New Mac OS X Trojan unearthed. Call it SabPub

CNET ^ | April 16, 2012 | Don Reisinger

[iowamark]

Here we go again.

Kaspersky Lab security researcher Costin Raiu has discovered another Mac OS X Trojan. Dubbed Backdoor.OSX.SabPub.a (or just SabPub, for short), the malware uses Java exploits to infect a Mac, connect to a remote Web site, and wait for instructions that include taking screenshots of the user's Mac and executing commands.

"The Java exploits appear to be pretty standard, however, (and) they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator," Raiu wrote on the Securelist blog. "This was obviously done in order to avoid detection from anti-malware products." Related stories

Raiu's discovery comes as Mac users are on high alert over the Flashback Trojan, which reportedly infected over 600,000 Macs worldwide. That exploit, which also uses Java, is capable of nabbing user passwords and other information from their Web browser or some applications. Apple on Friday released a tool designed to remove Flashback from infected machines. Prior to that launch, it was believed that 270,000 Macs were infected with the Trojan, down significantly from its height.

In a follow-up post on Securelist yesterday, Raiu provided a bit more information on SabPub to help differentiate it from Flashback. He reported that there are at least two SabPub variants in the wild today, including one that dates back to February. The malware appears to be delivered through targeted attacks, which should limit its ability to make widespread incursions a la Flashback.

Raiu also reported that the malware appears to be spreading through Word documents that exploit the CVE-2009-0563 vulnerability related to a stack-based buffer overflow in Office on the Mac.

"The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named '8958.doc.'" Raiu wrote on the blog. "This suggests it was extracted from a Word document or was distributed as a Doc-file."

Apple did not immediately respond to CNET's request for comment.

[for-q-clinton]

And so it begins...if you own a mac please by a 3rd party AV solution to protect your machine.

[Clint N. Suhks]

Just had an Apple software update for Java that said it removed malware.

Was that bogus?

[GOP Poet]

Bookmark

[for-q-clinton]

swordmaker may be able to help.

My bet is that it was legit. OSX is being torn up by java malware right now.

[Clint N. Suhks]

So far everything is working, except the ice maker went out on the Sub Zero...

[hamboy]

Just had an Apple software update for Java that said it removed malware.

The problem is not exploit of the Apple's OS X but the Java that also runs on OS X that is being over hyped. Leo Laporte said you can actually disable Java!

[BigSkyFreeper]

Run the software update. Apple has addressed this problem in software updates.

[BigSkyFreeper]

Simply downloading and installing “Java for OS X 2012-003″ through software updates disables Java.

[BigSkyFreeper]

If you disable Java system-wide, your safe. Ways to disable Java: http://osxdaily.com/2012/04/07/tips-secure-mac-from-virus-trojan/

[Swordmaker]

Another variation of the JAVA exploit... contrary to the breathless tone of this article, this one is ALSO handled by simply turning OFF JAVA... and is based on a 2009 EXPLOIT that was patched by Apple in 2009!—PING!

Note, also that, contrary to the article, the Flashback NEVER, EVER infected 600,000 Macs, and the number was reduced to 227K, ADMITTED BY KASPERSKY, if even that! The number was ESTIMATED, and we are STILL not finding ANYONE in the real world who claims to have been infected! Where are the infected Macs????

This version requires an even OLDER unpatched version of JAVA... SHEESH!

Can you say "Proof of Concept?"

Apple Security Ping!

Please, No Flame Wars!
Discuss technical issues, software, and hardware.
Don't attack people!
Don't respond to the Anti-Apple Thread Trolls!
PLEASE IGNORE THEM!!!

If you want on or off the Mac Ping List, Freepmail me.

[hamboy]

Simply downloading and installing “Java for OS X 2012-003″ through software updates disables Java.

Thanks, if that is so, good enough.... I wonder if Facebook video calling will still work though because looks like Skype plugin running on Java...?

[Jeff Chandler]

.

.

Mitt's Fault

.

.

[Swordmaker]

Prior to that launch, it was believed that 270,000 Macs were infected with the Trojan, down significantly from its height.

That is a BS statement... re-analyzing the data provided by Doctor Web, it was found that they had exaggerated the threat by quite a bit... and that the number was 227,313 IF THAT... since no one is finding any infected machines in the WILD!

Doctor Web was claiming that you could submit your Mac's UUID to them and have them check with the CONTROL SERVER for the MacBOT to find out if you were infected, but KNOWN clean machines so submitted to their automatic checking site, some without JAVA being installed at all, were being reported as being members of the botnet!, including brand new Macs, right out of the box!

This—combined with the dearth of infected machines being reported on all the forums—pretty much proves the botnet a hoax in my book—made up of artificially generated UUIDs from the known range assigned to Apple Macs!

[johngrace]

I have been getting this java from apple never had a problem. My kaspersky antivirus sent a Removal tool. Only if I wanted to use it not that I had it. After I sent a scan it came up empty. I still never had the headaches of a Windows os. I know I started on windows exp. Windows is way behind Apple.

Cheers!

[johngrace]

Thanks for Ping!! Keep me posted.

[PA Engineer]

My bet is that it was legit. OSX is being torn up by java malware right now.

BS. You have been on the anti-apple train since your startup date. It is in your posting history.

[for-q-clinton]

Even if that’s true that doesn’t change the fact that OSX now has confirmed malware in the wild.

[PreciousLiberty]

“Just had an Apple software update for Java that said it removed malware.

Was that bogus?”

Nope, it was aimed at the Flashback malware. The Java update also removed the vulnerability, so attacks like Flashback won’t work.

This Cnet article was fairly worthless, as they didn’t make it clear that the latest Java patches remove the vulnerability.

http://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link

There is apparently another variant that targets Microsoft Word for Mac, but you’re fine if you either don’t run Office, or simply don’t open documents from unknown sources. I didn’t see anything about a patch for this yet, it might be worth check Microsoft’s site for one.

I’ll also link a decent article on maximizing Mac security. It’s a bit overly paranoid in my view (I have Java and Flash installed, though I may get rid of standalone Flash). I guess at this point I’d recommend installing an anti-malware solution. I’m using Sophos, which is free and seems pretty lightweight.

http://www.securelist.com/en/blog/208193448/10_Simple_Tips_for_Boosting_The_Security_Of_Your_Mac

http://www.sophos.com/en-us/

[PreciousLiberty]

“Even if that’s true that doesn’t change the fact that OSX now has confirmed malware in the wild.”

Not for a fully patched machine. There has been “theoretical” malware targeting Macs for years.

It is still a minuscule problem compared to the Windows free-for-all.