Mac Trojan exploiting malformed Word documents

The Mac OS X platform has now been targeted for a second time by a Trojan called SabPub (Backdoor.OSX.SabPub.a). Several in the media are misreporting this latest Mac OS X Trojan as a Java exploit. Let me tell you, this isn’t a Java exploit. SabPub is actually exploiting malformed Word documents.

SabPub is a typical backdoor Trojan, which aims to open remote access to a target system. This Trojan appears to be part of the Flashback family, which conducts click fraud scams by hijacking search engine results inside the web browser. The SabPub exploit is delivered using a drive-by download method, which occurs when people click on URLs leading to malware in an email or a poisoned search result. A malicious Word document is downloaded, and it then installs the SabPub Trojan, which is embedded in the document, on your system.

Mac users should be aware that SabPub will attempt to install itself on your Mac OS X system and will not prompt you to enter your admin/account username and password*. Microsoft identified this vulnerability back in 2009. This vulnerability modified the way that Microsoft Word would open and parse files. I suggest you make sure that your system has MS09-027 / KB969514 installed.

*Be aware: The /tmp/ and /$HOME/Library/LaunchAgents folders on Mac OS X do not require root privileges to write to. This means that applications can run from them in user land with no difficulties. There is also the chance that such an application could open up network sockets, which would enable data transfer.
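
Because those two folders need no root privileges, a per-user LaunchAgents audit is a quick check to run. The following is an added example, not code from the original post: it parses each agent plist and flags programs that live in /tmp-style directories, are hidden files, or sit inside LaunchAgents itself. The heuristics, function names and sample agents are assumptions constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumption of this example: directories any local process can write to.
WORLD_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/")

def agent_program(job):
    """Return the executable launchd would start for this job, or ''."""
    args = job.get("ProgramArguments") or [""]
    return str(job.get("Program") or args[0])

def audit_launch_agents(agents_dir):
    """Return (plist name, program, reasons) for agents that merit a manual look."""
    findings = []
    for plist_path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            job = plistlib.loads(plist_path.read_bytes())
        except Exception:
            job = None
        if not isinstance(job, dict):
            findings.append((plist_path.name, "", ["unparseable plist"]))
            continue
        program, reasons = agent_program(job), []
        if program.startswith(WORLD_WRITABLE):
            reasons.append("program in world-writable directory")
        if Path(program).name.startswith("."):
            reasons.append("hidden program file")
        if program.startswith(str(agents_dir) + "/"):
            reasons.append("program stored inside LaunchAgents")
        if reasons and job.get("RunAtLoad"):
            reasons.append("starts when loaded (RunAtLoad)")
        if reasons:
            findings.append((plist_path.name, program, reasons))
    return findings

def demo():
    """Audit two constructed sample agents written to a scratch directory."""
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}
    odd = {"Label": "com.example.helper", "Program": "/tmp/.helper", "RunAtLoad": True}
    with tempfile.TemporaryDirectory() as scratch:
        Path(scratch, "com.example.updater.plist").write_bytes(plistlib.dumps(benign))
        Path(scratch, "com.example.helper.plist").write_bytes(plistlib.dumps(odd))
        return audit_launch_agents(scratch)

if __name__ == "__main__":
    print(demo())
```

On a Mac, pass str(Path.home() / "Library" / "LaunchAgents") to audit_launch_agents; a finding is a prompt for manual review, not proof of infection.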

Mac OS X users should really be using anti-virus software.

Safe surfing folks!
