A basic backdoor Trojan horse that doesn’t require any user interaction to infect a system
Sophos and Kaspersky have identified a new malware targeting the Mac OS X operating system, called OSX/Sabpab-A.
Sabpab, spotted in early April 2012, is a basic backdoor Trojan horse that uses the same Java vulnerability exploited in the Flashback attack that infected about 650,000 Macs earlier this month.
The newly discovered Sabpab malware has the ability to upload and download files as well as run arbitrary commands and take a screenshot from infected Macs.
Sophos senior technology consultant Graham Cluley said it connects to a control server using HTTP, receiving commands from remote hackers as to what it should do.
The Trojan creates the files /Users/<user>/Library/Preferences/com.apple.PubSabAgent.pfile (the malicious software) and /Users/<user>/Library/LaunchAgents/com.apple.PubSabAgent.plist (to make it persistent), Sophos stated.
"Encrypted logs are sent back to the control server, so the hackers can monitor activity," added Graham.
Kaspersky said that, after activation on an infected system, the malware connects to a remote website for instructions.
The command and control server was hosted in the US, and used a free dynamic DNS service to route the infected computers’ requests.
Sophos said most Apple Mac infections were installed without user intervention, due to the abuse of Exp/20120507-A, which was only patched on OS X several weeks after a patch was available for other operating systems.
At this point, OSX/Sabpab-A is not cleaned up on Time Machine backups; it can be removed manually within Time Machine by deleting the pfile and plist files.
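As an added example (not from the Sophos or Kaspersky write-ups), a POSIX shell function that checks every home directory under a given base for the two persistence files named above and optionally deletes them; the base-directory parameter, the "remove" action and the function name are assumptions, the paths come from the article.

```shell
#!/bin/sh
# Added example: scan user homes for the OSX/Sabpab-A artefacts named in the article.
# Both relative paths are taken from the article; everything else is an assumption.

SABPAB_PLIST="Library/LaunchAgents/com.apple.PubSabAgent.plist"   # persistence
SABPAB_PFILE="Library/Preferences/com.apple.PubSabAgent.pfile"    # the backdoor itself

# sabpab_scan BASE [report|remove]
# BASE is the directory holding user home folders (/Users on a live system, or the
# Users folder inside a Time Machine backup). Prints each artefact found; the return
# value is the number of artefacts found, so 0 means clean.
sabpab_scan() {
    base="$1"
    action="${2:-report}"
    found=0
    for home in "$base"/*; do
        [ -d "$home" ] || continue
        for rel in "$SABPAB_PLIST" "$SABPAB_PFILE"; do
            f="$home/$rel"
            [ -e "$f" ] || continue
            found=$((found + 1))
            echo "FOUND: $f"
            # Deleting the plist stops the agent loading at the next login; a copy
            # already running for a logged-in user must still be terminated.
            if [ "$action" = "remove" ]; then
                rm -f "$f" && echo "REMOVED: $f"
            fi
        done
    done
    return "$found"
}

# Report-only scan of the live system when run directly (pass "remove" to clean);
# the script's exit status is the number of artefacts found.
[ -d /Users ] && sabpab_scan /Users "${1:-report}"
```

Point the function at a mounted Time Machine backup's Users folder to check the backups the article mentions.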
Kaspersky Lab chief security expert Alexander Gostev said the SabPub backdoor once again reveals that not a single software environment is invulnerable.
"The relatively low number of malware for Mac OS X does not mean better protection," Gostev said.
"The most recent incidents like Flashfake and SabPub indicate that the personal data of unprotected Mac users is also at risk, either because cybercriminals understand the rising market share of such machines, or because they are hired for the direct task of attacking Apple computers."