A new version of the Mac OS X Sabpab Trojan horse has come to light, and rather than relying upon a Java vulnerability – it appears to be exploiting malformed Word documents instead. If you open the boobytrapped Word document on a vulnerable Mac, a version of the OSX/Sabpab Trojan horse gets installed on your computer, opening a backdoor for remote hackers to steal information or install further code. As a decoy, a Word document is dumped onto your drive and displayed – effectively acting as camouflage for the Trojan’s true intentions:
Mac users may be caught out by the attack, as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac. This technique of infecting Mac users is not new. At the end of last month, warnings were issued about a new Mac malware attack that embedded itself inside boobytrapped Word documents. Those attacks exploited a known security vulnerability (MS09-027) in Word, which allows hackers to remotely execute code on your computer without your knowledge.
Now the same technique is being used by cybercriminals to spread OSX/Sabpab. In both incidents, the Word document displayed appears to relate to Tibet. Unlike the earlier sightings of Sabpab, there is nothing about this attack which relates to the Java vulnerability exploited by the Flashback botnet. So, any Mac users who believe that they have protected themselves because they don’t use Java probably need to realize that this is not an effective defense.
And although there’s no reason to believe that this attack is widespread, it’s clearly time for some people to wake up to the reality of Mac malware. Mac users – please get an anti-virus, for goodness’ sake. If you don’t want to pay for one, there is free anti-virus for Mac home users available for download. Of course, it would also be sensible to update your installation of Microsoft Word – as a patch has been available for the vulnerability being exploited here since 2009. You can find out more about the threat in Costin Raiu’s post on the Kaspersky blog.