The notorious Flashfake Trojan, which helped build a botnet of more than 700,000 Mac
computers, may be the most prominent example of malware exploiting a vulnerable Mac OS X
environment, but it is certainly not alone. Kaspersky
Lab’s researchers have discovered another malicious program that targets
Apple computers, and it has subsequently been confirmed as an Advanced
Persistent Threat. Whereas Flashfake demonstrated the theoretical
dangers of an unprotected Mac OS X environment, the new malware, known as Backdoor.OSX.SabPub.a, is a real example
of how a vulnerable Apple computer can be fully controlled by attackers.
The new backdoor was
spotted in the wild in early April 2012. Like Flashfake, it was delivered through
vulnerabilities in the Java Virtual Machine. The number of users infected with this
malware is relatively low, which by itself suggests the backdoor is used in
targeted attacks. After activation on an infected system, it connects to a remote
website for instructions. The command-and-control server was hosted in the US
and used a free dynamic DNS service to route the infected computers’ requests, which lets
the operators move the server to a new IP address without changing the malware.
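The two facts above, a backdoor that polls a remote site for instructions and a C2 host reached through a free dynamic DNS name, are the kind of thing a defender can hunt for in DNS logs. The script below is an added example, not Kaspersky Lab’s code and not derived from the SabPub sample: it parses a constructed DNS query log (the "timestamp client qname" format and every IP and hostname in it are made up for the illustration), flags queries to an assumed watchlist of free dynamic-DNS provider suffixes, and reports the client/name pairs that resolve on a regular cadence, the signature of a backdoor checking in for commands.

```python
"""Hunt DNS logs for hosts resolving free dynamic-DNS names on a fixed cadence.

A backdoor that periodically asks its command-and-control server for
instructions produces regular, low-jitter DNS lookups of the same name.
Added example: log format, host names and the provider watchlist are assumed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed watchlist of free dynamic-DNS provider suffixes; extend for your environment.
DYNDNS_SUFFIXES = (
    ".no-ip.org", ".no-ip.biz", ".hopto.org", ".zapto.org",
    ".ddns.net", ".dyndns.org", ".dyndns.info",
)

# Constructed log format: "<ISO-8601 timestamp> <client IP> <queried name>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log: 10.0.0.7 polls a hopto.org name every five minutes,
# 10.0.0.12 resolves a ddns.net name irregularly, 10.0.0.9 resolves one once.
SAMPLE_LOG = """\
# ts client qname
2012-04-15T09:00:00 10.0.0.7  updates-test.hopto.org
2012-04-15T09:00:03 10.0.0.7  www.apple.com
2012-04-15T09:00:00 10.0.0.12 mail.ddns.net
2012-04-15T09:00:10 10.0.0.12 mail.ddns.net
2012-04-15T09:02:00 10.0.0.9  pics.no-ip.org
2012-04-15T09:05:00 10.0.0.7  updates-test.hopto.org
2012-04-15T09:10:00 10.0.0.7  updates-test.hopto.org
2012-04-15T09:12:00 10.0.0.9  securelist.com
this line is malformed and must be skipped
2012-04-15T09:15:00 10.0.0.7  updates-test.hopto.org
2012-04-15T09:15:10 10.0.0.12 mail.ddns.net
2012-04-15T09:15:40 10.0.0.12 mail.ddns.net
2012-04-15T09:20:00 10.0.0.7  updates-test.hopto.org
"""


def is_dyndns(name: str) -> bool:
    """True if the name sits under one of the watchlisted dynamic-DNS suffixes."""
    name = name.lower().rstrip(".")
    return any(name.endswith(suffix) for suffix in DYNDNS_SUFFIXES)


def parse_log(text: str):
    """Yield (timestamp, client, qname) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, client, qname = match.groups()
        try:
            yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")
        except ValueError:
            continue


def find_beacons(text: str, min_queries: int = 4, max_jitter: float = 0.2):
    """Return sorted (client, qname, mean_gap_seconds) for dynamic-DNS names a
    client resolves at least `min_queries` times with a regular cadence, i.e.
    the coefficient of variation of the inter-query gaps is at most `max_jitter`."""
    series = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if is_dyndns(qname):
            series[(client, qname)].append(ts)

    findings = []
    for (client, qname), stamps in series.items():
        if len(stamps) < max(2, min_queries):   # need at least one gap
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append((client, qname, round(mean_gap, 1)))
    return sorted(findings)


if __name__ == "__main__":
    for client, qname, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {qname} every ~{gap}s")
```

The jitter threshold is the knob that matters: a tight cadence (low coefficient of variation) separates a scheduled check-in from a user occasionally visiting a dynamic-DNS-hosted site, and the malformed line shows why the parser must tolerate garbage rather than abort the whole hunt on one bad record.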
Subsequent events confirmed the initial theory that SabPub was
part of a targeted attack. Kaspersky Lab’s experts set up a decoy victim
machine infected with the backdoor and, on 15 April, observed unusual
activity. The attackers took control of the infected system and began
examining it: they sent commands to list the contents of the root and home folders
and even downloaded some of the decoy documents stored on the machine. This
analysis was almost certainly performed by a human operator rather than an automated
system, behaviour that is rare in widespread “mass-market” malware. That hands-on
interaction is what confirms this backdoor as an example of an Advanced Persistent
Threat in active use.
During the analysis of
the backdoor, more details were uncovered about the infection vector of the
targeted attack. Kaspersky Lab’s researchers found six Microsoft Word
documents, all of them carrying the exploit. Two of them drop the SabPub
payload; opening the other four on a vulnerable system
leads to infection with a different piece of Mac-specific malware. One of
the SabPub-related documents contained direct references to the Tibetan
community. Meanwhile, the clear connection between SabPub and LuckyCat, a
targeted attack against Windows-based machines, points to diverse
and widespread criminal activity with a common origin.
Kaspersky Lab’s Chief Security Expert commented: “The SabPub backdoor once
again reveals that not a single software environment is invulnerable. The
relatively small amount of malware for Mac OS X does not mean better protection.
The most recent incidents like Flashfake and SabPub indicate that the personal
data of unprotected Mac users is also at risk, either because cybercriminals understand
the rising market share of such machines, or because they are hired for the direct task of attacking Apple computers.”
The Backdoor.OSX.SabPub.a malware, along
with the relevant exploits, is detected and remediated by Kaspersky Anti-Virus
2011 for Mac. More details about this Backdoor are available in the initial report and follow-up analysis at Securelist.com.
About Kaspersky Lab
Kaspersky Lab is the world's largest privately-held Internet Security company,
providing comprehensive protection against all forms of IT threats such as
viruses, spyware, hackers and spam. The company's products provide in-depth
computer defense for more than 400 million systems around the globe, including
home and mobile users, small and medium sized businesses and large
enterprises. Kaspersky technology is also incorporated inside the products
and services of nearly 100 of industry leading IT, networking, communications
and applications solution vendors.
For further information about the company,
please visit http://www.kaspersky.com/.
For the latest in-depth information on
security threat issues and trends, please visit http://www.securelist.com/. Follow @Securelist on Twitter. For
the most up-to-date world security news, visit http://www.threatpost.com/.