Second Java-Based Trojan Found in the Wild; Meet SabPub.a

Once upon a time Apple’s CEO and PR department constructed a mythology around the computers and devices they sold. This mythology was needed to compete in the market and at the time was very good for business (even if it was less than honest). The mythology in question was that Apple products were somehow manufactured differently (or better) and that they were unable to become infected with the malicious code we have all come to know and loathe: the computer virus.

Now a second Trojan has been unearthed which is geared at attacking the myth of the Mac’s invulnerability. To be honest with you, it is as if someone is proving a point. If you see one attack you can call it a fluke, but to see a second almost back to back is another story. Fortunately for Mac owners, this new Trojan, identified as Backdoor.OSX.SabPub.a, does not appear to be set up the same way Flashback was. SabPub appears to have been built for targeted attacks (possibly via e-mail), but it is still a very nasty bit of code. The writers are once again using Java against Apple, as SabPub appears to use the same exploit that Flashback did (Java.CVE-2012-0507.bf).

Apple’s fix for the Java exploits was to disable the Java browser plugin and Java Web Start. This can protect against many web-based Java attacks, but we have to wonder what will happen when someone alters their code to re-enable these features first and then download the virus. We have seen very sophisticated pieces of malware for Windows that perform multiple steps in the infection. One of the nastier ones started off by shutting down security services (they had this embedded in the “OnClose” command, so even clicking the “X” got you infected), then hid all files and folders, loaded a kill list, installed multiple entries into the registry so that running any executable would re-run the malware, and then, just to be sure, installed itself into the System Restore files. We are pretty confident that the people behind these latest attacks will be altering their code to find more holes in the OSX operating system. In fact, Kaspersky feels that this is exactly the case with this new bug, as the current incarnation has debug information in it. This usually means that it is still in development, which could also be the reason for the targeted attack scheme right now (beta testing a new virus…).
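The registry persistence described above, where the command that launches every .exe is rewritten so the malware runs first, can be checked for from the defender's side by comparing the registered open command against its stock value. The following is an added example, not code from the article or from any vendor it mentions; the registry paths and the stock value `"%1" %*` are standard Windows values, and the function name is my own.

```powershell
# Added example, not from the original article. Checks whether the command
# registered for opening .exe files still has the stock value "%1" %*.
# Malware that persists this way rewrites it so its own binary runs first.

function Test-ExeOpenCommand {
    # Stock (default) value Windows ships for exefile\shell\open\command
    $expected = '"%1" %*'

    # HKCU\Software\Classes overrides HKCR for the current user, so check both.
    $paths = @(
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
        'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
    )

    $findings = foreach ($path in $paths) {
        # A missing per-user override is normal; only report keys that exist.
        if (-not (Test-Path $path)) { continue }
        $actual = (Get-ItemProperty -Path $path -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Path     = $path
            Value    = $actual
            Tampered = ($null -ne $actual) -and ($actual.Trim() -ne $expected)
        }
    }
    return $findings
}

# Usage: list each location and whether it deviates from the stock command.
Test-ExeOpenCommand | Format-Table -AutoSize
```

A `Tampered` value of `True` on either row means something other than the stock command launches every executable on that machine; the per-user key is worth attention even when HKCR is clean, because it wins for the logged-on user.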

Mac owners are in an odd position now: there are very few anti-malware products for OSX, as the market demand for them has been almost non-existent (much as malware was thought to be). Meanwhile, we are beginning to wonder about the timing of these attacks and the increase in the amount of malware in the wild for OSX, especially given some of the bad press that Apple has been getting lately.
