A new Mac trojan is threatening Macintoshes — even before the massive Flashback-created Mac botnet and the malware that created it have been completely neutralized.
New targeted Mac OS X Trojan requires no user interaction
First, don’t panic.
But… it is cause for concern that there is yet another ‘drive-by’ malware attack on the Macintosh’s OS X operating system — fresh on the heels of the massive Flashback infestation that created a ‘botnet’ (robot network or zombie-net) of over 550,000 Macintoshes that had been taken over by that Java-related malware. Particularly troubling in that case was the fact that even though Java publishers Oracle released a fix for the vulnerability in January, it took Apple more than two months to implement the fix and patch the OS X system.
(Apple elects to handle updates to their Java engine themselves, which, obviously, created a long window during which the malware was able to spread to over a half million Macs — the greatest penetration — as measured by percentage of a given computer platform — ever.)
Part of the problem for Apple is that they coasted on what they claimed were their laurels with regard to security for so long. OS X, they insisted, had almost never been the target of a large, successful attack — even stretching so far as to claim that was because of ‘superior security’ on the Mac’s OS X. Sadly, that last is simply not true, as MacWorld’s own Rich Mogull pointed out last year when he stated that Windows 7 was more secure than OS X — to the predictable howls of Mac evangelists.
Now, of course, with Flashback — the most ‘successful’ penetration (measured by percentage) of any modern OS ever — there’s little rational argument against the idea that OS X seriously needs the kind of security overhaul that Microsoft performed on Windows — in particular the ‘anonymization’ of critical OS code libraries. Windows now uses what amounts to a dynamic naming system to ‘hide’ critical OS components from malware, which has proved very successful. Mac security specialists like Mogull have been urging Apple to do the same, and it appears that they have, indeed, been working to bring OS X up to contemporary security standards.
Flashback removal info: http://www.macworld.com/article/1160098/macdefender.html
MacWorld doesn’t have news of this newest Mac trojan, currently known by the euphonically challenged names Backdoor.OSX.SabPub.a and OSX/Sabpab-A — but ZDNet is on the tip with this article on the latest set of threats (same as linked at top of article)…
http://www.zdnet.com/blog/security/new-targeted-mac-os-x-trojan-requires-no-user-interaction/11545
From the article…
The remote C&C website appears to be hosted on the free dynamic DNS service onedumb.com. Interestingly, the IP address in question has been used in other targeted attacks (known as Luckycat) in the past. This particular attack may have been launched through e-mails containing a URL pointing to two websites hosting the exploit, located in Germany and the U.S.
The Trojan may have been created on March 16, 2012. It was compiled with debug information, meaning analyzing it wasn’t hard, but more importantly this seems to suggest it is not the final version. You can check for infection by looking for the following files:
/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist
The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products. The low number of infections and its backdoor functionality indicates that it is most likely used in targeted attacks.
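The file check described in the excerpt above, as an added example (not from the original post or the ZDNet article): a shell function that looks for the two quoted paths, matching names case-insensitively. The `sabpub_scan` name, the optional root argument for scanning a mounted backup, and the extra look inside each user's own Library folder are assumptions of this example.

```shell
#!/bin/sh
# Added example: check for the two SabPub file indicators quoted above.
# Usage: sabpub_scan            (live system)
#        sabpub_scan /Volumes/Backup   (hypothetical mounted backup or image)

# Indicator paths exactly as they appear in the quoted excerpt.
SABPUB_IOCS='/Library/Preferences/com.apple.PubSabAgent.pfile
/Library/LaunchAgents/com.apple.PubSabAGent.plist'

# Prints the number of indicator files found on stdout and each hit on stderr.
sabpub_scan() {
    root=${1:-}
    hits=0
    # Assumption: besides the system-wide /Library given in the excerpt,
    # also look under each user's home (<root>/Users/<name>/Library).
    for base in "$root" "$root"/Users/*; do
        [ -d "$base/Library" ] || continue
        for ioc in $SABPUB_IOCS; do
            dir=$base$(dirname "$ioc")
            name=$(basename "$ioc")
            [ -d "$dir" ] || continue
            # -iname: the excerpt spells the name with two different casings,
            # and macOS volumes are case-insensitive by default, so an exact
            # string compare on a copied or remounted volume could miss a hit.
            found=$(find "$dir" -maxdepth 1 -iname "$name" 2>/dev/null)
            if [ -n "$found" ]; then
                printf 'FOUND: %s\n' "$found" >&2
                hits=$((hits + 1))
            fi
        done
    done
    echo "$hits"
}
```

A result of 0 only means these two files are absent; it says nothing about other variants.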
UPDATE on FLASHBACK:
Despite Apple’s release of a removal tool and OS patch last month, there are still about 270,000 Macs in the Flashback botnet: http://www.zdnet.com/blog/bott/apple-releases-flashback-removal-tool-infections-drop-to-270000/4775?tag=content;siu-container