Mac Trojan SabPub

The Flashback trojan, which has affected over 600,000 computers across the world, has been a matter of concern for Mac users. This virus stole personal data like user names and passwords. Apple Inc. released a Java patch four days ago which allows users to remove the Flashback Trojan from their computers.

Once again we are seeing reports that are a matter of concern for both Apple and its users. This time it is about another Trojan called ‘Backdoor.OSX.SabPub.a’. This new Trojan, which was discovered on Saturday, is reported to be bigger than the previous one. Like the old one, the new Trojan is also spreading through Java exploits.

According to the Kaspersky Lab expert:

“This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.”

Although it is not yet confirmed how users get infected with this new Trojan, the Kaspersky expert says, “the low number and the virus’ backdoor functionality indicates that it is most likely used in targeted attacks.”

Many reports also suggest that the attacks were launched via e-mails containing a URL leading to two websites hosting the exploit, located in the US and Germany.

Here is a summary of SabPub:

– At least two variants of the SabPub bot exist today.

– The earliest version of the bot appears to have been created and used in February 2012.

– The malware is being spread through Word documents that exploit the CVE-2009-0563 vulnerability.

– SabPub is different from MaControl, another bot used in APT attacks in February 2012; SabPub was more effective because it stayed undetected for more than 1.5 months.

– The APT behind SabPub is active at the time of writing.