Checking for the new SabPub malware in OS X
This new minimum-threat malware development for OS X copies Flashback and suggests criminals jump on opportunistic bubbles.
Recently the Flashback malware attacks on OS X gained headlines, not because of the presence of the Trojan, which had been around for some months prior to the increase in attention, but rather because it gained the possibility of installation in a drive-by-download attack that did not require any interaction from the user in order to install.
This development was made possible because of a vulnerability in Java that allowed for a maliciously crafted applet to break the Java sandbox and write files to the disk. Apple has since patched this issue and it, along with other companies, have released Flashback Trojan removal tools to combat the malware; however, in its prime, the malware did reach more than 600,000 Mac users.
While this vulnerability has been linked in the media to Flashback, it appears the same vulnerability is being attempted by other criminal malware developers as well.
When exploits to vulnerabilities are found by criminals, many times they are packaged in underground software development kits that are then distributed, making malware development around these vulnerabilities far easier to do. According to computer security expert Brian Krebs, the CVE-2012-0507 vulnerability in Java that was used by Flashback was included in one of these kits (called Blackhole), and therefore has been available to criminal software developers for some time.
Over the weekend, uses the same CVE-2012-0507 vulnerability found in Java, and SecureList's analysis shows it uses CVE-2009-0563, which was a vulnerability in Microsoft Office that was patched years ago.for OS X that uses the same Java vulnerability in an attempt to infect Mac systems. There is a little uncertainty over exactly how this malware attacks the system, but Sophos suggests it
When installed, as with other Trojans and malware of its kind, it creates a launcher file and the malware executable within user accounts that it tries to disguise as a legitimate Apple-supplied file, and then uses the launcher to keep the malware running on affected systems. The malware then tries to upload personal information such as screenshots to remote servers, and can accept commands from remote servers.
Because both the Java and Office vulnerabilities that this malware uses have been patched, moving forward this is not considered a serious threat as long as you have kept your system and software up-to-date. Additionally, it being distributed in part through rogue Word documents makes avoiding it a bit easier by simply deleting attachments and e-mails of unknown origin. As with the Flashback malware, OS X systems that ship with Lion are safe from attack, and anyone who has updated Microsoft Office within the past couple of years is also safe from this exploit.
Despite this, to ensure your system is clear, you can check for the malware by going to the Library folder within your user account (hold the Option button and select Library from the Finder's "Go" menu in OS X Lion), and then open the LaunchAgents folder and the Preferences folder within the user library. In the LaunchAgents folder, locate and remove the file called "com.apple.PubSabAgent.plist." Then go to the Preferences folder and remove the file called "com.apple.PubSabAgent.pfile" (note the extension "pfile" instead of "plist"). The first document here is the launcher that keeps the process running, and the second is the process itself.
Alternatively to using the Finder to locate and remove these files, you can run the following two commands in the Terminal application (in the /Applications/Utilities/ folder):
Another variant called "MacKontrol" places the files /Library/launched and username/Library/LaunchAgents/com.apple.FolderActionsxl.plist on the system. There is some ambiguity as to whether or not the first file is in the user's library folder or if it is in the global library, but the following commands should remove it from the system:
After you have removed these files, log out and log back in to your system to clear them from the system's memory and from the launch manager for your user account.
Note that if you use a full system backup option like Time Machine, then these files may have been backed up, and therefore might be restored if you need to restore your system from backup. Therefore, when in these folders invoke Time Machine and then locate the files in the Time Machine backup. Then right-click the files (or control-click) and choose the option to delete all backups of the files. Additionally, after removing the files be sure to have Time Machine or your other backup solutions make a full, fresh backup instance of your system to ensure you have a new starting point that is malware-free.
The name of this malware suggests the criminals behind it are attempting to confuse users with legitimate technologies in OS X. One of the services Apple includes with OS X is called "PubSub," and is used by OS X for syncing RSS feeds among devices. Therefore, you may periodically see a process called PubSub or PubSubAgent running in Activity Monitor; however, you should not see a process with "PubSab" in its name.
The use of these known vulnerabilities in these and other malware attacks suggest that when a vulnerability in OS X or common applications and technologies used on OS X is found, then it is likely that more than one malware developer may be attempting to use it. A while ago we, and this latest development supports this notion where criminals might jump on opportunities presented to them by the distribution of exploits in kits like Blackhole and others.
Therefore, despite OS X having a fraction of the malware that is being developed daily for Windows systems, when an attack happens there may be others that follow in tow that attempt to use the same means of compromising a system, so be sure to patch any found vulnerabilities for the software you use on your system. OS X is a relatively new operating system, but its market share is on the rise in both the United States and worldwide, making it a more enticing target for attackers to use as we've seen with the increase in attacks (both opportunistically and otherwise) over the past few years.
NOTE: The name of this malware may cause a bit of confusion. Some have called it "SabPub," and others have called it SubPab, PubSab, and other permutations of the name, resulting in a bit of a tongue-twister. For now it is known to write files to the hard drive that use the term "PubSab" in their names; however, popularity and security companies are referring to it primarily as SabPub.
UPDATED: April 17, 2012 -- Added information and removal instruction about the MacKontrol variant of this malware.