New Mac malware gets newer; now available from Word docs as well as Java

Mac malware gets faster upgrades than applications for the Mac ever did

The irony may only annoy Mac users already angry about the sudden proliferation of malware for their machines, but the two most recently discovered Trojan Horses for OS X are getting exactly what Mac users demanded of the computer industry for years: revisions delivered quickly enough that the Mac version of an application isn't always a generation behind the Windows version.

The SabPub Trojan horse discovered Saturday by Kaspersky Labs has already gotten a makeover that allows it to infect Macs using boobytrapped Word documents, according to Sophos' NakedSecurity newsletter.

The Microsoft Word exploit is a new delivery method for SabPab, which had relied on the same drive-by Java flaw used by the Flashback Trojan to build a botnet army of as many as 700,000 machines.

Apple issued a patch for that particular flaw in its Java implementation on April 13.

The patch removes the Flashback virus and shuts off Java in browsers running on OS X, which should stymie the earlier version of both Trojans but does nothing about the flaw SabPab exploits in Word.

Unlike the original SabPub, the renamed SabPab does require some interaction from users to launch itself, though they only have to open the Word document, not give specific permission for the code to run.

SabPab exploits the same security flaw in Microsoft Word as the remote-access Trojan discovered by AlienVault late last month, which also plants a decoy Word document on the victim's hard drive while launching the malware payload in the background.

Both exploit a known flaw in Word that allows unauthorized code from another source to run without the user's knowledge or permission.

Microsoft issued a security bulletin about the flaw, acknowledged that it could allow remote code execution and issued patches for MS Office 2004 for the Mac, MS Office 2008 for Mac and the Open XML File Format Converter for Mac.

Microsoft released those patches on June 9, 2009.

See my note from yesterday about the increased risk Mac users put themselves under by not regularly installing patches that would close security holes malware writers are eager to exploit.

Plenty of Windows users fail to install updates or take common security precautions, of course.

In the Mac community, however, the relative dearth of malware, the sense of complacency fostered by Apple itself and the willingness of users to believe in the inherent superiority of their Macs has allowed Mac users to ignore security precautions that have become routine in other parts of the computer world.

Whoever is driving the SabPab invasion was admirably quick in shifting from the patched Java exploit to one relying on Word once Apple issued its patch.

Unfortunately, by expanding their list of exploits to use one fixed by Microsoft three years ago, they demonstrated a cynically accurate understanding of the level of complacency of Mac users, and the likelihood that even an exploit that should be obsolete and irrelevant can still find enough unprepared targets to make writing an update worthwhile.

Here's the more specific data on the new version of SabPab, from Sophos:

You can check whether your Microsoft Office for Mac is patched by choosing the "Check for updates" option in the Help menu of any of the programs in the Office suite.

Malware seen in the wild that is known to have been distributed by Word files of this sort includes OSX/Bckdr-RLG and OSX/Sabpab-A.

    Examples of Troj/DocOSXDr-A include:

    Example 1

    • Size: 156K
    • SHA-1: 445959611bc2480357057664bb597c803a349386
    • MD5: f4cbfe4f2ddf3f599984cf6d01c1b781
    • CRC-32: 4e76f78f
    • File type: application/octet-stream
    • First seen: 2012-03-28

    Example 2

    • Size: 93K
    • SHA-1: 2f0ec568ce1623e3b9fe9381876f95e7b2bc1771
    • MD5: a9ee45670c36f42a7d86de19b2242a42
    • CRC-32: 153a2f55
    • File type: application/octet-stream
    • First seen: 2012-03-28

    Example 3
    • Size: 93K
    • SHA-1: 54f74e061d8f255e5b6a929676b6622d79bbf769
    • MD5: 0e442e51e93ec1e80982ceaac06d838f
    • CRC-32: f28c8048
    • File type: application/octet-stream
    • First seen: 2012-03-28
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies