Koobface Mac Security Threat Described

Intego, billed as the Mac security specialists, has revealed more details of the potential security threat from the Koobface Trojan horse.

Writing in a blog post, Intego says the problem is not the "critical" risk that a rival provider of Mac OS X security software claims it is.

Graphic: Diego Aguirre
"First of all, OSX/Koobface.A is not very widespread. While there is evidence that a handful of Mac users have been infected, there is no evidence to suggest that there is any large number of infections," insists Intego.

"Second, the malware is flawed, and does not work correctly in all situations. Intego's researchers have not been able to get it operable on Macs running Mac OS X 10.6. In addition, the presence of a Java alert, and the appearance of an installer asking for an administrator's password, show that the installation does not occur surreptitiously."

The Mac version of the Koobface worm reportedly spreads via social networks such as Facebook, MySpace and Twitter disguised as links to videos. Users are then taken to malicious web sites in order to view the videos. These sites then attempt to load a Java applet. However, users are alerted to this via the standard Mac OS X Java security alert.

"Finally, the installer for this malware contacts a number of remote servers to download files. The installer contacts 5 servers at a time until one responds. Intego has isolated dozens of servers that are contacted, yet all but one of them seem to be currently off-line. (This does not mean that these servers will not come back on line, or that future variants of this malware will not contact other servers.)" Intego notes.

"In addition to the servers used to provide elements installed on Macs, one part of the malware contacts IRC servers. As of today, all the IRC servers contacted have been blacklisted and are off line."

Intego provides a list of files that are installed, a combination of Java files for the malware's main operation, together with Mac, Windows and Linux files.

"Intego has no doubt that there will be variants of this malware in the future, but for now, the threat is minimal. Intego's Virus Monitoring Center is remaining vigilant in order to detect any new variants that may cause serious threats to Mac users," Intego adds.
