New targeted Mac OS X Trojan requires no user interaction
Update - New version of Mac OS X Trojan exploits Word, not Java
Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac: visiting a page that serves the exploit is enough. Kaspersky refers to it as "Backdoor.OSX.SabPub.a" while Sophos calls it "OSX/Sabpab-A."
After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user's current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity.
The remote C&C website appears to be hosted on the free dynamic DNS service onedumb.com. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.
The Trojan may have been created on March 16, 2012. It was compiled with debug information, meaning analyzing it wasn't hard, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:
/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist
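As an added example (not part of the original article or of either vendor's tooling), here is a small POSIX shell check for the two file indicators listed above. It assumes an optional root-directory argument so the same check can be run against a mounted disk image or a test tree; with no argument it inspects the live system. Because HFS+ is case-insensitive by default, and the published reports spell the launch agent with both "Agent" and "AGent", the check matches the file names regardless of case. The launchd check is an extra step for a live Mac and is skipped wherever launchctl is not available.

```shell
#!/bin/sh
# Added example: look for the SabPub file indicators named in the article.
# The two paths below are the ones reported for Backdoor.OSX.SabPub.a.
SABPUB_INDICATORS="/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist"

# check_sabpub_indicators [ROOT]
# ROOT is an assumed optional prefix (a mounted image or test tree); empty means "/".
# Prints each indicator found and returns 0 when clean, 1 when any indicator exists.
check_sabpub_indicators() {
    root="${1:-}"
    found=0
    for f in $SABPUB_INDICATORS; do
        dir="${root}$(dirname "$f")"
        name=$(basename "$f")
        [ -d "$dir" ] || continue
        # -iname: HFS+ is case-insensitive by default and the reports disagree on
        # "Agent" vs "AGent", so match the name regardless of case.
        hit=$(find "$dir" -maxdepth 1 -iname "$name" 2>/dev/null)
        if [ -n "$hit" ]; then
            echo "FOUND: $hit"
            found=1
        fi
    done
    return $found
}

# check_sabpub_launchd
# On a live Mac, ask launchd whether an agent with "pubsab" in its label is loaded.
# Returns 0 when nothing matches (or launchctl is absent), 1 when a match is printed.
check_sabpub_launchd() {
    command -v launchctl >/dev/null 2>&1 || return 0
    if launchctl list 2>/dev/null | grep -i 'pubsab'; then
        return 1
    fi
    return 0
}

# Stand-alone usage: no argument inspects the running system, an argument names a root.
if check_sabpub_indicators "${1:-}" && check_sabpub_launchd; then
    echo "No SabPub indicators found under '${1:-/}'"
else
    echo "SabPub indicators present: treat the machine as compromised and investigate"
fi
```

A hit on either path means the machine should be treated as compromised; the files are indicators, not the whole infection, so removing them alone is not a cleanup.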
The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products. The low number of infections and the backdoor functionality indicate that it is most likely used in targeted attacks.
The good news is this means that this Trojan is not believed to be anything as widespread as Flashback, and if you've downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), this exploit can no longer get onto your Mac. Note that patching closes the door but does not remove a backdoor that is already installed, so a machine that was exposed before the update should still be checked for the files above. The bad news is these Trojans will just keep coming, likely at an increasing rate.
This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.
See also:
- Apple releases Flashback removal tool, infections drop to 270,000
- Over 600,000 Macs infected with Flashback Trojan
- New Mac malware epidemic exploits weaknesses in Apple ecosystem
- Has Flashback malware made you consider installing antivirus on your Mac?
- The scariest thing about the Flashback trojan: I have no idea how to fight it
- How big a security risk is Java? Can you really quit using it?