Threat behavior
Trojan:Java/Boonana is the detection for a Java archive (.JAR) file that connects to a remote server to download files and to send information about the user's activities. It is known to be distributed as a link in messages on popular social networking sites such as Facebook. Because the dropper is a Java applet, it runs on more than one platform, and it contains components that are installed on both Mac and Windows operating systems.
Installation
Trojan:Java/Boonana may be hosted on a website and installed by unsuspecting users who are lured there. Users of social networking sites such as Facebook may receive messages containing a link to the website. When a user clicks the hyperlink, they are prompted to run a Java applet named "JPhotoAlbum.jar", which is detected as Trojan:Java/Boonana. The archive contains several components:
- start.class - contains the main method and initialization functions
- classprotect.class - contains the methods to download different file input streams from a given URL
- a.jad - contains the methods to execute remote files
- lake.jad - captures screenshots and downloads files (see Payload section below)
- jphotoalbum.jad - encodes and decodes URLs and downloads files
When run, Trojan:Java/Boonana also drops the following files:
- "._" - batch file
- "_" - Java JAR file containing malicious java classes
- "logo.gif" - clean GIF file
- ".vbs" - VBS script used to launch the Java runtime
Payload
Connects to a remote server
Trojan:Java/Boonana uses its dropped batch file in an attempt to connect to "ftp.deal-bank.ru" over TCP port 21 (FTP).
It steals and then sends the following information to the server:
It can also download and execute arbitrary files from the server.
Downloads other files
Trojan:Java/Boonana downloads other files from remote servers.
These files may be downloaded from various hosts whose names have the following format:
<random string>.<domain>
For example:
38ffqm9bju.lachgastuning.info
5oc7hzqqi9.strangled.net
3atyhpxj7r.semashare.com
In the wild, some of the domains it is known to download files from are:
aintno.info
animefocus.com
animelink.com
bigbox.info
braintec.ch
com.ru
desmoineshockey.com
digital-forever.com
dis-cover.info
drugdealer24.info
freezed.info
gna.biz
hardcoretorrents.org
hopto.org
ignorelist.com
kaleebso.com
kokchat.tk
lachgastuning.info
lamer.la
lesbianbath.com
milstone.net
milstone.org
mirkforce.de
mooo.com
myftp.org
myrkraverk.net
myvnc.com
net.ru
njhurst.org
no-ip.info
no-ip.org
ohbah.com
one.pl
phyllisdiller.us
pisoft.ch
pornandpot.com
professionalcopy.net
redirectme.net
requiemproject.org
sektori.org
semashare.com
serveblog.net
servecounterstrike.com
serveftp.com
servepics.com
shell.la
slowblog.com
spacetechnology.net
stevepostma.com
stfu-kthx.net
strangled.net
sullyhome.net
sytes.net
tallerideas.com
tobban.com
toutges.us
us.to
verymad.net
worldcom.bz
yourwebhostingcompany.net
zapto.org
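The hostname pattern above lends itself to a network-side check: a single random-looking label in front of one of the listed domains, plus the FTP server named in the Payload section. The following Python is an added example, not code from the original analysis: it classifies queried hostnames against those indicators and runs the check over a few constructed BIND-style query-log lines. The subset of domains used, the log format, and the random-label heuristic (derived from the three sample hostnames, not stated by the page) are assumptions.

```python
import re

# Added example (not part of the original analysis). Indicators are taken
# from the page; everything else here is an assumption for illustration.

FTP_C2_HOST = "ftp.deal-bank.ru"  # batch-file FTP target named in the Payload section

# Subset of the download domains listed on the page.
DOWNLOAD_DOMAINS = {
    "aintno.info", "com.ru", "lachgastuning.info", "mooo.com", "myftp.org",
    "net.ru", "no-ip.info", "no-ip.org", "semashare.com", "servepics.com",
    "strangled.net", "us.to", "zapto.org",
}

# Try the longest suffix first so a two-label entry such as "com.ru" cannot
# shadow a longer listed domain that happens to end the same way.
_DOMAINS_BY_LENGTH = sorted(DOWNLOAD_DOMAINS, key=len, reverse=True)

# Heuristic (assumed, not from the page): the three sample labels are ten
# lowercase alphanumerics mixing letters and digits, e.g. 38ffqm9bju. Accept
# 8-12 characters with at least one letter and one digit; ordinary labels
# such as "www" or "mail" do not match, which keeps dynamic-DNS noise down.
_RANDOM_LABEL = re.compile(r"^(?=.*[a-z])(?=.*[0-9])[a-z0-9]{8,12}$")


def classify_host(host):
    """Return 'ftp-c2', 'download-host', or None for a queried hostname."""
    host = host.lower().rstrip(".")
    if host == FTP_C2_HOST:
        return "ftp-c2"
    for domain in _DOMAINS_BY_LENGTH:
        if host.endswith("." + domain):
            label = host[: -len(domain) - 1]
            # Exactly one label in front of the listed domain, and it must
            # look random; anything else under the same domain is ignored.
            if "." not in label and _RANDOM_LABEL.match(label):
                return "download-host"
            return None
    return None


# Constructed BIND-style query-log line, e.g.
# "client 10.0.0.5#51234: query: host.example IN A + (10.0.0.1)"
_QUERY_LINE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def scan_dns_log(lines):
    """Return (client_ip, qname, reason) for each query that hits an indicator."""
    hits = []
    for line in lines:
        m = _QUERY_LINE.search(line)
        if not m:
            continue
        reason = classify_host(m.group("qname"))
        if reason:
            hits.append((m.group("client"), m.group("qname"), reason))
    return hits


# Constructed sample log: two Boonana-style lookups, the FTP host, and
# benign noise under one of the same dynamic-DNS domains.
SAMPLE_DNS_LOG = [
    "01-Jan-2011 10:01:02.115 client 10.0.0.5#51234: query: 38ffqm9bju.lachgastuning.info IN A + (10.0.0.1)",
    "01-Jan-2011 10:01:02.300 client 10.0.0.5#51235: query: www.mooo.com IN A + (10.0.0.1)",
    "01-Jan-2011 10:01:03.002 client 10.0.0.7#40211: query: 5oc7hzqqi9.strangled.net IN A + (10.0.0.1)",
    "01-Jan-2011 10:01:04.410 client 10.0.0.5#51240: query: ftp.deal-bank.ru IN A + (10.0.0.1)",
    "01-Jan-2011 10:01:05.000 client 10.0.0.9#33001: query: update.example.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client}\t{qname}\t{reason}")
```

Several of the listed domains are dynamic-DNS services shared by many unrelated hosts, so matching the bare domain would be noisy; the check therefore requires the random-looking single label in front of it, and the query for "ftp.deal-bank.ru" is matched exactly.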
Analysis by Jaime Wong
Prevention