Researchers at Kaspersky Lab say a new malicious program, dubbed SabPub, exploits the same Java security hole as the Flashback Trojan and enables targeted attacks against Mac users.
The new malware was identified in a blog post by Kaspersky Lab expert Costin Raiu on Saturday and is described as a “custom OS X backdoor” application, which gives attackers access to infected systems. The warning comes as infections linked to the Flashback program have begun to wane, after Apple followed the lead of other firms, releasing a program to detect and remove infections linked to the malware.
SabPub appears to date to mid-March and components of the malware were first detected in the wild on April 2nd and April 12th – both in China, according to the post on the Securelist blog.
SabPub works like other downloaders, which are the workhorses of the malware world. After infecting a vulnerable OS X machine, it connects to a Web site that is part of a command and control network on the Internet. From there, it receives and runs instructions to download other malicious components that can be used to log keystrokes, enroll the infected host in a botnet, and so on. Raiu said that clues in the malware suggest that it is still under development.
The appearance of another Mac-focused malicious program is more bad news for Apple, which has long marketed its Mac systems as safe from viruses, worms and other kinds of malicious code. The recent appearance of a botnet consisting of some 500,000 infected Macs casts doubt on those claims, while the appearance of SabPub suggests that Mac-focused malware may become an endemic problem for Mac systems, as it is for those running Microsoft Windows. The emergence of a Mac malware ecosystem may also force changes on Mac users. A recent report suggested that many Mac users were running vulnerable versions of the Java software, exposing them to the Flashback Trojan.