New Mac OS X Trojan unearthed. Call it SabPub

The folks at Kaspersky Lab report that there's new Mac malware in the wild, called Backdoor.OSX.SabPub.a. There are at least two variants being spread through Java exploits.

Don Reisinger
Don Reisinger
Former CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.
2 min read

Here we go again.

Kaspersky Lab security researcher Costin Raiu has discovered another Mac OS X Trojan. Dubbed Backdoor.OSX.SabPub.a (or just SabPub, for short), the malware uses Java exploits to infect a Mac, connect to a remote Web site, and wait for instructions that include taking screenshots of the user's Mac and executing commands.

"The Java exploits appear to be pretty standard, however, (and) they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator," Raiu wrote on the Securelist blog. "This was obviously done in order to avoid detection from anti-malware products."

Raiu's discovery comes as Mac users are on high alert over the Flashback Trojan, which reportedly infected over 600,000 Macs worldwide. That exploit, which also uses Java, is capable of nabbing user passwords and other information from their Web browser or some applications. Apple on Friday released a tool designed to remove Flashback from infected machines. Prior to that launch, it was believed that 270,000 Macs were infected with the Trojan, down significantly from its height.

In a follow-up post on Securelist yesterday, Raiu provided a bit more information on SabPub to help differentiate it from Flashback. He reported that there are at least two SabPub variants in the wild today, including one that dates back to February. The malware appears to be delivered through targeted attacks, which should limit its ability to make widespread incursions a la Flashback.

Raiu also reported that the malware appears to be spreading through Word documents that exploit the CVE-2009-0563 vulnerability related to a stack-based buffer overflow in Office on the Mac.

"The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named '8958.doc.'" Raiu wrote on the blog. "This suggests it was extracted from a Word document or was distributed as a Doc-file."

Apple did not immediately respond to CNET's request for comment.