The Safe Mac



Sabpab malware mimics Flashback

Posted on April 13th, 2012 at 9:10 PM EDT

Sophos announced the discovery of more new malware for the Mac today.  Called Sabpab, it uses the same Java vulnerability as Flashback to install itself as a “drive-by download.”  Users of older versions of Java now have still more malware to worry about.  If you are using Mac OS X 10.6, or if you have Mac OS X 10.7 and have installed Java, you should immediately install the latest Java update.  It will be available in Software Update if your machine needs it.

Sabpab, according to Sophos, installs a backdoor that allows the hackers to capture screen snapshots, upload or download files and execute commands on infected Macs remotely.  That is obviously a significant concern, especially since the malware can sneak in unannounced.  Worse, existing tools made for combating Flashback may not have any effect on this malware, since it works a little differently.  It apparently installs two files:

~/Library/Preferences/com.apple.PubSabAgent.pfile
~/Library/LaunchAgents/com.apple.PubSabAGent.plist

(The ‘~’ in those paths represents your user folder.)  Although one variant of Flashback installed a file in the LaunchAgents folder, not all tools for detecting Flashback do anything with that folder.

To check for and remove these files, simply look in those folders.  Unlike with Flashback, none of these files are invisible, so they should be easy to find.  (The exception is the Library folder, which is invisible by default in Lion.  To access your user Library folder, hold down the option key while clicking the Go menu in the Finder, and while still holding down the option key, choose Library.)
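If you would rather do the same check from a Terminal window (where the hidden Library folder is no obstacle), the following POSIX shell script is an added example, not part of the original post and not a Sophos tool.  It looks only for the two paths listed above, quarantines rather than deletes whatever it finds so the files can still be examined, and, as a heuristic that goes beyond the post, also lists any com.apple.*.plist in the user's LaunchAgents folder, since Apple's own launch agents live in /System/Library/LaunchAgents rather than in a user folder.  The function names, the quarantine folder name and the --remove flag are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check one user folder for the
# two Sabpab indicator files named above, quarantine them on request, and
# list com.apple.*.plist files in ~/Library/LaunchAgents (a heuristic:
# Apple's own launch agents live in /System/Library/LaunchAgents).
# The function names, quarantine folder and --remove flag are assumptions.

# Paths relative to the user's home folder, as listed in the post.
SABPAB_INDICATORS="Library/Preferences/com.apple.PubSabAgent.pfile
Library/LaunchAgents/com.apple.PubSabAGent.plist"

# find_sabpab_files HOME_DIR
# Prints each indicator path present under HOME_DIR, one per line.
# Returns 0 if at least one was found, 1 otherwise.
find_sabpab_files() {
    home="$1"
    found=1
    for rel in $SABPAB_INDICATORS; do
        if [ -e "$home/$rel" ]; then
            printf '%s\n' "$home/$rel"
            found=0
        fi
    done
    return $found
}

# remove_sabpab_files HOME_DIR
# Unloads the LaunchAgent first (when launchctl exists, i.e. on a Mac) and
# moves each indicator file into HOME_DIR/sabpab-quarantine instead of
# deleting it. Prints the quarantine folder; returns 0 if anything was
# moved, 1 if nothing was found.
remove_sabpab_files() {
    home="$1"
    quarantine="$home/sabpab-quarantine"
    moved=1
    for rel in $SABPAB_INDICATORS; do
        f="$home/$rel"
        [ -e "$f" ] || continue
        case "$rel" in
            */LaunchAgents/*.plist)
                if command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$f" 2>/dev/null || true
                fi ;;
        esac
        mkdir -p "$quarantine"
        mv "$f" "$quarantine/"
        moved=0
    done
    if [ "$moved" -eq 0 ]; then
        printf '%s\n' "$quarantine"
    fi
    return $moved
}

# list_apple_named_user_agents HOME_DIR
# Heuristic beyond the post: prints any com.apple.*.plist found in the
# user's LaunchAgents folder. Returns 0 if any were listed, 1 otherwise.
list_apple_named_user_agents() {
    dir="$1/Library/LaunchAgents"
    [ -d "$dir" ] || return 1
    n=0
    for f in "$dir"/com.apple.*.plist; do
        [ -e "$f" ] || continue   # the glob matched nothing
        printf '%s\n' "$f"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Usage: sh sabpab-check.sh           (report only, current user's home)
#        sh sabpab-check.sh --remove  (quarantine whatever is found)
if [ "${1:-}" = "--remove" ]; then
    remove_sabpab_files "$HOME" || echo "No Sabpab indicator files under $HOME"
else
    find_sabpab_files "$HOME" || echo "No Sabpab indicator files under $HOME"
    list_apple_named_user_agents "$HOME" || echo "No com.apple.*.plist in $HOME/Library/LaunchAgents"
fi
```

A clean result from this script is not proof of a clean machine: it matches only the file names reported for this variant, so a renamed file or a later variant would slip past it, which is why the Java update matters more than any file-name check.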

Of course, these details may change in a future variant of Sabpab.  It is critical to update Java ASAP and close the holes that the malware can sneak in through!

Sophos Anti-Virus for Mac Home Edition can, of course, already recognize this malware, if properly updated.



9 Comments

  • Philippe says:

    Thanks for your post, Thomas!

    I wonder why Sophos and others call it a “Trojan”! Any idea?

    • Thomas says:

      There is some debate on this. Malware like Sabpab and Flashback can self-install, but that is only one of the characteristics of a virus. Viruses can also self-replicate and may attach themselves to other files, though I do not find those to be critical aspects of a virus. Self-installation should be the primary factor in identifying something as a virus, in my opinion. But others have different opinions.

      One thing is certain, though… this is not a trojan! A trojan is something that tricks the user into manually installing the malware. (That’s why it’s called a trojan, after the famous Trojan horse, which the people of Troy were tricked into voluntarily bringing into the city.) A drive-by download that the user doesn’t even know got installed cannot be argued to be a trojan. What it really is is a matter of interpretation, though, and many Mac users have a knee-jerk reaction that any anti-virus company calling malware a “virus” is lying through their teeth to try to scare people into buying anti-virus software. So maybe they’re just trying to avoid such accusations and get down to the business of solving the problem at hand.

      All this is why I prefer the simpler, all-encompassing term “malware.”

  • Philippe says:

    Yes, I totally agree.

    That version of Sabpab may be called a trojan, though…
    http://nakedsecurity.sophos.com/2012/04/16/sabpab-trojan-mac-word/

    • Thomas says:

      That’s another gray area. You could call it a trojan, since the user is tricked into opening it via a Word file. But opening a word processing file should never execute third-party code! One could argue that, since that happens, this is closer to a virus. It’s messy. I’d say, worry more about what a particular bit of malware is capable of, and less about what it should be classified as, and things will be simpler. :)

  • Philippe says:

    Don’t worry: I do worry more about risk vs. denomination :). I’m just sometimes “slightly annoyed” that a cat is called a dog. But I calm down pretty fast ;).

  • sarah says:

    My mac was corrupted with this trojan or whatever you call it :) I only found one file, though, should I be worried? Is all OK if I don’t have any more problems?

  • sarah says:

    Sabpab I believe. I found one file that you listed above in the library/preferences folder, but there are no files in my LaunchAgents folder. When I removed the one folder my computer was fine for a while, but just started having issues again tonight – my computer shut down randomly and when I turned it back on and logged in, dialog boxes that said “do you want to receive an incoming connection from ______” popped up briefly and disappeared before I could select “deny” or write down the connection name. Firefox is really struggling to connect to the internet and I am being re-directed to sites blocked by my firewall when I try to go anywhere – to my email, fb, etc. Safari isn’t doing much better. :(
    I checked my library/preferences folder and found this file –
    ~/Library/Preferences/com.apple.PubSubAgent.plist
    I’m thinking this is sabpab again? The real PubSub has its own folder, correct? Again, I didn’t find anything (no files at all) in the LaunchAgents folder. Should I download Sophos? Would this take care of it? Your help is greatly appreciated!

  • sarah says:

    BTW, I think that I picked up the sabpab thing from netflix online video streaming.


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.