New variants of the SabPab backdoor that we recently wrote about have been found using Word documents to deliver the same payload as the first variant. This variant uses the same technique to install files on Macs as the Tibet.C malware that we discussed in March.
These two types of malware use Word documents in an interesting way. Each file has three parts: the first part is the exploit that takes advantage of a Word vulnerability. The second part is the malware that is then installed on Macs. And the third part is an actual Word document that displays when a users double-clicks the file. The samples Intego found display a document in Tibetan:
These Word documents exploit a Word vulnerability that was corrected in June, 2009, but also take advantage of the fact that many users don't update such software. Word 2004 and 2008 are vulnerable, but the latest version, Word 2011 is not. Also, this vulnerability only works with .doc files, and not the newer .docx format.
In our article on the Tibet.C malware, we said, "it is worth pointing out that the code in these Word documents is not encrypted, so any malware writer who gets copies of them may be able to alter the code and distribute their own versions of these documents." This is exactly what has happened. In fact, Intego has found samples of the first part of this file; in other words, anyone wishing to create their own poisoned Word files can do so by taking that first part, concatenating it with the other two parts, and distributing it.
While we have found samples of this new variant of SabPab, it's not clear if these are widely distributed. Generally, malware of this type is distributed by e-mail, by spamming large numbers of users. Because of that, it's hard to track down exactly where it comes from. For now, however, the risk is low.
Intego's Mac antivirus, VirusBarrier X6 with malware definitions dated April 12, 2012 or later, will detect and remove the SabPab backdoor, and other malware using the same technique in Word documents.