First spotted almost three months ago, the Boonana Trojan stood out because of its capability to infect both computer running Windows and those running Mac OS X. The Trojan nestled itself in the system, and allowed outside access to all files on it.
And if that wasn’t bad enough, it seems that it has some vulnerabilities that can be exploited by other attackers to collect information about the system or – according to a Symantec researcher – even be used to create a completely functional parallel botnet or take over of the existing one.
The Boonana bots are designed to take part of a P2P network and to communicate with each other via a custom-designed communication protocol.
Apart from making the identification of infected hosts on a particular IP range almost trivial, the P2P protocol also contains an information-disclosure vulnerability which can be used to detect which operating system the computer is running.
According to Symantec, in December 2010, 84 percent of the infected systems were running Windows, and 16 percent a version of OS X.
Windows users are especially at risk, as the malware also installs a keylogger into the system and sends the collected data to the attacker. But all users are in danger of having their systems accessed not only by the original attacker, but by others as well.
A vulnerability in the P2P protocol can also allow attackers who have identified the infected systems to install a backdoor on them and in that way gain further access to the system. Also, the list of peers that each bot has and updates occasionally can lead the attacker to the other infected hosts, allowing him to repeat all these steps and gain access to it, too.
Malware is also a software application, and as such, it has vulnerabilities like any other legitimate software. Symantec’s researcher says that this fact proves that a single malware infection can open the door to further infections, and warns users to check their systems for the Boonana Trojan in particular, and malware in general.