New targeted Mac OS X Trojan requires no user interaction

Summary: A new Mac OS X Trojan referred to as Backdoor.OSX.SabPub.a or SX/Sabpab-A is also exploiting Java vulnerabilities in a way that requires no user interaction. It is being used in targeted attacks.


Update - New version of Mac OS X Trojan exploits Word, not Java

Another Mac OS X Trojan has been spotted in the wild; like the Flashback Trojan, it exploits Java vulnerabilities and requires no user interaction to infect a Mac. Kaspersky refers to it as "Backdoor.OSX.SabPub.a" while Sophos calls it "SX/Sabpab-A."

Once it has infected a Mac, this Trojan behaves like most backdoors: it connects to a remote website over HTTP in typical command and control (C&C) fashion to fetch instructions from its operators. The backdoor can take screenshots of the user's current session, upload and download files, and execute commands on the infected machine. Encrypted logs are sent back to the control server so the attackers can monitor activity.

The remote C&C website appears to be hosted on a free dynamic DNS service. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.
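The HTTP check-in behaviour described above is what a network defender can look for. The following is an added example, not code from the article or from the AV vendors it cites: it groups proxy-log requests by (client, host) and flags hosts under a dynamic-DNS zone that are contacted at a near-constant interval. The article gives no C&C hostname, so the zone list, log format and every log line below are constructed for the demo; the technique generalises to any backdoor that polls on a timer.

```python
"""Spot periodic HTTP check-ins to dynamic-DNS hosts in proxy logs.

Added example, not from the article. The zone list, the log format and the
sample log lines are constructed; the hostname is a placeholder, not SabPub's.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Assumed: a handful of public dynamic-DNS zones; a real deployment would
# use a maintained list.
DYNDNS_ZONES = ("dyndns.org", "no-ip.org", "zapto.org", "hopto.org")

# Constructed log format: "<ISO timestamp> <client> <method> <host> <path>"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line: str):
    """Return (timestamp, client, normalised host) for one log line."""
    ts, client, _method, host, _path = line.split()
    return datetime.strptime(ts, TS_FORMAT), client, host.lower().rstrip(".")


def under_dyndns(host: str) -> bool:
    """True if host is, or is a subdomain of, a listed dynamic-DNS zone."""
    return any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES)


def find_beacons(lines, min_requests: int = 4, max_jitter: float = 0.2) -> list:
    """Return (client, host) pairs polling a dynamic-DNS host at a steady period."""
    stamps = defaultdict(list)
    for line in lines:
        ts, client, host = parse_line(line)
        if under_dyndns(host):
            stamps[(client, host)].append(ts)

    hits = []
    for (client, host), times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a low value means "machine on a timer",
        # not a person clicking around a dyndns-hosted site.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append({"client": client, "host": host,
                         "count": len(times), "period_s": round(mean)})
    return hits


# Constructed sample: one client checks in with a dyndns host every ~5 minutes,
# mixed with ordinary browsing and a couple of one-off dyndns requests.
SAMPLE_LOG = [
    "2012-04-16T10:00:00 10.0.0.5 GET c2-placeholder.zapto.org /cgi-bin/check",
    "2012-04-16T10:00:41 10.0.0.5 GET www.apple.com /",
    "2012-04-16T10:01:10 10.0.0.7 GET photos.hopto.org /album",
    "2012-04-16T10:05:00 10.0.0.5 GET c2-placeholder.zapto.org /cgi-bin/check",
    "2012-04-16T10:03:30 10.0.0.7 GET photos.hopto.org /album/2",
    "2012-04-16T10:10:02 10.0.0.5 GET c2-placeholder.zapto.org /cgi-bin/check",
    "2012-04-16T10:12:15 10.0.0.5 GET www.apple.com /support",
    "2012-04-16T10:14:58 10.0.0.5 GET c2-placeholder.zapto.org /cgi-bin/check",
    "2012-04-16T10:20:00 10.0.0.5 GET c2-placeholder.zapto.org /cgi-bin/check",
]


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The `min_requests` and `max_jitter` thresholds are assumptions to tune against your own traffic; a backdoor that randomises its sleep interval will push the jitter up, so treat a hit as one signal to pivot on (which process on the client made the request, what the server returned) rather than proof of compromise.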

The Trojan may have been created on March 16, 2012. It was compiled with debug information, which made analysis easy but, more importantly, suggests it is not the final version. You can check for infection by looking for the following files:

/Library/Preferences/
/Library/LaunchAgents/
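Looking for one known filename only catches one known sample. The following is an added example, not from the article or the AV vendors it cites, of the more general check a responder would run: parse every launchd job plist in a LaunchAgents or LaunchDaemons directory and flag jobs whose program lives outside the usual Apple and application locations, or that borrow Apple's com.apple.* label namespace for a program Apple does not ship. The two plists it triages are constructed for the demo and are not SabPub's real files; the trusted-path prefixes are an assumption to adjust for your own fleet.

```python
"""Triage launchd job plists for persistence.

Added example, not from the article. The sample plists are constructed and
the trusted-location prefixes are assumed.
"""
import os
import plistlib
import tempfile

# Assumed whitelist of directories a legitimate launchd program normally lives in.
TRUSTED_PROGRAM_PREFIXES = (
    "/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
    "/Applications/", "/Library/Apple/",
)
# Assumed: prefixes under which a genuine com.apple.* job's program would live.
APPLE_OWNED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def parse_launch_job(data: bytes) -> dict:
    """Extract the label and the program launchd will execute from a plist."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    return {
        "label": str(plist.get("Label", "")),
        "program": str(program),
        "run_at_load": bool(plist.get("RunAtLoad", False)),
    }


def suspicious_reasons(job: dict) -> list:
    """Return human-readable reasons a job deserves a closer look (empty if none)."""
    reasons = []
    label, program = job["label"], job["program"]
    if not program:
        return ["no Program/ProgramArguments"]
    if not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        reasons.append(f"program outside trusted locations: {program}")
    if label.startswith("com.apple.") and not program.startswith(APPLE_OWNED_PREFIXES):
        reasons.append(f"com.apple.* label but non-Apple program: {label}")
    if job["run_at_load"] and reasons:
        reasons.append("runs at login/boot (RunAtLoad)")
    return reasons


def triage_directory(directory: str) -> dict:
    """Map each suspicious plist filename in `directory` to its reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            raw = fh.read()
        try:
            job = parse_launch_job(raw)
        except Exception as exc:  # a plist launchd cannot parse is itself odd
            findings[name] = [f"unparseable plist: {exc}"]
            continue
        reasons = suspicious_reasons(job)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample directory: one legitimate-looking job, one impostor.
SAMPLE_JOBS = {
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    },
    "com.apple.ExampleAgent.plist": {  # hypothetical name, not SabPub's
        "Label": "com.apple.ExampleAgent",
        "ProgramArguments": ["/Library/Preferences/example.agent"],
        "RunAtLoad": True,
    },
}


def demo() -> dict:
    """Write the constructed plists to a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in SAMPLE_JOBS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(job, fh)
        return triage_directory(tmp)


if __name__ == "__main__":
    # On a Mac, point triage_directory() at ~/Library/LaunchAgents,
    # /Library/LaunchAgents and /Library/LaunchDaemons instead of the demo dir.
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Run it over both the per-user and the system-wide launchd directories; a job that passes these checks can still be malicious (nothing stops malware from dropping its binary into /Applications), so the output is a shortlist for a human to inspect, not a verdict.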

The Java exploits themselves appear to be fairly standard, but they have been obfuscated with ZelixKlassMaster to avoid detection by anti-malware products. The low number of infections and the backdoor functionality indicate that it is most likely used in targeted attacks.

The good news is that this Trojan is not believed to be anywhere near as widespread as Flashback, and if you have installed Apple's latest software updates that patch the Java vulnerabilities (or disabled Java), this infection vector is closed to you. Note that patching blocks new infections but does not clean up a Mac that was compromised beforehand; the backdoor's files still have to be removed. The bad news is that these Trojans will keep coming, likely at an increasing rate.

This Trojan further underlines the importance of protecting Macs against malware with an up-to-date anti-virus program as well as the latest security updates.


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • This is beginning to be old news....

    Test Subject
    • More importantly, the end of this article is weird

      Why does Emil want Mac users to hog their machines down with anti-virus software, when the only thing that is necessary is Java updates?
      • Sweet dreams

        For now an updated JRE will do the trick, of course with Apple being notoriously late to patch leaks (you don't believe this is the first time, right?), and with Safari, which is known as being an attack vector all in itself, it is not realistic to think Java is the only problem on OS X.

        With XProtect being ineffective, it might indeed be a good idea to:

        A) enable the built-in firewall
        B) get AV

        I am sure that, similar to Windows, there are AV packages that do not hog machines down.
    • Bogus!

      There is no such thing as a Trojan that "requires no user interaction".

      Trojan malware (short for "Trojan horse") by definition must be installed by the user. Just like the ancient story of the Trojan horse, where the people of Troy were tricked into opening their gates and dragging the wooden horse into their own city, users must be tricked into installing Trojans onto their own computers.

      This story is clearly bogus, and meant to use irrational fears in order to sell (usually ineffective) anti-virus software to Mac users.
      Harvey Lubin
      • truly reporters not having a clue....

        did these reporters think the first one required an admin password because the hackers were being nice??? hello???? the second one is exactly the same, and the java code it can install is harmless if you don't enter a password, and only then if you have unpatched java software...

        they don't install anything that is harmful if you don't enter your password, otherwise they wouldn't require it... the java code tries other vectors, but fails, and leaves some java code that can't do anything...

        what is particularly stupid about reporting like this is a real reporter would go to an affected website and find out that it requires an admin password... and after that fails, find that what is left is harmless...

        you don't need AV software for something that no AV software had definitions for until everyone heard about it... AV software is over 1,000,000 times more likely to destroy your data than the malware you are trying to prevent... and they have no definitions in them (future) beyond what Apple already has released as updates... making them absolutely worthless...

        every major AV software provider had to apologize for releasing definitions that ruined millions of PCs' data... that is something Windows users have to deal with.. don't release that kludge on yourself....

        and here is a 1 second malware discovery tool for ANY malware on a mac: have you entered your admin password when not expecting to have to do it? no? then you don't have any java code, and if you didn't enter a password to one that has popped up, you don't have any java code that can do any harm....

        there, 1 second malware discovery tool...
      • Well, a trojan is another undesired program hiding in a desired program.

        In most cases, a user has to authorize installation. Having it install without user intervention is not difficult if the OS has a fault. If a password is required to install and no password is being requested, something is wrong in the design of the OS. Applying AV or just fixing Java isn't the right answer. The OS has to be re-designed or hardened to prevent this.

        If any application had free access to install, any problem with Java would allow malware to be installed on the computer without user knowledge. The philosophy is to secure the OS regardless of the application, so any attempt to install would be stopped. Windows easily allows installation of malware even with their UAC, advanced driver signing and other protections. They don't write secure source code for the OS and rely on external measures and AV, which doesn't work. Apple needs to audit its source code or it will become another Windows, absolutely requiring AV to cover for shoddy or inadequate source code design.

        I use Linux, which requires a password. If a password request happened with this in Linux, it would come out of the blue and I would decline it. Linux kernel and OS source code has been open source since 1991. That means it has been available to anyone at no charge. It has to be secure to the point where it would not allow an arbitrary install.

        If Microsoft ever released Windows source code to the public, it would be the complete end of Windows.
  • AV apps aren't the answer.

    The Java environment is insufficiently sandboxed for safe use on OS X. The developer community hasn't been that happy about the sandboxing requirements to qualify apps for the Mac App Store, but now it looks like the emphasis on smarter sandboxing is going to grow in popularity. The one issue is that a variety of applications require access beyond a simple straightforward sandbox to get work done. I'd like to be able to tell OS X (not the app's "uninstaller") to remove all trace of an app, and *pwam* OS X makes it so, simply because OS X corrals app behavior and keeps tabs on what's being changed and where.
    • Okay wiseguy

      Everything you've mentioned doesn't even take into account the average Jane & Joe. What do you suggest to the average Mac user without a background in IT?

      It's fine for you to get all sanctimonious, but how about providing constructive, possible solutions for other users. At least the anti-virus vendors *are providing* tangible, effective mitigation and preventative measures for said users. You sound concerned, but I wonder if it's genuine. I mean, what have you done for the Mac community lately?
      • Simple: use Firefox with NoScript

        Very simple: (1) Use Firefox instead of Safari, and install the NoScript plugin (disables scripts and Java by default: you enable on a site-by-site basis when desired); (2) configure Apple's Mail program to not display images by default: all you then have to do is click on "Show Images" in an email if you trust the email and want to see any embedded images.
      • @cliffbdf ... that's a start

        ... but you're preaching to the converted: I've used NoScript for the last 4 years.

        But, realistically, NoScript (configured to the best of its abilities) requires more than a little nous - as far as scripting knowledge goes. Again, how do you expect average Jane & Joe to be able to configure ABE, XSS rules and whitelists (c/w wildcard entries)?

        Don't get me wrong, you're being constructive, but the solutions need to be universally easy to use for the largest possible number of Mac users. To this point, the fixes / patches / updates provided by Apple and the anti-virus vendors (i.e. those making Apple-compatible anti-virus apps) are the best, most feasible and most practical mitigation measures available, to date. Until someone comes up with a more effective, long-term solution, then I'm afraid many "best intentions" from the wider community actually serve more to create, rather than solve, problems.

        +1 for the FF & NoScript suggestion. ;)
      • Java off

        How about just turning off Java for a start; most of those people you talked about will never need it. That is a start.
  • Be sure to look in /Library, not /Users/<yourid>/Library

    You may well have files with these names in the Library directory of your homedir. It's the /Library location that would indicate infection.
  • I like it.

    I like my Mac better with this. It's snappier and way better than Windows.
  • Geez...

    It is getting to the point where Windows is safer!
    • Typical response...

      ...from a Windows user who doesn't think. Keep it up.
      • Typical response...

        ...from a naive Mac user. Keep it up.
      • Never mind that technically he is 100% right !

        As witnessed with relevant data, since Vista, Windows machines are much harder to infect. If the user keeps the default settings and doesn't disable things like UAC, there is no real worry about ever being infected. Of course an important security measure is keeping your OS and apps up to date, which on Windows is easy, and more importantly, Microsoft, contrary to Apple, does provide timely and accurate fixes. Not having to wait two months or sometimes until the next service pack for fixes to known leaks is almost as important a security feature as stuff like Mandatory Integrity Control and ASLR (which Apple finally could be bothered to completely introduce in Lion, whereas Windows users have had this protection since Vista).
      • Right

        As I entered that comment from my MacBook Air!
  • Is this a zero-day, or is this an old vulnerability?

    Is this a zero-day, or is this an old vulnerability? The Flashback outbreak was the result of Apple dragging its feet in implementing a month-old patch from Oracle (Oracle released the patch on Feb 14). The resulting use-it-or-lose-it 35 day policy ban on Java seems to be shooting-the-messenger type behavior from Apple, but that is another story.

    I bet this uses the same vulnerability. If it doesn't and it truly is a zero-day, then all platforms are in danger and it is probable that this is being actively exploited on Windows, not just Mac OS X. You know, this is the relevant information that one would expect a journalist covering the story to research, but I guess grabbing headlines is a bigger priority. lol
    • Read the article, not just the headline.

      Then you won't have to speculate.