Thursday, October 28, 2010

Koobface Malware for Mac, and How to Disable Java

Intego recently blogged about their investigation into a Mac-infecting variant of the Koobface malware (which Intego explains "propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements") that's actively being tested in the wild. Koobface infections often come via links on Facebook (hence the name, which is an anagram of Facebook), but can come via other sites as well. I've previously blogged about Koobface here and also mentioned it here.

According to Intego, the Mac variant tries to install itself via a Java applet, which prompts the user with a dialog box saying:
/!\  An applet from "[domain]" is requesting access to your computer.

The digital signature could not be verified.

[ ] Allow all applets from "[domain]" with this signature
(Show Details...)               (Deny) (Allow)
If presented with such a dialog box, click "Deny" to prevent infection. Keep in mind that Deny refuses only that one applet: Java itself stays enabled, and the next malicious page can ask again, which is why disabling Java in the browser (see below) is the better fix. If the applet is allowed to run, it attempts to download files into /Users/[username]/.jnana/ (a hidden folder, since its name begins with a dot; you can use my freeware app Invisibility Toggler to see whether it's there on your system). So far Intego has only seen the malware get this far, because the servers it tries to contact were not online and serving the requested malicious files at the time of Intego's testing. The Java applet is detected as OSX/Koobface.A by Intego's VirusBarrier and as trojan.osx.boonana.a by SecureMac's MacScan. SecureMac also offers a free removal tool.

Users can avoid infection altogether by disabling Java in their browsers. Other security researchers including Brian Krebs have recently been recommending this anyway, since Java has quickly become one of the most exploited Web technologies, and most users probably don't actually need or use Java.

Unfortunately, Apple doesn't provide an uninstaller for its implementation of Java (which Apple has recently deprecated). Here's how to disable it in your browser instead:
  • To disable Java in Safari, first open the Preferences dialog box (on the Mac, click on the Safari menu next to the Apple menu, then select Preferences...). Click on Security, then click on the check box next to "Enable Java" to remove the check and disable Java.
  • To disable Java in Firefox, first open the Add-ons dialog box by clicking on the Tools menu and then selecting Add-ons. Click on the Plugins tab at the top of the window, and look for "Java Embedding Plugin" and "Java Plug-In 2 for NPAPI Browsers." Click on each one of those and click the Disable button for each one. (Note: Whenever Apple releases a Java update, you may need to quit Firefox and reopen it, and then verify that both are still disabled.)
  • To disable Java in Chrome, go to chrome://plugins/ (you may need to copy and paste or type this into the address bar) and click on the "Disable" link below the word Java.
  • To disable Java in Opera, go to opera:config#Java and click on the check box next to "Enabled" to remove the check from the box, then click Save. You will be prompted to restart the browser in order for the setting to take effect.
  • To disable Java in Camino, click on the Camino menu next to the Apple menu, then select Preferences..., then click on Web Features, and finally click on the check box next to "Enable Java" to remove the check and disable Java.
  • To disable Java in OmniWeb, click on the OmniWeb menu next to the Apple menu, then select Preferences..., then click on Show All, then click on Security, and finally click on the check box next to "Enable Java" to remove the check and disable Java.
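
The .jnana check and the Safari step, as a shell script you can run on several Macs instead of clicking through the dialogs. This is an added example written for this page, not code from the original post, from Intego or from SecureMac. It assumes that Safari of this era keeps its "Enable Java" checkbox in the WebKitJavaEnabled key of the com.apple.Safari preferences domain, which the defaults tool reads and writes; the DEFAULTS variable exists only so the functions can be exercised with a stand-in command on a machine without Safari. It reports whether the hidden .jnana folder from Intego's description exists and whether Java is still on in Safari; the other browsers above keep their plugin settings in their own profile files, so use the menu steps for those.

```shell
#!/bin/sh
# Added example, not from the original post: report the two things the post
# tells you to look at (the hidden ~/.jnana folder the applet tries to create
# and whether Java is still enabled in Safari) and optionally turn Safari's
# Java off from a shell instead of the Preferences dialog.
#
# Assumptions: Safari stores its "Enable Java" checkbox in the preference key
# WebKitJavaEnabled of the com.apple.Safari domain, handled by `defaults`.
# DEFAULTS lets a stand-in command be substituted where `defaults` is absent.

DEFAULTS="${DEFAULTS:-defaults}"

# jnana_present HOME_DIR: succeed (exit 0) if HOME_DIR/.jnana exists.
# A plain `ls ~` misses it because of the leading dot; -d tests it directly.
jnana_present() {
    [ -d "$1/.jnana" ]
}

# safari_java_state: print "enabled", "disabled" or "unset".
# "unset" means the key was never written, which is what an untouched Safari
# shows; the checkbox defaults to on, so unset should be treated as enabled.
safari_java_state() {
    value=$("$DEFAULTS" read com.apple.Safari WebKitJavaEnabled 2>/dev/null) || {
        echo unset
        return 0
    }
    case "$value" in
        0|false|NO)  echo disabled ;;
        1|true|YES)  echo enabled ;;
        *)           echo "unknown($value)" ;;
    esac
}

# disable_safari_java: command-line equivalent of unchecking
# Safari > Preferences > Security > Enable Java. Quit Safari first so the
# running application does not write its cached preferences over the change.
disable_safari_java() {
    "$DEFAULTS" write com.apple.Safari WebKitJavaEnabled -bool false
}

# report HOME_DIR: print findings; exit status 1 if the indicator folder exists.
report() {
    rc=0
    if jnana_present "$1"; then
        echo "WARNING: $1/.jnana exists; the applet got as far as creating its drop folder."
        rc=1
    else
        echo "ok: no $1/.jnana folder"
    fi
    case "$(safari_java_state)" in
        disabled) echo "ok: Java is disabled in Safari" ;;
        *)        echo "note: Java is NOT disabled in Safari (run with --disable-safari-java)" ;;
    esac
    return "$rc"
}

if [ "$1" = "--disable-safari-java" ]; then
    disable_safari_java && echo "Java disabled in Safari; reopen Safari and confirm under Preferences > Security."
else
    report "$HOME"
fi
```

Run it with no arguments to get the report for the current user, or with --disable-safari-java (after quitting Safari) to apply the Safari setting; afterwards confirm in Preferences that "Enable Java" is unchecked, since a running Safari can overwrite preferences when it quits. An existing .jnana folder is a reason to run the SecureMac removal tool or VirusBarrier, not just to delete the folder.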

UPDATE, 18 Nov 2010 @ 9:47 PST: Added instructions for disabling Java in OmniWeb.

