Another dangerous piece of Mac OS X malware has appeared, and it has already changed its method of attack.
The new malware, a botnet Trojan called "SabPub" or "SabPab," has links to the Chinese "Luckycat" attacks that were discovered last month targeting Tibetan and Japanese PC and Mac users.
When SabPab was first spotted Friday (April 13), it exploited the same Java vulnerability that the unrelated Flashback Trojan had used to build up a botnet that in early April totaled 600,000 infected Macs.
Yesterday (April 15), researchers at Kaspersky Lab in Moscow cross-checked the database at the global malware repository VirusTotal and found that an earlier version of SabPab, unnamed and unidentified, had been added on Feb. 25.
There was one crucial difference: The February version of SabPab had a different way into Macs. It exploited the same 2009 flaw in the Mac version of Microsoft Office Word that Luckycat had exploited. (Other versions of Luckycat exploited a 2011 Java flaw on Macs.)
In fact, both versions of SabPab used the same command-and-control server as did Luckycat, further connecting the two malware families.
As is the case with Flashback, the Mac user is neither notified nor prompted for an administrative password when SabPab installs itself. Fully patched later-model Macs should be safe from either version. (Users of PowerPC Macs should disable Java.)
Last month, the New York Times, using information supplied by the security firm Trend Micro, connected Luckycat to a single Chinese computer scientist, who refused to comment when contacted by the newspaper. (The Chinese government is believed to be outsourcing much of its cyberespionage dirty work to patriotic freelancers.)
Does this mean that all Mac users are under attack from the Chinese government? Not really. The Luckycat attacks had specific targets, and it is assumed SabPab will as well.
In late March, the controllers of SabPab, like the controllers of Flashback, probably just saw an opportunity to attack Macs using the then-unpatched Java flaw.
What SabPab does confirm, however, is that hackers working for the Chinese government have added Mac malware to their arsenal. They will probably use it to attack Macs again.
If you use a Mac at the office and you work for a Western or Asian organization or corporation whose business might be of interest to Beijing — defense, Tibet, Taiwan, security, financial policy, software, diplomacy, political campaigns, technology, industrial infrastructure, Internet communications — please contact your IT personnel today and ask them to install anti-virus software on your Mac.