Recently Symantec Security Response analyzed a Trojan that uses social networking sites as its infection vector and runs on multiple platforms. Virus writers have long used this technique to entice unsuspecting users to click on a malicious link, which may result in the download and execution of threats on the user’s “PC” (one example being W32.Koobface). I say “PC” because in the computer world PC is synonymous with Windows computers, which are usually the target platform for virus writers for various reasons. But the popularity of other operating systems, for example Mac OSX, has captured the attention of malware writers. They are constantly trying to expand their scope beyond Windows and maximize their infection base by infecting other popular operating systems.
This particular Trojan (which Symantec detects as Trojan.Jnanabot) is one such attempt to target multiple platforms. Jnanabot’s functionality includes key logging, connecting to IRC servers, and posting malicious links on social networking sites, and it affects users on the Windows, Mac OSX, and Linux platforms.
The threat is composed of multiple files, which I will refer to as components throughout this blog. Each component is meant for a specific task. Some components are compiled Java files, whereas others are platform-specific executable files.
- Library component: Contains the library files needed to run the threat on the supported platforms, namely Mac OSX, Linux on AMD64 machines, Linux on x86 machines, and Windows on x86 machines.
- Main component: The main .jar file that controls execution of all the components.
- Install/update component: Installs and updates the threat.
- IRC component: Connects to remote IRC servers and waits for further commands from the bot master.
- Key logging component.
- Crypt component: Windows and Mac executable files that decrypt the packaged files.
- Facebook component: We are currently analyzing this component. From our brief analysis it appears that the threat can read the cookies of the logged-on user and may post malicious links on the social networking site.
It’s worth noting that the choice of language for the Trojan is also clever. The Trojan is written in Java, which is a platform-independent language. Each module consists of compiled Java class files (.class files) packaged in a Java archive (.jar file). As long as the computer has a Java Runtime Environment (JRE) installed, which is often the case on all of these platforms, the threat can run.
Here is a typical scenario of how Jnanabot is installed and operates on a Windows platform:
An unsuspecting user clicks a malicious URL on a social networking site, which results in the download of a dropper file. The dropper then drops and launches the main component of the threat, jnana.tsa, which is a .jar file. This file contains many encrypted class files; the Cplib_x86_win module is used to encrypt and decrypt those class files. The main component controls all the other components of the threat.
The main component then downloads the installer/updater component and the key logging component.
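The component list and the installation scenario above describe a .jar that carries encrypted class files alongside native helper libraries for each target platform. A quick way to confirm both traits during triage is to walk the jar (a jar is a zip archive) and check the leading bytes of every entry: a real class file starts with 0xCAFEBABE, so a .class entry without that magic cannot be loaded by the JVM as-is and must be decrypted by something else first, while ELF, PE and Mach-O magics reveal which platforms the bundled native code targets. The script below is an added example written for this post, not Symantec’s tooling or the threat’s own code; the sample jar it builds in memory is a constructed stand-in (stub headers only, no real binaries), and the entry names such as bot/Irc.class and lib/win_x86/cplib.dll are assumptions chosen for illustration.

```python
import io
import struct
import zipfile

# Standard file signatures used to classify jar entries.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # Java class file (also the Mach-O fat magic)
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"
# Mach-O magics as stored on disk: 32/64-bit, little- and big-endian hosts.
MACHO_LE = {b"\xce\xfa\xed\xfe": "<", b"\xcf\xfa\xed\xfe": "<"}
MACHO_BE = {b"\xfe\xed\xfa\xce": ">", b"\xfe\xed\xfa\xcf": ">"}

ELF_MACHINES = {0x03: "x86", 0x3E: "amd64"}          # e_machine values
PE_MACHINES = {0x14C: "x86", 0x8664: "amd64"}        # IMAGE_FILE_HEADER.Machine
MACHO_CPUTYPES = {7: "x86", 0x01000007: "amd64"}     # cputype (ABI64 flag = 0x01000000)


def classify(name, data):
    """Label one jar entry from its name and leading bytes."""
    head = data[:4]
    if name.endswith(".class"):
        # A .class entry without the class magic is not loadable by the JVM:
        # this is what a packed or encrypted class payload looks like.
        return "class" if head == CLASS_MAGIC else "class-nonstandard"
    if head == CLASS_MAGIC:
        return "native-macho-osx-fat"          # universal binary, magic collides with .class
    if head == ELF_MAGIC and len(data) >= 20:
        endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
        (machine,) = struct.unpack(endian + "H", data[18:20])
        return "native-elf-linux-" + ELF_MACHINES.get(machine, hex(machine))
    if head[:2] == PE_MAGIC and len(data) >= 64:
        (pe_off,) = struct.unpack("<I", data[60:64])   # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\x00\x00" and len(data) >= pe_off + 6:
            (machine,) = struct.unpack("<H", data[pe_off + 4:pe_off + 6])
            return "native-pe-win-" + PE_MACHINES.get(machine, hex(machine))
        return "native-pe-win-unknown"
    endian = MACHO_LE.get(head) or MACHO_BE.get(head)
    if endian and len(data) >= 8:
        (cputype,) = struct.unpack(endian + "I", data[4:8])
        return "native-macho-osx-" + MACHO_CPUTYPES.get(cputype, hex(cputype))
    return "other"


def inventory(jar_bytes):
    """Map every file entry of an in-memory jar to its label."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.is_dir():
                labels[info.filename] = classify(info.filename, jar.read(info.filename))
    return labels


def triage(jar_bytes):
    """Report which native platforms the jar bundles and which .class entries
    are not plain class files (candidates for an encrypted payload)."""
    labels = inventory(jar_bytes)
    platforms = sorted({lbl.split("-", 1)[1] for lbl in labels.values()
                        if lbl.startswith("native-")})
    packed = sorted(n for n, lbl in labels.items() if lbl == "class-nonstandard")
    return {"platforms": platforms, "packed_classes": packed, "entries": labels}


def build_sample_jar():
    """Construct a sample jar (not a real sample) with one genuine class, one
    entry that only looks like a class, and minimal native header stubs."""
    elf_amd64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x03\x00" + b"\x3e\x00"
    pe_x86 = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)
              + b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 18)
    macho_amd64 = b"\xcf\xfa\xed\xfe" + struct.pack("<I", 0x01000007) + b"\x00" * 24
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: bot.Main\n",
        "bot/Main.class": CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16,
        "bot/Irc.class": bytes(range(0x41, 0x41 + 32)),   # no class magic: "encrypted"
        "lib/linux_amd64/libcplib.so": elf_amd64,
        "lib/win_x86/cplib.dll": pe_x86,
        "lib/osx/libcplib.dylib": macho_amd64,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage(build_sample_jar())
    print("native platforms :", report["platforms"])
    print("packed classes   :", report["packed_classes"])
```

Against a real sample, call `triage()` on the bytes of the dropped .jar; a non-empty `packed_classes` list together with more than one native platform in `platforms` is the profile this post describes, and the listed class names tell you which entries to hand to the crypt component (or to a debugger) to recover the plain class files.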
Symantec detects this threat and its components as Trojan.Jnanabot. We are currently analyzing the threat and will post more information on it as it is available.