Following the outbreak of the Flashback Mac Trojan, security researchers have spotted two more cases of Mac OS X malware. The good news is most users have little reason to worry about them. Both cases are variants on the same Trojan, called SabPub, Kaspersky Lab Expert Costin Raiu wrote on Securelist.
The first variant is known as Backdoor.OSX.SabPub.a. Like Flashback, this new threat was likely spread through Java exploits on Web sites, and allows for remote control of affected systems. It was created roughly one month ago.
Fortunately, this malware isn’t a threat to most users for a few reasons: It may have only been used in targeted attacks, Raiu wrote, with links to malicious Web sites sent via e-mail, and the domain used to fetch instructions for infected Macs has since been shut down.
Furthermore, Apple’s security update for Flashback helps render future Java-based attacks harmless. In addition to removing the Flashback malware, the update automatically deactivates the Java browser plug-in and Java Web Start if they remain unused for 35 days. Users must then manually re-enable Java when they encounter applets on a Web page or a Web Start application.
The second SabPub variant is old-school compared to its sibling. Instead of attacking through malicious Web sites, it uses infected Microsoft Word documents as a vector, distributed by e-mail.
Like the other SabPub variant, this one was used only in targeted attacks, possibly against Tibetan activists. So unless you’re working with a pro-Tibet organization–and you have a habit of opening suspicious Word documents–there’s little reason for alarm. At most, SabPub is more evidence that Macs aren’t immune to attacks–a point that Flashback already made perfectly clear.
Apple’s new standalone fix
If you’re still stressed about the Flashback Trojan horse, take comfort in the fact that late Friday, Apple released the creatively-named Flashback Malware Removal Tool, which the company says “removes the most common variants of the Flashback malware.”
This is not the same as the Java update that Apple released earlier last week, which also removes Flashback.
The standalone removal tool is geared towards those Lion users who haven’t installed Java. Although the most recent variants of the Flashback malware exploited Java vulnerabilities, earlier variants used other attack vectors, such as masquerading as an installer for Adobe Flash; hence the need for this non-Java based utility.
Apple notes that, in certain cases, the removal tool will need to restart your Mac to complete the malware removal process.