New Targeted Mac OS X Trojan Requires No User Interaction

An anonymous reader writes "Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'"


  1. No user interaction by Anonymous Coward · · Score: 5, Funny

    So, what you're saying is, It Just Works?

    1. Re:No user interaction by buchner.johannes · · Score: 5, Insightful

      Isn't a Trojan that requires no user interaction by definition a Virus?

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:No user interaction by Mitchell314 · · Score: 5, Insightful

      Oh come on slashdot, I'm a mac fan and even I found this funny. No need to mod down.

      --
      I read TFA and all I got was this lousy cookie
    3. Re:No user interaction by Anonymous Coward · · Score: 5, Informative

      No, because you still have to navigate to a web site. It is a trojan because they need to entice you to do so.

    4. Re:No user interaction by ninetyninebottles · · Score: 5, Informative

      Isn't a Trojan that requires no user interaction by definition a Virus?

      Not really.

      Trojan - malware posing as legitimate software.

      Virus - malware that copies itself either replacing or attaching to legitimate software.

      Worm - malware that copies itself from system to system automatically without user interaction.

      This software seems to be automatically installed when the user follows a link in their Web browser, but there is no indication that it in any way sends more links to people. So this malware does not fit neatly into any of the common categories. "Virus" seems to be a catch all term these days so you might as well call it that.

    5. Re:No user interaction by Altieres+Rohr · · Score: 5, Informative

      The definition of worm is not "malware that copies itself from system to system automatically without user interaction". Worm is self-replicating code that uses a network, by some definitions, and, by others, a worm is any malware that spreads by itself but does not parasite legitimate software (thus why "USB worms").

      Although the Morris worm did not require user interaction, this is not true of all future malware that would be considered a worm. Malware that copies itself to network drives, P2P software shared folders, or attaches itself to or sends e-mail, IM or IRC messages are all worms.

      As for trojans, any malware that does not replicate is a trojan. Back in the day, and even today, the only way to convince a user to run such software is by advertising it as another piece of software - thus why the trojan horse definition. Exploit code changed that, but they're all still trojans, and most still fallback to advertising themselves as a Flash player plugin or video codec when the exploit doesn't work. In any case, this new malware doesn't replicate, so it is a trojan.

      There is no malware category to describe code that requires no user interaction to run. Exploits, worms and viruses and trojans all can do it, but that's not required by their definitions.

      Reference: http://www.f-secure.com/en/web/labs_global/threat-types

    6. Re:No user interaction by ninetyninebottles · · Score: 5, Informative

      The definition of worm is not "malware that copies itself from system to system automatically without user interaction". Worm is self-replicating code that uses a network, by some definitions, and, by others, a worm is any malware that spreads by itself but does not parasite legitimate software (thus why "USB worms").

      I worked in the security industry for many years and never heard anyone call something a "usb worm". If it is copying itself as the result of user interaction, we always called it a virus. If it spread on its own, it was a worm. The definition of "worm" you provide does not seem to differentiate itself from a virus in any way. Something that copies itself via shared disks is almost the classic poster child for a virus. The term originated talking about malware spread on floppies.

      Darn you kids and your newfangled definitions!

  2. Missing from summary by dr2chase · · Score: 5, Informative

    From TFA: "if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe" (for now).

    But it looks like the good times are over.

    1. Re:Missing from summary by slashmydots · · Score: 5, Insightful

      I didn't consider mac users lording their "super advanced security and magical virus immunity" as "good times." It's about time someone reminded them that Windows is far more secure, it's just targeted more. This is going to be the beginning of a long line of taking them down a notch.

    2. Re:Missing from summary by Anonymous Coward · · Score: 5, Informative

      Is that Java security hole that we heard about over the last weeks Mac-specific or cross-platform? Any reason to worry or to have our belief in Java security shattered? Or just a conspiracy of several factors in the Mac environment?

      The malware writers could in theory do the same thing to Linux distros. However the openjdk and java on Linux are essentially different in as much as the methods to run and install to a user home directory a downloaded .so the way this malware does cannot happen on Linux distros in as much as the user is the only one on Linux who can direct which binaries run from within a user profile at login.

      I know this is a mouthful for those who do not understand, but I would highly recommend looking into how exactly this malware works. Here is how the default set-up of OS X can be subverted to install a binary to a hidden user directory without user permission or knowledge. Then it downloads a binary which is really smart that will try to get user permission to install system wide, and if it does not receive this permission it just does it to the ill-informed Mac user without permission. With Linux the system would not allow a .so to be loaded to a user /home directory and then set it to run at login. This is the problem with Mac security; there is also a huge hole in the way binaries can run from within a /home at login without permission!

      Here is a run-down of how it works and why it will only work on Mac because its method of infection does not require user interaction to install the payload to a users home directory with Mac OS. However I have the feeling that this security nightmare will be addressed by the Apple coders simply by doing things the way most Linux distros do!

      From a CNET article:

      How does it work?

      The Flashback malware injects code into applications (specifically Web browsers) that will be executed when they run, and which then send screenshots and other personal information to remote servers.

      First step: Exploiting Java
      When you encounter the malicious Web page containing the malware and have an unpatched version of Java running on your system, it will first execute a small Java applet that when run will break the Java security and write a small installer program to the user's account. The program is named something like .jupdate, .mkeeper, .flserv, .null or .rserv, and the period in front of it makes it appear hidden in the default Finder view.

      In addition, the Java applet will write a launcher file named something like "com.java.update.plist", "com.adobe.reader.plist", "com.adobe.flp.plist" or even "null.plist" to the current user's ~/Library/LaunchAgents/ folder, which will continually launch the .jupdate program whenever the user is logged in.

      In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following: /Library/Little Snitch /Developer/Applications/Xcode.app/Contents/MacOS/Xcode /Applications/VirusBarrier X6.app /Applications/iAntiVirus/iAntiVirus.app /Applications/avast!.app /Applications/ClamXav.app /Applications/HTTPScoop.app /Applications/Packet Peeper.app

      If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

      Second step: Downloading the payload
      When the jupdate program executes, it will connect to a remote server and download a payload program that is the
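      A defender-side check for the persistence step in that CNET excerpt, added here as an example that is not code from the thread, from CNET, from F-Secure or from Apple: it walks a LaunchAgents directory and flags every entry whose program is a hidden dotfile, which is the ".jupdate"-style pattern the excerpt describes. The plist values are pulled out with sed rather than plutil so the script also runs on Linux; the user name "example", the benign "com.example.updater" entry and the temporary directory are assumptions constructed for the sample, while the ".jupdate", ".null", "com.java.update" and "null" names are the ones the excerpt reports.

```shell
#!/bin/sh
# Added example for the CNET walk-through above. It is not code from the
# thread, from CNET, from F-Secure or from Apple. It lists LaunchAgents
# entries whose program is a hidden dotfile (the ".jupdate"-style
# persistence pattern described above), using only POSIX tools (no plutil)
# so that it also runs on Linux against constructed sample files.

# first_string FILE KEY: print the first <string> value that follows
# <key>KEY</key>, looking through an optional <array> (ProgramArguments).
# Prints nothing when the key is absent.
first_string() {
    tr -d '\n\r' < "$1" | sed -n \
        "s/.*<key>$2<\/key>[[:space:]]*\(<array>[[:space:]]*\)\{0,1\}<string>\([^<]*\)<\/string>.*/\2/p"
}

# scan_launch_agents DIR: print "LABEL<TAB>PROGRAM" for every .plist in DIR
# whose program (Program, or the first ProgramArguments entry) is a hidden
# file, i.e. its basename starts with a period.
scan_launch_agents() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        prog=$(first_string "$f" 'ProgramArguments')
        [ -n "$prog" ] || prog=$(first_string "$f" 'Program')
        [ -n "$prog" ] || continue
        case "$(basename "$prog")" in
            .*) printf '%s\t%s\n' "$(first_string "$f" 'Label')" "$prog" ;;
        esac
    done
}

# make_sample_agents DIR: write constructed sample plists. The labels and
# the ".jupdate"/".null" file names are the ones CNET reports; the user
# name "example" and the benign updater entry are invented for this example.
make_sample_agents() {
    mkdir -p "$1"
    cat > "$1/com.java.update.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.java.update</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/example/.jupdate</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
    cat > "$1/null.plist" <<'EOF'
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>null</string>
  <key>Program</key>
  <string>/Users/example/.null</string>
</dict>
</plist>
EOF
    cat > "$1/com.example.updater.plist" <<'EOF'
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
</dict>
</plist>
EOF
}

# Stand-alone demo against a constructed directory. On a real Mac you would
# point scan_launch_agents at "$HOME/Library/LaunchAgents" instead.
demo_dir="${TMPDIR:-/tmp}/launchagents-demo.$$"
make_sample_agents "$demo_dir"
scan_launch_agents "$demo_dir"
rm -rf "$demo_dir"
```

      A hit only tells you that an agent launches a dotfile from the home directory, which is unusual for legitimate software but not proof of infection; the matching plist and the file it points to are what you would then inspect or hash. Checking the program path rather than the plist name is deliberate, since the excerpt shows the same payload being registered under several different plist names.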

    3. Re:Missing from summary by Centurix · · Score: 5, Funny

      Two ints and a float are in a bar. They spot an attractive double on her own.
      The first int walks up to her. “Hey, baby”, he says, “my VM or yours”. She slaps him and he walks back dejected.
      The second int walks over. “Hey, cute-stuff, can I lick your Bean?”. After a quick slapping, he too walks back.
      The float then ambles over casually. “Were those two primitive types bothering you?”, he remarks.
      “Yes. I’m so glad you’re here”, she says. “They just had no Class!”

      Borrowed from somewhere else...

      --
      Task Mangler
    4. Re:Missing from summary by thestuckmud · · Score: 5, Funny

      I think about Apple's insane control issues every time I have to re-install OS X (which I did once for testing purposes). My outrage at not being required to type long registration codes and then have the OS phone home for validation is unspeakable.

    5. Re:Missing from summary by bryan1945 · · Score: 5, Funny

      I look down, and realize my dong is long enough not to care about anyone else's insecurities.

      --
      Vote monkeys into Congress. They are cheaper and more trustworthy.
  3. Apple Culture by ninetyninebottles · · Score: 5, Interesting

    I hope the recent rash of Malware for the Mac will serve to change the culture of security at Apple. They have a lot of really good technology in that regard and many very good coders who work with security as a priority (they have a lot of oldschool UNIX guys these days). The problem is, it is not a priority for Apple or part of their culture. Some Apple software ships with what looks like no security review at all and no real consideration, while other software clearly was architected with that as a design goal.

    They have some very nice sandboxing, but they don't apply it very widely within OS X, even when there is no pain to the user or developer. It is like they just don't want to spend money and resources on that sort of hardening. You send a security hole to Apple and sometimes you hear back the next day and it is fixed in short order. Other times you hear nothing or malware is known and spreading for weeks before Apple bothers to issue a filtering signature.

    Hey Apple! Wake up and smell the coffee. Dump some of your cash reserves into expanding work in security and having some experts paying attention and getting things done. "Think Different" about security and listen to the people you already have that have created groundbreaking security systems elsewhere.

  4. Re:Contradiction by ninetyninebottles · · Score: 5, Informative

    This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

    Doesn't that seem to come off as a slightly counter-intuitive statement? Is it unreasonable to come away from this article asking yourself "Why buy anti-virus when the malware just avoids it anyway?"

    It is trying to hide its similarity to other malware so that a new signature is needed to detect this specific variant. So while anti-virus programs may not detect this now, within a few days they probably will, at least until there is yet another variant. Apple is, of course, including their own signatures right in the OS so that makes antivirus less attractive as well, although Apple's response time has been hit and miss.

  5. Rubbish names. by mr_lizard13 · · Score: 5, Funny

    Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'

    Those names are very un-Apple. How about just 'iTrojan'.

    Or, to avoid confusion with the previous trojan...

    'The New iTrojan.'

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
  6. Just be sure not to panic & delete the wrong f by Kenja · · Score: 5, Informative

    You are looking for com.apple.PubSabAgent.pfile & com.apple.PubSabAGent.plist and NOT com.PubSubAgent.plist or com.PubSubAgent.pfile.

    --
    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  7. Fix Available by Frankie70 · · Score: 5, Funny

    Fix available here.

    1. Re:Fix Available by Anonymous Coward · · Score: 5, Insightful

      pfft, out of the frying pan, into the blazing inferno of thrown chairs.

      Better fix here.

    2. Re:Fix Available by Anonymous Coward · · Score: 5, Funny

      Good point, a Mac user is already used to not being able to use any of the software his friends do.