly understood terminology, they increase the risk that a user will blow through the warning signs.
Please don't be insane.
Reply
Please don't be insane.
Reply
post #9 of 94
Quote:
Originally Posted by Mr. H View Post

Trojan != virus

The only way of protecting an OS against Trojans is making it so that the OS will only run signed code and all apps must be checked first by the OS vendor before being available to the wider public, a la iOS.

Trojans are malware that work by tricking the user into running them/installing them. They do not work by exploiting OS vulnerabilities or security holes.

Or to put it in layman's terms...You are the hole!
post #10 of 94
Quote:
Originally Posted by Booga View Post

Java is one of the safest environments in existence, so this comment makes no sense. It's way safer than native code on iOS, let alone your typical Safari browser bug requiring no plugin. But nothing's perfect.

That's also why all iOS content is signed and required to come from Apple... do we want THAT on the Mac?

Yes!!
post #11 of 94
Quote:
Originally Posted by Mr. H View Post

... Trojans are malware that work by tricking the user into running them/installing them...

... a la Google Pack.
post #12 of 94
Quote:
Originally Posted by Alfiejr View Post

exactly how does this "installer" then "modify the system" without specific admin/password permission like all other installs? or maybe it can't.

SecureMac and other security software firms keep flogging these "threats" that never materialize in fact. obviously to sell their stuff to suckers. and AI and other hit-hungry blogs play right along with this.

Yeah. I mean, why would anyone enter their password to verify an installation when they didn't initialize it (and only wanted to check out a video). If it requires a password, then what is the problem? If it doesn't require a password, since this is a cross-platform trojan, Oracle needs to get on top of their security. Or I guess we can wait for an update to Snow Leopard that blocks this trojan...

Still, it's good that this is just another trojan. You don't have to worry about getting infected unless you actively do something stupid.
post #13 of 94
So this malware asks for my ok to install? Yawn. Next.
post #14 of 94
Does it need user's password to do the initial install? The article was very vague in this aspect.
post #15 of 94
Quote:
Originally Posted by Alfiejr View Post

exactly how does this "installer" then "modify the system" without specific admin/password permission like all other installs? or maybe it can't.

How does any malware modify the system? Either by the user entering the password or by some security hole like a buffer overflow. You seem to imply that things like execution of arbitrary code due to buffer overflows (or other security flaws) do not exist, when they are being reported almost weekly for some piece of software.
post #16 of 94
Quote:
Originally Posted by Phone-UI-Guy View Post

Why would anyone click "Allow" in this context?


Quote:
Originally Posted by Alfiejr View Post

exactly how does this "installer" then "modify the system" without specific admin/password permission like all other installs? or maybe it can't.

SecureMac and other security software firms keep flogging these "threats" that never materialize in fact. obviously to sell their stuff to suckers. and AI and other hit-hungry blogs play right along with this.

One of the big differences between Mac users and Windows users that I've noticed is that Windows users are far more likely to click "Allow" or "Ok" or whatever button in a dialog box just to get rid of it without actually reading it. They are so used to so many of these things popping up in Windows they are conditioned to click through as quickly as possible so they can get back to work. I've even seen users enter their login and password in a dialog box that pops up even though they don't know which of their applications is asking for authentication (usually it's Outlook or IM, but it's hard to tell in the window that pops up).

Time and again coworkers (we use Windows ) will try to show me a problem they are having with their computer, and when I look over their shoulder they will click OK on anything that pops up in front of them. When I make them first stop and actually read the warning, much of the time that tells them what the problem is...if only they had stopped to read it the first time!

The problem is that those same Windows users carry over that same bad habit when they switch to Macs.
post #17 of 94
And if you run Little Snitch you'll get two warnings, the one shown above and one from Little Snitch asking you if you want to allow the trojan to connect to an external server.

Just say no.
post #18 of 94
I use FireFox as my browser, with the add-ons AdBlock Plus, FlashBlock, Ghostery , BetterPrivacy and NoScript all running on top of OSX and therefore have no worries at this point.
Believe nothing, no matter where you heard it, not even if I have said it, if it does not agree with your own reason and your own common sense.
Buddha
Reply
Believe nothing, no matter where you heard it, not even if I have said it, if it does not agree with your own reason and your own common sense.
Buddha
Reply
post #19 of 94
Quote:
Originally Posted by CIM View Post

And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.

You sound like an idiot...removing java from the OS X install has NOTHING to do with the security of Java. If there is a security hole here, it's the fault of the OS, not the plug-in.
post #20 of 94
Quote:
Originally Posted by Wiggin View Post

One of the big differences between Mac users and Windows users that I've noticed is that Windows users are far more likely to click "Allow" or "Ok" or whatever button in a dialog box just to get rid of it without actually reading it. They are so used to so many of these things popping up in Windows they are conditioned to click through as quickly as possible so they can get back to work. I've even seen users enter their login and password in a dialog box that pops up even though they don't know which of their applications is asking for authentication (usually it's Outlook or IM, but it's hard to tell in the window that pops up).

Time and again coworkers (we use Windows ) will try to show me a problem they are having with their computer, and when I look over their shoulder they will click OK on anything that pops up in front of them. When I make them first stop and actually read the warning, much of the time that tells them what the problem is...if only they had stopped to read it the first time!

The problem is that those same Windows users carry over that same bad habit when they switch to Macs.

This is sooo true. At least dialogs in OS X seem to be less frequent and less wordy
post #21 of 94
As long as people can be suckered into clicking on links designed to do harm to their computer, this will continue.

"Make something 'idiot-proof', and they'll just build a better idiot."

Proud AAPL stock owner.

 

GOA

Reply

Proud AAPL stock owner.

 

GOA

Reply
post #22 of 94
Quote:
Originally Posted by fishstick_kitty View Post

If there is a security hole here, it's the fault of the OS, not the plug-in.

Nope, the security hole is the user, as Johnny Mozzarella said.
it's = it is / it has, its = belonging to it.
Reply
it's = it is / it has, its = belonging to it.
Reply
post #23 of 94
Adobe Flash and Acrobat have also been the source of Mac trojans. There will always be vulnerabilities in 3rd party software. I have not yet heard of anything taking advantage of security holes in OS X (other then Hackers, but we are talking about viruses here). Fortunately Macs are sand-boxed well enough that a trojan shouldn't be able to do more then the infected app can do. I wouldn't be surprised if OS X even sandboxes the documents directory separately (like the iPhone) for each application in the future (Lion maybe?) to make this even less of an issue.
post #24 of 94
It looks like in the near future I may have to purchase antivirus, no?
post #25 of 94
Quote:
Originally Posted by Dr Millmoss View Post

Why not, if they didn't understand the concept of a digital signature? It's all well and good that OSX warns you that something might be up, but by using poorly understood terminology, they increase the risk that a user will blow through the warning signs.

Excellent point.
post #26 of 94
Quote:
Originally Posted by Alfiejr View Post

exactly how does this "installer" then "modify the system" without specific admin/password permission like all other installs? or maybe it can't.

SecureMac and other security software firms keep flogging these "threats" that never materialize in fact. obviously to sell their stuff to suckers. and AI and other hit-hungry blogs play right along with this.

Good point. How can a program that does malicious things that you _deliberately_ install be considered a trojan? Sounds like this is a misclassification by these "security firms".
post #27 of 94
Quote:
Originally Posted by Joe hs View Post

It looks like in the near future I may have to purchase antivirus, no?

No.

Quote:
Originally Posted by esummers View Post

Adobe Flash and Acrobat have also been the source of Mac trojans. There will always be vulnerabilities in 3rd party software.

Quote:
Originally Posted by esummers View Post

Good point. How can a program that does malicious things that you _deliberately_ install be considered a trojan? Sounds like this is a misclassification by these "security firms".

Do people not read threads before posting in them? You seem not to understand what a Trojan is, but if you'd read the thread you may be enlightened.

To expand on what's been said already, think about the name: Trojan. Where does that name come from? Answer: the Trojan Horse. The whole point of a Trojan is that it makes the user think they want it, so the user installs it and runs it, but then it does unpleasant things. But you gave it your password, you gave it permission to run, it's your fault that it just pilfered all your contacts or deleted all your files etc etc. Trojans do not exploit OS or 3rd party software vulnerabilities, they exploit user vulnerabilities.
it's = it is / it has, its = belonging to it.
Reply
it's = it is / it has, its = belonging to it.
Reply
post #28 of 94
Quote:
Originally Posted by Mr. H View Post

No.

I see now, you have to manually install it too allow for it to affect your system. Not much of a Trojan is it?
post #29 of 94
Quote:
Originally Posted by Joe hs View Post

I see now, you have to manually install it too allow for it to affect your system. Not much of a Trojan is it?

Oh jeez is this a wind up?
it's = it is / it has, its = belonging to it.
Reply
it's = it is / it has, its = belonging to it.
Reply
post #30 of 94
LOL, so the security firms are trying to sell users of macosx virus scanners, haha, 10 years now I have been using macs, never got infected with a virus or trojan. Man I tell ya, there are suckers and idiots born by the minute, I mean, from last I recall, under macosx, you're required to input your username and password to perform an install right?

Sounds like the USER is the security flaw. Oh and I do not use virus scanners on my mac.
post #31 of 94
Quote:
Originally Posted by Mr. H View Post

Oh jeez is this a wind up?

This is me not reading the article because I'm using my iPhone.
post #32 of 94
Quote:
Originally Posted by CIM View Post

And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.

It is not getting rid of Java, check your sources.
post #33 of 94
Quote:
Originally Posted by SpamSandwich View Post

As long as people can be suckered into clicking on links designed to do harm to their computer, this will continue.

"Make something 'idiot-proof', and they'll just build a better idiot."

A professor in school used to say this. It's so true.

I develop medical software for hospitals, and no matter how "idiot proof" we make our software, invariably the help desk gets calls with issues that only a truly dumb person could have.
post #34 of 94
Quote:
Originally Posted by Mr. H View Post

Nope, the security hole is the user, as Johnny Mozzarella said.

Yes and no. I mean the user is the one who initiates the installation, but Apple will be able to patch this so even if the user tells it to install, a secondary wall of protection will keep it from doing so.
post #35 of 94
Quote:
Originally Posted by chronster View Post

A professor in school used to say this. It's so true.

I develop medical software for hospitals, and no matter how "idiot proof" we make our software, invariably the help desk gets calls with issues that only a truly dumb person could have.

Ugh. This kind of remark never fails to creep me out. Maybe you're not doing as good a job developing the software as you think you are. Ever consider that?
Please don't be insane.
Reply
Please don't be insane.
Reply
post #36 of 94
Quote:
Originally Posted by chronster View Post

Yes and no. I mean the user is the one who initiates the installation, but Apple will be able to patch this so even if the user tells it to install, a secondary wall of protection will keep it from doing so.

Sure, OS X could be patched to protect users from their own stupidity in this instance, but the only way for the OS to protect users from all Trojans including ones that don't exist yet, is to go the iOS route of code signing and app vetting.
it's = it is / it has, its = belonging to it.
Reply
it's = it is / it has, its = belonging to it.
Reply
post #37 of 94
Quote:
Originally Posted by Doorman. View Post

It is not getting rid of Java, check your sources.

Really?

Quote:
As of the release of Java for Mac OS X 10.6 Update 3, the Java runtime ported by Apple and that ships with Mac OS X is deprecated. Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X.

Apple is my source.
post #38 of 94
Quote:
Originally Posted by Joe hs View Post

It looks like in the near future I may have to purchase antivirus, no?

You just reminded me that I have to do my weekly Full System Scan for my Windows PC
post #39 of 94
Quote:
Originally Posted by Wiggin View Post

One of the big differences between Mac users and Windows users that I've noticed is that Windows users are far more likely to click "Allow" or "Ok" or whatever button in a dialog box just to get rid of it without actually reading it. They are so used to so many of these things popping up in Windows they are conditioned to click through as quickly as possible so they can get back to work. I've even seen users enter their login and password in a dialog box that pops up even though they don't know which of their applications is asking for authentication (usually it's Outlook or IM, but it's hard to tell in the window that pops up).

Time and again coworkers (we use Windows ) will try to show me a problem they are having with their computer, and when I look over their shoulder they will click OK on anything that pops up in front of them. When I make them first stop and actually read the warning, much of the time that tells them what the problem is...if only they had stopped to read it the first time!

The problem is that those same Windows users carry over that same bad habit when they switch to Macs.

Well I tend to do that only with the programs that I know and trust. Anything else that I didn't install or don't remembering installing I will simply deny it.
post #40 of 94
Quote:
Originally Posted by fishstick_kitty View Post

You sound like an idiot...removing java from the OS X install has NOTHING to do with the security of Java. If there is a security hole here, it's the fault of the OS, not the plug-in.

Maybe. How many other OSes are affected by this exploit?
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Mac OS X
AppleInsider › Forums › Software › Mac OS X › Java-based Trojan horse targets computers running Apple's Mac OS X