In association with heise online

28 October 2010, 15:57

Koobface variant as a trojan for Mac OS X

In a blog posting, Mac security software firm Intego reports that a further variant of the Koobface worm is currently in circulation, targeting Mac users in the form of a trojan masquerading as a Java applet. Koobface (an anagram of Facebook) spreads via social networks such as Facebook, MySpace or Twitter and tricks users into viewing a video ("Is this you in this video?"). While the original version of Koobface masqueraded as an update for Flash Player on the linked page and offered a malicious EXE file to download, the new variant pretends to be a Java applet.

When accessing the alleged video page, an alert will warn the user about the applet's unverified signature – however, if access is granted regardless, the malware will download an installer and further files which eventually deploy malicious software that specifically targets Mac OS X, Windows or Linux.

Although successful Mac infections have apparently already been reported, Intego has been unable to reproduce a successful attack. The security firm said that "either the malicious malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files" and has rated the related risk as "low". If the malware installs correctly, however, Intego says that it runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can download malicious code.

Warning dialogue for Java applets in Safari.
Source: Intego

Mac security software developers SecureMac, on the other hand, have rated the related risk as "critical" and are offering a removal tool free of charge. To protect computers against infection, users are advised to disable Java in their browsers or at least take notice of Java applet alert dialogues and deny access to applets whose origin is unclear.

