SabPub malware proves Macs are an APT target

Trojan exploits malformed Word documents to open back doors on Macs

Mac users who are living in ignorance or denial of the danger of APTs (advanced persistent threats), prepare for a wake-up call: A new version of a Trojan horse dubbed SabPub, capable of opening a back door on Macs for malicious hackers to exploit, is making its rounds embedded in Word documents, according to security companies Kapersky and Sophos.

According to Kaspersky, Backdoor.OSX.SabPub -- unlike predecessors like the Flashback botnet -- provides "a real example of how a vulnerable Apple computer could be fully controlled by cyber criminals," according to Kaspersky Lab expert Costin Raiu.

"This new threat is a custom OS X back door, which appears to have been designed for use in targeted attacks," Raiu wrote. "After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The back door contains functionality to make screenshots of the user's current session and execute commands on the infected machine."

The news comes less than a week after Apple released two urgent security updates for Mac OS X: one to remove a recently discovered Flashback (or Flashfake) malware, which was being distributed via infected websites as a Java applet posing as an update for the Adobe Flash Player; the other to automatically deactivate the Java browser plug-in and Java Web Start.

Although that may have nipped Flashback in the bud, it doesn't protect Macs from this version of SabPub, which does not appear to exploit Java at all; rather, it looks to exploit malformed Word documents via the CVE-2009-0563 vulnerability. If a user opens a booby-trapped Word document, his or her machine will become infected. A decoy document also gets dropped onto the user's disk.

Over the weekend, Kaspersky studied the malware on a test machine. Researchers found that attackers were able to take over the machine, analyze its contents, and steal some of its documents. On Sunday, the C&C domain was shutdown, according to Kaspersky, and the bot lost connection to it. "This appears to be an initiative from the free DNS service, and it was no doubt triggered by the media attention," according to Raiu, "Interestingly, the VPS used as the C&C is still active."

Kaspersky expects that attackers will release new variants of the bot with new C&Cs in coming days and weeks.

SabPub has proven more effective than a bot dubbed MaControl, which was used for APT attacks in February, in that SabPub managed to go undetected for more than 45 days.

This story, "SabPub malware proves Macs are an APT target," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.