Another Mac Trojan "Backdoor.OSX.SabPub" Discovered, Exploiting Java Vulnerability
Few weeks ago security experts found Flashback Trojan infected more than 60,000 Mac users around the world. Immediately after this incident Apple issued patches that curb the vulnerability. Yet again it has been found that another Mac trojan that is also spread through Java exploits. The malware, called Backdoor.OSX.SabPub, can take screen-shots of a user’s current session, execute commands on an infected machine and connect to a remote website to transmit the data. It is not clear how users get infected with the trojan, but because of the low number of instances and the trojan’s backdoor functionality, Securelist speculates that it is most likely used in targeted attacks, possibly launched through emails containing a URL pointing to two one of websites hosting the exploit. Two versions of SabPub were discovered in the wild this past weekend, flying undedected for about two months now. Kaspersky's Costin Raiu wrote in a blog post that SabPub was probably written by the LuckyCat authors.
Version 1: Microsoft Office
One version of SabPub traps Mac (and potentially Windows) users with booby-trapped Microsoft Word documents which exploit the vulnerability 'MSWord.CVE-2009-00563.a.'
The spear-phishing emails containment a malicious Word attachment entitled '10thMarch Statemnet' (with typo) to Tibet sympathizers. March 10, 2011 refers to the day the Dalai Lama delivered his annual speech observing the Tibetan Uprising of 1959. The Word doc was created in August 2010 and updated in February with SabPub thrown in; "quite normal" for such attacks and seen in other APT's like Duqu, Raiu notes.
Version 2: Java
A March version of Sabpub also discovered last weekend exploits the same drive-by Java vulnerability seen in Flashback, one of the biggest botnet attacks seen in OS X. Once the backdoor Trojan is downloaded, a victim's system is connected to a command-and-control center via HTTP. From there the botnet can grab screenshots, upload/download files, and remotely execute commands, Sophos' Graham Cluley writes. SabPub drops the following two files on a user's system, so if you are concerned about infection Cluley recommends searching for these files:
/Users//Library/Preferences/com.apple.PubSabAgent.pfile
/Users//Library/LaunchAgents/com.apple.PubSabAGent.plist
One version of SabPub traps Mac (and potentially Windows) users with booby-trapped Microsoft Word documents which exploit the vulnerability 'MSWord.CVE-2009-00563.a.'
The spear-phishing emails containment a malicious Word attachment entitled '10thMarch Statemnet' (with typo) to Tibet sympathizers. March 10, 2011 refers to the day the Dalai Lama delivered his annual speech observing the Tibetan Uprising of 1959. The Word doc was created in August 2010 and updated in February with SabPub thrown in; "quite normal" for such attacks and seen in other APT's like Duqu, Raiu notes.
Version 2: Java
A March version of Sabpub also discovered last weekend exploits the same drive-by Java vulnerability seen in Flashback, one of the biggest botnet attacks seen in OS X. Once the backdoor Trojan is downloaded, a victim's system is connected to a command-and-control center via HTTP. From there the botnet can grab screenshots, upload/download files, and remotely execute commands, Sophos' Graham Cluley writes. SabPub drops the following two files on a user's system, so if you are concerned about infection Cluley recommends searching for these files:
/Users//Library/Preferences/com.apple.PubSabAgent.pfile
/Users//Library/LaunchAgents/com.apple.PubSabAGent.plist
Earlier also Mac users faced such attacks where OSX/Revir-B trojan was installed behind a PDF, and giving hackers remote access to MAC computers, not only Revier-B also Linux Tsunami trojan Called "Kaiten" targeted Mac OS users in 2011. Also another malware named "Devil Robber" which was also make MAC users victim while stealing their personal informations.
-Source (Securelist & PC Mag)
LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info.
Thank You !
-Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You!
-Team VOGH
Categories:
mac-os
,
NEWS
,
security-news
,
vulnerablity
