
Latest Mac trojan spreads through Microsoft Word documents

post #1 of 65
A new version of a backdoor trojan for Apple's OS X operating system takes advantage of an exploit in Microsoft Word to spread.

The latest variant of the attack known as "LuckyCat" was discovered and detailed by Costin Raiu, Kaspersky Lab expert. He found that a dummy infected machine was taken over by a remote user who started analyzing the machine and even stole some documents from the Mac.

"We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them," Raiu wrote in a post to SecureList.

The new Mac-specific trojan, named "Backdoor.OSX.SabPub.a," uses a Java exploit to infect targeted machines. It spreads through Microsoft Word documents that exploit a vulnerability known as "CVE-2009-0563."

The new trojan is noteworthy because it stayed undetected for more than a month and a half before it came alive and data was manually extracted from the machine. That's different from MaControl, another bot used in attacks discovered in February 2012.

There are currently at least two variants of the "SabPub" trojan, which remains classified as an "active attack." It is expected that new variants of the bot will be released in the coming weeks, as the latest was created in March.

Security on the Mac has been in the spotlight of late as a result of the "Flashback" trojan that infected more than 600,000 Macs worldwide. Apple addressed the issue with a series of software updates last week designed to remove the trojan from affected machines.

The Flashback botnet harvested personal information and Web browsing logs from infected machines. The trojan, which disguises itself as an Adobe Flash installer, was first discovered last September.

post #2 of 65
If you never install Java - you don't expose yourself to these trojan malware.

Apple no longer installs Java on Macs. Java is not present in iOS.

Java is a third party platform - like Flash - that opens up security holes in Mac OS X.
post #3 of 65
Quote:
Originally Posted by jameskatt2

If you never install Java - you don't expose yourself to these trojan malware.

Apple no longer installs Java on Macs. Java is not present in iOS.

Java is a third party platform - like Flash - that opens up security holes in Mac OS X.

Except for the fact that this trojan uses an Office vulnerability, not Java. Since this attack vector appears to be from 2009 can we assume that current, fully patched systems are safe? I always apply Office patches as soon as they are available.
post #4 of 65
Quote:
Originally Posted by jameskatt2

If you never install Java - you don't expose yourself to these trojan malware.

Apple no longer installs Java on Macs. Java is not present in iOS.

Java is a third party platform - like Flash - that opens up security holes in Mac OS X.

You have to wonder what's going on with Android OS. Aren't most of their Google Play apps Java-based?

This bot has been removed from circulation due to a malfunctioning morality chip.

post #5 of 65
Could this article possibly be less useful?

No info on how to detect the trojan, no info on whether the latest patched Java version is still vulnerable, no info on how to get rid of it, no info...no info.
post #6 of 65
it's not like it's a pc trojan...why is it called as such? it requires manual intervention
post #7 of 65
I am having trouble watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.

I am now watching youtube videos on Firefox. No problems there.

Yes, I am using Apple's latest operating system and I am doing regular updates.
post #8 of 65
The article should be updated to list the Word version affected by the exploited bug.
Namely, the virus can only affect Word for Mac versions 2004 and 2008. If you have Word for Mac 2011, you should not worry.

Not listing the Word version could just unnecessarily scare users. Especially given that Word 2004 doesn't work on OS X Lion and Word 2008 is such a joke few people use it.
post #9 of 65
Quote:
Originally Posted by lkrupp

Except for the fact that this trojan uses an Office vulnerability, not Java. Since this attack vector appears to be from 2009 can we assume that current, fully patched systems are safe? I always apply Office patches as soon as they are available.

Did you even read the article? I'm guessing not.

It says, right in the article, and I quote, "The new Mac-specific trojan, named "Backdoor.OSX.SabPub.a," uses a Java exploit to infect targeted machines. It spreads through Microsoft Word documents that exploit a vulnerability known as "CVE-2009-0563."
post #10 of 65
Quote:
Originally Posted by lkrupp

Except for the fact that this trojan uses an Office vulnerability, not Java.

Actually according to the article, it uses both Java and Office.

Quote:
Originally Posted by mr O

I am having trouble watching some of the youtube videos in Safari.

And???

This has nothing to do with the topic of the thread.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #11 of 65
Quote:
Originally Posted by venyz

The article should be updated to list the Word version affected by the exploited bug.
Namely, the virus can only affect Word for Mac versions 2004 and 2008. If you have Word for Mac 2011, you should not worry.

Not listing the Word version could just unnecessarily scare users. Especially given that Word 2004 doesn't work on OS X Lion and Word 2008 is such a joke few people use it.

I'm using Word 2008 - didn't know it was a joke - better than giving Microsoft more money for the latest version though
post #12 of 65
Pages ftw, open office, or even google docs.
White Nexus 7 8GB
Black & Slate iPhone 5 32GB AT&T
post #13 of 65
Quote:
Originally Posted by mr O

I am having trouble watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.

I am now watching youtube videos on Firefox. No problems there.

Yes, I am using Apple's latest operating system and I am doing regular updates.

Perhaps your Java isn't enabled (Safari Preferences). Your inquiry is reasonable and may in fact be related to this thread. Chill.
__________________________________________________ _
"You can't depend on your eyes when your imagination is out of focus." (Mark Twain)
post #14 of 65
Quote:
Originally Posted by jameskatt2

Java is a third party platform - like Flash - that opens up security holes in Mac OS X.

Let's clear up the misconceptions here:

Java is a programming language plus a specification of a runtime environment in which programs written using the Java programming language will run. The key word there is "specification".

On each operating system, a Java runtime developer/maintainer uses that specification as the basis for creating a runtime environment (for the purpose of allowing Java applications to be run on that operating system).

So, if security holes exist in the Mac OS X Java runtime only (not all Java runtimes), then the problem is with that particular implementation, and not the Java specification itself.

One more interesting point: up until Mac OS X 10.7, it was Apple themselves who created and maintained the Java runtime for Mac OS X. I believe, but am not certain, that the source code for that exact runtime was passed on to Oracle when the reins of maintenance switched hands. Which, if true, means that it could potentially be Apple's fault these security holes exist, not Oracle's.

Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.
post #15 of 65
Quote:
Originally Posted by doyourownthing

it's not like it's a pc trojan...why is it called as such? it requires manual intervention

You don't understand what a trojan is. A trojan pretends to be what it is not. If I write an app which appears to be a word processor but actually deletes all your files, it's a trojan horse.

The Trojans had to wheel the horse into Troy in order for it to be effective, hence the name.
My Android phone is the worst phone I've ever owned.
post #16 of 65
Quote:
Originally Posted by auxio

Let's clear up the misconceptions here:

Java is a programming language plus a specification of a runtime environment in which programs written using the Java programming language will run. The key word there is "specification".

On each operating system, a Java runtime developer/maintainer uses that specification as the basis for creating a runtime environment (for the purpose of allowing Java applications to be run on that operating system).

So, if security holes exist in the Mac OS X Java runtime only (not all Java runtimes), then the problem is with that particular implementation, and not the Java specification itself.

One more interesting point: up until Mac OS X 10.7, it was Apple themselves who created and maintained the Java runtime for Mac OS X. I believe, but am not certain, that the source code for that exact runtime was passed on to Oracle when the reins of maintenance switched hands. Which, if true, means that it could potentially be Apple's fault these security holes exist, not Oracle's.

Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.

Don't bother. You'll never convince the armchair programmers that Java is not the root of all evil in the universe, despite their not knowing a single thing about it.
My Android phone is the worst phone I've ever owned.
post #17 of 65
Quote:
Originally Posted by auxio

On each operating system, a Java runtime developer/maintainer uses that specification as the basis for creating a runtime environment (for the purpose of allowing Java applications to be run on that operating system).

While technically correct, almost all Java runtimes that you will find on desktop systems are built off the exact same source code as the official Oracle runtime. They open-sourced it about 5 years ago, and anyone can build their own JRE and JDK as long as you abide by the license terms. OpenJDK (which is the de facto standard JDK you'll find on open-source operating systems) is now even officially the reference implementation of the language and SDK.

Quote:
So, if security holes exist in the Mac OS X Java runtime only (not all Java runtimes), then the problem is with that particular implementation, and not the Java specification itself.

Seeing that the Oracle JDK, the OS X JDK and most other desktop Java implementations are based off of the same source code, there isn't much of a difference in practice. In fact, as it turns out, the same security hole that is now being exploited on OS X was also present in the JDKs you would typically use on Windows and Linux, but those were simply patched quicker and never exploited on a large scale.

Quote:
One more interesting point: up until Mac OS X 10.7, it was Apple themselves who created and maintained the Java runtime for Mac OS X. I believe, but am not certain, that the source code for that exact runtime was passed on to Oracle when the reins of maintenance switched hands. Which, if true, means that it could potentially be Apple's fault these security holes exist, not Oracle's.

None of that makes any sense. Apple used to maintain the packaging and distribution of the JDK used on OS X, but it was simply built from Sun/Oracle code with OS X specific adaptations. This meant that any time Oracle patched some security hole, OS X would not have it until Apple got around to pulling the patch into their own JDK package and pushed it as an update.

To prevent exactly the problems that allowed the Flashback trojan and its variants to spread on OS X, Apple decided they don't want to be maintaining their own JDK builds, just like they decided at one point they would stop distributing the Flash plugin as an integral part of OS X. The only code that Apple likely transferred to Oracle would have been the OS X specific adaptations to the reference JDK source code, which I expect are very minimal, and may not even be present in the OS X JDK builds that Oracle ships now.

Quote:
Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.

I don't see what's so mindless about this. The security leak is in the JDK, right?
post #18 of 65
Quote:
Originally Posted by knightlie

Don't bother. You'll never convince the armchair programmers that Java is not the root of all evil in the universe, despite their not knowing a single thing about it.

Maybe you should educate yourself about Java a little more before you make statements like that, because the piece you quoted in your reply is full of factual errors.

That said, I know a fair bit of Java myself, having written somewhere in the neighbourhood of some 300K lines of Java code (rough guesstimate) spread over different projects and problem domains, over a timeframe of about 15 years, and I absolutely ff-ing hate it. It's probably one of the worst programming languages you can use today, and if it weren't for the fact that it garnered such a large following and billions of lines of legacy code, nobody would ever use it voluntarily. There's a reason people felt the need to create something like Scala.

Java as a programming language is garbage. Unless you are masochistic, there are plenty of alternatives you can use that are better in every aspect imaginable except ubiquity.
post #19 of 65
Quote:
Originally Posted by mr O

I am having trouble watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.

I am now watching youtube videos on Firefox. No problems there.

Yes, I am using Apple's latest operating system and I am doing regular updates.

Reset all temporary data in safari (can't check right now, on a windows machine) I had the same problem and this fixed it. Others have also had this problem after upgrading to Lion, fixed it for a lot of people.
post #20 of 65
I've been a Mac user for something like 24 years (Mac OS 6, I think) and have enjoyed my computer security far more than my Windows friends. This one makes me a little squeamish, though. For the longest time I've been touting Apple's OS implementations as much more inherently safe since they've done a better job walling off the OS from applications.

So I guess it raises this question: Why is Java able to reach into the bowels of my computer for things I don't think it should be able to reach? Whether Java for OS X is a product of Apple or Oracle is mostly meaningless as it's pushed out to my computer by Apple.
post #21 of 65
Quote:
Originally Posted by mr O

I am having trouble watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.

I am now watching youtube videos on Firefox. No problems there.

Yes, I am using Apple's latest operating system and I am doing regular updates.

Ummmm, ok. It must be that Word vulnerability messing you up.
post #22 of 65
Quote:
Originally Posted by Hudson1

So I guess it raises this question: Why is Java able to reach into the bowels of my computer for things I don't think it should be able to reach?

That is because OSX is inherently insecure.
post #23 of 65
Quote:
Originally Posted by d-range

Maybe you should educate yourself about Java a little more before you make statements like that, because the piece you quoted in your reply is full of factual errors.

Java as a programming language is garbage. Unless you are masochistic, there are plenty of alternatives you can use that are better in every aspect imaginable except ubiquity.

How cute. Poor little bunny doesn't like Java. As opposed to what, one wonders ...
post #24 of 65
MSFT and Adobe, the gifts that keep on giving!
post #25 of 65
Quote:
Originally Posted by I am a Zither Zather Zuzz

That is because OSX is inherently insecure.

Wow! You have over 1,200 posts since just January of this year? An automated troll in our midst! And a clueless one at that.
post #26 of 65
Quote:
Originally Posted by canoeberry

How cute. Poor little bunny doesn't like Java. As opposed to what, one wonders ...

As opposed to about anything else, including the many Java spin-offs that use just the JVM and get rid of the rest of the language so they don't have to deal with all the bone-headed things about Java. You don't think these exist for the sole reason that so many people hate everything about Java except the JVM (which is, in fact, pretty decent)?

But hey, if you like writing lots of boilerplate code, hate closures or first-class lambda functions, love to deal with the arbitrary distinction between primitive data types and the ones that have java.lang classes, enjoy littering your code with compiler intrinsics just to shut it up when you want to compile anything that uses generics or autoboxing against legacy code that doesn't, if you really think it's a good idea to make every.single.thing an object (well, except integers, chars and doubles, obviously), don't mind having to wade through piles of deprecated APIs that are still part of the core language (what's the standard Java UI library of the day today? AWT, Swing, SWT, or do we have something 'better' already?), are absolutely thrilled to catch all the millions of checked exceptions thrown by library methods (as opposed to just catching java.lang.Exception which most Java programmers do so they don't have to write millions of lines of code just to handle exceptions, effectively killing the whole idea behind exception handling in general and checked exceptions in particular), and would rather use something as obtuse and inconvenient as JNI just to interact with some piece of code that was not written in Java, be my guest.

Do you have any arguments yourself, or are you just a little butt-hurt that someone on the internet does not like Java? How about you give me 1 (one) reason why I should like Java more than one of the many alternatives that I could use instead of it.
post #27 of 65
Quote:
Originally Posted by auxio

Let's clear up the misconceptions here:

[...]
Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.

Regardless, unless you need it for a specific application, you should probably disable it.

The Java Preferences utility is in /Applications/Utilities; uncheck the boxes next to the versions listed in the General tab.

Life is too short to drink bad coffee.
post #28 of 65
Quote:
Originally Posted by jameskatt2

If you never install Java - you don't expose yourself to these trojan malware.

Apple no longer installs Java on Macs. Java is not present in iOS.

Java is a third party platform - like Flash - that opens up security holes in Mac OS X.

One snag is you can't run Adobe CS5 or CS6 without Java though (and who knows what else) and many of us need Adobe products.

By the way I know this as I deleted all Java items this morning as an experiment. I had to re download and install it after I found Photoshop would no longer run.

I discovered to my surprise many apps are remarkably faster now, PS CS5, Aperture to name only two, load in the blink of an eye and seem to run many times faster now. An unexpected side effect!
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
Google Motto "You're not the customer. You're the product."
post #29 of 65
Quote:
Originally Posted by canoeberry

How cute. Poor little bunny doesn't like Java. As opposed to what, one wonders ...

If you read his post instead of getting snarky, you'd have seen he specifically mentioned Scala. Please read before posting.
post #30 of 65
Quote:
Originally Posted by FreeRange

Wow! You have over 1,200 posts since just January of this year? An automated troll in our midst! And a clueless one at that.

Unfortunately, quoting trolls doesn't help. Those that have put them in ignore lists sadly get to see replies although I see no reason why the AI database couldn't exclude replies containing excluded users.
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
Google Motto "You're not the customer. You're the product."
post #31 of 65
Quote:
Originally Posted by digitalclips

One snag is you can't run Adobe CS5 or CS6 without Java though (and who knows what else) and many of us need Adobe products.

Really? CS5.5 seems to run fine without Java. Is there a specific application function that you have found that will not run?

Life is too short to drink bad coffee.
post #32 of 65
Quote:
Originally Posted by jameskatt2

If you never install Java - you don't expose yourself to these trojan malware.

Apple no longer installs Java on Macs. Java is not present in iOS.

Java is a third party platform - like Flash - that opens up security holes in Mac OS X.

True except that Apple itself is the company supplying/developing the software should you decide you need it so it is their responsibility to fix things like this.

-kpluck

Do you use MagicJack?

The default settings will automatically charge your credit card each year for service renewal. You will not be notified or warned in any way. You can turn auto renewal off.
post #33 of 65
Quote:
Originally Posted by mstone

Really? CS5.5 seems to run fine without Java. Is there a specific application function that you have found that will not run?

I deleted all Java items (I used Finder Find 'Java' and trashed all items it found) and rebooted. On launching PS I got a dialog stating "Adobe CS5 programs cannot load without Java, do you wish to download it?" I did and by the way, now my Mac is many, many times faster!!! Got to do more tests but Adobe products launch instantly (i7 MBP) whereas they used to take quite a while to load.
From Apple ][ - to new Mac Pro I've used them all.
Long on AAPL so biased
Google Motto "You're not the customer. You're the product."
post #34 of 65
Quote:
Originally Posted by Flash_beezy

Pages ftw, open office, or even google docs.

^^^ This! Changed over to iWork for everything, and haven't looked back once. Everything converts and exports fine; at least for me and my needs.
post #35 of 65
Quote:
Originally Posted by digitalclips

I deleted all Java items (I used Finder Find 'Java' and trashed all items it found) and rebooted. On launching PS I got a dialog stating "Adobe CS5 programs cannot load without Java, do you wish to download it?" I did and by the way, now my Mac is many, many times faster!!! Got to do more tests but Adobe products launch instantly (i7 MBP) whereas they used to take quite a while to load.

I just used the Java Preference app to disable it and all the CS5.5 apps that I use regularly run fine. Perhaps Adobe doesn't really need it all the time but looks for it to be sure it is available when/if needed. By disabling it in the preferences it is still on the system, it just can't be used. In the event that a function requiring Java is requested the dialog prompt would probably say something like Java is currently turned off please enable it to use this function.

Life is too short to drink bad coffee.
post #36 of 65
Quote:
Originally Posted by tdmelvin

^^^ This! Changed over to iWork for everything, and haven't looked back once. Everything converts and exports fine; at least for me and my needs.

Unfortunately, there are a lot of advanced business spreadsheets in Excel which either don't work at all with Numbers, OpenOffice, etc., or don't work well enough to be usable.
post #37 of 65
I hope OpenOffice isn't affected. Although I need it maybe 5 times a year anyway.

This Java thing sounds cool, though. I'm gonna have to install that and try it out!
post #38 of 65
So am I ok if I'm using Microsoft Office for Mac 2011? I just did a service pack update of some sort this past week and my mom is getting her new iMac set up with Microsoft Office 2011 tomorrow. I'd hate to introduce her to Apple with this kind of sh*t going on.
post #39 of 65
Quote:
Originally Posted by SolipsismX

You have to wonder what's going on with Android OS. Aren't most of their Google Play apps Java-based?

Haha, very funny.

For those that didn't get the joke, Android has nothing to do with this -- it has neither the JVM, nor MS Office. This is a Mac OS problem exclusively.
post #40 of 65
Quote:
Originally Posted by AppleInsider

A new version of a backdoor trojan for Apple's OS X operating system takes advantage of an exploit in Microsoft Word to spread. [...]

New version, ancient technique. Microsoft Word macro viruses have been around since the '90s.

Thanks again for architecting a malware-friendly app, Mr. Gates.

Sent from my iPhone Simulator