Computer Business Review

More Trojan malware targeting Mac OS X spotted

by CBR Staff Writer| 16 April 2012

A basic backdoor Trojan horse that doesn't require any user interaction to infect a system

Sophos and Kaspersky have identified a new piece of malware targeting the Mac OS X operating system, called OSX/Sabpab-A.

Sabpab, spotted in early April 2012, is a basic backdoor Trojan horse that uses the same Java vulnerability exploited in the Flashback attack, which infected about 650,000 Macs earlier this month.

The newly discovered Sabpab malware has the ability to upload and download files as well as run arbitrary commands and take a screenshot from infected Macs.

Sophos senior technology consultant Graham Cluley said it connects to a control server using HTTP, receiving commands from remote hackers as to what it should do.

The Trojan creates the files /Users/<user>/Library/Preferences/com.apple.PubSabAgent.pfile (the malicious software) and /Users/<user>/Library/LaunchAgents/com.apple.PubSabAgent.plist (to make it persistent), Sophos stated.
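As an added illustration (not part of the original article or either vendor's tooling), a small Python triage routine that flags a per-user LaunchAgent plist matching the persistence pattern described above: an Apple-style `com.apple.` label installed under a user's `~/Library/LaunchAgents`, launching a `.pfile` hidden in `~/Library/Preferences`. The plist body is a constructed sample built from the file names quoted, not a captured one, and the username `alice` is assumed.

```python
import plistlib
from pathlib import PurePosixPath
from xml.parsers.expat import ExpatError

# Constructed sample LaunchAgent plist using the label and paths reported for
# OSX/Sabpab-A; the plist body itself is an assumed reconstruction.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.PubSabAgent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Preferences/com.apple.PubSabAgent.pfile</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def triage_launch_agent(plist_bytes: bytes, plist_path: str) -> list:
    """Return the reasons a LaunchAgent plist looks suspicious (empty if none).

    Heuristics drawn from the article's indicators: Apple's own agents live in
    /System/Library, so a 'com.apple.' label inside a per-user LaunchAgents
    directory is out of place, and ~/Library/Preferences is a settings
    directory, not somewhere a legitimate agent keeps its executable."""
    reasons = []
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return ["plist does not parse (possible corruption or obfuscation)"]
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    parts = PurePosixPath(plist_path).parts
    per_user = len(parts) > 2 and parts[1] == "Users" and "LaunchAgents" in parts
    if per_user and label.startswith("com.apple."):
        reasons.append("Apple-style label in a per-user LaunchAgents directory")
    if "/Library/Preferences/" in program:
        reasons.append("program is stored under Library/Preferences")
    if program.endswith(".pfile"):
        reasons.append("program uses the .pfile extension seen in OSX/Sabpab-A")
    return reasons

if __name__ == "__main__":
    path = "/Users/alice/Library/LaunchAgents/com.apple.PubSabAgent.plist"
    for reason in triage_launch_agent(SAMPLE_PLIST, path):
        print("suspicious:", reason)
```

Pointing the function at every plist under a user's LaunchAgents directory gives a quick first pass; a hit still needs confirmation by inspecting the referenced program and the Time Machine copies mentioned later in the article.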

"Encrypted logs are sent back to the control server, so the hackers can monitor activity," added Graham.

Kaspersky said that, after activation on an infected system, the malware connects to a remote website for instructions.

The command and control server was hosted in the US, and used a free dynamic DNS service to route the infected computers' requests.

Sophos said most Apple Mac infections were installed without user intervention, due to the abuse of Exp/20120507-A, which was only patched on OS X several weeks after a patch was available for other operating systems.

At this point, OSX/Sabpab-A is not cleaned up on Time Machine backups; it can be removed manually within Time Machine by deleting the pfile and plist files.

Kaspersky Lab chief security expert Alexander Gostev said the SabPub backdoor once again reveals that not a single software environment is invulnerable.

"The relatively low number of malware for Mac OS X does not mean better protection," Gostev said.

"The most recent incidents like Flashfake and SabPub indicate that the personal data of unprotected Mac users is also at risk, either because cybercriminals understand the rising market share of such machines, or because they are hired for the direct task of attacking Apple computers."
