The Latest in IT Security

OSX/SabPub – New Backdoor Malware Threat for Mac OS X

18
Apr
2012

Another new malware has been discovered that exploits the CVE-2012-0507 Java Vulnerability, the same vulnerability that OSX/Flashback used. The latest variant of this threat have been found using the same exploit that OSX/MS09-027!exploit used.

This new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as OSX/SabPub.A.

Once executed, OSX/SabPub.A, the decoy Word file will be executed, it will cause distraction to the user to hide its malicious activity in the background.

[Figure 1 – Decoy Word Document File]

Inspecting the file OSX/SabPub.A, you can easily spot the encoded URL that it will connect to.

 

[Figure 2 – Code Snippet of Encoded URL]

While the user thinks that the executed file was not harmful, the malware already the file “com.apple.PubSabAgent.pfile” in /user/%user%/Library/Preferences/.

It then creates “com.apple.PubSabAgent.plist” in the /user/%user%/ Library/LaunchAgents/ to ensure that the backdoor is active on the system.

It contacts the remote server “199.192.152.100” via http and the remote hacker is capable of performing the following commands:

         •    Download and Upload files
         •    Create new process
         •    Capture the screen
         •    Execute shell command

Here are some code snippets of its backdoor commands:

 

[Figure 3 – Code Snippet]

 

[Figure 4 – Code Snippet]

[Figure 5 – Code Snippet]

[Figure 6 – Code Snippet]

[Figure 7 – Code Snippet]

[Figure 8 – Code Snippet]

[Figure 9 – Code Snippet]

[Figure 10 – Code Snippet]

[Figure 11 – Code Snippet]

How to Manually Remove OSX/SabPub.A:

Delete OSX/SabPub.A files and components.

    Go to /user/%user%/library/LaunchAgents/, delete the following file:

            •    com.apple.PubSabAgent.plist

    Go to /user/%user%/Library/Preferences/, delete the following file:

            •    com.apple.PubSabAgent.pfile

Take note that there is a legitimate file called “com.apple.PubSubAgent.plist“ in Mac OS X. The PubSub agent syncs the RSS read/unread status of bookmarked RSS feeds between computers using Mac OS X 10.5 that are syncing bookmarks via MobileMe Sync.

Ensure that your Total Defense Products are updated with the latest signatures at all times.

Related posts:
  1. MS09-027 Target: Mac OSX & Tibetan NGOs
  2. Mac OS X Threat Masquerading as Image Files
  3. Malware Targeting Windows and MAC OSX
  4. SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link
  5. Criminals gain control over Mac with BackDoor.Olyx

Written by GLOBAL SECURITY ADVISOR RESEARCH BLOG
0 Comments

Leave a reply


Categories

THURSDAY, APRIL 18, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments