Intego Security Memo: Trojan Horse OSX/Koobface.A Affects Mac OS X Mac – Koobface Variant Spreads via Facebook, Twitter and More

Posted on October 27th, 2010 by

Malware: OSX/Koobface.A
Risk: Low
: Intego has discovered a Mac version of the Koobface worm, which spreads via social networks such as Facebook, MySpace and Twitter. Intego’s Virus Monitoring Center has been examining this malware for some time, and given the low level of risk, has not publicly issued information about it. Since other reports have been made public about this malware, Intego has decided to publish this security memo.

Reports have circulated discussing a Trojan horse, but without understanding either the scope or the functioning of this malware. This threat is a Mac OS X version of the Koobface worm, which is served as part of a multi-platform attack via a malicious Java applet. The malware itself is made up of a number of elements, though in order to simplify, we will use the term “Trojan horse” to describe it. (Technically, it propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements.)

Users first encounter this malware via links on Facebook, MySpace and Twitter, but links can and do exist from other web sites as well. They are taken to malicious web sites in order to view videos, and these sites attempt to load a Java applet. Users are alerted to this via the standard Mac OS X Java security alert.

Clicking Show Details displays information about the certificate that is attempting to be authorized:

Users can deny or allow the applet access to their computers. If they click Deny, the applet will not run, and no infection will occur. If they click Allow, however, the applet will run, and will attempt to download files from one or more remote servers. At this point, VirusBarrier X6’s Anti-Spyware feature, if activated, will alert users to an outgoing connection by Java. If this occurs, click Deny to block the connection.

If files are downloaded, they are stored in an invisible folder (.jnana) in the current user’s home folder. These files include elements designed to infect Mac OS X, Windows and Linux. The Java applet should also download an installer that will then launch and attempt to install the malware. While Intego has evidence of several infections in the wild, we are not currently able to go beyond this step, as either the malicious malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files.

Potentially, if it installs correctly, it functions the same as the Koobface worm running on Windows. It runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently. It spreads by posting messages on Facebook, MySpace and Twitter, usually trying to get people to click a link to view some sort of video.

While this is an especially malicious piece of malware, the current Mac OS X implementation is flawed, and the threat is therefore low. However, Mac users should be aware that this threat exists, and that it is likely to be operative in the future, so this Koobface Trojan horse may become an issue for Macs.

Means of protection: The first step is for users who see the Java alert dialog shown above to click Deny; the Java applet will not run, and the malware will not be installed. Second, if a user sees an Installer window display spontaneously, without the user having double-clicked an installation package, they should quit the installer. Intego VirusBarrier X6 and X5 detect and eradicate this malware, which they identify as OSX/Koobface.A, with their current threat filters.

  • LizDragoon

    March 14 2016 notification of trojan Koob Face virus infection infected my husband’s computer from my computer with recently renewed Intego subscription. Running my March 10 virus definitions twice didn’t identify nor block the problem. What’s next?

    • Intego

      Hi there, thanks for contacting us about this. We detect all known versions of the OS X Koobface worm, but if you believe you have encountered a new variant Intego’s malware team would like to investigate and analyze the file. Do you still have access to the malicious file? If so, please submit it us here: Thanks!

  • LizDragoon

    The recent virus attack was a KoobFace virus detected in my spouse’iMac. His out-of-country computer consultant recommended by Apple had to call him to tell him he has a virus because Best Buy as Intego seller gave him the wrong code for Intego software. He has never been able to open his Intego purchase and gave up on Best Buy ever being helpful and never purchased any other internet security program. He won’t tell me the name of his internet security contractor…that’s a lifelong story. I ran the March 9 anti-virus update twice with no alerts on my Mac AirBook. Recently the out-of-country contractor informed my guy that the virus could have come from anywhere.