Sabpab malware mimics Flashback
Published April 13th, 2012 at 9:10 PM EST , modified April 13th, 2012 at 9:19 PM EST
Sophos announced the discovery of more new malware for the Mac today. Called Sabpab, it uses the same Java vulnerability as Flashback to install itself as a “drive-by download.” Users of older versions of Java now have still more malware to worry about. If you are using Mac OS X 10.6, or if you have Mac OS X 10.7 and have installed Java, you should immediately install the latest Java update. It will be available in Software Update if your machine needs it.
Sabpab, according to Sophos, installs a backdoor that allows the hackers to capture screen snapshots, upload or download files and execute commands on infected Macs remotely. That is obviously a significant concern, especially since the malware can sneak in unannounced. Worse, existing tools made for combating Flashback do not have any effect on this malware, since it works a little differently. It apparently installs two files:
(The ‘~’ in those paths represents your user folder.) Although one variant of Flashback installed a file in the LaunchAgents folder, not all tools for detecting Flashback do anything with that folder.
To check for and remove these files, simply look in those folders. Unlike with Flashback, none of these files are invisible, so they should be easy to find. (The exception is the Library folder, which is invisible by default in Lion. To access your user Library folder, hold down the option key while clicking the Go menu in the Finder, and while still holding down the option key, choose Library.)
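As an added example (not from Sophos or from the original post), here is a Python script that inventories a user's LaunchAgents folder with the standard library's plistlib, reports what each job launches, and flags any job whose program lives inside the user's own ~/Library, since that is where a manual check like the one above would otherwise have to look file by file. The flagging rules and the assumed folder layout are my own assumptions, not a detection signature for Sabpab.

```python
import plistlib
from pathlib import Path

# Assumption: a legitimate user launch agent points at a program under
# /Applications, /usr, /Library or similar. One that runs something stored
# inside the user's own ~/Library (e.g. a Preferences subfolder) deserves a look.

def agent_program(plist):
    """Return the executable a launchd job runs, whichever key it uses."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    return args[0] if args else None


def inventory_launch_agents(agents_dir, home):
    """Parse every .plist in agents_dir and flag jobs that look out of place."""
    agents_dir, home = Path(agents_dir), Path(home)
    user_library = str(home / "Library") + "/"
    findings = []
    for path in sorted(agents_dir.glob("*.plist")):
        try:
            with path.open("rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # a plist that will not parse is itself notable
            findings.append({"file": path.name, "label": None, "program": None,
                             "flagged": True, "reason": f"unparseable: {exc}"})
            continue
        program = agent_program(plist)
        expanded = program.replace("~", str(home), 1) if program else ""
        if program is None:
            reason = "no Program or ProgramArguments key"
        elif not expanded.startswith("/"):
            reason = "relative program path"
        elif expanded.startswith(user_library):
            reason = "program lives inside ~/Library"
        else:
            reason = None
        findings.append({"file": path.name, "label": plist.get("Label"),
                         "program": program, "flagged": reason is not None,
                         "reason": reason})
    return findings


if __name__ == "__main__":
    home = Path.home()
    for f in inventory_launch_agents(home / "Library" / "LaunchAgents", home):
        marker = "!!" if f["flagged"] else "  "
        print(f"{marker} {f['file']}: {f['program']} ({f['reason'] or 'ok'})")
```

A flagged entry is a prompt to inspect the file and the program it points at, not proof of infection; unparseable or relative-path jobs are reported for the same reason.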
Of course, these details may change in a future variant of Sabpab. It is critical to update Java ASAP and close the holes that the malware can sneak in through!
Sophos Anti-Virus for Mac Home Edition can, of course, already recognize this malware, if properly updated.