Facebook continues being a popular target for malware authors as we discover yet another family that uses this popular social network to propagate. The main component, which we detect as Trojan:Java/Boonana, is written in Java which gives it cross platform capability infecting Windows, Mac and Linux users.
Trojan:Java/Boonana is sent via a link to a video to Facebook users. By clicking on the link, the user will be prompted to run the application “JPhotoAlbum”, which is a Java class inside a JAR file (JPhotoAlbum.jar SHA1: 159e6bc0616dec2062c92a7dd918c8179b2de640). Independent of browser or platform, by clicking to allow this application to run, the rest of the payload will be downloaded and executed on the computer.
The components that are subsequently downloaded are:
- cplibs.zip: utility to encrypt decrypt class files in Mac
- OSXDriverUpdates.tar: MacOS X component detected as Trojan:MacOS_X/Boonana (SHA1: 7f0f3ec0460c117e299960a47cac27c7a6d96b32)
- Nircmd.chm: utility to execute files from cmd line
- ofex.exe: keylogger component detected as TrojanSpy:Win32/Boonana.A
- pax_wintl: Java open source networking classes
- rawpct.jar: IRC plugin class possibly for propagating to IRC users as well
- rvwop.jar: Java class that contains Facebook propagating class detected as Worm:Java/Boonana.A
- siv.exe: Downloader component detected as TrojanDownloader:Win32/Boonana.A
- VFXdSys.exe: Downloader component detected as TrojanDownloader:Win32/Boonana.A
- VfxdsysAdm.exe: Downloader detected as TrojanDownloader:Win32/Boonana.A
- WinStart.exe: utility to start in hidden mode
It is worth noting that this threat family also contains malicious files targeting MacOS X. Boonana updates multiple components of the Macintosh operating system to give root level privilege to the attacker. We detect these as Trojan:MacOS_X/Boonana.
We have detection for this from 1.93.1067.0 onwards.
Thanks to Andrei Saygo for his analysis of some of the threats in this family.