More Information About the Koobface Trojan Horse for Mac

Intego’s researchers have been examining the OSX/Koobface.A Trojan horse for some time, and the company provided some information about this Trojan horse yesterday. Following a number of questions, Intego would like to present some additional information about this Trojan horse.

This malware, unlike what one company claims, is not a “critical” risk, for several reasons. The level of risk for any given malware depends on several criteria, and this risk is fluid. As time passes, the risk level can increase or decrease depending on how common the malware is, whether new variants appear, and other conditions.

First of all, OSX/Koobface.A is not very widespread. While there is evidence that a handful of Mac users have been infected, there is no evidence to suggest that there is any large number of infections. (We’re only looking at infections of Mac users; since the Trojan horse can infect Windows and Linux users as well, it is very possible that more infections are occurring on those platforms, especially Windows.)

Second, the malware is flawed, and does not work correctly in all situations. Intego’s researchers have not been able to get it to operate on Macs running Mac OS X 10.6. In addition, the presence of a Java alert, and the appearance of an installer asking for an administrator’s password, show that the installation does not occur surreptitiously.

Finally, the installer for this malware contacts a number of remote servers to download files. The installer contacts 5 servers at a time until one responds. Intego has isolated dozens of servers that are contacted, yet all but one of them currently seem to be offline. (This does not mean that these servers will not come back online, or that future variants of this malware will not contact other servers.)

In addition to the servers used to provide the elements installed on Macs, one part of the malware contacts IRC servers. As of today, all the IRC servers contacted have been blacklisted and are offline.

Concerning the files that are installed, there is a combination of Java files for the malware’s main operation, together with Mac, Windows and Linux files. Some files are archives containing Java classes or other Windows or Mac files. The following is a list of files downloaded:

cad.scp
cplibs.zip
cplib_x86_osx.tnw
cplib_x86_win.klf
jnana.pix
jnana.tsa
NirCmd.chm
nircmd.exe
nircmd.zip
nircmdc.exe
ofex.avi
ofex.exe
ofex.zip
OSXDriverUpdates.tar
pax_wintl
pax_wintl.zip
pex.bsl
rawpct
rawpct.zip
RingOnRequest.lock
rvwop
rvwop.zip
VFxdSys.exe
VfxdSys.zip
VfxdSysAdm.exe
WinStart.exe
WinStart.zip

One of the Java classes found in the above archives is called FaceBookWorm.class.
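As an added example (not Intego’s code), here is a small Python check a defender could run over a directory listing to flag any of the file names above. Matching is case-insensitive because the list itself mixes cases (VFxdSys.exe vs VfxdSys.zip), and the NirCmd entries are reported separately since NirCmd is a legitimate NirSoft command-line utility that is merely bundled by the dropper; the sample paths are constructed, not real infection data.

```python
import os
from typing import Dict, Iterable, List

# File names Intego reports the OSX/Koobface.A installer downloading
# (taken from the list above). Stored lower-case because the dropper
# itself mixes cases (VFxdSys.exe vs. VfxdSys.zip).
KOOBFACE_DROPPED_FILES = {
    "cad.scp", "cplibs.zip", "cplib_x86_osx.tnw", "cplib_x86_win.klf",
    "jnana.pix", "jnana.tsa", "nircmd.chm", "nircmd.exe", "nircmd.zip",
    "nircmdc.exe", "ofex.avi", "ofex.exe", "ofex.zip",
    "osxdriverupdates.tar", "pax_wintl", "pax_wintl.zip", "pex.bsl",
    "rawpct", "rawpct.zip", "ringonrequest.lock", "rvwop", "rvwop.zip",
    "vfxdsys.exe", "vfxdsys.zip", "vfxdsysadm.exe", "winstart.exe",
    "winstart.zip",
}

# NirCmd is a legitimate utility that the dropper bundles; on its own it is
# a weaker signal than the Koobface-specific names, so it is bucketed apart.
LEGITIMATE_TOOLS_BUNDLED = {"nircmd.chm", "nircmd.exe", "nircmd.zip", "nircmdc.exe"}


def match_koobface_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Return {'strong': [...], 'weak': [...]} for paths whose base name is listed."""
    hits: Dict[str, List[str]] = {"strong": [], "weak": []}
    for path in paths:
        name = os.path.basename(path).lower()
        if name not in KOOBFACE_DROPPED_FILES:
            continue
        bucket = "weak" if name in LEGITIMATE_TOOLS_BUNDLED else "strong"
        hits[bucket].append(path)
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and apply match_koobface_files to every file in it."""
    def walk():
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                yield os.path.join(dirpath, f)
    return match_koobface_files(walk())


# Constructed sample listing (hypothetical paths) to show the output shape.
SAMPLE_LISTING = [
    "/Users/demo/Library/Caches/jnana.tsa",
    "/Users/demo/Downloads/VFxdSys.exe",
    "/Users/demo/Downloads/nircmd.exe",
    "/Users/demo/Documents/report.pdf",
]

if __name__ == "__main__":
    for bucket, files in match_koobface_files(SAMPLE_LISTING).items():
        print(bucket, files)
```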

Intego has no doubt that there will be variants of this malware in the future, but for now, the threat is minimal. Intego’s Virus Monitoring Center is remaining vigilant in order to detect any new variants that may cause serious threats to Mac users.