Sabpab, new Mac OS X backdoor Trojan horse discovered

Filed Under: Apple, Featured, Java, Malware, Vulnerability

More malware for the Mac OS X platform has been discovered, hot on the heels of the revelation that some 600,000 Macs had been infected in the Flashback attack.

And just like Flashback, the new Trojan doesn't require any user interaction to infect a Mac: simply visiting a booby-trapped web page with a vulnerable Java plugin enabled is enough.

The Sabpab Trojan horse is installed through the same drive-by Java vulnerability that was used to build the Flashback botnet, CVE-2012-0507, a flaw in the Java applet sandbox that Oracle fixed in February 2012 but that Apple's own Java build left unpatched until early April 2012.

[Image: Sabpab]

The newly discovered Sabpab malware is in many ways a basic backdoor Trojan horse. It connects to a command-and-control server over HTTP and takes its instructions from the remote attackers. The criminals behind the attack can grab screenshots from infected Macs, upload and download files, and execute arbitrary commands on the machine.

The Trojan drops two files into the logged-in user's home folder (note that the paths are under /Users/<user>/Library, not the system-wide /Library):

/Users/<user>/Library/Preferences/com.apple.PubSabAgent.pfile

/Users/<user>/Library/LaunchAgents/com.apple.PubSabAGent.plist

The names are chosen to look like Apple's legitimate PubSubAgent, the RSS component of Safari, but the resemblance is only skin deep: Apple ships its own agents in /System/Library/LaunchAgents, not in a user's LaunchAgents folder, and a ".pfile" is not a preferences file. The launchd property list points at the .pfile so that the backdoor is started again every time the user logs in.

Logs of what the malware sees are encrypted before being sent back to the control server, so the hackers can monitor activity on the infected Mac.

The potential for abuse of compromised Macs should be obvious, given the Trojan's functionality.

[Screenshot: Sabpab commands]
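The two files listed above are the Trojan's persistence mechanism, and they illustrate two habits worth hunting for on any Mac: an Apple-looking com.apple.* agent sitting in a user's own LaunchAgents folder, and a launchd agent that executes something out of the Preferences folder. The script below is an added example and is not Sophos's detection logic or anything from the original post. It scans a pair of directories for exactly the two file names given above and for those two heuristics, and it builds a constructed fixture (fake plists in a temporary directory, no real malware) so that it can be run offline. The heuristics, the fixture contents and the function names are this example's assumptions; on a real Mac you would point scan_user_library at ~/Library/LaunchAgents and ~/Library/Preferences. Both heuristics are hints rather than proof, since a badly behaved but legitimate installer can trip them.

```shell
# Added example: hunt for the Sabpab artefacts and the patterns they abuse.
# Heuristics, fixture contents and names are this example's assumptions.

# Case-insensitive match against the two file names the post lists.
is_sabpab_name() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        com.apple.pubsabagent.plist|com.apple.pubsabagent.pfile) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the Label and the first ProgramArguments entry out of a launchd
# plist with sed only, so the check also runs where plutil(1) is absent.
plist_label() {
    tr -d '\n' < "$1" |
        sed -n 's/.*<key>Label<\/key>[^<]*<string>\([^<]*\)<\/string>.*/\1/p'
}
plist_program() {
    tr -d '\n' < "$1" |
        sed -n 's/.*<key>ProgramArguments<\/key>[^<]*<array>[^<]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# classify_agent PLIST: print one finding and return 0, or return 1 if clean.
classify_agent() {
    name=$(basename "$1")
    if is_sabpab_name "$name"; then
        echo "SABPAB   $1  (LaunchAgent named in the OSX/Sabpab-A write-up)"
        return 0
    fi
    case "$name" in
        com.apple.*)
            # Apple ships its own agents in /System/Library/LaunchAgents; a
            # com.apple.* name in a user's folder is impersonation until shown otherwise.
            echo "SUSPECT  $1  (com.apple.* agent in user LaunchAgents, Label=$(plist_label "$1"))"
            return 0 ;;
    esac
    prog=$(plist_program "$1")
    case "$prog" in
        */Library/Preferences/*)
            # Preferences holds settings, not executables.
            echo "SUSPECT  $1  (runs a program out of a Preferences folder: $prog)"
            return 0 ;;
    esac
    return 1
}

# scan_user_library AGENTS_DIR PREFS_DIR: prints findings, count left in SCAN_HITS.
scan_user_library() {
    SCAN_HITS=0
    for f in "$1"/*.plist; do
        [ -e "$f" ] || continue
        classify_agent "$f" && SCAN_HITS=$((SCAN_HITS + 1))
    done
    for f in "$2"/*.pfile; do
        [ -e "$f" ] || continue
        if is_sabpab_name "$(basename "$f")"; then
            echo "SABPAB   $f  (file named in the OSX/Sabpab-A write-up)"
            SCAN_HITS=$((SCAN_HITS + 1))
        fi
    done
    return 0
}

# write_agent PATH LABEL PROGRAM: a minimal launchd agent plist.
write_agent() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n  <key>Label</key>\n  <string>%s</string>\n  <key>ProgramArguments</key>\n  <array>\n    <string>%s</string>\n  </array>\n  <key>RunAtLoad</key>\n  <true/>\n</dict>\n</plist>\n' "$2" "$3" > "$1"
}

# build_fixture: a constructed look-alike of ~/Library in a temp dir (no real
# malware involved); prints its path.
build_fixture() {
    root=$(mktemp -d)/Library
    mkdir -p "$root/LaunchAgents" "$root/Preferences"
    # the two artefacts the post lists, spelled as the post spells them
    write_agent "$root/LaunchAgents/com.apple.PubSabAGent.plist" \
        com.apple.PubSabAgent "$root/Preferences/com.apple.PubSabAgent.pfile"
    : > "$root/Preferences/com.apple.PubSabAgent.pfile"
    # an invented impostor with an Apple-looking name
    write_agent "$root/LaunchAgents/com.apple.ExampleImpostor.plist" \
        com.apple.ExampleImpostor /tmp/impostor
    # an innocuous name that nevertheless executes from Preferences
    write_agent "$root/LaunchAgents/com.example.sync.plist" \
        com.example.sync "$root/Preferences/.sync"
    # a legitimate third-party agent: must not be flagged
    write_agent "$root/LaunchAgents/com.google.keystone.agent.plist" \
        com.google.keystone.agent /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent
    printf '%s\n' "$root"
}

# Demo against the fixture; on a Mac use "$HOME/Library/LaunchAgents" "$HOME/Library/Preferences".
FIXTURE=$(build_fixture)
scan_user_library "$FIXTURE/LaunchAgents" "$FIXTURE/Preferences"
echo "findings: $SCAN_HITS"   # 4 for the fixture: two SABPAB, two SUSPECT
rm -rf "$(dirname "$FIXTURE")"
```

The known-name match is deliberately case-insensitive because the post itself spells the plist with a stray capital (PubSabAGent), and a scanner that only matched the exact string would miss a trivially renamed copy. Note that the legitimate com.apple.PubSubAgent is not matched by name; if it ever turned up in a user's LaunchAgents folder it would still be reported by the com.apple.* heuristic, which is exactly the point of that check.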

The Sabpab Trojan is not believed to be anywhere near as widespread as Flashback, but it still underlines the importance of protecting Macs against malware with an up-to-date anti-virus program and prompt installation of security updates, Java included.

It's time for Mac users to wake up and smell the coffee. Mac malware is becoming a genuine issue, and cannot be ignored any longer.

Sophos products, including our free Mac anti-virus for home users, detect the Trojan horse as OSX/Sabpab-A.

Users who had already protected their computers with Sophos products were also defended against the Java exploit itself, not just the payload it delivers.


40 Responses to Sabpab, new Mac OS X backdoor Trojan horse discovered

  1. g dean · 740 days ago

    Turn off Java. Simple. No need to clog your Mac with intrusive anti-virus products.

    • .. and uninstall Flash, and stop opening PDFs or Word DOCs, and stop plugging in USB sticks, and stop installing programs you download from the internet.

      Hmm.. maybe it's easier to run an anti-virus on your Mac? :)

      • Guy · 740 days ago

        If g dean thinks the Sophos AV is intrusive, there are larger problems present. My Sophos AV (which is installed and running on both my Macs) has only raised a peep once or twice in the last three years.

    • Peter J Taylor · 738 days ago

      And stop using eBay or any online purchasing.
      I have never had any intrusion from Sophos in 17 years of use at home and at work, except for a couple of warnings of infected incoming emails.

    • Nigel · 738 days ago

      "Turn off java simple no need to clog your mac with intrusive anti virus products"

      Tell me, g dean, when Graham writes...

      "It's time for Mac users to wake up and smell the coffee. Mac malware is becoming a genuine issue, and cannot be ignored any longer."

      ...do you think he's blowing smoke?

      Obviously you have an advanced case of Dogged Denial Of Reality syndrome. Let's see...you might be able to find some expensive meds for that, or you could just install the free Sophos Anti-Virus for Mac.

      Or just let your Mac get infected.

  2. I think it is still going to take a long time for Mac users to pull their heads out of the sand and realise that Macs are now just as vulnerable as Windows PCs.

  3. AMC · 740 days ago

    As far as I know, the file com.apple.PubSubAgent.plist is a common file and has to do with RSS feeds and bookmarks. It's been around since 2005 at least. You should alert Mac users that the Trojan uses a subtle variation of that file name.

    Your screenshot shows the file existing in a user's home folder (Users/homeicon/Library/Preferences) but your paths use the notation for hard drive/Library/Preferences. There are two Libraries, two Preferences folders, and two LaunchAgents folders in every Mac OS X system; which one are you talking about?

    The screenshot under the sentence " the potential for abuse of compromised Macs is obvious" is anything but obvious.

    All these things taken together make me think you're trending toward scare tactics rather than careful, objective reporting. What gives?

    • Apologies. There was an error in the blog post - which we'll fix.

      The screenshot is correct. The wording should have read: "/Users/<user>/Library/..."

    • RIchard · 740 days ago

      I am running Lion. There no longer seems to be a Library Folder in my user folder

      • the JoshMeister · 740 days ago

        RIchard, it's still there, but it's hidden. Apple started doing that with Lion, which makes it a bit more difficult to get to. To open the user's Library folder:

        1) Click on the Finder in the left corner of the Dock
        2) Click on the Go menu and select "Go to Folder..."
        3) Type or paste the following and then click Go: ~/Library (note: the tilde character is made by holding shift and pressing the button to the left of the 1 key near the top-left of the keyboard)

        Hope that helps.

      • R C-R · 740 days ago

        User Library folders are hidden in Lion. You can access it by holding down the option key when you click & hold on the Finder's "Go" menu.

  4. Jimmy · 740 days ago

    ...because I get malware ALL the time from using Flash, opening PDFs and DOCs, plugging in USB sticks, and using programs from the internet on my Mac.

    Assuming malware on Macs were actually a terrible enough problem to run an anti-virus program, the last one I would use is one from a company which resorts to douchebag scare tactics such as blog posts like this one.

    • I'm not suggesting that you get malware all the time on your Mac from using Flash, opening PDFs and DOCs, plugging in USB sticks, or installing programs from the net.

      But the fact of the matter is that we do see users who *are* hit in this way. And we've just seen some 600,000 Mac users hit seemingly by simply browsing the web (because Apple hadn't patched their version of Java against a known security vulnerability in a timely fashion).

      So, as we can't predict what the nature of the next malware threat for Mac users may be - perhaps it would be wise to take a preventative step, just like Windows users do.

      You say that we're resorting to scare tactics but.. err.. if this malware exists (trust me, it does) would you prefer we didn't report it at all? How exactly are we scaring folks? We acknowledge it's nothing like as big a problem as Flashback - would you rather no-one talked about Mac malware at all?

      Remember, we don't make any money out of recommending people download our free anti-virus for Mac. In fact, it costs us money in terms of research and development, infrastructure etc..

      I think as time goes by you're going to find yourself increasingly in the minority amongst Mac users - as most will begin to recognise that the time has come to take steps to protect their Apple computers against malware.

    • Lateral · 740 days ago

      Yes - you should choose mac anti-malware from a company that doesn't report on it or think it's a problem.

      L.

    • Kate · 740 days ago

      The point is that it's not just protecting your Mac - computers with any OS being added to a botnet via malware is a problem for everybody. Botnets spread spam and malware and launch DDoS attacks. It's the same principle as vaccinating your children: you do it to protect the wider community.

    • hah · 739 days ago

      lool Scare tactics.. Jimmy Jimmy Jimmy... where are you living these days?
      The days of a mac being safe are loooooooooooooong gone!

  5. Kev Bolke · 740 days ago

    Graham - can you let us know when the Flashback definition was added to your product? I'd be interested to know. I mean, if we're giving up CPU and memory to a product, it would be nice to know if it would actually help the situation.

  6. TED · 740 days ago

    Graham, as you know, you will get bombarded with more Mac deniers by posting more about the "pro" Mac malware writers' NEW playground. Guess what, deniers..... the "pros" are coming into play with a Mac malware roadmap that WILL execute properly, and not fail like script-kiddie hacks that can't get the malware to keep in contact with command and control.

    • Tim Gowen · 738 days ago

      Well I have the Sophos AV package on my iMac and have only caught Windows malware through spam e-mail.

      You may well be right but the fact is at the moment it's very difficult to catch a virus in OS X with the simple act of, say, plugging in a USB stick.

      Good practice with IT stuff is platform independent, or should be.

  7. Thanks for the good work and the free AV. Some of us appreciate it ;)

  8. Ted · 740 days ago

    Why is it some Mac users have the extreme worry about using RAM and CPU cycles with AV? I can tell you from testing them all, Sophos is one of the lightest out there. I have 5 Macs, and 2 of my Macs that I surf in grey-hat hacker areas have both Intego and Sophos together. No problems running both together as long as you put each in the other's trusted files area. I have caught 3 Mac Trojans with Intego and 2 with Sophos. Sophos catches PC malware a lot better than Intego does.

    You guys can run without AV all you want. I am so proud of you guys being so forthright. I choose to run AV on a Mac. Logic dictates it.

    • Gary · 740 days ago

      > Why is it some Mac users have the extreme worry about using ram and cpu cycles with AV

      Possibly they're long-in-the-tooth users who had (or at least heard about other users having) bad experiences with early AV products years and years and years and years ago? Back in the days when the Mac malware landscape was a much, much safer place. I seem to recall that there were some true horrors released by some publishers. (Of course, there could be other reasons too.)

      I totally agree with you about the comparatively light touch of the Sophos for Mac product.

    • spidersilk · 738 days ago

      Sophos does cause major system slowdowns for some, or at least it has in past versions. The first time I installed it, it ran smoothly and unobtrusively for a few days, then my Mac started getting slower and slower and eventually became completely unusable - just opening a Finder window took several minutes and restarting took literally hours. The only way I was able to regain control was to uninstall it (which I had to do via the command line, because I could no longer get to the Finder).

      Currently I'm giving it another try, because I do think it's important to have protection these days (especially since I got hit with Flashback after uninstalling it!) - and because I saw that it's been through a few upgrades since then so I'm hoping they've managed to fix whatever problem it was with it that crippled my system before. And thus far it's been OK, but it's only been a couple of days, so we'll see...

      Anyway, bottom line is - it's not totally paranoid to worry about whether running Sophos will adversely affect your system, because it has done that for at least some users in the past. Not for everyone, so maybe there are configuration issues, or conflicts with other software or something - I never did pin down why it caused such a drastic slowdown on my system. I'm hoping the problem's been fixed now, but I do understand people being wary.

  9. Zeueleus · 740 days ago

    Now Windows users are better off, because here in Windows land everything is patchable update-able HAHAHA

  10. Jon Fukumoto · 740 days ago

    Everyone who owns a Mac definitely needs to protect themselves. The malware threat is real!! There's no such thing as a 100% secure system! Running Sophos' free anti-virus product gives me peace of mind, knowing that Apple is slow at providing patches. Apple needs to be more active at responding to threats like this and issue patches in a timely manner. I've been running Sophos Anti-Virus on my Mac for over a year now, and so far I've never been infected. I've checked my system for the Flashback Trojan and the results were negative. Anyone who says that Macs can't be infected needs to wake up. Macs have started to gain significant market share, and that makes them a target. Please be vigilant in keeping your Mac secure, and I'm grateful for Sophos' efforts in informing Mac users of the latest threats on either PCs or Macs.

  11. Robert Gracie · 740 days ago

    This really asks the question "How secure is Apple MacOS?" From what I have seen of it in the past few weeks, with all the viruses being released on it....not very secure...but Linux is looking like the more secure OS than MacOS right now.

    • Paul · 738 days ago

      Given that these recent Mac outbreaks were caused by a problem with Java applet sandbox security, it could actually have affected Windows, Mac and Linux with the same severity. But since Linux has a smaller share of the desktop market than the Mac, it's unlikely to be targeted.

      • Paul Ducklin · 738 days ago

        This exploit _is_ being used on Windows, as it's apparently now part of the exploit set available in the infamous Blackhole Exploit Kit...

        Windows users have had longer to get the patch installed, so they are in theory more likely to have got there already...

        ...but you are right. This vulnerability doesn't use memory corruption, shellcode or stack/heap data execution tricks to work. It's a logic fault in Java itself. Effectively you can trick it into using code from an untrusted applet outside the applet sandbox. So the applet isn't constrained as it should be. In particular it can read/write/run files on the local drive, and forge arbitrary network connections. That's "game over" from a malware point of view.

  12. Thanks for the update Graham ! :)

  13. azurethegreat · 739 days ago

    Well, now I know that Macs are not half as invincible as they say they are. Remember a few years ago when Macs had 0 viruses? Things change fast!

  14. anonymous penguin · 739 days ago

    How about using Linux, e.g. Red Hat or Scientific Linux, while taking advantage of SELinux, or, for the most security-obsessed, the more difficult but also more secure FreeBSD?

  15. Sick Nilva · 739 days ago

    So I have a question - in the hospital where I work... we deploy McAfee VirusScan 9.1 - which is a much, much better product (and feels a bit lighter) than the previous ones. I have always used this, I have never ventured away, but with the hospital looking at potential budget cuts, anything that keeps them running and keeps costs down almost guarantees you a free pass past pink-slip alley. Between McAfee and free Sophos... is Sophos still as good and stable - is this recommended in the enterprise? I never thought so... Buuuut......

  16. Andrew · 739 days ago

    Thank you Graham for this post - it's great to be kept up-to-date.

    I too am mystified about why some don't appreciate these blogs and Sophos providing their free AV product for Macs. It's a great product - by far the lightest and most seamless AV product I've ever used and being free, I can't think why anyone wouldn't use it.

    In fact, I'm so keen on it, I have a little feature query/request - could we have a firewall added to it? Or at least an outbound one to augment the inbound firewall built into OS X? That would add further confidence that no malware has made its way onto our systems. It'd make it perfect!

  17. . speaking of naked, nakedsecurity,
    don't you think it's about time to suggest to the industry
    to get away from nakedly monolithic os's,
    like Minix 3 is doing?
    or get away from running on the naked metal,
    and instead get into virtualization,
    like Qubes OS, or the OKL4 Microvisor ?
    . time to stop putting out fires,
    and do some prevention instead .
    . keep reminding us, and we will demand it .

  18. D_B · 738 days ago

    Appears that the focus here is incorrectly on the security of one OS over another... the real attack surfaces are the layer above.... flash, PDF, java etc.

    • Paul Ducklin · 738 days ago

      Of course, in Apple's case, the Java distro is effectively part of the OS (default or optional depending on whether you are 10.6 or 10.7) so you had to wait for the Apple patch...which was a bit too late :-(

      And if you have OS X 10.5, tough luck. No patch. Remove Java or turn it off in the browser.

  19. davidh · 738 days ago

    D_B's got it.

    ALL of the "new rash" of Mac malware is because of Java vulnerabilities.
    Be interesting to see how responsive Oracle is once they take over Java releases for Mac, as they have said they will do.

    Disable Java and be done. If you work in a corporate environment, I do recommend Sophos. Their Mac product is extremely lightweight and effective.

  20. spidersilk · 738 days ago

    Hasn't the Java vulnerability that Flashback exploited already been patched? As I recall, the most recent Java update from Apple was supposed to fix it - and also to detect and remove Flashback (that's how I found out I had it). If that's the case, then is Sabpab only a threat to people who haven't stayed on top of software upgrades from Apple?

  21. MACSTER · 735 days ago

    definitely appreciate the info & updates
    & thanks for free sophos.

    I do wish it had a pause feature instead of having to stop and rescan all items again, however.

    but this long time mac user here says THANK YOU!

  22. macster again · 735 days ago

    note to spidersilk, for 10.4 / Tiger users, there is no java patch, fyi/fwiw.

    i have java turned off now, however, there is at least one site where i still do need to be able to use it for security purposes, so i very much appreciate the sophos info and updates!


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.