Update - Security firm Intego now offers a detailed analysis of the Koobface trojan horse and its potential impact on Mac users including why the company deems that it is not a "critical threat" (the phrase used by competing firm SecureMac).
Mac users have a tendency to believe that their computers are immune to major security threats, particularly malware like viruses, worms, and trojan horses. Freedom from the scores of malware on infected websites that can turn most Windows PCs into botnet zombies is, in fact, often a selling point for consumers and even small businesses. While this sense of invulnerability is pretty common, it isn't exactly accurate.
Security researchers regularly point out vulnerabilities and exploits in Apple's Mac OS X and have done so for years. The fact is that Macs may be vulnerable, but it's rare to see malicious coders expending the effort to attack them – leading to an atmosphere of security by obscurity.
Today, however, marks on of the less frequent days when Mac users should sit up and take notice as security companies SecureMac and Intego both issued warnings about trojan horse malware that could affect Mac users (along with Windows users). SecureMac reported that the trojan.osx.boonana.a is making the rounds of social networking sites like Twitter, Facebook, and MySpace. Intego issued a similar warning about the trojan noting it is a Mac variant of a Windows threat known as Koobface.A and classifying it as a "low" risk.
The trojan is Java applet based and will download data to target computers. The trojan attempts to get users to access it with a link asking "Is this you in this video?" – but, if clicked, will prompt a Java applet warning from Mac OS X's set of built-in security features, making it clear that the applet is likely suspicious.
Despite SecureMac's insistence that this if of "critical" risk, Intego is downplaying the risk because of the notification already given to Mac users when it is loaded, which also allows users to terminate it before it can run. If allowed to run, the Java applet will attempt to launch the Mac OS X Installer and install a payload that does include a command and control component (though Intego notes simply quitting the Install at this point also offers protection).
This certainly isn't the most devious threat in the world and it is easily avoidable (and removable with products from each company). But, it does illustrate that Macs aren't as safe as many tend to believe them to be. Apple's built-in security features help, but this serves as a reminder that as Macs become more common (not to mention iPhones, iPads, and Apple TVs – all of which run iOS, a specialized version of Mac OS X) so does the likelihood of malware being designed to target them.
Mac users can rest relatively easy after this incident, but shouldn't become complacent about basic security awareness in the form of Apple's built-in features (like the adaptive firewall and system-level security alerts) and habits like securing wireless networks and keeping passwords safe. More importantly, Mac users should remember that in today's world, everyone needs security and anti-virus software because the next threat might not be so minor.