In-Depth Look at Boonana Malware

Last week a malware threat emerged that impacted both Windows and Mac OS X systems. To be fair, the attack is more social engineering than PC exploit, but it impacts Mac OS X users just the same. ESET’s David Harley has written a more detailed analysis of the Boonana threat, and identified some elements that are contrary to initial reports.

In a blog post explaining the Boonana analysis, Harley describes why the threat is more of a social engineering attack than a worm. “This is very much social engineering-focused malware: its initial attack is on the user, not on the platform, and it isn’t self-launching in the first instance. If you smell a rat when you get the authorize install prompt, the malware can’t change your system files so as to allow unflagged external access. Actually, most malware (Windows as well as OS X) relies partly or totally on conning the user into running a malicious application.”

Boonana uses the common social engineering technique of the “is this you in this video?” to lure users into clicking on the YouTube link. In some instances, it uses a darker, and significantly more compelling bait, with a message that reads “As you are on my friends list I thought I would let you know I have decided to end my life. For reasons that will be clear please visit my video on this site. Thanks for being my friend.”

The Boonana malware is spread both via Facebook messages that originate from the Facebook account of a compromised user, as well as in the form of an e-mail attachment. Harley explains that the results are similar regardless of how the message gets there. ” When the potential victim tries to run the “video”, a message is generated suggesting that the video can’t be watched without the installation of special software.”

Clicking the link to install the special software will execute a Java applet which works equally well on either Windows or Mac OS X–and ESET has confirmed it also works on Linux systems. Once the computer is infected, the malware checks a list of 161 host names and attempts to redirect traffic to a malicious Web site. However, many of the redirect targets have already been taken down, implying that perhaps the Boonana author is relying on an outdated list of malware servers.

Some have linked Boonana as a sort of Mac-compatible variant of the Koobface worm, but ESET found that there are no similarities in the underlying code and has identified Boonana as a unique threat. This attack is certainly no indication that Macs or Linux PCs will be hit with the volume of malware targeted at the Windows operating system, but it is evidence that malware authors are starting to think in cross-platform terms, and suggests that Mac and Linux users need to remain vigilant about security threats.