OSX/SabPub – New Backdoor Malware Threat for Mac OS X


Another new piece of malware has been discovered that exploits the CVE-2012-0507 Java vulnerability, the same vulnerability that OSX/Flashback used. The latest variant of this threat has been found using the same exploit that OSX/MS09-027!exploit used.

This new malware takes advantage of an old vulnerability in Microsoft Word (MS09-027), which could allow remote code execution if a user opens a specially crafted Word file. The vulnerability has been patched since 2009. This malware is detected as OSX/SabPub.A.

Once OSX/SabPub.A is executed, a decoy Word file is opened to distract the user while the malicious activity continues in the background.

[Figure 1 – Decoy Word Document File]

Inspecting the OSX/SabPub.A file, you can easily spot the encoded URL that it will connect to.


[Figure 2 – Code Snippet of Encoded URL]

While the user thinks the opened file was harmless, the malware has already dropped the file “” in /user/%user%/Library/Preferences/.

It then creates “” in /user/%user%/Library/LaunchAgents/ to ensure that the backdoor stays active on the system.

It contacts the remote server “” via HTTP, and the remote attacker is capable of issuing the following commands:

• Download and upload files
• Create a new process
• Capture the screen
• Execute a shell command

Here are some code snippets of its backdoor commands:


[Figure 3 – Code Snippet]


[Figure 4 – Code Snippet]

[Figure 5 – Code Snippet]

[Figure 6 – Code Snippet]

[Figure 7 – Code Snippet]

[Figure 8 – Code Snippet]

[Figure 9 – Code Snippet]

[Figure 10 – Code Snippet]

[Figure 11 – Code Snippet]

How to Manually Remove OSX/SabPub.A:

Delete OSX/SabPub.A files and components.

    Go to /user/%user%/Library/LaunchAgents/ and delete the following file:


    Go to /user/%user%/Library/Preferences/ and delete the following file:


Take note that there is a legitimate file called “” in Mac OS X. The PubSub agent syncs the RSS read/unread status of bookmarked RSS feeds between computers running Mac OS X 10.5 that are syncing bookmarks via MobileMe Sync.
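A defender-side check for the persistence pattern described above (a plist in ~/Library/LaunchAgents whose program has been dropped into ~/Library/Preferences), added here as an example that is not part of the original post. The plist contents, label and file names are constructed placeholders, not the real SabPub ones.

```python
import os
import plistlib
from typing import Dict, List

# Constructed sample LaunchAgent plist modelled on the persistence pattern in
# the post: an agent that launches a program living under ~/Library/Preferences.
# Label and paths are placeholders, not the malware's real names.
SAMPLE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.placeholder</string>
    <key>ProgramArguments</key>
    <array><string>/Users/alice/Library/Preferences/placeholder_agent</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Directories where a LaunchAgent's executable is not expected to live.
SUSPICIOUS_PARENTS = ("/Library/Preferences/", "/Library/Caches/", "/tmp/")

def agent_program(plist_bytes: bytes) -> str:
    """Return the program path a launchd plist would execute ('' if none)."""
    data = plistlib.loads(plist_bytes)
    if "Program" in data:
        return data["Program"]
    args = data.get("ProgramArguments") or []
    return args[0] if args else ""

def assess_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Classify one LaunchAgent plist: the program it runs, whether launchd
    keeps it alive across logins, and whether that program sits in a directory
    where no legitimate agent binary belongs."""
    data = plistlib.loads(plist_bytes)
    program = agent_program(plist_bytes)
    persistent = bool(data.get("RunAtLoad")) or bool(data.get("KeepAlive"))
    odd_location = any(parent in program for parent in SUSPICIOUS_PARENTS)
    return {"label": data.get("Label", ""), "program": program,
            "persistent": persistent, "suspicious": persistent and odd_location}

def audit_launch_agents(directory: str) -> List[Dict[str, object]]:
    """Assess every .plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results.append(assess_agent(fh.read()))
    return results

if __name__ == "__main__":
    for r in audit_launch_agents(os.path.expanduser("~/Library/LaunchAgents")):
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + f"{r['label']}: {r['program']}")
```

Anything flagged is a lead to inspect by hand, not proof of infection; legitimate agents occasionally use unusual paths too.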

Ensure that your Total Defense Products are updated with the latest signatures at all times.
