In the wake of the recent Flashfake Trojan, Kaspersky Lab has uncovered another threat to the Mac OS X environment. The malware, known as Backdoor (Backdoor.OSX.SabPub.a), was detected earlier this month and, like Flashfake, exploits a vulnerability in Java.
Kaspersky says the number of users infected with this malware is relatively low and this suggests the malware is used in targeted, rather than broad-based, attacks. Its subsequent analysis, conducted by setting up a fake, infected machine, showed attackers viewing folder contents and downloading documents stored in the system.
Once active, Backdoor connects to a remote website for instructions. The command-and-control server is hosted in the US and uses a free dynamic DNS service to route the infected computers’ requests.
Kaspersky Lab’s researchers have found six Microsoft Word documents, all of them containing the exploit and two of which can drop the SabPub payload. Attempting to open the other four documents on a vulnerable system leads to infection with another form or malware intended for Mac.
The contents of one of the SabPub-related documents contained direct references to the Tibetan community. Meanwhile, the obvious connection between SabPub and another targeted attack for Windows-based machines known as LuckyCat points to diverse and widespread criminal activity with the same origin.
Chief security expert at Kaspersky Lab, Alexander Gostev, says the SabPub Backdoor demonstrates that no software environment is wholly invulnerable to malware or other malicious attacks.
“The relatively low amount of malware for Mac OS X does not mean better protection,” he adds. “The most recent incidents like Flashfake and SabPub indicate that the personal data of unprotected Mac users is also at risk, either because cybercriminals understand the rising market share of such machines, or because they are hired for the direct task of attacking Apple computers.”
Apple recently released a system update to remove Flashback from infected computers and, in the process, disabled the Java plug-in for those who had not used it in the previous 35 days. Mac OS X (Lion) no longer comes with Java and it has to be installed separately. With an increasing number of sites moving away from the use of the plug-in, many people don’t find it necessary to have it installed. — (c) 2012 NewsCentral Media
