April 16, 2012, 7:57 PM — More bad news today for Mac users and fanbois, many of whom appear to be trapped in a series of contradictory, self-limiting denials over the growing threat to Apple operating systems and devices from malware: The morning after Apple declared the malware threat over by issuing a patch to counter the botnet-building Flashback malware, a new bit of malice called SabPub began forcing its way into machines running OS X, using the same Java flaw blamed for the last wave of Mac malware.
On Saturday, researchers at Kaspersky Labs confirmed a new "custom OS X backdoor, which appears to have been designed for use in targeted attacks," according to Kaspersky's Costin Raiu.
The malware arrives in custom Java applets designed to conceal and install it; the applets themselves are camouflaged to evade detection by antivirus products.
In the instance identified Saturday the payload was named Backdoor.OSX.SabPub; the installer was a "pretty standard" Java exploit called Exploit.Java.CVE-2012-0507.bf, which was disguised using ZelixKlassMaster, "a flexible and quite powerful Java obfuscator," Raiu wrote.
Once it's installed, SabPub phones home to a command & control server known as "Luckycat" (PDF), which was used in earlier Mac attacks as well.
Where the attack comes from is still a mystery, though it may have arrived in emails containing URLs pointing to web sites hosting the exploit. SabPub's nature as a back door suggests it is designed to attack specific groups or individuals, rather than as a general-purpose threat, Raiu wrote.
SabPub uses the same vulnerability that the earlier Flashback used to build a botnet of 700,000 machines.
The update Apple issued to plug the hole contained code to remove the malware and to deactivate the Java Web Start plugin, "effectively disabling Java applets in browsers" on OS X machines, Raiu wrote.