October 27, 2010

A new version of the infamous Koobface worm designed to attack Mac OS X computers is spreading through Facebook and other social networking sites, security experts warn.

Security software maker Intego says this Mac OS X version of the Koobface worm is being served as part of a multi-platform attack that uses a malicious Java applet to attack users. According to Intego, the applet includes a prompt to install the malicious software:

Intego notes that if the download is allowed, “it runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently. It spreads by posting messages on Facebook, MySpace and Twitter, usually trying to get people to click a link to view some sort of video.”

SecureMac also has a writeup on what appears to be the same threat, which it calls OSX.Boonana.a. SecureMac says that “there have been reports of similar behavior in recent trojan horses targeting Microsoft Windows, but they have not included cross-platform capabilities until now.”

It is not surprising that attackers would begin leveraging Java to attack Mac users with threats that have traditionally only menaced Windows users. My research shows that Java is now the leading vector of attacks against Windows systems, findings that recently were buttressed by oodles of attack data released by Microsoft. Also, Java was designed to be a cross-platform technology that would allow applications to run seamlessly regardless of the operating system relied upon by the user. It makes sense for attackers to consider Java as a platform-agnostic vehicle for delivering platform-specific malicious software.

Mac users can turn off Java in Safari by unchecking the box next to “Enable Java” in the “Security” panel of the Safari preferences panel. Firefox users can disable Java in the browser via the “Plugins” tab of the Add-ons menu.

Mac OS X machines ship with their own versions of Java, which Apple updates from time to time. Last week, Apple shipped a new version of Java for OS X that fixes at least four security holes in the program. Updates are available through Apple Software Update or Apple Downloads.

Malware that attacks Mac users may not have Java to kick around for much longer. As The Register and a number of other tech publications reported last week, Apple has “deprecated” Java on Mac OS X, meaning it will pay even less attention to upkeep of the platform, and it may kill the platform entirely on a future version of its operating system.

Update, Oct. 30, 1:12 p.m. ET: Researchers at Paretologic have published an interesting blog post showing that this attack also can infect Linux installations with Java installed.


57 thoughts on “Koobface Worm Targets Java on Mac OS X”

  1. Jimmy

    Thanks to Brian and readers of this site, I decided last week to remove Java from the gf’s Windows computer. As for me, I haven’t used Java in 10 years. So apparently it has little legitimate use regardless of OS. If you haven’t already, see for yourself and delete it. You can always reinstall later if you want.

    1. Russ

      Good work Jimmy. But there are those of us who need Java. I hate it, but there are applications at my job that are built on the platform and won’t be going away. What I need/want are hardening suggestions or any security tips for machines that need to keep Java installed, OSX or Windows. These are the types of scenarios that are getting lost in the shuffle. For those like you who don’t need it, you’ve absolutely taken the best path by removing Java; any suggestions for us poor souls stuck with it?

      1. David Hamilton

        As noted further down, it seems that uninstalling older versions of Java closes one possible attack vector (although it does not specifically apply to this exploit).

      2. TJ

        Russ – I run both Java and Adobe Flash exclusively in a VMware virtual machine. Since I generally keep the VM running in the background, it’s really not much of an inconvenience.

  2. Heron

    If I want to get rid of java on our PC, is using the Add/Remove Programs feature adequate, or do I also need to alter the registry, as many web pages devoted to the topic suggest? We’re still running Windows XP Home.

    1. Big Geek Daddy

      Removing it from Add/Remove Programs is fine. If you find you need it again just install the latest version. In my experience the most common need for this is for online banking or other financial websites to function properly.

      1. jimmy

        Uhhh…wtf online banking requires Java? Do you mean Javascript??????????????

        1. Heron

          *Some* online banking applications require the use of Java. If your bank is one of those, it’d behoove you to consider changing banks.

          1. Big Geek Daddy

            It’s required by my bank to scan checks in for deposit…much easier and quicker than mailing. And no, I’m not changing banks because of this.

      1. Heron

        Thanks to you, I’ve been scrupulous about removing older versions from our PC–but thank you for the reply.

    2. hhhobbit

      Heron, as with everything else, that is probably sufficient. However if you want to be complete, after you have removed all versions of Java in Add/Remove Programs start up Windows Explorer (My Computer may work as well – I don’t like or use it), and type the following in for the file location:
      %ProgramFiles%
      Remove the “Java” and “JRE” folders inside the %ProgramFiles% folder if they exist. Just make sure you remove them AFTER you have removed all of the installed Java programs in Add/Remove Programs in the Control Panel.

      WARNING ONE: I got Java with OpenOffice when I installed it on Windows. Now that all of the best developers have left OpenOffice and are working on LibreOffice I will have to bite the bullet and uninstall both OpenOffice and Java and install LibreOffice. But in any case, if Java is installed make sure Java is disabled in all browsers that have Java plugged into them until you need Java: Firefox – Preferences, Content, et al. For those that must use Java at work, perhaps using one browser for your internal Java stuff and some other browser that doesn’t have Java for the Internet may work. Also using NoScript in Firefox may help solve your problems. Because I make filters including the PAC filter I don’t have Java on the machines / operating systems I use to create the filters with. For the longest time I was able to block the KoobFace web-site infestations with just one rule in the PAC filter. It isn’t nearly as simple now. If somebody knows the new KoobFace URLs I am all ears. I have only observed two KoobFace URLs in the past few months and was beginning to wonder if they had disappeared.

      WARNING TWO: I told you Linux and Macintosh users several months back that eventually malware was going to come your way. I also said it would work best if they could do it using just the user work-space. That way it could be done silently. The first salvo is here. What are you going to do about it? I hope you don’t do what that train station operator did in Silver Streak when the agent informed him a runaway train was headed his way. The train station operator said he could handle it. The train station operator found out he was dead wrong. He just assumed it couldn’t possibly happen when in fact it had happened. For Linux people that have healthy Firefox user data config files start with this:

      $ cd ; tar -cjf mozilla.tbz ./.mozilla
      # reverse with:
      $ cd ; mv .mozilla old.mozilla ; tar -xjf mozilla.tbz

      That way you have a fail-safe backup point to go back to. I would still much prefer being able to log in as root to clean a user infection up. I would also like to have the old Mozilla files rather than the new SQLite DB file Firefox uses. All kinds of nasty stuff can hide in that SQLite DB. And I still don’t want ${HOME}/bin first in the PATH. Get the idea? Let’s start tightening it down and don’t count on one thing (Linux, SELinux, et al.) to do it all. Security comes in layers.
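The snapshot-and-rollback idea in the comment above, carried a little further as an added example (this is not the commenter's own script): it archives a Firefox profile the same way as the `cd ; tar -c... ./.mozilla` line, verifies the archive reads back with one entry per object in the tree, diffs the live profile against the snapshot so you can see which files an infection touched, and rolls back while moving the suspect profile aside as `old.mozilla` instead of deleting it. It uses gzip (`-z`) rather than the comment's bzip2 (`-j`) so that it runs wherever `tar` exists; swap `-z` for `-j` to produce the same `.tbz`. The profile tree it runs on is constructed in a scratch directory, so no real `~/.mozilla` is touched.

```shell
#!/bin/sh
# Added example, not the commenter's script: snapshot, verify, diff and roll
# back a Firefox profile directory. All paths are parameters; the demo at the
# bottom builds a throwaway profile under mktemp so nothing real is modified.

# abs PATH: print PATH made absolute against the current directory, because
# the tar commands below cd into the profile's parent before running.
abs() { case $1 in /*) printf '%s\n' "$1" ;; *) printf '%s\n' "$PWD/$1" ;; esac; }

# backup_profile PROFILE_DIR ARCHIVE
# Archives PROFILE_DIR relative to its parent (like `cd ; tar -czf x ./.mozilla`)
# and checks that the archive lists exactly one entry per filesystem object in
# the tree. Returns non-zero if creation or verification fails.
backup_profile() {
    dir=$1; archive=$(abs "$2")
    parent=$(dirname "$dir"); base=$(basename "$dir")
    ( cd "$parent" && tar -czf "$archive" "./$base" ) || return 1
    want=$(cd "$parent" && find "./$base" | wc -l)
    have=$(tar -tzf "$archive" | wc -l)
    [ "$want" -eq "$have" ]
}

# profile_diff ARCHIVE PROFILE_DIR
# Unpacks the snapshot into a scratch directory and prints, one per line, each
# file that differs from, is missing from, or is new in the live profile.
# Returns 0 when the live profile is identical to the snapshot, 1 when not.
profile_diff() {
    archive=$(abs "$1"); dir=$2
    base=$(basename "$dir")
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && tar -xzf "$archive" ) || { rm -rf "$scratch"; return 2; }
    if diff -rq "$scratch/$base" "$dir"; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return $rc
}

# restore_profile ARCHIVE PROFILE_DIR
# Moves the live (possibly tampered) profile aside as old.<name> beside it,
# never deleting it, then unpacks the snapshot in its place.
restore_profile() {
    archive=$(abs "$1"); dir=$2
    parent=$(dirname "$dir"); base=$(basename "$dir")
    aside="$parent/old.${base#.}"          # .mozilla -> old.mozilla
    [ -e "$aside" ] && aside="$aside.$$"   # never clobber an earlier aside copy
    if [ -d "$dir" ]; then mv "$dir" "$aside" || return 1; fi
    ( cd "$parent" && tar -xzf "$archive" )
}

# Demo on a constructed scratch "home" directory.
demo() {
    w=$(mktemp -d); p="$w/home/.mozilla"
    mkdir -p "$p/firefox/p.default"
    printf 'user_pref("javascript.enabled", true);\n' > "$p/firefox/p.default/prefs.js"
    backup_profile "$p" "$w/mozilla.tgz" || return 1
    # Simulate what a user-space infection leaves behind: a dropped file and a
    # changed preference (constructed values, not real indicators).
    touch "$p/firefox/p.default/dropped.jar"
    printf 'user_pref("network.proxy.type", 1);\n' >> "$p/firefox/p.default/prefs.js"
    echo "== changes since snapshot =="
    profile_diff "$w/mozilla.tgz" "$p"
    restore_profile "$w/mozilla.tgz" "$p" || return 1
    echo "== after restore (no output means clean) =="
    profile_diff "$w/mozilla.tgz" "$p"
    ls "$w/home"                           # .mozilla  old.mozilla
    rm -rf "$w"
}

demo
```

Run it with `sh backup_profile.sh` (any file name). The `profile_diff` output after an incident is the list of profile files worth examining, and `old.mozilla` keeps the tampered copy for that examination; only once you are done with it should it be deleted.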

  3. Big Geek Daddy

    I thought Mac users couldn’t get infected? LOL. It’s only a matter of time as their market share grows so will the attacks. And even a small market share makes them good targets because the people that are buying Macs are Middle and Upper Class…with lots of nice financial and credit info to steal.

    If you’re using a Mac try iAntiVirus…it’s Free so you can afford it and save your money for the next product from Apple.

    http://www.iantivirus.com/

    1. bob

      As this “attack” demonstrates, users have to specifically allow dodgy things to run. I agree that we’ll see a greater proportion of Mac lusers getting hit by carefully aimed scans but I sincerely hope that nobody who reads the website ever feels the need to install the legal malware that is antivirus.

  4. Chris

    iAntiVirus uses Windows definitions and updates so there is no point in installing it for a Mac orientated vulnerability.

    1. drzaiuschimplord

      The Java file (.java, .jar, etc) is cross-platform as it’s, you know, Java. The definitions would work on both platforms.

  5. xAdmin

    Unfortunately, you can’t uninstall Java on OS X as it is integrated into the operating system. Considering the security risks associated with Java now, I’m guessing this is why Apple is deprecating it and even considering its removal from future OS X versions!

    1. Gary

      So what happens if you delete the java executable or some of its supporting libraries ? Does it get re-installed with a regular update ?

    2. drzaiuschimplord

      Apple is just passing the responsibility for maintaining the virtual machine to Oracle. Java on OSX is about as dead as Flash is on OSX, which is to say they’re both still very much alive.

      Firefox users on OSX can disable the Java plugin. I’m not sure about Safari. Almost never use it.

  6. Chad

    Finally not a bunch of Mac Heads running in and yelling to just get a Mac. Lmao

    1. BrianKrebs Post author

      🙂 give it time, Chad. We’re only up to 12 comments. I’m betting on a comment about how a Mac user would have to be braindead to fall for this.

      1. David Hamilton

        Maybe a more useful discussion would be on how to keep a platform secure when the user insists on clicking ‘OK’ even when warned that it is a bad thing to do?

  7. David Hamilton

    Reports on this exploit are shockingly short of detail. They don’t detail if the latest Oracle/Apple updates protect against it, and the reports seem to disagree as to whether the user is presented with a warning or not.

    Can we clarify also the difference between disabling Java in the browser and removing it completely? People seem a little confused…

    While few websites nowadays use Java in the browser (Formula1.com live timings and ManyEyes data visualisation spring to mind as exceptions), stand-alone Java is more widely used.

    Full OpenOffice operation requires Java to be installed, as do the Azureus/Vuze bittorrent client and a whole slew of software development tools.

    Given the fracturing of OS platforms, I’m baffled as to how you think that developers are going to be able to target all users without cross-platform capabilities such as Java. Yes, it is vitally important that they’re kept up-to-date, but binning them completely? Hmmmm….

    1. BrianKrebs Post author

      Hi David, I agree that the writeups were sparse in details as to whether this exploited any kind of Java vulnerability or if they simply abused how the program is supposed to work on the Mac. However, there is a big honkin graphic at the top of this post that shows the user is indeed presented with a warning.

      I haven’t suggested that people remove Java from the Mac; I merely offered a couple of ways they could unplug it from the browser if they want.

      Fundamentally, I agree with the premise of the last part of your comment: Apple (or maybe some third-party vendor) is going to find they need to figure out better ways to help users make sound decisions, and to keep all of the software on their machines updated.

      1. David Hamilton

        Hi Brian,

        Just to clarify – a lot of the comment wasn’t directed personally at you. The confusion about whether there was a warning related to the SecureMac alert, and the idea of uninstalling Java completely was raised in the comments.

        And I don’t entirely disagree with the latter: uninstalling any unused optional part of the OS will improve security. Again, functionality and security will always have an element of a tradeoff to it.

        Absolutely agree with your last paragraph: the better users can be informed about the impact of their decisions, the less scope there is for their behaviour to be exploited.

      2. Bart

        As a recent convert to Macs, I am concerned about Apple not including Java in its Software Update facility; especially in that the important Preview function uses it. Am I wrong?

        1. timeless

          Apple did include Java in a software update recently.

          You can open System Preferences, go to Software Update, select the Installed Software Tab, then scroll down to somewhere around 10/24, you should see:

          “Java for Mac OS X 10.6 Update 3” (version 1.0).

          It’s unclear what Apple will do when it decides to stop supporting Java. It probably means that some future versions of OS X will not include it at all. But no one really knows how that will affect software updates for versions which included it.

          I’m also unsure what the ideal behavior would be. It would be vaguely nice for Oracle to try to get into the habit of releasing Java for OS X (preferably on the same release schedule as it uses for everywhere else).

          If Oracle did this, would it be better for Apple to stop delivering updates to its Java and instead provide some way for its customers to switch/uninstall Java? Or would it be better for Apple to have to continue delivering updates (which it does with a fairly long delay on top of Sun/Oracle releases)?

        2. Lynda

          Bart,

          When you mention ‘the important Preview function’, are you referring to Apple’s Preview app, or the abbreviated picture you get of a folder in the Finder window – or something else altogether?
          I’m not aware of a use for Java in either of these – but I’d hardly claim to know all on this topic. I can do some digging, though.

  8. Rob R.

    You can disable Java in Chrome too:

    Chrome/Preferences/Content Settings/Plugins/Disable Individual Plugins/Java-Disable

  9. Enon

    Java is also used for some enterprise apps; Novell’s GroupWise & GroupWise Instant Messenger OS X clients are Java based.

    Also WebCT course management software found at many schools uses Java applets in the browser.

    These programs aren’t going away anytime soon. Will Apple cripple itself in some enterprise environments or will Oracle step up and provide an OS X port of Java for those Mac users who absolutely must have it? Stay tuned!

    1. Heron

      Yet another reason to be glad I no longer work someplace that insists on using GroupWise. That program can be a real pain in the keister.

  10. David Hamilton

    Oh, yes. One thing I did learn while reading the various reports of this issue was that, when invoked from HTML or JNLP (Web Start), a particular (exploitable) version of Java can be specified if it is still on your system, even if it is not the default.

    In other words: MAKE SURE ALL OLD (OUTDATED) VERSIONS OF JAVA ARE REMOVED FROM YOUR SYSTEM AFTER ANY UPDATE.

    I believe that Apple does that automatically with their updater anyway (I couldn’t find any left over installations), whereas my Windows XP box has around 10 versions of Java on it.

  11. Bill Horvath II

    IMHO, Apple’s reasons for deprecating Java are blazingly obvious, and have nothing to do with security, or with offloading responsibility to Oracle. They’ve already announced they’re planning to offer software for the Apple computing platform using the same approach they use for their iPhone, iPod, and iPad platforms — An OSX ‘app’ store. I would be surprised if, after the release of Lion, you could install software on an Apple computer using anything _other_ than the forthcoming OSX app store without ‘jailbreaking’ the machine. Java, like Flash, presents a competitive threat to that distribution platform.

    Disclaimer: I’m an Apple user — PowerBook, iPhone, iPad, etc. I’m also a Java developer, and can tell you that Java has many, many uses inside the enterprise. I can also tell you that many universities have switched to teaching their CS students using Java, instead of a C variant, as the primary language.

    1. David Hamilton

      According to one OS X developer’s blog, the App Store for OS X will lack “free trials, education, bulk and upgrade discounts and refunds” meaning that it will be a long time before it becomes compulsory.

      http://reinventedsoftware.com/blog/2010/10/22/mac-app-store/

      Personally, I don’t believe any corporate IT will ever cede that kind of control to an external body such as Apple, so I don’t think it will become compulsory while OS X exists in a recognisable form.

      1. Bill Horvath II

        Apologies David, but I’m not sure why the lack of free trials etc. would preclude Apple from requiring compulsory adoption. Could you explain that in more detail if you’ve got a moment?

        Per the question of corporate IT ceding that kind of control, many companies are already doing so with the iPhones and iPads their staff and execs insist on using — Reasons why Apple is now offering some enterprise-friendly features such as Exchange integration. I’d imagine they’ll continue to refine their offerings to be more suitable to deployment in large-scale operations, seeing as they’ve been able to double revenues in their retail stores simply by reaching out to small businesses.

        1. David Hamilton

          Most Apple software developers have mature pricing policies, which usually include free trials, plus other special pricing deals. Were Apple to ask them to make significant changes to their revenue models, you can be certain the howls of pain would be extremely difficult for even Apple to ignore.

        2. David Hamilton

          The clincher is that licences are not transferable to the App Store. Can you imagine how painful the process would be of trying to migrate all the separate proprietary DBs of licensees into the OS X App Store?

          Also, Apple recently blinked in the face of massive criticism of and potential anti-trust action into its App Store policies. Mandatory OS X App Store backlash would be many times worse.

          No. It won’t happen. (At least, not until tablets have taken over from PCs and no-one cares about the PC any more!)

      2. timeless

        Corporate IT. *Sigh*.

        We delayed any deployment of Windows 7 for about a year, and only provide the *32bit* version — I had been using the 64bit version thanks to Microsoft’s open early access program.

        We’re using Firefox 3.6.8 or something (we’ll probably update to Firefox 3.6.11 at some point [yes, that isn’t current today, but why would that matter to IT?]). We have at least one rather old version of Java which powers our Corporate IT managed software update service. Our versions of Flash/Reader/Shockwave get updated months late (and like Firefox, I don’t think they’re updated to the latest versions).

        On the “bright” side, we finally got an announcement that we’re getting a mandatory upgrade from IE6 to IE8! – People might be curious as to how we managed to get it at all. The answer is thanks to Microsoft* whose newest version of SharePoint doesn’t support IE6. While I might not have any love for SharePoint I honestly applaud Microsoft for using it to force IE6 one step closer to complete retirement.

        Oh, of course most computers are locked so you can’t use Windows Update at all (you have to have a business reason to use it, the only one I know of is “I’m a developer, I need to be able to run a debugger which means I need to have Administrator access”, thankfully that applies to me).

        * in the real world, normal people were forced by Google which dropped support @youtube.

    1. Heron

      Why would you recommend something you’re not even sure is good?

      1. hhhobbit

        EMET is much better than DEP. Click on the EMET Announcement from the URL given to download the PDF file. Although the PDF file shows you making programs so that they run with or without EMET by typing the commands in cmd.exe that isn’t necessary. With the GUI you can not only do that but you can selectively turn on only what you want to turn on. The cmd.exe commands just show you a way to turn it all on or back off with say a pair of BAT files.

        1. hhhobbit

          Be sure to read ALL of the caveats about EMET in the PDF file. Once you do you will see that EMET is quite complex. IOW, don’t just slap EMET on Windows XP where they had problems with it at the start expecting a miracle. It is for example mutually incompatible with virtualizing of your browser in Windows 7 Pro/Ultimate which is another thing you can do to protect yourself. That was why I decided to say nothing about EMET on my blog. I finally considered EMET much too complex for the average user. Here among people that may have more experience it is more appropriate. Go from there to determine if EMET will be useful to you or not.

    2. Louis Leahy

      Something to consider and some of us understand your caveat.
      Java is not going away any time soon. A lot of programmers use it because of its ability to run across various platforms and its new owners appear to be continuing to promote and develop it.

    1. Chad

      I think the reason I have got two thumb down comments and only one up on my “Still no “just buy a Mac Comment” Brian. Lol” is cause they are Mac users. Lol. That OS is no more secure than any other one. I use Ubuntu, Vista, XP, and Mac OS X. Do you know how annoying it is to have people tell you just get a Mac and you are safe that is just idiotic. I could have written an applescript years ago and then sent it through an e-mail and would have deleted the contents of your hard drive. I just never wanted to make just a few people mad. Lmao What is the point.

    2. Heron

      Man, you’re just as ignorant about when to let something go as the “just get a Mac” folks can be! Give it a rest already.

      1. Chad

        I made two posts (now three) how can I be more annoying than all the mac people. You must be a mac user. Lol

        1. Chad

          Correction read that wrong, guess I think Mac people are real annoying, the die hards I mean.

  12. David Hamilton

    Intego have an update on their information on this exploit:

    http://blog.intego.com/2010/10/29/more-information-about-the-koobface-trojan-horse-for-mac/

    Quote:
    “In addition, the presence of a Java alert, and the appearance of an installer asking for an administrator’s password, show that the installation does not occur surreptitiously.”

    So both Java and OS X warn the user as they should do. Seems the only thing that is being exploited is the user’s stupidity!

  13. hhhobbit

    Big Geek Daddy, my PAC filter blocks your web site (inadvertently). I wish PC Tools would stop redirecting all over the place and keep things at home. I will add you to the PAC filter as an exclusion. Do not confuse that to mean I am giving iAntiVirus an endorsement. It just means I am getting out of the way and letting Mac owners make their own hopefully informed decision. IOW, I am just saying iAntiVirus is not malware, scareware, or used for nefarious purposes. Here are some URLs that may help Mac people to decide what they want to do:

    http://download.cnet.com/iAntiVirus-Free-Edition/3000-2239_4-10854561.html
    http://www.macworld.com/reviews/product/412818/review/iantivirus_10.html

    If your intention was to get Mac people to use what you have I think you may have failed. The content is hidden now. I have no idea whether it is the way you have worded things in the message or the fact that you have free and pay versions. What I provide is under GPLv2. Nobody should object to that – if they don’t want it they can just move on. If they use it they almost immediately have to fork it off to go the direction they need it to go. I do wonder why some users say what you provide saps their machine down. There really isn’t that much Macintosh malware (yet). Don’t you implement bintree lookups on hash sums and other things to speed it up?

    Disclaimer: I do use ClamAV on one of my Linux systems. That is due to the price (free) and because most AV programs for Linux are designed for server purposes. I am using them in the diagnosis of potential malware / malware. If a web-site scans my Linux system and indicates I have 44 registry problems, and 37 trojans in my %UserProfile% what am I supposed to conclude besides the fact that I am watching a flash file run? I don’t care if all 32 AV engines at VirusTotal say it is okay – I will say it is not okay especially if they use encoding / encrypting in their JavaScript. I also have VBA32, SunBelt, and Symantec. SunBelt may be replaced in the future by Kaspersky (yes, I know about their web-site problems). My only statement on AV software is get and use something unless you think just the OS and your good judgement is all that you need. I use it.

  14. Rick Zeman

    Well, I think this is a non-story, frankly. It’s not a Java EXPLOIT, it just uses Java to install itself. It’s no different than if the web page detected browser type, and then presented a Win/Mac/ELF executable for the clueless user to then grant permission to run. It’s interactive. The JRE is doing its job in the way it was designed.

    With all of the serious drive-by exploits of Java (see Brian’s other excellent postings), I’d hate to see them get less than their deserved attention because this one says “Mac” in the title and it brings out all of the fanboys and all of the flamers.
    (For reference’s sake, I’m a Windows admin professionally typing this on a Mac….)
