Facebook continues to be a popular target for malware authors, as we have discovered yet another family that uses this popular social network to propagate. The main component, which we detect as Trojan:Java/Boonana, is written in Java, which gives it cross-platform capability: it can infect Windows, Mac and Linux users.

Trojan:Java/Boonana is sent to Facebook users as a link to a video. On clicking the link, the user is prompted to run the application “JPhotoAlbum”, which is a Java class inside a JAR file (JPhotoAlbum.jar SHA1: 159e6bc0616dec2062c92a7dd918c8179b2de640). Regardless of browser or platform, if the user allows this application to run, the rest of the payload is downloaded and executed on the computer.

The components that are subsequently downloaded are:

It is worth noting that this threat family also contains malicious files targeting Mac OS X. Boonana updates multiple components of the Macintosh operating system to give the attacker root-level privileges. We detect these as Trojan:MacOS_X/Boonana.

We have detection for this from 1.93.1067.0 onwards.
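For hosts that need a manual check, the sketch below sweeps a directory tree for JAR files matching the two indicators given in this post: the JPhotoAlbum.jar SHA1 and the JPhotoAlbum class name. It is an added example, not code from the original post; the function names and the directory to scan are assumptions.

```python
import hashlib
import os
import sys
import zipfile

# SHA1 of JPhotoAlbum.jar as published in the post.
BOONANA_JAR_SHA1 = {"159e6bc0616dec2062c92a7dd918c8179b2de640"}
# Class the post says the user is prompted to run (compared case-insensitively).
SUSPECT_CLASS = "jphotoalbum.class"


def sha1_of(path, chunk=1 << 20):
    """Stream the file so large archives are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_jar(path, known_sha1=BOONANA_JAR_SHA1):
    """Return the indicators a JAR matches; an empty list means no match."""
    reasons = []
    if sha1_of(path) in known_sha1:
        reasons.append("sha1-match")  # strong indicator: exact file from the post
    try:
        with zipfile.ZipFile(path) as jar:
            entries = {n.rsplit("/", 1)[-1].lower() for n in jar.namelist()}
        if SUSPECT_CLASS in entries:
            reasons.append("class-name-match")  # weak: a lead for manual review
    except zipfile.BadZipFile:
        pass  # not a readable archive; the hash check above still applied
    return reasons


def sweep(root, known_sha1=BOONANA_JAR_SHA1):
    """Walk root and map each matching .jar path to its matched indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                full = os.path.join(dirpath, name)
                reasons = triage_jar(full, known_sha1)
                if reasons:
                    hits[full] = reasons
    return hits


if __name__ == "__main__":
    # Directory to scan is supplied by the analyst, e.g. a downloads folder.
    for path, reasons in sweep(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ",".join(reasons))
```

A class-name match alone only flags a file for review; the SHA1 match identifies the exact file named in this post.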

Thanks to Andrei Saygo for his analysis of some of the threats in this family.

--Jaime Wong