Saturday, April 14, 2012

New targeted Mac OS X Trojan requires no user interaction

from zdnet.com

Summary: A new Mac OS X Trojan referred to as Backdoor.OSX.SabPub.a or SX/Sabpab-A is also exploiting Java vulnerabilities in a way that requires no user interaction. It is being used in targeted attacks.
Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as “Backdoor.OSX.SabPub.a” while Sophos calls it “SX/Sabpab-A.”
After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user’s current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity.
The remote C&C website appears to be hosted on the free dynamic DNS service onedumb.com. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.
The Trojan may have been created on March 16, 2012. It was compiled with debug information, meaning analyzing it wasn’t hard, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:
/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist
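As an added example (not part of the ZDNet article), here is a small POSIX shell check for the two file indicators listed above. It goes slightly beyond the article: it accepts a root prefix so it can be run against a mounted disk image or a test tree, it also looks under each user's home (an assumption, since the article only names the system-wide /Library paths), and on a live Mac it asks launchd whether a job whose label contains "PubSab" is loaded (another assumption about the label).

```shell
#!/bin/sh
# Added example: check a Mac (or a mounted image) for the SabPub artifacts
# named in the article. Usage: sabpub_check.sh [ROOT]   (ROOT defaults to /)
# Exit status of the check functions: 0 = clean, 1 = indicator present.

# Relative paths of the indicators, exactly as the article lists them.
SABPUB_PATHS="Library/Preferences/com.apple.PubSabAgent.pfile
Library/LaunchAgents/com.apple.PubSabAGent.plist"

sabpub_check() {
    root="${1:-/}"
    found=0
    for rel in $SABPUB_PATHS; do
        # System-wide /Library under ROOT, plus every home under ROOT/Users
        # (assumption: a per-user install would use the same file names).
        for base in "$root" "$root"/Users/*; do
            [ -d "$base" ] || continue
            if [ -e "$base/$rel" ]; then
                echo "INDICATOR: $base/$rel"
                found=1
            fi
        done
    done
    return $found
}

# On a live macOS system, also ask launchd whether the agent is loaded
# (assumption: its launchd label contains "PubSab" like the plist name).
sabpub_launchd_check() {
    command -v launchctl >/dev/null 2>&1 || return 0   # not macOS: skip
    if launchctl list 2>/dev/null | grep -qi 'pubsab'; then
        echo "INDICATOR: a launchd job whose label contains 'PubSab' is loaded"
        return 1
    fi
    return 0
}

rc=0
sabpub_check "${1:-/}" || rc=1
sabpub_launchd_check || rc=1
if [ "$rc" -eq 0 ]; then
    echo "no SabPub indicators found under ${1:-/}"
fi
```

Run it with sudo if /Library is not readable by your account, and remember that a clean result only covers the file names the article published, not later variants.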
The Java exploits appear to be pretty standard, but have been obfuscated using Zelix KlassMaster to avoid detection by anti-malware products. The low number of infections and its backdoor functionality indicate that it is most likely used in targeted attacks.
The good news is this means that this Trojan is not believed to be anywhere near as widespread as Flashback, and if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe. The bad news is these Trojans will just keep coming, likely at an increasing rate.
This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

7 comments:

  1. I'm all for allowing installation of Apple's security updates, but I am still suspicious of third-party security programs.

    Kaspersky Labs had to suspend distribution of their own Flashback removal tool when it was found to corrupt user settings.

    And don't forget, it was malware paranoia that fooled numerous Mac users into installing the bogus "Mac Defender" trojan on their otherwise uninfected computers.

  2. Exactly, the Mac users were fooled and unprepared for the attack. If they were protected the malware would have most certainly been squashed. The new one sounds much worse.

    http://arstechnica.com/apple/news/2012/04/researchers-uncover-new-espionage-malware-preying-on-mac-users.ars

    Brett, you need to understand that spreading the word about Apple's problems is actually a GOOD thing. The more people see stuff like this, the more cautious they will be. Luck favors the prepared.

  3. I certainly never meant to imply that Mac users would be better off being kept ignorant of real malware threats. People should absolutely practice safe computing. That means NOT downloading and opening files of dubious source, and following the news to learn of risks.

    Apparently, 600,000 Macs got attacked by flashback BEFORE the security software companies had addressed this issue. Running their software would NOT have protected these users.

    People should not assume that security software absolves them of having to be aware and careful.

    My objection to the fuss haters are making over this is that they seem to equate the relative pittance of malware on the Mac with the deluge that has historically troubled Windows users over the years. It's not even close.

  4. I read that the percentage of Macs infected was more than the percentage of the largest Windows virus. That is significant. Apple haters have never denied that Windows has had lots of attacks but you keep going back to that argument. It seems to me that you have no real defense for Mac (because there isn't any) so you revert back to a distraction technique. "Look at them! They have viruses too!" I guess it works on some people.

  5. The notion that Windows users have been troubled by a deluge of viruses is another common delusion of Mac users. It's right up there with "Macs never crash." The average Windows machine hasn't seen anything close to a virus in the past decade.

  6. @Dillion: Funny you should mention it. "Look at them! They have viruses too!" is exactly what haters have shouted as they rejoice over every Mac security alert or proof of concept. And Flashback, they feel, is their grand moment of vindication.

    @Marty: Things have certainly improved for Windows users, but it is still attacked more vigorously than the Mac. If you deny this, you are the one that's delusional.

  7. Hackers, in their pursuit of notoriety, are going to exploit targets that will get them the most bang for their buck. If more users are on PC, that's where they'll set their sights. If the PC users get smarter and better protected, they'll shift their focus to easier targets of opportunity.

    I'm not denying that PCs have been through the wringer on virus attacks. I'd contend that while most PC users haven't seen a virus in over a decade, most would probably also have a memory of a time when they tangled with one. And they probably have countless tales of when a Mac user claimed he was impervious to such attacks with a trademark air of superiority.

    If I am rejoicing, it's not that a hacker somewhere is high-fiving himself. It's that the next Mac fan I talk to might actually pause before diving into his tired mantra. Maybe he's come one step closer to realizing that what he owns is just another computer and not the Triforce of Power.
