Industry Trends

Mac OS X Pummeled By Yet Another Trojan

By Stefanie Hoffman | April 17, 2012

Mac lovers, hold onto your machines—it's going to be a bumpy ride after yet another Mac Trojan was found on the security threatscape, once again wreaking havoc on the once typically sheltered Mac OS X users.

Moscow-based antivirus firm Kaspersky Lab warned users in a blog post that the new Mac threat, dubbed Backdoor OSX SabPub.a, is another Trojan exploiting a Java vulnerability known as Exploitl.Java, which seems to have developed a talent for circumventing antimalware scanners and is likely used in Mac APT attacks.

The latest, greatest Mac Trojan, which appeared to have made its debut about a month ago, creates a custom backdoor for the OS X platform used specifically in targeted Mac attacks. Once activated, the Trojan connects to a remote Website linked to its command and control center to await further instructions from its creators. The threat then captures screenshots of the user's current session and subsequently executes malicious commands on the compromised machine.

Experts maintained that the exact infection mechanisms for Backdoor SabPub are unclear, but one theory suggests that the attack was launched via e-mails containing URLs that redirected users to the malicious Websites hosted in both the US and Germany.

Meanwhile, some reports suggest that Backdoor SabPub could possibly be one component of a more comprehensive campaign comprised of targeted Pro-Tibetan attacks against Mac OS X users, detected by researchers at AlienVault. Researchers recently tied another Mac-targeted threat, the MaControl botnet, to six malicious Microsoft Word documents, four of which contain the MaControl bot. Like many similar threats, the MaControl botnet infected users' Mac OS X machines in socially engineered attacks that lured victims with Pro-Tibetan Word documents delivered as e-mail attachments.

But no doubt, SabPub's emergence onto the scene comes amid a significant time in security history for Mac OS X. For one, the latest SabPub threat follows closely on the heels of another Mac virus, the Flashback Trojan, that ran rampant on users' machines during the first few months of 2012. The Trojan, which exploited a critical Java vulnerability, was first detected in September but gained traction earlier this year, infecting at one time more than 600,000 Mac OS X machines.

Last week, Apple made good on a promise to address the threat by releasing a Flashback removal tool, in the form of a Java update, that eradicated the most common variants of the Flashback malware. Apple's Java security update "Java for OS X Lion 2012-003", which includes a Java SE 6 version 1.6.0_31 that Oracle issued more than a month prior, addresses the threat by automatically stopping the execution of Java applets by the Java Web plug-in. The update was primarily intended for Mac OS X Lion and Mac OS X v10.6, but users with earlier versions of the operating system could disable Java in order to reduce the risk of infection by the Flashback malware, Cupertino said.

Meanwhile, the Mac threatscape appears to have taken a giant, but natural, evolutionary leap from this same time a year ago, when a fake antivirus scam known as the MacDefender/MacGuard attack swept across users' machines during spring of 2011. The threat came in the form of rogue, or fake, antivirus software, often found masquerading as legitimate sites in search engine listings. Like most fake antivirus software, Mac Defender compelled downloads by showing users a bogus antivirus scan that falsely claimed to find malware on their computers. The scam then hooked victims by offering, for a fee, a phony antivirus program that claimed to rid the machine of infection. In reality, the scam simply harvested users' credit card details and other personal information, while placing more malware on users' Macs. And, in keeping with the malware's evolution, later versions of the threat forcibly installed themselves on users' computers.
