New Mac Trojan Is Latest Attack on Apple Systems

Security vendors Kaspersky, Sophos and Intego have identified new malware targeting Apple Macs that exploits the same Java flaw as Flashback.

Just as the Mac Flashback malware has begun to decline, security researchers at Kaspersky Lab, Sophos and Intego are talking about a new Trojan horse that targets Apple Macs using the same security flaw in Java that Flashback exploited.

The new malware, dubbed "SabPub" by Kaspersky and "Sabpab" by Sophos and Intego, is what the researchers are calling a basic "backdoor" Trojan horse, which can steal information from infected systems.

"[J]ust like Flashback, the new Trojan doesn't require any user interaction to infect your Apple Mac," Graham Cluley, senior technology consultant at Sophos, said in an April 13 post on the company's NakedSecurity blog. "The Sabpab Trojan horse exploits the same drive-by Java vulnerability used to create the Flashback botnet. The criminals behind the attack can grab screenshots from infected Macs, upload and download files, and execute commands remotely."

The Sabpab Trojan creates files and then sends encrypted logs back to the command-and-control (C&C) server, enabling the hackers to monitor the activity on the system, Cluley wrote.

Costin Raiu, a security expert for Kaspersky, said in an April 15 post on the company's SecureList blog that researchers there had been watching a deliberately infected test system they had set up to monitor the malware. The sample, he said, connected back to a C&C server with the same IP address that had been used by other malware samples found targeting Macs last year.

On April 15, traffic generated by the C&C server changed, indicating that the hackers took over control of the connection and began analyzing the "goat" system that Kaspersky had set up, Raiu said.

"They listed the contents of the root and home folders and even stole some of the goat documents we put in there," he wrote. "We are pretty confident the operation of the bot was done manually, which means [there is] a real attacker, who manually checks the infected machines and extracts data from them."

What all this means, Raiu wrote, is that SabPub is an advanced-persistent-threat (APT) attack that is in an active stage.

He wrote that there appear to be at least two variants of the bot, with the earlier version being created in February and the second in March, "and the attackers are using Java exploits to infect ... Mac OS X machines." Raiu said he expects new variants to be released in the next few days and weeks.

Intego officials on the company's blog April 16 said that for the time being, the Sabpab Trojan isn't posing the same risk as Flashback.

"Initially, the command and control server that this malware tried to connect to was offline, but Intego's malware researchers have found it to be accessible today," the Intego officials wrote. "Intego has seen a few samples, but this malware does not yet seem to be widely distributed, and the risk is low."

The new malware comes on the heels of the Flashback outbreak, which at one point infected more than 600,000 Macs, or more than 1 percent of all Macs in use worldwide. Officials with security software vendor Symantec said last week that the number of infections has since dropped to 270,000.

The Flashback infections shook the theory that Macs and other Apple systems were immune to Trojans and other security exploits, and opened up Apple officials to sharp criticism over their slow response to the problem and lack of communication with the security community.

Oracle, which owns Java, had patched the Java flaw for Windows PCs and other systems weeks earlier, but Apple didn't send out the patch to its users until April 3, just as security companies like Kaspersky and Dr. Web were saying that the number of infected Macs had grown past 600,000.

Then, Apple was late in rolling out a tool to detect and remove the Flashback malware, launching it days after others, including Kaspersky, Sophos, Intego and F-Secure, had rolled out their own free offerings.

The new Mac malware is also the latest indication that as Apple systems increase in popularity and use in businesses, they will see more attacks by hackers. Sophos' Cluley said Mac users need to understand this trend.

"The Sabpab Trojan is not believed to be anything like as widespread as Flashback, but still underlines the importance of protecting Macs against malware with an up-to-date antivirus program and security updates," he wrote. "It's time for Mac users to wake up and smell the coffee. Mac malware is becoming a genuine issue, and cannot be ignored any longer."