Mac OS X malware used in targeted attacks

Powered by SC Magazine
 

Targets 'Flashback' Java vulnerability.

Just as the news surrounding the outbreak of the Flashback trojan that infected nearly 650,000 Mac OS X machines began to subside, experts have discovered another threat to the platform.

Security firm Symantec released a report on Friday indicating that a new trojan is targeting the same (now-patched) vulnerability that the Flashback malware took advantage of in Java.

Once the malware, dubbed “Sabpub,” is injected into a user's computer, it has the ability to open a back door that enables miscreants to send commands to the infected computer, including taking screenshots, downloading files or installing additional malware.

Symantec classified the infection as a “very low” risk trojan, and research conducted over the weekend by Russia-based Kaspersky Lab may indicate why the threat level is not comparable to that of Flashback.

According to a blog post Saturday by Costin Raiu, director of Kaspersky Lab's global research and analysis team, Sabpub is designed for use in “targeted attacks.”

“At the moment, it is not clear how users [were] infected with this, but the low number and its back door functionality indicates that it is most likely used in targeted attacks,” he wrote.

Raiu reported that the IP address of the command-and-control (C&C) server which hosts Sabpub is shared with that of a previous attack, known as “Luckycat,” discovered by Kaspersky in March. That was an advanced persistent threat (APT) campaign targeting Tibetan activists.

“The IP address of the C&C to which this bot connects (199.192.152) was also used in other Windows malware samples during 2011, which made us believe we were looking at the same entity behind these attacks,” Raiu wrote.

Further, a separate blog post on Sunday revealed that there are at least two variants of Sabpub in the wild: one which attacks the vulnerability in Java, and another that focuses on an older vulnerability in Microsoft Word for OS X.

“The Word documents exploited a vulnerability in Microsoft Word (including Microsoft Office for Mac), to install an older version of the malware,” Seculert CTO Aviv Raff said. “These seem to be the method of operation used by the attackers before they started using the Java exploits.”

Kaspersky Lab senior researcher Roel Schouwenberg suspected the attacks occurred through infected websites and via phishing emails.

Flashback infected computers through drive-by downloads, which result in greater infection numbers. Although Sabpub used the same Java vulnerability, the malware was spread via targeted spam messages, leading experts like Schouwenberg to say infection numbers could be fewer than 100.

“People definitely need to make sure their software is up to date, just like with Windows,” Schouwenberg said. “So that's not just OS X, but also Java and Office. Obviously, running security software will help.”

A spokesperson for Apple could not be reached for comment.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

