New Mac OS X Trojan

Creation date

ID: IRCNE2012041468
Date: 2012-04-15

According to “ZDNet”, another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as “Backdoor.OSX.SabPub.a” while Sophos calls it “SX/Sabpab-A.”
After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user’s current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity.
The remote C&C website appears to be hosted on the free dynamic DNS service onedumb.com. Interestingly, the IP address in question has been used in other targeted attacks in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.
The Trojan may have been created on March 16, 2012, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:
/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist
The good news is that this Trojan is not believed to be anywhere near as widespread as Flashback, and if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe. The bad news is that these Trojans will just keep coming, likely at an increasing rate.
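The file check described above, as an added shell example (not code from ZDNet or the vendors named): it looks for the two listed file names under a chosen root and matches them case-insensitively, because the two names on this page are capitalised differently. The ROOT argument (for checking a mounted disk image) and the extra search of each per-user Library under /Users are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for the two SabPub file names listed in the advisory.
# Usage: check_sabpub [ROOT]   (ROOT defaults to /; a mounted image also works)

# Prints every match; returns 0 if any indicator file is found, 1 if none.
check_sabpub() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so joined paths stay clean
    found=1

    # directory:file-name pairs exactly as given in the advisory
    for pair in \
        "Library/Preferences:com.apple.PubSabAgent.pfile" \
        "Library/LaunchAgents:com.apple.PubSabAGent.plist"
    do
        sub="${pair%%:*}"
        name="${pair#*:}"
        # System-wide Library, plus each user's Library (assumption).
        for dir in "$root/$sub" "$root"/Users/*/"$sub"; do
            [ -d "$dir" ] || continue      # also skips an unmatched glob
            # -iname: match regardless of capitalisation
            hits=$(find "$dir" -maxdepth 1 -iname "$name" 2>/dev/null)
            if [ -n "$hits" ]; then
                printf '%s\n' "$hits"
                found=0
            fi
        done
    done
    return "$found"
}
```

Run `check_sabpub` with no argument on the live system; a non-zero exit status means neither file name was found in the searched directories.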

Related Links:
Apple working on Flashback removal tool
Web tool checks if your Mac is Flashback
Java second update
Java update for OS X
New malware exploiting unpatched Java vulnerability in Macs
