Java update is no protection against new SabPub Mac Trojan
SabPub Mac Trojan is spreading via Word documents, using an ancient vulnerability
By Karen Haslam
April 18, 2012 — IDG News Service — There are two variants of the Sabpab Trojan targeting Macs, according to security specialists. We reported earlier this week that Sabpab was targeting Macs using the same Java vulnerability that was used by the Flashback Trojan. Now the recently discovered Sabpab Trojan malware, is said to be targeting Macs using compromised Word documents, with the earliest version dating back to February 2012. There are concerns that Mac users who think that they are protected because they have updated Java with Apple's latest security update, are not safe from the latest vulnerability.
Kaspersky's Costin Raiu writes in the Securelist blog that: "At least two variants of the SabPub bot exist today". He adds that "The earliest version of the bot appears to have been created and used in February 2012. The malware is being spread through Word documents that exploit the CVE-2009-0563 vulnerability." He notes that "SabPub stayed undetected for more than 1.5 months." (More below)
Graham Cluley warns that: "Unlike the earlier sightings of Sabpab, there is nothing about this attack which relates to the Java vulnerability exploited by the Flashback botnet." Cluley wrote in his blog that: "Rather than relying upon a Java vulnerability - it appears to be exploiting malformed Word documents instead."
Cluley's concern is that: "Any Mac users who believe that they have protected themselves because they don't use Java probably needs to realise that that's not an effective defence".
It was previously thought that Sabpab used the same vulnerability in the OS X's Java plug-in to infect Macs. Sophos had earlier warned that just like Flashback - all that needs to happen is for you to visit an infected webpage. It had been thought that if you have updated Java on your Mac then you would be protected from the new threat, and most Mac anti-virus software will protect against Sabpab as well. This is not the case.
The Trojan works as follows, according to Cluley: "If you open the boobytrapped Word document on a vulnerable Mac, a version of the OSX/Sabpab Trojan horse gets installed on your computer opening a backdoor for remote hackers to steal information or install further code." He adds that: "Mac users may be caught out by the attack, as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac."Sophos anti-virus products will detect the Word documents as Troj/DocOSXDr-A, and protection against OSX/Sabpab-A has been updated to detect this variant also, Cluley notes, suggesting that Mac users install security software.