Update - New version of Mac OS X Trojan exploits Word, not Java

Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as "Backdoor.OSX.SabPub.a" while Sophos calls it at "SX/Sabpab-A."

After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user's current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity.

The remote C&C website appears to be hosted on the free dynamic DNS service onedumb.com. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.

The Trojan may have been created on March 16, 2012. It was compiled with debug information, meaning analyzing it wasn't hard, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:

/Library/Preferences/com.apple.PubSabAgent.pfile /Library/LaunchAgents/com.apple.PubSabAGent.plist

The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products. The low number of infections and its backdoor functionality indicates that it is most likely used in targeted attacks.

The good news is this means that this Trojan is not believed to be anything as widespread as Flashback, and if you've downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you're safe. The bad news is these Trojans will just keep coming, likely at an increasing rate.

This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

Update - New version of Mac OS X Trojan exploits Word, not Java

See also: