Another new malware has been discovered that exploits the CVE-2012-0507 Java Vulnerability, the same vulnerability that OSX/Flashback used. The latest variant of this threat have been found using the same exploit that OSX/MS09-027!exploit used.
This new malware is taking advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been already patched since 2009, which could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as OSX/SabPub.A.
Once executed, OSX/SabPub.A, the decoy Word file will be executed, it will cause distraction to the user to hide its malicious activity in the background.
[Figure 1 – Decoy Word Document File]
Inspecting the file OSX/SabPub.A, you can easily spot the encoded URL that it will connect to.
[Figure 2 – Code Snippet of Encoded URL]
While the user thinks that the executed file was not harmful, the malware already the file “com.apple.PubSabAgent.pfile” in /user/%user%/Library/Preferences/.
It then creates “com.apple.PubSabAgent.plist” in the /user/%user%/ Library/LaunchAgents/ to ensure that the backdoor is active on the system.
It contacts the remote server “188.8.131.52” via http and the remote hacker is capable of performing the following commands:
• Download and Upload files
• Create new process
• Capture the screen
• Execute shell command
Here are some code snippets of its backdoor commands:
[Figure 3 – Code Snippet]
[Figure 4 – Code Snippet]
[Figure 5 – Code Snippet]
[Figure 6 – Code Snippet]
[Figure 7 – Code Snippet]
[Figure 8 – Code Snippet]
[Figure 9 – Code Snippet]
[Figure 10 – Code Snippet]
[Figure 11 – Code Snippet]
How to Manually Remove OSX/SabPub.A:
Delete OSX/SabPub.A files and components.
Go to /user/%user%/library/LaunchAgents/, delete the following file:
Go to /user/%user%/Library/Preferences/, delete the following file:
Take note that there is a legitimate file called “com.apple.PubSubAgent.plist“ in Mac OS X. The PubSub agent syncs the RSS read/unread status of bookmarked RSS feeds between computers using Mac OS X 10.5 that are syncing bookmarks via MobileMe Sync.
Ensure that your Total Defense Products are updated with the latest signatures at all times.
Leave a reply