∞ SecureMac discovers Mac OS X trojan horse

Macintosh security firm, SecureMac, on Wednesday discovered a new trojan affecting Mac OS X, including Snow Leopard.

[ad#Google Adsense 300×250 in story]The trojan, which has been dubbed “Boonana Trojan Horse” is being widely distributed on social networking websites like Facebook, according to Nicholas Raba, the founder of SecureMac.com.

Raba told The Loop that have the trojan distributed through social networking sites makes it a more critical threat because it is such a widely used network. As he pointed out, users of Facebook trust their friends and are more willing to click on a link from a friend.

SecureMac describes the trojan like this:

“When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the trojan horse hijacks user accounts to spread itself further via spam messages. Users have reported the trojan is spreading through e-mail as well as social media sites.”

Raba said the trojan modifies the sudo file in Mac OS X, so it no longer needs a root password in order to execute commands. The trojan contains files to install on both Mac OS X and Windows systems, so all users are potentially vulnerable.

SecureMac’s MacScan will remove the trojan if you are already infected. Raba said the company’s 30-day free trial will remove it as well. SecureMac will also be posting instructions on its website to manually remove the trojan from your system. Instructions are expected to be posted this afternoon.



  • Lawrence Velázquez

    I’m curious about how the software “modifies system files to bypass the need for passwords.” Doesn’t modifying the sudoers file require administrative privileges?

  • WooDz

    I guess it was only a matter of time before we had sure an event on a MAC… Not bad 3 years of being Virus free was nice…

  • WooDz

    What the hell did I just write????

    English is slowly becoming my second language. I just don’t know what the first one is : /

  • What’s described here is what the trojan is supposed to do. But it doesn’t, because it doesn’t work on Mac OS X. It runs into OS X’s security. The discoverers thought it was interesting because it was apparently designed to be cross-platform, but fails. For example http://blog.intego.com/2010/10/27/intego-security-memo-trojan-horse-osxkoobface-a-affects-mac-os-x-mac-koobface-variant-spreads-via-facebook-twitter-and-more/

  • Matthias

    I would take this seriously if you wrote that it takes user interaction to work. How many novice users may be curious enough to ignore the macs security barriers and allow it to run?