Free Republic
New Mac OS X Trojan unearthed. Call it SabPub
CNET ^ | April 16, 2012 | Don Reisinger

Posted on 04/16/2012 9:00:32 PM PDT by iowamark

Here we go again.

Kaspersky Lab security researcher Costin Raiu has discovered another Mac OS X Trojan. Dubbed Backdoor.OSX.SabPub.a (or just SabPub, for short), the malware uses Java exploits to infect a Mac, connect to a remote Web site, and wait for instructions that include taking screenshots of the user's Mac and executing commands.

"The Java exploits appear to be pretty standard, however, (and) they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator," Raiu wrote on the Securelist blog. "This was obviously done in order to avoid detection from anti-malware products."

Raiu's discovery comes as Mac users are on high alert over the Flashback Trojan, which reportedly infected over 600,000 Macs worldwide. That exploit, which also uses Java, is capable of nabbing user passwords and other information from their Web browser or some applications. Apple on Friday released a tool designed to remove Flashback from infected machines. Prior to that launch, it was believed that 270,000 Macs were infected with the Trojan, down significantly from its height.

In a follow-up post on Securelist yesterday, Raiu provided a bit more information on SabPub to help differentiate it from Flashback. He reported that there are at least two SabPub variants in the wild today, including one that dates back to February. The malware appears to be delivered through targeted attacks, which should limit its ability to make widespread incursions a la Flashback.

Raiu also reported that the malware appears to be spreading through Word documents that exploit the CVE-2009-0563 vulnerability related to a stack-based buffer overflow in Office on the Mac.

"The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named '8958.doc.'" Raiu wrote on the blog. "This suggests it was extracted from a Word document or was distributed as a Doc-file."

Apple did not immediately respond to CNET's request for comment.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; mac; sabpub

1 posted on 04/16/2012 9:00:46 PM PDT by iowamark

To: iowamark

And so it begins... if you own a Mac, please buy a 3rd party AV solution to protect your machine.


2 posted on 04/16/2012 9:11:09 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: iowamark

Just had an Apple software update for Java that said it removed malware.

Was that bogus?


3 posted on 04/16/2012 9:18:37 PM PDT by Clint N. Suhks

To: iowamark

Bookmark


4 posted on 04/16/2012 9:25:53 PM PDT by GOP Poet

To: Clint N. Suhks; Swordmaker

swordmaker may be able to help.

My bet is that it was legit. OSX is being torn up by java malware right now.


5 posted on 04/16/2012 9:38:06 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton; Swordmaker

So far everything is working, except the ice maker went out on the Sub Zero...


6 posted on 04/16/2012 9:47:02 PM PDT by Clint N. Suhks

To: Clint N. Suhks
Just had an Apple software update for Java that said it removed malware.

The problem is not an exploit of Apple's OS X but of the Java that also runs on OS X, and that is being over-hyped. Leo Laporte said you can actually disable Java!

7 posted on 04/16/2012 10:01:07 PM PDT by hamboy

To: Clint N. Suhks

Run the software update. Apple has addressed this problem in software updates.


8 posted on 04/16/2012 11:02:49 PM PDT by BigSkyFreeper (You have entered an invalid birthday)

To: hamboy
Simply downloading and installing "Java for OS X 2012-003" through software updates disables Java.
9 posted on 04/16/2012 11:05:14 PM PDT by BigSkyFreeper (You have entered an invalid birthday)

To: iowamark

If you disable Java system-wide, you're safe. Ways to disable Java: http://osxdaily.com/2012/04/07/tips-secure-mac-from-virus-trojan/


10 posted on 04/16/2012 11:06:42 PM PDT by BigSkyFreeper (You have entered an invalid birthday)

To: iowamark; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; ...
Another variation of the JAVA exploit... contrary to the breathless tone of this article, this one is ALSO handled by simply turning OFF JAVA... and is based on a 2009 EXPLOIT that was patched by Apple in 2009!—PING!

Note, also that, contrary to the article, the Flashback NEVER, EVER infected 600,000 Macs, and the number was reduced to 227K, ADMITTED BY KASPERSKY, if even that! The number was ESTIMATED, and we are STILL not finding ANYONE in the real world who claims to have been infected! Where are the infected Macs????

This version requires an even OLDER unpatched version of JAVA... SHEESH!

Can you say "Proof of Concept?"


Apple Security Ping!

Please, No Flame Wars!
Discuss technical issues, software, and hardware.
Don't attack people!
Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

If you want on or off the Mac Ping List, Freepmail me.

11 posted on 04/17/2012 1:20:30 AM PDT by Swordmaker

To: BigSkyFreeper
Simply downloading and installing "Java for OS X 2012-003" through software updates disables Java.

Thanks, if that is so, good enough.... I wonder if Facebook video calling will still work though, because it looks like the Skype plugin is running on Java...?

12 posted on 04/17/2012 1:24:42 AM PDT by hamboy

To: iowamark
Mitt's Fault

13 posted on 04/17/2012 1:26:30 AM PDT by Jeff Chandler (This place is nuts.)

To: iowamark
Prior to that launch, it was believed that 270,000 Macs were infected with the Trojan, down significantly from its height.

That is a BS statement... re-analyzing the data provided by Doctor Web, it was found that they had exaggerated the threat by quite a bit... and that the number was 227,313 IF THAT... since no one is finding any infected machines in the WILD!

Doctor Web was claiming that you could submit your Mac's UUID to them and have them check with the CONTROL SERVER for the MacBOT to find out if you were infected, but KNOWN clean machines so submitted to their automatic checking site, some without JAVA being installed at all, were being reported as being members of the botnet!, including brand new Macs, right out of the box!

This—combined with the dearth of infected machines being reported on all the forums—pretty much proves the botnet a hoax in my book—made up of artificially generated UUIDs from the known range assigned to Apple Macs!

14 posted on 04/17/2012 1:34:15 AM PDT by Swordmaker

To: Swordmaker
I have been getting this Java from Apple and never had a problem. My Kaspersky antivirus sent a removal tool, only if I wanted to use it, not that I had it. After I ran a scan it came up empty. I still never had the headaches of a Windows OS. I know I started on Windows XP. Windows is way behind Apple.

Cheers!

15 posted on 04/17/2012 1:42:10 AM PDT by johngrace (I am a 1 John 4! Christian- declared at every Sunday Mass , Divine Mercy and Rosary prayers!)

To: Swordmaker

Thanks for Ping!! Keep me posted.


16 posted on 04/17/2012 1:43:54 AM PDT by johngrace (I am a 1 John 4! Christian- declared at every Sunday Mass , Divine Mercy and Rosary prayers!)

To: for-q-clinton
My bet is that it was legit. OSX is being torn up by java malware right now.

BS. You have been on the anti-apple train since your startup date. It is in your posting history.
17 posted on 04/17/2012 1:56:05 AM PDT by PA Engineer (Time to beat the swords of government tyranny into the plowshares of freedom.)

To: PA Engineer

Even if that’s true that doesn’t change the fact that OSX now has confirmed malware in the wild.


18 posted on 04/17/2012 5:00:18 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Clint N. Suhks

“Just had an Apple software update for Java that said it removed malware.

Was that bogus?”

Nope, it was aimed at the Flashback malware. The Java update also removed the vulnerability, so attacks like Flashback won’t work.

This Cnet article was fairly worthless, as they didn’t make it clear that the latest Java patches remove the vulnerability.

http://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link

There is apparently another variant that targets Microsoft Word for Mac, but you’re fine if you either don’t run Office, or simply don’t open documents from unknown sources. I didn’t see anything about a patch for this yet; it might be worth checking Microsoft’s site for one.

I’ll also link a decent article on maximizing Mac security. It’s a bit overly paranoid in my view (I have Java and Flash installed, though I may get rid of standalone Flash). I guess at this point I’d recommend installing an anti-malware solution. I’m using Sophos, which is free and seems pretty lightweight.

http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_Boosting_The_Security_Of_Your_Mac

http://www.sophos.com/en-us/


19 posted on 04/17/2012 5:14:07 AM PDT by PreciousLiberty (Pray for America!!!)

To: for-q-clinton

“Even if that’s true that doesn’t change the fact that OSX now has confirmed malware in the wild.”

Not for a fully patched machine. There has been “theoretical” malware targeting Macs for years.

It is still a minuscule problem compared to the Windows free-for-all.


20 posted on 04/17/2012 5:17:48 AM PDT by PreciousLiberty (Pray for America!!!)

To: iowamark

It looks like the Apple is starting to get worms. I guess it’s becoming time to pitch the Apple and get PCs which have much more mature and developed exploit removal tools.


21 posted on 04/17/2012 5:21:04 AM PDT by norwaypinesavage (Galileo: In science, the authority of a thousand is not worth the humble reasoning of one individual)

To: norwaypinesavage

“It looks like the Apple is starting to get worms. I guess it’s becoming time to pitch the Apple and get PCs which have much more mature and developed exploit removal tools.”

There’s a saying about that: “It’s like cutting off your nose to spite your face!”

It’s funny watching each release of Windows add the same things that earlier releases of MacOS had. I hear Windows 8 is going to have a backup system. Just imagine!


22 posted on 04/17/2012 5:30:28 AM PDT by PreciousLiberty (Pray for America!!!)

To: PreciousLiberty

You know that’s a lie. A fully patched windows machine is secure.


23 posted on 04/17/2012 5:31:37 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

“You know that’s a lie. A fully patched windows machine is secure.”

You apparently don’t know that you’re uninformed. Do a search on “zero day exploit”.

Guess which OS gets vastly more of them?


24 posted on 04/17/2012 5:42:08 AM PDT by PreciousLiberty (Pray for America!!!)

To: PreciousLiberty

I’ll steal a page from Swordmaker. There are no 0-day exploits in the wild for a fully patched Windows 7 machine.

If there is prove it. I will navigate my windows 7 machine to any website you want me to.


25 posted on 04/17/2012 6:49:26 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Swordmaker
Thanks for the clarity.

The pc-shills have been screaming
this in every news venue.


26 posted on 04/17/2012 7:39:00 AM PDT by Uri’el-2012 (Psalm 119:174 I long for Your salvation, YHvH, Your law is my delight.)

To: for-q-clinton

“If there is prove it. I will navigate my windows 7 machine to any website you want me to.”

The first phase of a zero day exploit is one nobody knows about - like the Flashback malware before people were aware of it. That is how hundreds of thousands or millions of machines become infected.

Good luck with Windows. As for me, I will continue to enjoy the painless and productive MacOS - along with its best in class bundled applications.


27 posted on 04/17/2012 7:56:22 AM PDT by PreciousLiberty (Pray for America!!!)

To: PreciousLiberty

I’m not saying OSX is garbage; all I’m saying is the security of both OSX and Windows 7 is about the same. OSX enjoys the benefit of having a smaller user base, so the target is smaller. But as it becomes more popular we will see more and more attacks on OSX.

So all I’m saying is get ahead of the game and apply a good 3rd party AV solution to your system to help protect your data.


28 posted on 04/17/2012 2:55:59 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

“Even if that’s true that doesn’t change the fact that OSX now has confirmed malware in the wild.”

yeah, but YOU LIED LIKE OBAMA’S MOMMA when you wrote “OSX is being torn up by java malware right now.”


29 posted on 04/17/2012 3:36:25 PM PDT by Yehuda (http://jewpoint.blogspot.com)

To: Yehuda

That is not a lie. It is being torn up with java malware. When you go from having 0 to hundreds of thousands of cases that’s being torn up.


30 posted on 04/17/2012 5:03:10 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton
I’ll steal a page from Swordmaker. There are no 0 day exploits in the wild for a fully patched windows7 machine.

If there is prove it. I will navigate my windows 7 machine to any website you want me to.

There HAVE been... several. They are now patched.

31 posted on 04/17/2012 6:23:30 PM PDT by Swordmaker

To: Swordmaker

To use your logic. I’ve never been hit nor anyone I know that was running a fully patched windows 7 machine—therefore it does not exist.

Kind of like the recent malware on OSX.


32 posted on 04/18/2012 7:30:38 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton; Swordmaker
a/ the numbers of infected users went from 600,000 to under 270k, and even those numbers are in dispute.

b/ the latest issue is now shown to be from infected MICROSOFT (did you get that, MICROSOFT!) Word docs, from an exploit that goes back THREE YEARS:

Kaspersky's Costin Raiu writes in the Securelist blog that: "At least two variants of the SabPub bot exist today". He adds that "The earliest version of the bot appears to have been created and used in February 2012. The malware is being spread through Word documents that exploit the CVE-2009-0563 vulnerability." He notes that "SabPub stayed undetected for more than 1.5 months." (More below)

Graham Cluley warns that: "Unlike the earlier sightings of Sabpab, there is nothing about this attack which relates to the Java vulnerability exploited by the Flashback botnet." Cluley wrote in his blog that: "Rather than relying upon a Java vulnerability - it appears to be exploiting malformed Word documents instead."

Cluley's concern is that: "Any Mac users who believe that they have protected themselves because they don't use Java probably needs to realise that that's not an effective defence".

It was previously thought that Sabpab used the same vulnerability in OS X's Java plug-in to infect Macs. Sophos had earlier warned that, just like Flashback, all that needs to happen is for you to visit an infected webpage. It had been thought that if you have updated Java on your Mac then you would be protected from the new threat, and most Mac anti-virus software will protect against Sabpab as well. This is not the case.

The Trojan works as follows, according to Cluley: "If you open the boobytrapped Word document on a vulnerable Mac, a version of the OSX/Sabpab Trojan horse gets installed on your computer opening a backdoor for remote hackers to steal information or install further code." He adds that: "Mac users may be caught out by the attack, as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac." Sophos anti-virus products will detect the Word documents as Troj/DocOSXDr-A, and protection against OSX/Sabpab-A has been updated to detect this variant also, Cluley notes, suggesting that Mac users install security software.

This Word exploit is nothing new. Cluley points to an earlier blog about another Mac malware, identified by AlienVault back in March. In that case the Trojan was hidden in a booby trapped Word document and relied upon a critical security vulnerability discovered in Microsoft Word back in 2009...

Summary: It needs to be addressed, but it's not "tearing up" the Mac community.
33 posted on 04/18/2012 8:59:54 AM PDT by Yehuda (http://jewpoint.blogspot.com)

To: Yehuda

The OS should NOT allow an application to be exploited like that. Microsoft has been beaten up for years over such things.


34 posted on 04/18/2012 12:37:46 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Swordmaker

Thank you for all you do. I’ve no other source for straight skinny as good as yours.


35 posted on 04/18/2012 12:52:39 PM PDT by Sundog (When Hollywood defines reality there is none.)

To: for-q-clinton

It doesn’t. The data stacks and heaps are non-executable memory locations in OSX. Microsoft was apparently doing something that is not permitted under the system programming that moved data into executable areas. This was patched THREE YEARS AGO. It is not in the wild as far as I can see. It’s theoretical, again; if you haven’t updated your MS Word, or your Mac, you might get hit by this.


36 posted on 04/18/2012 3:06:58 PM PDT by Swordmaker

To: Swordmaker

How does Microsoft do something that isn’t permitted? The OS controls that stuff. The app should just crash when that happens or not be allowed to be compiled/installed. Or at least warn the user that the app they are installing is altering the OS at ring0.


37 posted on 04/18/2012 3:23:54 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

“The OS should NOT allow an application to be exploited like that. “

Oh yeah, and I am sure you aren’t one of those nincompoops who scream “Apple has too much control of the apps”.

Try spending as much time beefing about Obama, and be productive.

PS - Ever notice how Mac users will hardly ever even post a comment on a Windows thread? IF YOU AREN’T USING A MAC, go whine somewhere else.


38 posted on 04/18/2012 9:41:07 PM PDT by Yehuda (http://jewpoint.blogspot.com)

To: Yehuda

Uh, actually the reason I’m doing this service of posting in Mac threads is because for years we had knuckleheads post in Windows threads to get a Mac. I’m not even saying to go back to Windows. I’m just saying get a real AV solution and use good security practices, because no OS is fool-proof.

Also you are RIGHT I’m not one of those guys that say Apple has too much control of the apps. I hate android and that’s one of their biggest issues—did you see the instagram malware for android? Why on earth would you even bring this up on this thread? Are you a macbot or apple zealot?


39 posted on 04/19/2012 11:48:15 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

“OSX is being torn up by java malware right now....Even if that’s true that doesn’t change the fact...Uh actually the reason I’m doing this service...I’m just saying ....”


40 posted on 04/19/2012 3:16:42 PM PDT by Yehuda (http://jewpoint.blogspot.com)

To: hamboy

My suggestion is to use native Skype. Skype by itself works fine on my Macbook Pro.


41 posted on 04/20/2012 5:18:02 AM PDT by BigSkyFreeper (You have entered an invalid birthday)
