SabPub - The Latest Mac OS X Backdoor Java Exploit

Monday, April 16, 2012



Recently, Russian anti-virus company Doctor Web found that the Flashback Mac Trojan had infected more than 600,000 systems, further quashing the myth that Apple's OS X is somehow immune to malware threats.

The Trojan exploited three Java vulnerabilities to gain remote access to the infected systems and likely included a keylogger capability to capture authentication credentials.

Doctor Web created an online tool for users to see if they had been infected by the Flashback Trojan, F-Secure has instructions on how to remove the virus, and Apple announced they had successfully patched the vulnerability.

Now researchers at Kaspersky Labs have discovered another OS X backdoor that utilizes a Java exploit. The Trojan, dubbed "SabPub", uses an obfuscator to attempt to bypass antivirus protection.

"The Java exploits appear to be pretty standard, however, they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator. This was obviously done in order to avoid detection from anti-malware products," writes Kaspersky's Costin Raiu.

Analysis leads Raiu to believe that the malware was designed for use in targeted attacks.

"This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine," said Raiu.

SabPub, which may have been in the wild for about a month, is now known to connect to Command and Control servers hosted on a VPS located in Fremont, California, called "".

" is a free dynamic DNS service. Interesting, the C&C at IP 199.192.152.* was used in other targeted attacks (known as “Luckycat”) in the past," Raiu wrote.

"One other important detail is that the backdoor has been compiled with debug information - which makes its analysis quite easy. This can be an indicator that it is still under development and it is not the final version," he continued.

Early analysis has not determined the exact mechanism for the spread of SabPub, but researchers suspect the use of emails containing a malicious URL as the primary method of delivery.

"At the moment, it is not clear how users get infected with this... Several reports exist which suggest the attack was launched through e-mails containing an URL pointing to two websites hosting the exploit, located in US and Germany," Raiu explained.

