New Mac OS X trojan unearthed: call it SabPub

The folks at Kaspersky Lab have reported that there's new Mac malware in the wild, called Backdoor.OSX.SabPub.a. There are at least two variants being spread through Java exploits.

(Credit: Apple; Feline leukemia virus by the United States Department of Health and Human Services, public domain)

Here we go again.

Kaspersky Lab security researcher Costin Raiu has discovered another Mac OS X trojan. Dubbed Backdoor.OSX.SabPub.a (or just SabPub, for short), the malware uses Java exploits to infect a Mac, connect to a remote website and wait for instructions that include taking screenshots of the user's Mac and executing commands.

"The Java exploits appear to be pretty standard, however, [and] they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator," Raiu wrote on the Securelist blog. "This was obviously done in order to avoid detection from anti-malware products."

Raiu's discovery comes as Mac users are on high alert over the Flashback trojan, which reportedly infected over 600,000 Macs worldwide. That exploit, which also uses Java, is capable of nabbing user passwords and other information from their web browser or some applications. Apple on Friday released a tool designed to remove Flashback from infected machines. Prior to that launch, it was believed that 270,000 Macs were infected with the trojan, down significantly from its height.

In a follow-up post on Securelist yesterday, Raiu provided a bit more information on SabPub to help differentiate it from Flashback. He reported that there are at least two SabPub variants in the wild today, including one that dates back to February. The malware appears to be delivered through targeted attacks, which should limit its ability to make widespread incursions a la Flashback.

Raiu also reported that the malware appears to be spreading through Word documents that exploit the CVE-2009-0563 vulnerability related to a stack-based buffer overflow in Office on the Mac.

"The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named '8958.doc.'" Raiu wrote on the blog. "This suggests it was extracted from a Word document or was distributed as a Doc file."

Apple did not immediately respond to CNET's request for comment.


Add Your Comment


Be the first to comment on this story!

Post comment as

Sponsored Links

Recently Viewed Products