New version of Sabpab Mac Trojan emerges, spread via Word documents

Filed Under: Apple, Featured, Malware, Vulnerability

Mac Word iconA new version of the Mac OS X Sabpab Trojan horse has come to light, and rather than relying upon a Java vulnerability - it appears to be exploiting malformed Word documents instead.

If you open the boobytrapped Word document on a vulnerable Mac, a version of the OSX/Sabpab Trojan horse gets installed on your computer opening a backdoor for remote hackers to steal information or install further code.

As a decoy, a Word document is dumped onto your drive and displayed - effectively acting as a camouflage for the Trojan's true intentions:

Word document displayed as decoy

Mac users may be caught out by the attack, as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac.

Sophos anti-virus products already proactively detected the boobytrapped Word documents as Troj/DocOSXDr-A, and protection against OSX/Sabpab-A has been updated to detect this variant also.

This technique of infecting Mac users is not new. At the end of last month, warnings were issued about a new Mac malware attack that embedded itself inside boobytrapped Word documents.

Those attacks exploited a known security vulnerability (MS09-027) in Word, which allow hackers to remotely execute code on your computer without your knowledge.

Now the same technique is being used by cybercriminals to spread OSX/Sabpab.

In both incidents, the Word document displayed appears to relate to Tibet.

Bad appleUnlike the earlier sightings of Sabpab, there is nothing about this attack which relates to the Java vulnerability exploited by the Flashback botnet.

So, any Mac users who believe that they have protected themselves because they don't use Java probably needs to realise that that's not an effective defence.

And although there's no reason to believe that this attack is widespread, it's clearly time for some people to wake up to the reality of Mac malware.

Mac users - please get an anti-virus, for goodness sake. If you don't want to pay for one, there is free anti-virus for Mac home users available for download.

Of course, it would also be sensible to update your installation of Microsoft Word - as a patch has been available for the vulnerability being exploited here since 2009. To make sure that your Office for Mac is patched, open up any program from the Office suite, and choose the "Check for updates" option from the Help menu.

You can find out more about the threat in Costin Raiu's post on the Kaspersky blog.

Broken apple image, from ShutterStock

, , , , , ,

You might like

21 Responses to New version of Sabpab Mac Trojan emerges, spread via Word documents

  1. G Dean · 1233 days ago

    Yet another reason for mac users NOT to use any micros**t products! Most should already know this.

    • NYMike · 1233 days ago

      Unfortunately, Microsoft Office is a necessary evil for many Mac users' occupations. Therefore, users MUST apply Office updates promptly in addition to having anti-virus protection.

    • Machin Shin · 1233 days ago

      Yeah, you could do that, and avoid java and any other third party software. Of course then all you will have is your wonderful OSX with a few basics and STILL be vulnerable because it is a fact of life that nothing is perfect. Yes, that includes your Mac, I know it is a hard thing for Mac fanboys to understand but Macs are not impervious to attacks.

    • B Wilkerson · 1233 days ago

      Yes that is the solution. If a Trojan, virus, or piece of Malware affects a program then the solution is to never use that program. Based on your comments you do not use Java, Flash, Acrobat, or any other software on your Mac because any software can be compromised.

      Also nevermind the fact that Microsoft patched this hole 3 years ago.

      • Dan M · 1232 days ago

        "Also nevermind the fact that Microsoft patched this hole 3 years ago."

        This is exactly what I'm curious about. How is it that someone can go THREE YEARS without updating software?

    • Josh · 1233 days ago

      You're missing the point. I've said for years that the only reason Macs didn't have more malware is because the market share wasn't large enough yet to make it worth the criminals' time to attack it. Now the market share is large enough and we're starting to see the malware.

      Anything with an OS can be attacked and it will be attacked. If you stop using Java then the criminals will attack Word. If you stop using Word then they'll start attacking OpenOffice/LibreOffice. If you stop using that then they'll attack something else. If they can't crack the OS then they'll crack something on it that's common to the majority of users. It doesn't matter if the OS is so perfectly designed that it doesn't have a single flaw (I say that to appease the Mac fanboys here), if it's using third party software and if there's a user at the keyboard then the bad guys will find a way in.

      Debates about which desktop OS is the most secure are a thing of the past. It doesn't matter whether you use Windows, Mac, or Linux, when a significant percentage of other people start using your OS of choice then it'll be attacked, and people will find a way to crack it.

      So as the article says, it's time to wake up and smell the coffee. The days of Macs being safe from malware are a thing of the past.

    • Peter J Taylor · 1232 days ago

      Without MS Office applications, how does G Dean suggest Macintosh users exchange documents, spreadsheets and presentations with those who have MS Office? Apple provide no alternative. Is Open Office safe?

  2. Donna · 1233 days ago

    Does this include IPad ?

  3. ohhai · 1233 days ago

    Are we going to get a news article for every piece of Mac malware that is discovered? Why are there no news articles on new malware for Windows, Linux, Apache, etc?

    • Mostly because there are just so many for Windows that it would fill up the feed, and that there are so few for Linux/Apache that it's not worthwile. Also the userbase For OS's like Linux and Apache are usually more informed about this stuff.

  4. Ryan C. Moon · 1233 days ago

    Re: "Mac users - please get an anti-virus, for goodness sake. " >>

    Keep beating that ineffectual drum, Mr. Cluley. Anti-virus is routinely lacking in detecting malware that is 2+ years old, has been completely absent battling ZeuS and it's variants, and routinely less than 5% of them detect new malware flying around in the wild. Anti-virus would not have stopped Sabpab from taking over OSX machines opening vulnerable versions of Mac Word, updating Office would have done that (in the cases we have seen so far).

    The fact is that by the time a new infection vector like this is discovered, disclosed, researched, documented, fixed, clears through QA and passed to production for deployment through AV updates, the malware is already three to four versions later using different methodologies. AV signature based detection is a relic of the past and is no longer an effective means of counteracting today's manifold malware threats.

    • Josh · 1233 days ago

      Guess you missed the part of the article where the author said that Sophos detected infected Word documents before they even updated their signatures.

      You're also completely incorrect about anti-virus products failing to detect new threats. It's called heuristics, and good AV products are very good at detecting new threats.

      P.S. - I don't use Sophos and I'm not associated with them. I'm a firm believer in AV being part of a comprehensive solution to security, though. Is it the only solution? No. Using NoScript/NotScript, not using Java, and just showing some brains on what Web sites you visit and what attachments you open are all great first lines of defense, but that doesn't eliminate the need for a good AV product.

  5. Patrick · 1233 days ago

    I have Sophos and found both files in Preferences.

    • Natalie · 1232 days ago

      I had one of the files as well, even though I have up-to-date Sophos and run it regularly.

  6. B Wilkerson · 1233 days ago

    Can this affect machines without Microsoft Word on them? Like if the document is opened in another program that can open word docs?

  7. Jon Fukumoto · 1232 days ago

    A good reason to have an anti-virus product installed on your Mac. I know this sounds like a broken record, I'm going to say it again: THERE'S NO SUCH THING AS 100% SECURE. It's up to each of us to secure our systems, whether it's a Mac, PC, or Linux. Please be vigilant when it comes to security.

  8. David · 1232 days ago

    How can it install software without admin permission? I am using Sophos, btw.

    • It's a user mode infection (aka userland).

      It doesn't install onto a part of your computer which requires admin permissions.

  9. Bill Horvath II · 1232 days ago

    I'd also like to know whether this virus depends on the Microsoft Office product itself. I use Pages and OpenOffice for opening Word documents -- Will this virus 'work' if the document in question is opened using one of these non-MS programs?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley