A week after a security company warned Mac users of the slowly growing risk of malware attack, a new Mac OS X Trojan-worm based on Koobface has been discovered circulating via Facebook and Twitter.
The malware appears in security bulletins puts out by two Mac anti-malware companies, SecureMac, which has dubbed it trojan.osx.boonana.a, and Intego, which describes it as OSX/Koobface.A, which would make it a variant of the common Koobface worm that afflicted Facebook in 2008.
The interesting feature of the worm-cum-Trojan is its design and delivery, which resembles the sort of malevolence that is utterly standard in Windows world.
Using an "Is this you in this video?" link on Facebook, Twitter and other social media as the lure, infection starts with a Java applet downloading remote malware that sets itself to run automatically at startup. This then hijacks the user's email software in order to spam further links, and modifies the system's password settings.
From the point of infection, the Mac can be remotely monitored and any files on it are at risk of being stolen.
One unusual aspect of the malware is that its Java architecture allows it to hit Mac, Windows and Linux users. In-browser exploits using Java are common in Windows, and not unheard of in Macs either, but doing both at the same time is a rare approach. This hints that integrated malware could become more common in future.
"This is a sobering reminder that hackers are turning their efforts toward Mac OS X as Apple's market share grows, and users should be vigilant in protecting their computers and taking precautions when surfing the web," said SecureMac researcher, Nicholas Ptacek.
As with any Java exploit, the simplest defence it to turn off Java in the browser. That will cause problems when browsing come websites, however.
At the time of going to press, Techworld could not confirm that any of the Mac security products from vendors better known for their PC security suites protected against Boonana-a. Intego and SecureMac have put out warnings and it is likely that the Koobface connection will allow them to update in due course.
"While Intego has evidence of several infections in the wild, we are not currently able to go beyond this step, as either the malicious malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files," said an analysis put out by Intego researchers.
"Technically, it propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements," the statement added.