Threat behavior
Trojan:MacOS_X/Boonana is a file that runs on MacOS X operating systems. In the wild, it is known to be downloaded by malware detected as Trojan:Java/Boonana.
Installation
Trojan:MacOS_X/Boonana may arrive as a file named OSXDriverUpdates.tar. When executed, Trojan:MacOS_X/Boonana is installed in the root volume of the MacOS X system. It sets the following properties on all files and folders in "/Library/StartupItems/OSXDriverUpdates":
Sets owner to "root"
Sets group to "wheel"
Sets permissions to "owner:Read+Write+Execute group:Read+Execute all:Read+Execute"
Payload
Attempts to run commands
Trojan:MacOS_X/Boonana may drop a modified copy of the file "sudoers" in "/private/etc" to allow itself to execute any command on the infected system without needing a password.
Attempts to run other malware
Trojan:MacOS_X/Boonana creates a hidden folder in "/var/root" named ".jnana". It then copies the file "jnana.tsa", which is detected as Trojan:Java/Boonana, from the home folder into the folder it created, and changes the permissions on the folder and its files so that they can be executed.
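The artifacts described above (the StartupItems folder, the hidden "/var/root/.jnana" folder with its "jnana.tsa" payload, and the replaced sudoers file) can be checked for on disk with a short read-only triage script. The script below is an added example, not part of this entry or of any Microsoft tooling; it takes an optional root prefix so the same checks run against a mounted evidence volume or a constructed test tree. The entry does not say what the modified sudoers contains, so the sudoers check assumes the usual change of granting passwordless "ALL" and flags that.

```shell
#!/bin/sh
# Added example (not from the encyclopedia entry): read-only triage for the
# on-disk artifacts attributed to Trojan:MacOS_X/Boonana. $1 is a filesystem
# root prefix ("" for the live system, or e.g. /Volumes/evidence for an image).

# Paths named in the entry
STARTUP_ITEM="/Library/StartupItems/OSXDriverUpdates"
HIDDEN_DIR="/var/root/.jnana"
DROPPED_JAR="/var/root/.jnana/jnana.tsa"
SUDOERS="/private/etc/sudoers"

# Print one line per indicator found under the root prefix $1.
# Returns 0 when nothing was found, 1 when at least one indicator is present.
boonana_check() {
    root="${1:-}"
    found=0

    if [ -d "$root$STARTUP_ITEM" ]; then
        echo "startup item present: $STARTUP_ITEM"
        found=1
    fi

    if [ -d "$root$HIDDEN_DIR" ]; then
        echo "hidden folder present: $HIDDEN_DIR"
        found=1
    fi

    if [ -f "$root$DROPPED_JAR" ]; then
        echo "dropped payload present: $DROPPED_JAR"
        found=1
    fi

    # Assumption: the entry only says a modified sudoers is dropped; this flags
    # a copy that grants passwordless ALL. Comment lines are skipped first.
    if [ -f "$root$SUDOERS" ]; then
        if grep -v '^[[:space:]]*#' "$root$SUDOERS" | grep -q 'NOPASSWD:[[:space:]]*ALL'; then
            echo "sudoers grants passwordless ALL: $SUDOERS"
            found=1
        fi
    fi

    return $found
}

# Show mode, owner and group of the startup item, which the entry says is set
# to root:wheel with owner rwx / group r-x / other r-x. ls -ld is used because
# its output is the same on BSD and GNU userland, unlike stat's flags.
# Returns 1 when the startup item is absent.
boonana_startup_perms() {
    root="${1:-}"
    [ -d "$root$STARTUP_ITEM" ] || return 1
    ls -ld "$root$STARTUP_ITEM" | awk '{print $1, $3, $4}'
}

# Usage on a live system:      boonana_check
# Usage on a mounted image:    boonana_check /Volumes/evidence
```

Run it with root privileges on the live system (sudoers and /var/root are not world-readable), or point it at a mounted image. A non-empty report from boonana_check, or boonana_startup_perms showing the folder owned by root:wheel with mode drwxr-xr-x, matches the installation behavior described in this entry and warrants a full look at the StartupItems folder and the sudoers file.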
Analysis by Andrei Florin Saygo
Prevention