by Andy Patrizio
If the illusion of superior Mac security wasn’t punctured by the Flashback virus last week, this new attack should do it. For the second time in as many weeks, Apple Macs are the target of a nasty virus that targets third-party software.
The one thing Apple has going for it is the problems are not in its operating system. Flashback exploited a hole in the Java runtime, and this new virus, called Backdoor.OSX.SabPub, or SabPub for short, comes in two flavors: one targeting Java and another targeting Microsoft Office.
According to a blog post by Costin Raiu of security firm Kaspersky, SabPub first manifested in February via phishing e-mail spam. Once a computer is infected, the virus begins spreading via Microsoft Office documents. SabPub uses the same Java exploit Flashback does to avoid detection by anti-virus software.
Raiu said he suspects that SabPub was probably written by the authors of the LuckyCat virus, which has been traced back to China and has targeted supporters of Tibet. The Office version of SabPub delivers its payloads with Microsoft Word documents which exploit the vulnerability MSWord.CVE-2009-00563.a and the filename “10thMarch Statemnet” (sic). March 10, 2011 refers to the day the Dalai Lama delivered his annual speech observing the Tibetan Uprising of 1959.
A second version of SabPub exploits the same drive-by Java vulnerability seen in Flashback. In his own blog update, Sophos’s Graham Cluley says SabPub drops two files on a user’s system, so look for them to see if you are infected:
This is not the first malware to target Tibetan sympathizers. In late March, vendors discovered an OS X Trojan called Tibet.C that exploited Microsoft Word to spy on the computers of Tibetan sympathizers.
The fix for the Flashback virus won’t work with SabPub, according to Roel Schouwenberg, senior researcher at Kaspersky. If you want to patch the Java vulnerability, you need to install the Java security update from Oracle or get rid of Java altogether, he suggested. “Then you are no longer vulnerable to all those Java drive-bys,” he said.
Apple came up with a unique twist on the Flashback fix. If you don’t use Java for more than one month, the update turns Java off, so you don’t get dinged by these drive-by viruses.
Schouwenberg said it’s time Mac users got serious about security and stopped acting like they were immune. “I think the major takeaway isn’t necessarily SabPub by itself but the fact that we now have concrete evidence that these attacks are taking place on OS X as well. It shows OS X is a major player for malware guys,” he said.
Schouwenberg added that only a small percentage of Mac users run security software, around 10 to 20 percent, even though all of the major antimalware vendors offer Mac products. Because so few Mac users run security software, it’s impossible to get proper metrics in the field, he added. “To this day, only the ‘paranoid’ Mac users are using security software. That’s a major reason why the sheer size of Flashback came as a surprise,” he said.
“We have something of a perfect storm happening here, where a lot of tech-savvy people tired of dealing with infected Windows computers just said get a Mac and be done with it, you don’t have to care about security. So now we have this giant pool of people with very little to no security education. I think it’s becoming clear that pool is a very attractive target,” Schouwenberg added.