Mac Malware Strikes Again With SabPub Trojan
Apr 16, 2012 3:06 PM PT
Two more related Trojan exploits that target Macs have been discovered.
They appear to be two versions of the SabPub information-stealing Trojan, discovered by antivirus software vendor Kaspersky last weekend.
They have existed undetected in the wild for two months, according to Kaspersky's Costin Raiu.
"We're aware of two versions [of the Trojan]," Michael Sutton, vice president of security research at Zscaler ThreatLabZ, told MacNewsWorld. "One version is exploiting an old stack-based buffer overflow vulnerability in Microsoft Word, while the other's targeting the same Java vulnerability used by the Flashback Trojan."
The Flashback Trojan made headlines earlier this monthwhen it rapidly infected hundreds of thousands of Macs.
The SabPub Backstory
The earliest version of the SabPub Trojan was created and used in February, Kaspersky's Raiu stated. This Trojan is an advanced persistent threat (APT), meaning that it has the capability and intent to persistently and effectively go after a specific target.
It's spread through two infected Microsoft Word documents that exploit the CVE-2009-0563 vulnerability, Raiu wrote.
Both documents had the original filename "10th March Statement." The Dalai Lama released a statement related to the 53rd anniversary of the Tibetan people's National Uprising Day on March 10, and Raiu concluded that the filenames indicate the malware is targeted at Tibetans.
The second variant of SabPub was created in March. It uses the same CVE-2012-0507 Java vulnerability the Flashback Trojan used to infect Macs running OS X.
The APT behind SabPub is currently active, Raiu said. He predicted more new variants of the bot will be released soon.
Apple did not respond to our request for comment for this story.
More on SabPub
There seems to be a direct connection between the SabPub and Luckycat APT attacks, Kaspersky's Raiu surmised.
The Luckycat threat was first discovered in 2012 by Symantec. Trend Micro UK said the people behind the threat attacked more than 90 targets using a variety of methods.
The targets included the aerospace, energy, engineering, shipping and military research industries as well as Tibetan activists.
Trend Micro UK said it traced elements of this campaign back to hackers based in China who are members of the Xfocus hacker forum.
What About Flashback?
The Flashback Trojan, which infected over 600,000 Macs last week, led Apple to release a fix for the Java vulnerability. Meanwhile, security vendors developed their own free software tools to remove the malware.
Critics alleged Apple was partly to blame for the infection because the company wasn't sufficiently transparent about security issues and didn't release a fix soon enough. The Java vulnerability Flashback exploited had been patched by Oracle in February, and Apple's response to that was reportedly limited to releasing a Java security bulletin pointing to the Oracle patch.
Since there are tools available to detect and fix the Java vulnerability that Flashback exploited, how is it that SabPub could use that flaw again?
Symantec, which had released a free software tool to fix the vulnerability, "doesn't have anything to add to the story," company spokesperson Aaron Searle said.
Much Ado About Nothing?
It could be that the excitement around the Mac Trojans is a tad overblown, according to Zscaler's Sutton.
"SabPub is receiving far more media attention than would a similar PC-based attack, given the limited number of victims involved," he said.
Patches are available for both vulnerabilities targeted by SabPub, so fully patched systems are protected, he pointed out.
Also, "Mac OS X [malware] today remains a small sliver of total malware currently in the wild," Sutton said. However, as the Mac becomes increasingly popular, the number of attacks targeting OS X will go up.