Another, Different Apple Trojan DiscoveredBy: Sean Patterson - April 16, 2012
Hot on the heals of the news about the Flashback botnet that infected around 600,000 macs, security analysts have confirmed the existence of another Trojan that is compromising Apple products. This one, dubbed Backdoor.OSX.SabPub.a, infects Mac OS X computers and opens a backdoor to a remote connection. Using the connection, screenshots can be taken and commands can be executed on the computer.
Costin Raiu of Kaspersky Lab wrote about how the trojan was confirmed:
For the past two days, we have been monitoring a “fake” infected system – which is a typical procedure we do for APT bots. We were extremely surprised when during the weekend, the APT controllers took over our “goat” infected machine and started exploring it.
Raiu found evidence that the SabPub infection has been active for over a month. One interesting thing about the infection is the way it spreads. It rides along on Microsoft Word documents, exploiting a known stack-based buffer overflow vulnerability. From Raiu’s analysis:
One of the biggest mysteries is the infection vector of these attacks. Given the highly targeted nature of the attack, there are very few traces. Nevertheless, we found an important detail which is the missing link: Six Microsoft Word documents, which we detect as Exploit.MSWord.CVE-2009-0563.a. In total we have six relevant Word .docs with this verdict — with four dropping the MaControl bot. The remaining two drop SabPub.
Oddly, one of the documents that spreads the infection is named “10th March Statemnet” [sic], a reference to the Dalai-Lama’s statement over a year ago commemorating the Tibetan People’s National Uprising Day. It seems odd that the person or persons implementing this attack have a strong “free Tibet” political stance, but I suppose it’s possible. It was reported last month that political activists for Tibet were targeting Macs with malware attacks. What do you think? Let me know in the comments below.