A more detailed analysis of the recently discovered cross-platform social networking trojan suggests that its ability to infect Linux might have been an unintended side effect. The hypothesis was put forth by ParetoLogic's Jerome Segura, one of the first security researchers to point out the trojan's capability of infecting Linux systems.
After analyzing the encrypted malicious code, the researcher believes that its authors only intended to target Windows and Mac OS X.
There are routines that explicitly check for Mac OS X, but none for Linux. The "might have been an accident" idea is further supported by the fact that the infection does not persist on Linux: it runs only until the machine is rebooted.
"If they really wanted to infect Linux computers, the bad guys would have added a start-up entry to ensure the code would run each and every time the machine was started. This, by the way, is not a big deal to achieve," the researcher notes.
Symantec also published some findings that point in this direction. According to the antivirus giant, the trojan contains multiple components, one of which is used to decrypt the malicious Java classes.
However, the attack server contained versions of this component only for Windows (cplib_x86_win.klf) and Mac (cplib_x86_osx.tnw); there was no Linux build.
This doesn't change the fact that Linux users are affected, but it does help explain why the infection is less effective on this OS than on the other two.
There is also a bit of confusion about the trojan's name. While it is similar to the notorious Koobface social networking worm, ultimately, this seems to be a separate creation.
SecureMac, the company that originally reported the threat, calls it Trojan.osx.boonana.a, while Mac antivirus vendor Intego names it OSX/Koobface.A.
Symantec also published a rundown of the infection. The company detects the malware as Trojan.Jnanabot.
"An unsuspecting user clicks on a malicious URL on a social networking site, resulting in the downloading of a dropper file.
"This file then drops and launches the main component of the threat, that is jnana.tsa, which is a .jar file. This file contains many encrypted class files.
"Cplib_x86_win [or cplib_x86_osx] module is used to encrypt and decrypt those class files. This component has the ability to control all the other components of the threat," the antivirus vendor explains.
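Symantec's description gives a defender one concrete handle on the sample: the main jnana.tsa .jar carries class files that are encrypted at rest and only decrypted at run time by a native helper. A real compiled class always begins with the JVM magic bytes 0xCAFEBABE, so .class entries that lack that header are a useful triage signal. The script below is an added example written for this article, not code from Symantec, SecureMac or the malware authors; it builds a small, constructed JAR inline (one entry shaped like a genuine class, two opaque entries standing in for encrypted ones) and flags the entries whose bytes do not look like class files.

```python
import io
import zipfile

# JVM class-file magic: every genuine compiled class begins with these bytes.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def build_sample_jar() -> bytes:
    """Constructed sample JAR (no real malware). One entry has a plausible
    class-file header; the other two mimic 'encrypted class files' that a
    native helper would decrypt before handing them to a custom ClassLoader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMain-Class: Loader\n")
        # magic, minor_version=0, major_version=50 (Java 6), then padding
        zf.writestr("Loader.class",
                    CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16)
        # Same .class extension, but no recognisable class-file header.
        zf.writestr("core/Payload.class", bytes(range(16, 48)))
        zf.writestr("core/Net.class", b"\x7f\x01\x02\x03" + b"\xff" * 20)
    return buf.getvalue()


def triage_jar(data: bytes) -> dict:
    """Sort every .class entry into 'valid' (JVM magic present) or 'opaque'
    (magic absent), and record the manifest's Main-Class if there is one."""
    result = {"valid": [], "opaque": [], "main_class": None}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == "META-INF/MANIFEST.MF":
                text = zf.read(name).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("Main-Class:"):
                        result["main_class"] = line.split(":", 1)[1].strip()
            elif name.endswith(".class"):
                head = zf.read(name)[:4]
                bucket = "valid" if head == CLASS_MAGIC else "opaque"
                result[bucket].append(name)
    return result


def is_suspicious(report: dict) -> bool:
    """Triage rule: a JAR whose .class entries are mostly opaque is worth a
    closer look, because the JVM could only load them after decryption."""
    total = len(report["valid"]) + len(report["opaque"])
    return total > 0 and len(report["opaque"]) > len(report["valid"])


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    print("Main-Class:", report["main_class"])
    print("valid  :", report["valid"])
    print("opaque :", report["opaque"])
    print("suspicious:", is_suspicious(report))
```

To run it against a real file, replace the constructed bytes with `open(path, "rb").read()`. Treat the result as a triage hint rather than a verdict: commercial obfuscators, resources stored under a .class name, and corrupted archives will also produce opaque entries, and a dropper that decrypts classes in memory leaves nothing on disk for this check to see once it has run.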
Some people have questioned, and not without merit, whether this attack really qualifies as a drive-by download, since the victim has to click a link and allow the Java applet to run. However, it's worth pointing out that, under some definitions, Java applets and ActiveX objects do count as drive-by downloads even though they require user interaction.