Mac Users Currently the Target of SabPub
Researchers at Kaspersky report that they have found a new Mac OS X backdoor, OSX.SabPub, which infects Macs through a Java vulnerability: the same flaw that the Flashback Trojan exploited to infect more than half a million Macs.
The SabPub backdoor is reportedly linked to the advanced persistent threat (APT) attacks known as Luckycat. According to the researchers, at least two variants of SabPub exist, the first of which was released in February 2012.
The February variant differs from the original only slightly, in its hard-coded command-and-control (C&C) identifier. Where the original has a subdomain of onedumb.com hard-coded in the bot in obfuscated form as 'e3SCNUA2Om97ZXJ1fGI+Y4Bt', the February variant carries only the IP address of a VPS, likewise hard-coded in obfuscated form as 'OjlDLjw5Pi4+NUAuQDBA', which suggests that this version may still be operational. The February variant is 42556 bytes in size, slightly smaller than the original SabPub at 42580 bytes.
Until now the infection vector has been the biggest open question about the SabPub attacks. Because the attacks are extremely targeted, there is little telemetry with which to trace them. The researchers did, however, find an important clue: six Microsoft Word documents, detected as Exploit.MSWord.CVE-2009-0563.a, that deliver the backdoor.
The second variant was released in March 2012. It is installed through a Java exploit, detected as Exploit.Java.CVE-2012-0507.bf, and appears to have been created in China. How that exploit is delivered to victims, that is, the initial infection vector, is still not known.
What is known is that once it runs, the variant drops a malicious executable and a launcher file in the infected user's home directory, both disguised as legitimate Apple files, and uses the launcher to keep the executable running. The executable then captures screenshots of the user's data and uploads them to remote servers, from which it also receives commands.
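As an added example (not code from the article or from Kaspersky's analysis), the following triage script checks a user account for the persistence pattern just described. It assumes, which the article does not state, that the launcher is a per-user launchd LaunchAgent plist under ~/Library/LaunchAgents, and that Apple's own agents do not normally live there. The encoded C&C strings and byte sizes are the ones quoted earlier on this page; the sample it scans is constructed in a temporary directory, and the file names in that sample are invented.

```python
"""Triage check for the SabPub persistence pattern: a per-user launcher that keeps
a disguised payload running. Added example, not code from the article or Kaspersky.
Assumption not stated on the page: the launcher is a launchd LaunchAgent plist in
~/Library/LaunchAgents. The encoded C&C strings and byte sizes are quoted above.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Obfuscated C&C identifiers quoted in the article, with the sample sizes it gives.
SABPUB_MARKERS = {
    b"e3SCNUA2Om97ZXJ1fGI+Y4Bt": ("original (onedumb.com subdomain)", 42580),
    b"OjlDLjw5Pi4+NUAuQDBA": ("February 2012 (hard-coded VPS IP)", 42556),
}
# Where a genuine Apple-shipped agent program would normally live (heuristic).
SYSTEM_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")


def classify_binary(data: bytes):
    """Return (variant, size_matches) if a known C&C marker is in data, else None."""
    for marker, (variant, size) in SABPUB_MARKERS.items():
        if marker in data:
            return variant, len(data) == size
    return None


def program_path(job: dict):
    """Program a launchd job executes: 'Program' if set, else ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else None


def audit_launch_agents(home: str):
    """Flag per-user LaunchAgents that fit the launcher described above: a Label
    claiming the com.apple. namespace inside ~/Library/LaunchAgents is suspicious
    by itself; a program containing an encoded C&C string is conclusive."""
    findings = []
    agents_dir = Path(home) / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return findings
    for plist_path in sorted(agents_dir.glob("*.plist")):
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
        label = str(job.get("Label", ""))
        prog = program_path(job)
        reasons = []
        if label.startswith("com.apple."):
            reasons.append("Apple-namespaced Label in a per-user LaunchAgent")
        variant = None
        if prog and os.path.isfile(prog):
            with open(prog, "rb") as fh:
                variant = classify_binary(fh.read())
        if variant:
            reasons.append("SabPub C&C marker present: " + variant[0])
        if not reasons:
            continue  # nothing SabPub-specific about this job
        # Supporting detail: a non-system program that launchd keeps resident.
        if prog and not prog.startswith(SYSTEM_PREFIXES):
            reasons.append("program outside system locations: " + prog)
        if job.get("KeepAlive") or job.get("RunAtLoad"):
            reasons.append("job is kept alive / run at load")
        findings.append({"plist": str(plist_path), "label": label, "program": prog,
                         "variant": variant, "reasons": reasons})
    return findings


def build_constructed_sample(root: str) -> str:
    """Lay out a fake home directory like the dropper described above. Constructed
    for the demo: file names are invented (Apple-looking, as the article says the
    real ones are), the 'binary' is a stub plus zero padding; only the encoded
    C&C string comes from the article."""
    home = Path(root) / "victim"
    payload = home / "Library" / "Preferences" / "com.apple.exampleagent.pfile"
    payload.parent.mkdir(parents=True)
    stub = b"\xcf\xfa\xed\xfe" + b"CONSTRUCTED SAMPLE, NOT A REAL BINARY\0"
    stub += b"e3SCNUA2Om97ZXJ1fGI+Y4Bt"
    payload.write_bytes(stub.ljust(42580, b"\0"))  # pad to the stated original size
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / "com.apple.exampleagent.plist", "wb") as fh:
        plistlib.dump({"Label": "com.apple.exampleagent",
                       "ProgramArguments": [str(payload)],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    return str(home)


def demo():
    """Run the audit over the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return audit_launch_agents(build_constructed_sample(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding["plist"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On a real Mac you would call audit_launch_agents() on each home directory under /Users rather than on the constructed sample; the size check is only a secondary indicator, since any repacking changes it, whereas the encoded C&C string survives as long as the bot is not rebuilt.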
The appearance of the latest SabPub Trojan supports Apple's decision to automatically disable the Java browser plug-in for users who have not used it recently. Threats like SabPub will no doubt keep emerging as Java becomes an increasingly popular avenue for attackers.
Kaspersky confirms that the APT attacks linked to SabPub are ongoing and that further variants are expected soon.
Related article: Mac OS X Devoid of Malware, Vexing Experts
» SPAMfighter News - 23-04-2012