New Mac OS X Trojan unearthed. Call it SabPub
Posted on 04/16/2012 9:00:32 PM PDT by iowamark
Here we go again.
Kaspersky Lab security researcher Costin Raiu has discovered another Mac OS X Trojan. Dubbed Backdoor.OSX.SabPub.a (or just SabPub, for short), the malware uses Java exploits to infect a Mac, connect to a remote Web site, and wait for instructions that include taking screenshots of the user's Mac and executing commands.
"The Java exploits appear to be pretty standard, however, (and) they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator," Raiu wrote on the Securelist blog. "This was obviously done in order to avoid detection from anti-malware products."
Raiu's discovery comes as Mac users are on high alert over the Flashback Trojan, which reportedly infected over 600,000 Macs worldwide. That exploit, which also uses Java, is capable of nabbing user passwords and other information from their Web browser or some applications. Apple on Friday released a tool designed to remove Flashback from infected machines. Prior to that launch, it was believed that 270,000 Macs were infected with the Trojan, down significantly from its height.
In a follow-up post on Securelist yesterday, Raiu provided a bit more information on SabPub to help differentiate it from Flashback. He reported that there are at least two SabPub variants in the wild today, including one that dates back to February. The malware appears to be delivered through targeted attacks, which should limit its ability to make widespread incursions a la Flashback.
Raiu also reported that the malware appears to be spreading through Word documents that exploit the CVE-2009-0563 vulnerability related to a stack-based buffer overflow in Office on the Mac.
"The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named '8958.doc.'" Raiu wrote on the blog. "This suggests it was extracted from a Word document or was distributed as a Doc-file."
Apple did not immediately respond to CNET's request for comment.
It looks like the Apple is starting to get worms. I guess it’s becoming time to pitch the Apple and get PCs which have much more mature and developed exploit removal tools.
“It looks like the Apple is starting to get worms. I guess it’s becoming time to pitch the Apple and get PCs which have much more mature and developed exploit removal tools.”
There’s a saying about that: “It’s like cutting off your nose to spite your face!”
It’s funny watching each release of Windows add the same things that earlier releases of MacOS had. I hear Windows 8 is going to have a backup system. Just imagine!
You know that’s a lie. A fully patched windows machine is secure.
“You know that’s a lie. A fully patched windows machine is secure.”
You apparently don’t know that you’re uninformed. Do a search on “zero day exploit”.
Guess which OS gets vastly more of them?
I’ll steal a page from Swordmaker. There are no 0 day exploits in the wild for a fully patched windows 7 machine.
If there is, prove it. I will navigate my windows 7 machine to any website you want me to.
Thanks for the clarity.
The pc-shills have been screaming this in every news venue.
“If there is, prove it. I will navigate my windows 7 machine to any website you want me to.”
The first phase of a zero day exploit is one nobody knows about - like the Flashback malware before people were aware of it. That is how hundreds of thousands or millions of machines become infected.
Good luck with Windows. As for me, I will continue to enjoy the painless and productive MacOS - along with its best in class bundled applications.
I’m not saying OSX is garbage, all I’m saying is the security of both OSX and windows 7 is about the same. OSX enjoys the benefit of having a smaller user base so the target is smaller. But as it becomes more popular we will see more and more attacks on OSX.
So all I’m saying is get ahead of the game and apply a good 3rd party AV solution to your system to help protect your data.
That is not a lie. It is being torn up with Java malware. When you go from having 0 to hundreds of thousands of cases that’s being torn up.
There HAVE been... several. They are now patched.
To use your logic. I’ve never been hit nor anyone I know that was running a fully patched windows 7 machine—therefore it does not exist.
Kind of like the recent malware on OSX.
The OS should NOT allow an application to be exploited like that. Microsoft has been beaten up for years over such things.
Thank you for all you do. I’ve no other source for straight skinny as good as yours.
It doesn’t. The data stacks and heaps are non-executable memory locations in OSX. Microsoft was apparently doing something that is not permitted under the system programming that moved data into executable areas. This was patched THREE YEARS AGO. It is not in the wild as far as I can see. It’s theoretical, again, if you haven’t updated your MS Word, or your Mac, you might get hit by this.
How does Microsoft do something that isn’t permitted? The OS controls that stuff. The app should just crash when that happens or not be allowed to be compiled/installed. Or at least warn the user that the app they are installing is altering the OS at ring0.
Uh actually the reason I’m doing this service of posting in Mac threads is because for years we had knuckleheads post in windows threads to get a Mac. I’m not even saying to go back to windows. I’m just saying get a real AV solution and use good security practices because no OS is fool-proof.
Also you are RIGHT I’m not one of those guys that say Apple has too much control of the apps. I hate android and that’s one of their biggest issues—did you see the instagram malware for android? Why on earth would you even bring this up on this thread? Are you a macbot or apple zealot?