It’s one of those days again. A supposed security threat appears, and the internet loses its collective brain and starts panicking like Alpha and Omega’s kingdom come. This time around, it’s a trojan horse thing (it’s a trojan, worm, and root kit all in one, though) that targets Mac OS X and Windows. As it turns out, though, the threat this thing poses is not very large (at this point in time).
The original report comes from SecureMac, which warns Mac OS X users of a trojan horse called Boonana. It supposedly spreads via links on social networking sites (worm), so for instance clicking a link would take you to a website which executes a Java applet (trojan). This applet would download an installer which, SecureMac claims, modifies system files to bypass the system’s password. After that, it acts like a rootkit. It runs upon startup, loads up local web and IRC servers, joins a botnet, employs a DNS changer, and a bunch of other stuff.
The problem is that while SecureMac claims that the attack is completely silent, without any user intervention or password dialogs, Intego claims the contrary. In their report, they say the initial Java apple portion throws up a nice Java warning cancel/allow dialog, meaning everything works as intended and the threat level of this attack is low.
A side note from Intego is that they claim the malware is ‘broken’ or downloads the wrong files, implying that the attack could technically work silently without throwing up dialogs, but just not right now. My personal opinion is that since both claims come from security vendors, we should probably unpanic, make a nice cup of tea, and go about our daily lives.
Want to be safe? Uninstall Java, disable it, whatever. What on earth are you using it for anyway in your web browser? Oh, and also, this is a cross-platform attack and works on Linux and Windows too (although it probably throws up warning dialogs there, too), but heck, “ZOMG EXPLOITROOTKIT MAC OS X LOLOL!!1!1!” draws in the crowds more. Alas.
It isn’t like a swipe at religion (organized or otherwise) is pertinent to an article about a Java non-vulnerability.
Wtf? Since when is a simple reference to the biblical end of days a swipe at religion?
When it immediately follows “loses its collective brain and starts panicking”. Your own words, Thom.
When it immediately follows “loses its collective brain and starts panicking”. Your own words, Thom.
It was not a swipe at religion, it was a swipe at the sheep herd mentality of some people. You really need to work on your reading comprehension.
Exactly. But you know, if there really was some sort of end of times thing going on, I’d imagine people would lose their minds and panic. So I’m not sure what the swipe is even supposed to be even without any reading comprehension.
Hmmm. I am generally very sensitive about things like that and it didn’t set off my alarm.
Me neither.
Should I complain about the “swipe” at my religion by gus3 in his subject heading too?
You are far too sensitive/paranoid.
Can it be considered a worm just because it’s posting on a social networking site by itself? I’m pretty sure it needs to be replicating by itself to be considered one.
What sacrilegious articles about Apple and Linux being vulnerable to worms and viruses and other stuff when we all know it is totally impossible 😉
Considering that the academics they still rely on java applet to display data, and some of them rely on opengl (native binding so users get a lot of these popup).
Advising disabling java is quite the same as advising disabling javascript, that is asking them to disable a vital part of the todays website on which most the user are relying.
Todays websites ? Really ? Like what uses Java-applets ?
I know their are many Networking-vendors that ship java-tooling, but that is for the desktop or atleast for that very specialized group of people.
I noticed the ASUS support site used Java for the download manager when I grabbed some motherboard drivers just yesterday.
Edited 2010-10-28 08:59 UTC
Microsoft zealots don’t care about functionality you loose. They only want to libel and FUD Java. (and possibly make you install SilverBlight) That’s the purpose of this article.
You forgot the ever popular Micro$oft and other silly ways that people think will cause Microsoft to go all emo…
Not gonna test it, but I know for a fact that Chrome prevents installation of stuff by Java applets or other means on websites.
IronFox (a secured version of Firefox for the Mac) has the same thing, since both Chrome and IronFox use the Mac OS X Sandbox.
More apps should do this!
if http://lwjgl.org/applet/ runs, then chrome can’t block it.
not sure about that, cuz the company I work for has a VPN thing, starts by running a Java applet that tries to install something in /Applications (a Java app). Took me a while to figure out why it never installed – I was using Chrome and Chrome would block the actual installation on the system, even though the initial applet would run/download.
(FWIW, I refused the applet you linked, have no idea what it is lol)
hah, sorry. The applet is a GLGears demo, using java and OpenGL. It needs access because it has native code to access OpenGL.
The fact that you got the “install” dialog, basically proves that Chrome isn’t blocking it.
This time I went ahead and clicked “authorise” and “execute”
Here’s the result, background window is Safari, foreground is Chrome:
http://grab.by/76v1
Just as I thought, Chrome blocks anything from installing so the applet can’t run. Even if the Java plugin asks me to execute it, Chrome will prevent it from putting anything on the system.
<3 OS X Sandbox
ohh, interresting… That doesn’t happen for me on Windows 7, 64bit, chrome 8
The sandboxing Chrome uses is an OS X-specific feature…
if only people learnt to read instead of always clicking yes.
If only the questions weren’t so unhelpful.
Agreed. Because it’s well documented how normal users make the best security experts.
In fact, more OSs should move away from their current security set up in favour of prompting the users what their opinion of an unknown application is.
Edited 2010-10-28 09:32 UTC
Just Because your member can fit in a light bulb, does not mean you should try to fug one. It seems funny to an old graybeard but if you want quality stolen SW then -good luck- I mean remember Limewire? I really wonder how many machines I fixed because of what that beast downloaded so:
1.> I do not think that turning off Java, or javascript will fix it, because Vuze is a java app. (or at least last time I checked) So while the major parties and browsers can easily patch this I do not think that the torrent vendors are going to be in the security business and that is shame. – and a newsgroup binary? puhleez. If You do not know your source then you do not know. (at least for sure)
2.>Security in this new internet is going to be so much harder than in the old internet. I suspect that before long the wise and the cunning will have to run VMs inside of VM’s and have system snapshots every hour to ensure that they stay safe (while surfing naughty) – (note: sarcasm + tongue in cheek)
Or
3.> Only get your Media and SW from reputable sources. Not to play an holier than thou harp, but there is an inherent risk assessment that you will make on a task like .torrents.
-=-A few years back there was no such thing as p2p. And hate it or not there was no iTunes store or Amazon or whoever is number 3 in the market. But once I could find something weird like ‘Screaming Jay Hawkins-I put a spell on you’ or something treasured like a Nina Simone Anthology, Steely Dan or Stevie Wonder or Miles Davis and get it safely and pay what 99¢ each or $10 an album? I know I have gifted hundreds of dollars worth of music and movies/media to friends and family, and yhy not? Before the store we were all at a greater risk. THAT is the elephant in the room in this equation. Because phishing can be to a large extent patched or mitigated by the OS and Browser vendors, BUT the end user who really wants that file will still click on that link will get burned. Sure the link will get taken down – and maybe reposted – so it is a buyer beware world.
_Realistically_ I do not think the p2p world can support the entire string of hangers on in Hollywood and Silicon Valley and I have no Idea where the rest of the world gets or makes their SW and Media, but if you want to download media from strange sources then OK but please be advised of this: that cutting edge can cut
Whenever people say that you should just turn of plugin X I almost throw a hissy fit.
Disabling X does not solve the greater issue.
Next you’ll be asing me to not use the browser at all? – they have almost weekly 0-day exploits.
Oh, and my OS is insecure too? – best pull the plug entirely then.
We use Flash, Java, Unity, Plugin X for a reason. It provides features that browsers do not allow.
In the case of Java, you can scream all you want, but html/5 + webgl + tracemonkey is simply not good enough for running stuff like minecraft – or other OpenGL based Java games (see: http://lwjgl.org).
Furthermore, for instance in Denmark, then national ID scheme is using a Java component to securely log in on all sites.
You may argue that it should have been done in another way, and I would probably agree. But the fact remains that to use the government provided national ID, you MUST have Java installed and enabled for your browser.
But it is good enough for running Quake II, ne? http://www.osnews.com/story/23097/Quake_II_Ported_to_HTML5
Of course, this technology isn’t shipping in non-beta builds of browsers at the moment, but to think outright that HTML5+WebGL won’t _ever_ compete is silly. Give it another two years and we’ll be seeing very serious 3D games being released directly on the web. And why not? It’s still OpenGL, it’s still 3D, and no installer is needed (bar an up to date browser).
There’s a ton of game websites out there like miniclip, who have been reliant on Flash and Java for a decade and they are going to have to face an upheaval in their market where they will have to embrace JavaScript games in order to expand onto the iPad / iPhone and other mobile devices. What company, in this instance, would choose death over new technology, bar ignorance?
I agree that eventually WebGL will replace a lot of this, however do remember, that we were doing OpenGL in applets in 2006 using Java.
4 years later and HTML is still not there.
I would prefer that everything was open like html and javascript – but the fact of the matter is that plugins provide content producers with means for doing stuff that wouldn’t otherwise be possible.
There is also NaCl. And anyway, 4 years ago there were no HTML5 websites or barely anybody using this tech. A lot of this tech is still not shipping in browsers.
That’s like saying to me that 100 years ago they didn’t have quantum computers. We barely have them now, so the time-frame is irrelevant.
Given that the only option outside of the App Store for the iPad / iPhone is HTML5, I think it has plenty of chance for big things. Mozilla are holding an HTML game competition; wait for the results of that before reserving judgement.
Exactly! Which is why I am saying that plugins have their merit!
My comment was mostly in response to the:
We need to use Java (with OpenGL) to do stuff like Minecraft (or any of the other lwjgl games (lots)).
And this is of course only one example. There are many things that simply cannot be done, easily – or not at all, in a cross browser fashion using html/5.
No, in my opinion they wouldn’t embrace JS. In the worst case the number of browser games is simply going to shrink.
The problem is that Javascript and HTML5 are ugly technologies. Most creative people want to deal with a simple, high-level language, which works in the same way in all supported browsers, and has a good official IDE. It’s precisely what Flash offers, and no replacement exists among web standards I think..
Because nobody makes games with C++, obviously.
Why would choosing Flash be death?
Not death, lack of growth. And in the stock market, lack of growth == death in analysts eyes
Casual pc gaming is a growing market.
how convenient …
just when apple is thinking to phase out java from osx,
and this move could potentially get criticized by community,
java turn out to be a security threat
where horrible crackers use it to attack poor osx (and fail of course..)
can you imagine a more convenient picture ?
Exactly what I was thinking. Instead of downplaying the trojan, mac fanatics may as well raise it to defcon 5 (more accurately, drop it to defcon 1) and insist on deprecating java for great justice..
“In their report, they say the initial Java apple portion throws up a nice Java warning cancel/allow dialog, meaning everything works as intended and the threat level of this attack is low.”
Ok so how useful is the standard Mac OS X Java security alert? From what I can tell the alert is non descriptive and a non technical user might just as well click allow.
I mean how are they to know whether this alert has any merit, and what does it matter to them when all they want is access to their file or video. Even if one were to view the certificate, what would a non technical user make of it.
Does anyone know of where a sample can be found? i would like to test what happens within ironfox if it is exploited.
This article makes a lot more sense now:
http://www.osnews.com/story/23923/Apple_To_Remove_Java_from_Mac_OS_…
http://news.softpedia.com/news/New-Koobface-Variant-Infects-Linux-t…
Apparently, this one works.
The good news I suppose is that it works longer on a Mac or Windows machine.
Edited 2010-10-29 03:40 UTC