Latest Mac trojan spreads through Microsoft Word documents

Posted in macOS, edited January 2014


A new version of a backdoor trojan for Apple's OS X operating system exploits a vulnerability in Microsoft Word to spread.



The latest variant of the attack known as "LuckyCat" was discovered and detailed by Costin Raiu, a Kaspersky Lab expert. He found that a deliberately infected test machine was taken over by a remote user, who began analyzing the machine and even stole some documents from the Mac.



"We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them," Raiu wrote in a post to SecureList.



The new Mac-specific trojan, named "Backdoor.OSX.SabPub.a," uses a Java exploit to infect targeted machines. It spreads through Microsoft Word documents that exploit a vulnerability known as "CVE-2009-0563."



The new trojan is noteworthy because it stayed undetected for more than a month and a half before it came alive and data was manually extracted from the machine. That's different from MaControl, another bot used in attacks discovered in February 2012.



There are currently at least two variants of the "SabPub" trojan, which remains classified as an "active attack." It is expected that new variants of the bot will be released in the coming weeks, as the latest was created in March.











Security on the Mac has been in the spotlight of late as a result of the "Flashback" trojan that infected more than 600,000 Macs worldwide. Apple addressed the issue with a series of software updates last week designed to remove the trojan from affected machines.



The Flashback botnet harvested personal information and Web browsing logs from infected machines. The trojan, which disguises itself as an Adobe Flash installer, was first discovered last September.





Comments

  • Reply 1 of 65
    If you never install Java, you don't expose yourself to this trojan malware.



    Apple no longer installs Java on Macs. Java is not present in iOS.



    Java is a third party platform - like Flash - that opens up security holes in Mac OS X.
  • Reply 2 of 65
    lkrupp Posts: 10,557 member
    Quote:
    Originally Posted by jameskatt2 View Post


    If you never install Java, you don't expose yourself to this trojan malware.



    Apple no longer installs Java on Macs. Java is not present in iOS.



    Java is a third party platform - like Flash - that opens up security holes in Mac OS X.



    Except for the fact that this trojan uses an Office vulnerability, not Java. Since this attack vector appears to be from 2009 can we assume that current, fully patched systems are safe? I always apply Office patches as soon as they are available.
  • Reply 3 of 65
    solipsismx Posts: 19,566 member
    Quote:
    Originally Posted by jameskatt2 View Post


    If you never install Java, you don't expose yourself to this trojan malware.



    Apple no longer installs Java on Macs. Java is not present in iOS.



    Java is a third party platform - like Flash - that opens up security holes in Mac OS X.



    You have to wonder what's going on with Android OS. Aren't most of their Google Play apps Java-based?
  • Reply 4 of 65
    neilm Posts: 987 member
    Could this article possibly be less useful?



    No info on how to detect the trojan, no info on whether the latest patched Java version is still vulnerable, no info on how to get rid of it, no info...no info.
  • Reply 5 of 65
    It's not like it's a PC trojan... why is it called as such? It requires manual intervention.
  • Reply 6 of 65
    mr O Posts: 1,046 member
    I am having trouble watching some of the YouTube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.



    I am now watching youtube videos on Firefox. No problems there.



    Yes, I am using Apple's latest operating system and I am doing regular updates.
  • Reply 7 of 65
    venyz Posts: 4 member
    The article should be updated to list the Word version affected by the exploited bug.

    Namely, the virus can only affect Word for Mac versions 2004 and 2008. If you have Word for Mac 2011, you should not worry.



    Not listing the Word version could just unnecessarily scare users. Especially given that Word 2004 doesn't work on OS X Lion and Word 2008 is such a joke few people use it.
  • Reply 8 of 65
    hpod Posts: 19 member
    Quote:
    Originally Posted by lkrupp View Post


    Except for the fact that this trojan uses an Office vulnerability, not Java. Since this attack vector appears to be from 2009 can we assume that current, fully patched systems are safe? I always apply Office patches as soon as they are available.



    Did you even read the article? I'm guessing not.



    It says, right in the article, and I quote, "The new Mac-specific trojan, named "Backdoor.OSX.SabPub.a," uses a Java exploit to infect targeted machine. It spreads through Microsoft Word documents that exploit a vulnerability known as "CVE-2009-0563."
  • Reply 9 of 65
    charlituna Posts: 7,217 member
    Quote:
    Originally Posted by lkrupp View Post


    Except for the fact that this trojan uses an Office vulnerability, not Java.



    Actually according to the article, it uses both Java and Office.



    Quote:
    Originally Posted by mr O View Post


    I am having trouble watching some of the YouTube videos in Safari.



    And???



    This has nothing to do with the topic of the thread.
  • Reply 10 of 65
    sedney Posts: 13 member
    Quote:
    Originally Posted by venyz View Post


    The article should be updated to list the Word version affected by the exploited bug.

    Namely, the virus can only affect Word for Mac versions 2004 and 2008. If you have Word for Mac 2011, you should not worry.



    Not listing the Word version could just unnecessarily scare users. Especially given that Word 2004 doesn't work on OS X Lion and Word 2008 is such a joke few people use it.



    I'm using Word 2008 - didn't know it was a joke - better than giving Microsoft more money for the latest version, though.
  • Reply 11 of 65
    Pages ftw, open office, or even google docs.
  • Reply 12 of 65
    sandyf Posts: 42 member
    Quote:
    Originally Posted by mr O View Post


    I am having trouble watching some of the YouTube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.



    I am now watching youtube videos on Firefox. No problems there.



    Yes, I am using Apple's latest operating system and I am doing regular updates.



    Perhaps your Java isn't enabled (Safari Preferences). Your inquiry is reasonable and may in fact be related to this thread. Chill.
  • Reply 13 of 65
    auxio Posts: 2,727 member
    Quote:
    Originally Posted by jameskatt2 View Post


    Java is a third party platform - like Flash - that opens up security holes in Mac OS X.



    Let's clear up the misconceptions here:



    Java is a programming language plus a specification of a runtime environment in which programs written using the Java programming language will run. The key word there is "specification".



    On each operating system, a Java runtime developer/maintainer uses that specification as the basis for creating a runtime environment (for the purpose of allowing Java applications to be run on that operating system).



    So, if security holes exist in the Mac OS X Java runtime only (not all Java runtimes), then the problem is with that particular implementation, and not the Java specification itself.



    One more interesting point: up until Mac OS X 10.7, it was Apple themselves who created and maintained the Java runtime for Mac OS X. I believe, but am not certain, that the source code for that exact runtime was passed on to Oracle when the reins of maintenance switched hands. Which, if true, means that it could potentially be Apple's fault these security holes exist, not Oracle's.



    Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.
  • Reply 14 of 65
    knightlie Posts: 282 member
    Quote:
    Originally Posted by doyourownthing View Post


    It's not like it's a PC trojan... why is it called as such? It requires manual intervention.



    You don't understand what a trojan is. A trojan pretends to be what it is not. If I write an app which appears to be a word processor but actually deletes all your files, it's a trojan horse.



    The Trojans had to wheel the horse into Troy in order for it to be effective, hence the name.
  • Reply 15 of 65
    knightlie Posts: 282 member
    Quote:
    Originally Posted by auxio View Post


    Let's clear up the misconceptions here:



    Java is a programming language plus a specification of a runtime environment in which programs written using the Java programming language will run. The key word there is "specification".



    On each operating system, a Java runtime developer/maintainer uses that specification as the basis for creating a runtime environment (for the purpose of allowing Java applications to be run on that operating system).



    So, if security holes exist in the Mac OS X Java runtime only (not all Java runtimes), then the problem is with that particular implementation, and not the Java specification itself.



    One more interesting point: up until Mac OS X 10.7, it was Apple themselves who created and maintained the Java runtime for Mac OS X. I believe, but am not certain, that the source code for that exact runtime was passed on to Oracle when the reins of maintenance switched hands. Which, if true, means that it could potentially be Apple's fault these security holes exist, not Oracle's.



    Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.



    Don't bother. You'll never convince the armchair programmers that Java is not the root of all evil in the universe, despite their not knowing a single thing about it.
  • Reply 16 of 65
    d-range Posts: 396 member
    Quote:
    Originally Posted by auxio View Post


    On each operating system, a Java runtime developer/maintainer uses that specification as the basis for creating a runtime environment (for the purpose of allowing Java applications to be run on that operating system).



    While technically correct, almost all Java runtimes that you will find on desktop systems are built off the exact same source code as the official Oracle runtime. They open-sourced it about 5 years ago, and anyone can build their own JRE and JDK as long as they abide by the license terms. OpenJDK (which is the de facto standard JDK you'll find on open-source operating systems) is now even officially the reference implementation of the language and SDK.



    Quote:

    So, if security holes exist in the Mac OS X Java runtime only (not all Java runtimes), then the problem is with that particular implementation, and not the Java specification itself.



    Seeing that the Oracle JDK, the OS X JDK and most other desktop Java implementations are based off of the same source code, there isn't much of a difference in practice. In fact, as it turns out, the same security hole that is now being exploited on OS X was also present in the JDKs you would typically use on Windows and Linux, but those were simply patched quicker and never exploited on a large scale.



    Quote:

    One more interesting point: up until Mac OS X 10.7, it was Apple themselves who created and maintained the Java runtime for Mac OS X. I believe, but am not certain, that the source code for that exact runtime was passed on to Oracle when the reins of maintenance switched hands. Which, if true, means that it could potentially be Apple's fault these security holes exist, not Oracle's.



    None of that makes any sense. Apple used to maintain the packaging and distribution of the JDK used on OS X, but it was simply built from Sun/Oracle code with OS X specific adaptations. This meant that any time Oracle patched some security hole, OS X would not have it until Apple got around to pulling the patch into their own JDK package and pushed it as an update.



    To prevent exactly the problems that allowed the Flashback trojan and its variants to spread on OS X, Apple decided they don't want to be maintaining their own JDK builds, just like they decided at one point they would stop distributing the Flash plugin as an integral part of OS X. The only code that Apple likely transferred to Oracle would have been the OS X specific adaptations to the reference JDK source code, which I expect are very minimal, and may not even be present in the OS X JDK builds that Oracle ships now.



    Quote:

    Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.



    I don't see what's so mindless about this. The security leak is in the JDK, right?
  • Reply 17 of 65
    d-range Posts: 396 member
    Quote:
    Originally Posted by knightlie View Post


    Don't bother. You'll never convince the armchair programmers that Java is not the root of all evil in the universe, despite their not knowing a single thing about it.



    Maybe you should educate yourself about Java a little more before you make statements like that, because the piece you quoted in your reply is full of factual errors.



    That said, I know a fair bit of Java myself, having written somewhere in the neighbourhood of some 300K lines of Java code (rough guesstimate) spread over different projects and problem domains, over a timeframe of about 15 years, and I absolutely ff-ing hate it. It's probably one of the worst programming languages you can use today, and if it weren't for the fact that it garnered such a large following and billions of lines of legacy code, nobody would ever use it voluntarily. There's a reason people felt the need to create something like Scala.



    Java as a programming language is garbage. Unless you are masochistic, there are plenty of alternatives you can use that are better in every aspect imaginable except ubiquity.
  • Reply 18 of 65
    Quote:
    Originally Posted by mr O View Post


    I am having trouble watching some of the YouTube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.



    I am now watching youtube videos on Firefox. No problems there.



    Yes, I am using Apple's latest operating system and I am doing regular updates.



    Reset all temporary data in Safari (can't check right now, on a Windows machine). I had the same problem and this fixed it. Others have also had this problem after upgrading to Lion; it fixed it for a lot of people.
  • Reply 19 of 65
    hudson1 Posts: 800 member
    I've been a Mac user for something like 24 years (Mac OS 6, I think) and have enjoyed my computer security far more than my Windows friends. This one makes me a little squeamish, though. For the longest time I've been touting Apple's OS implementations as much more inherently safe since they've done a better job walling off the OS from applications.



    So I guess it raises this question: Why is Java able to reach into the bowels of my computer for things I don't think it should be able to reach? Whether Java for OS X is a product of Apple or Oracle is mostly meaningless as it's pushed out to my computer by Apple.
  • Reply 20 of 65
    ghostface147 Posts: 1,629 member
    Quote:
    Originally Posted by mr O View Post


    I am having trouble watching some of the YouTube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.



    I am now watching youtube videos on Firefox. No problems there.



    Yes, I am using Apple's latest operating system and I am doing regular updates.



    Ummmm, ok. It must be that Word vulnerability messing you up.