Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan doesn’t require any user interaction to infect your Apple Mac. Kaspersky refers to it as “Backdoor.OSX.SabPub.a” while Sophos calls it “SX/Sabpab-A.”
After infecting a given Mac, this Trojan is like most: it connects to a remote website using HTTP in typical command and control (C&C) fashion to fetch instructions from remote hackers telling it what to do. The backdoor contains functionality to take screenshots of the user’s current session, upload and download files, as well as execute commands remotely on the infected machine. Encrypted logs are sent back to the control server, so the hackers can monitor activity.
The remote C&C website appears to be hosted on the free dynamic DNS service onedumb.com. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.
The Trojan may have been created on March 16, 2012. It was compiled with debug information, meaning analyzing it wasn’t hard, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:
/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist
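As an added example (not part of the original article), here is a small POSIX shell check for the two file paths listed above. The paths are the ones the article gives; the optional ROOT argument is my own addition so the same check can be pointed at a mounted disk image or a test directory instead of the live system. The function's exit status (1 if any indicator is present, 0 if none) makes it usable from a cron job or fleet-management script.

```shell
#!/bin/sh
# Added example: look for the two on-disk indicators named in the article.
# Indicator paths come from the article; the ROOT prefix is an assumption
# added so the check can be run against a mounted image or a test tree.

SABPUB_IOC_FILES="/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist"

# sabpub_check [ROOT]
# Prints each indicator found under ROOT (default: the live filesystem).
# Returns 1 if any indicator exists, 0 if none do.
sabpub_check() {
    root="${1%/}"          # "/" or "" both mean the live system
    found=0
    for f in $SABPUB_IOC_FILES; do   # newline-separated, no spaces in paths
        if [ -e "$root$f" ]; then
            echo "FOUND: $root$f"
            # A LaunchAgents plist is what keeps the backdoor running
            # across logins, so show what it would launch.
            case "$f" in
                */LaunchAgents/*.plist) grep -i -A1 'Program' "$root$f" 2>/dev/null ;;
            esac
            found=1
        fi
    done
    return "$found"
}

# Scan the live system when invoked directly; pass a mount point to scan an image.
sabpub_check "${1:-}" && echo "No SabPub indicators found under '${1:-/}'"
```

On a default (case-insensitive) macOS volume the odd capitalisation of `PubSabAGent` in the second path does not matter to `-e`; on a case-sensitive volume or a mounted image you may want to glob for both spellings.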
The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products. The low number of infections and its backdoor functionality indicate that it is most likely used in targeted attacks.
The good news is that this Trojan is therefore not believed to be anything as widespread as Flashback, and if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe. The bad news is these Trojans will just keep coming, likely at an increasing rate.
This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.
View original article here: Trojan