It’s one of those days again. A supposed security threat appears, and the internet loses its collective brain and starts panicking like Alpha and Omega’s kingdom come. This time around, it’s a trojan horse thing (it’s a trojan, worm, and rootkit all in one, though) that targets Mac OS X and Windows. As it turns out, though, the threat this thing poses is not very large (at this point in time).
The original report comes from SecureMac, which warns Mac OS X users of a trojan horse called Boonana. It supposedly spreads via links on social networking sites (worm), so for instance clicking a link would take you to a website which executes a Java applet (trojan). This applet would download an installer which, SecureMac claims, modifies system files to bypass the system’s password. After that, it acts like a rootkit. It runs upon startup, loads up local web and IRC servers, joins a botnet, employs a DNS changer, and does a bunch of other stuff.
The problem is that while SecureMac claims that the attack is completely silent, without any user intervention or password dialogs, Intego claims the contrary. In their report, they say the initial Java applet portion throws up a nice Java cancel/allow warning dialog, meaning everything works as intended and the threat level of this attack is low.
A side note from Intego is that they claim the malware is ‘broken’ or downloads the wrong files, implying that the attack could technically work silently without throwing up dialogs, but just not right now. My personal opinion is that since both claims come from security vendors, we should probably unpanic, make a nice cup of tea, and go about our daily lives.
Want to be safe? Uninstall Java, disable it, whatever. What on earth are you using it for anyway in your web browser? Oh, and also, this is a cross-platform attack and works on Linux and Windows too (although it probably throws up warning dialogs there, too), but heck, “ZOMG EXPLOITROOTKIT MAC OS X LOLOL!!1!1!” draws in the crowds more. Alas.