A new threat to the Apple platform has been discovered following last week's news of the Flashback botnet.
Symantec reported that a new Trojan is targeting the same vulnerability that the Flashback malware took advantage of in Java. Named 'Sabpub', it has the ability to open a backdoor that enables an attacker to send commands to the infected computer, including taking screenshots, downloading files or installing additional malware.
Symantec classified the infection as a “very low”-risk Trojan, while research conducted over the weekend by Kaspersky Lab concluded that Sabpub is designed for use in targeted attacks. “At the moment, it is not clear how users get infected with this, but the low number and its backdoor functionality indicate that it is most likely used in targeted attacks,” said Costin Raiu, director of Kaspersky Lab's global research and analysis team.
Raiu reported that the IP address of the command and control (C&C) server which hosts Sabpub is shared with that of a previous attack, known as 'Luckycat', that Kaspersky discovered in March. That was an advanced persistent threat campaign targeting Tibetan activists.
“The IP address of the C&C to which this bot connects (199.192.152) was also used in other Windows malware samples during 2011, which made us believe we were looking at the same entity behind these attacks,” Raiu said.
Further research by Kaspersky Lab revealed that there are at least two variants of Sabpub in the wild: one that attacks the vulnerability in Java; and another that focuses on an older vulnerability in Microsoft Word for OS X.
Roel Schouwenberg, senior researcher at Kaspersky Lab, said he suspected the attacks happen over email, whereas the Java vulnerability was likely exploited through browsing websites. He said the targeted nature of the attacks led Kaspersky researchers to believe phishing techniques were also used.
While Flashback infected computers through drive-by downloads, in which the user merely visited a bogus web page, Sabpub, which uses the same Java vulnerability, is spread via targeted spam messages, leading researchers such as Schouwenberg to say infection numbers could be as low as the double digits.
Schouwenberg said: “People definitely need to make sure their software is up to date, just like with Windows. So that's not just OS X, but also Java and Office. Obviously, running security software will help.”