The Linux "Koobface" (the "book" part of facebook is backward) worm is currently amusing Linux users around the globe. The Windows version made its appearance a couple years ago. Yesterday, it was reported that a version which can infect all three platforms has appeared. The new version is dubbed "Boonana". It is a java applet which claims to link to a video and asking "Is this you in this video?". Your name was obtained from another Facebook user who became infected by taking the necessary steps to run the video, which doesn't show a video but displays a porn picture stolen from another website.
The threat is rated "Low" because in order to get infected the user must click "Ok" on a warning dialog asking:
IF you click "Yes" you will get infected. If not, you won't. I can state with absolute assurance that you do NOT know the person in the video the tease msg is linking to.
So, PAY ATTENTION to FireFox warning dialogs about unverified digital signatures or certificates and cancel any requests to approve them.
Ok. Worse case mode. You foolishly click on the link and realize your mistake. Immediately reboot.
The Linux version does not have a link that allows it to restart on boot up. Open Dolphin and check the "Show hidden files" option under the "View" menu. Look for a HIDDEN file under your home account called ".jnana". Delete it. To be sure it is gone open a Konsole and isssue "sudo updatedb". Then issue "locate jnana.tsa". That file is what was downloaded. If you find it delete it. You shouldn't find it because it moved itself into the hidden file which you have already deleted. If you find jnana.tsa outside that now removed hidden file then the java applet didn't function properly.
Say you approved the unsigned digital signature or certificate. If you have rkhunter and/or chkrootkit installed it/they will be run by cron and you will receive an email warning your of the .jnana hidden directory and any other files the Koobana trojan may have downloaded and installed. Open Dolphin using "kdesudo dolphin" and navigate to those files and delete them. Job done.
Most news reports are making the traditional claims:
but most of these stories are linked to AV software houses selling AV products, even though security firms are at odds about its severity.
No word of it has appeared in the [url=http://www.ubuntu.com/usnUbuntu security site[/url] nor has any Linux security expert played with it.
This, like all the other Linux "infections" recently mentioned, is a non-starter. Being infected by Boonana is as likely as allowing yourself to be infected by an email attachment.
The threat is rated "Low" because in order to get infected the user must click "Ok" on a warning dialog asking:
The Application's digital signature cannot be verified. Do you want to run the application?
So, PAY ATTENTION to FireFox warning dialogs about unverified digital signatures or certificates and cancel any requests to approve them.
Ok. Worse case mode. You foolishly click on the link and realize your mistake. Immediately reboot.
The Linux version does not have a link that allows it to restart on boot up. Open Dolphin and check the "Show hidden files" option under the "View" menu. Look for a HIDDEN file under your home account called ".jnana". Delete it. To be sure it is gone open a Konsole and isssue "sudo updatedb". Then issue "locate jnana.tsa". That file is what was downloaded. If you find it delete it. You shouldn't find it because it moved itself into the hidden file which you have already deleted. If you find jnana.tsa outside that now removed hidden file then the java applet didn't function properly.
Say you approved the unsigned digital signature or certificate. If you have rkhunter and/or chkrootkit installed it/they will be run by cron and you will receive an email warning your of the .jnana hidden directory and any other files the Koobana trojan may have downloaded and installed. Open Dolphin using "kdesudo dolphin" and navigate to those files and delete them. Job done.
Most news reports are making the traditional claims:
.... the news might be disappointing to many Linux and Mac OS X users, who seem to believe that malware doesn't work on these operating systems.
....
Researchers have repeatedly advised that as their market share increases, malware authors will begin viewing these platforms as attractive targets.
....
Researchers have repeatedly advised that as their market share increases, malware authors will begin viewing these platforms as attractive targets.
While SecureMac contends that Boonana is a "Critical" risk, security firm Intego--which says it has been monitoring the malware for some time--deems it only a low-risk threat, due to the fact that the implementation of the malware program is itself flawed and many of the remote servers it seems to rely on are inactive.
This, like all the other Linux "infections" recently mentioned, is a non-starter. Being infected by Boonana is as likely as allowing yourself to be infected by an email attachment.