The widely-reported ‘Boonana’ Trojan was a new piece of malware after all and had nothing directly to do with Koobface, Microsoft and other security companies have reported a week after the event.
At the time, Mac security software company SecureMac reported Boonana as trojan.osx.boonana.a, later identified by Mac security specialist Intego and other companies as a variant of the Koobface worm that has been attacking Facebook users since 2008.
However, according to Microsoft, ESET and SecureMac, the similarity with Koobface doesn’t appear to stretch beyond its general tactics and the fact that it attacks using Facebook and other social media sites. At a code level, what Microsoft now identifies as Trojan:Java/Boonana is a distinct piece of malware.
The main significance of Boonana could be that its Java design allows it to attack both Windows PCs and Apple Mac computers, and at least run on Linux, the first time such a design has been seen since the age of Macros viruses in the 1990s. Where the software hails from is unknown although one of its first actions on infecting computers is to try to contact a Russian FTP server.
The fact that Boonana is distinct family of malware rather than a variant matters in a small but important way. A new branch of malware capable of attacking across operating systems suggests a new direction in malware innovation. If Boonana was a simple variant it might count more as a one-off experiment.
Programming and platforms apart, Boonana’s use of Facebook often shows that social engineering skill is its real forte. Originally pushed with basic ‘watch this video’ lures, the malware has subsequently tried more sophisticated messages, including one based on an apparent suicide notice.
“As you are on my friends list I thought I would let you know I have decided to end my life. For reasons that will be clear please visit my video on this site. Thanks for being my friend, “ says one reported by ESET. As with much contemporary malware, the platform is secondary in the mind of the creator. It is the user that is being attacked first and foremost.