Yet another piece of malware has been found exploiting the CVE-2012-0507 Java vulnerability via a drive-by download. SabPab is a backdoor that tries to connect to remote command-and-control servers, presumably to harvest information from infected Macs. It installs a launch agent in the user's ~/Library/LaunchAgents folder, so no administrator password is needed, and places its code in the user's ~/Library/Preferences folder as com.apple.PubSabAgent.pfile (note the Apple-looking com.apple. prefix, chosen to blend in with legitimate preference files).
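As an added illustration (this is not Intego's code or a tool from the post), the following POSIX shell script checks a home directory for the two artifacts described above and quarantines them rather than deleting them, so the samples survive for analysis. The post does not give the name of the LaunchAgent plist, so the script matches any agent plist that references the PubSabAgent payload; that matching rule, the fixture it builds, and the `--demo` mode are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Intego's tool): detect and quarantine the two SabPab
# artifacts the post names, both inside the user's home directory, which is
# why the backdoor can install without an administrator password:
#   ~/Library/LaunchAgents/<name>.plist                  (persistence; name not given)
#   ~/Library/Preferences/com.apple.PubSabAgent.pfile    (the backdoor code)
# Assumption: the LaunchAgent plist references the .pfile path or label, so we
# match the string "PubSabAgent" in every agent plist instead of guessing a
# file name. grep -q also works on binary plists because it compares bytes.

PFILE_REL="Library/Preferences/com.apple.PubSabAgent.pfile"
AGENTS_REL="Library/LaunchAgents"

# sabpab_check HOME_DIR: print each indicator found; return 0 if clean, 1 if not.
sabpab_check() {
    home="${1:-$HOME}"
    found=0
    if [ -f "$home/$PFILE_REL" ]; then
        echo "FOUND payload: $home/$PFILE_REL"
        found=1
    fi
    for plist in "$home/$AGENTS_REL"/*.plist; do
        [ -f "$plist" ] || continue          # no plists: the glob stays literal
        if grep -q 'PubSabAgent' "$plist" 2>/dev/null; then
            echo "FOUND launch agent: $plist"
            found=1
        fi
    done
    return "$found"
}

# sabpab_quarantine HOME_DIR QDIR: stop the agent and move both artifacts into
# QDIR. Moving rather than deleting keeps the samples for later analysis.
sabpab_quarantine() {
    home="${1:-$HOME}"
    qdir="$2"
    mkdir -p "$qdir"
    for plist in "$home/$AGENTS_REL"/*.plist; do
        [ -f "$plist" ] || continue
        grep -q 'PubSabAgent' "$plist" 2>/dev/null || continue
        if command -v launchctl >/dev/null 2>&1; then
            launchctl unload "$plist" 2>/dev/null || true   # not loaded is fine
        fi
        mv "$plist" "$qdir/"
    done
    if [ -f "$home/$PFILE_REL" ]; then
        mv "$home/$PFILE_REL" "$qdir/"
    fi
}

# sabpab_make_fixture DIR: build a constructed, inert copy of the two artifacts
# under DIR so the check can be exercised without a real infection.
sabpab_make_fixture() {
    dir="$1"
    mkdir -p "$dir/$AGENTS_REL" "$dir/Library/Preferences"
    printf 'inert placeholder, not malware\n' > "$dir/$PFILE_REL"
    cat > "$dir/$AGENTS_REL/com.example.fixture.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.fixture</string>
  <key>ProgramArguments</key><array><string>$dir/$PFILE_REL</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

# Run directly: "sh sabpab.sh" scans $HOME and exits 1 if indicators are found;
# "sh sabpab.sh --demo" runs check and quarantine against the fixture.
case "${1:-}" in
    --demo)
        demo=$(mktemp -d)
        sabpab_make_fixture "$demo"
        sabpab_check "$demo" || sabpab_quarantine "$demo" "$demo/quarantine"
        echo "quarantined:"; ls "$demo/quarantine"
        rm -rf "$demo" ;;
    *)
        sabpab_check "${1:-$HOME}" ;;
esac
```

Because the artifacts live under ~/Library, the scan runs as the affected user with no elevation; run it once per local account, since each user's LaunchAgents folder is separate.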
Initially, the command-and-control server this malware tried to contact was offline, but Intego's malware researchers have found it to be reachable today. Intego has seen a few samples, but the malware does not yet appear to be widely distributed, and the risk is low.
It is worth noting that the Java vulnerability this malware uses was patched by Apple ten days ago (Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, released April 3, 2012). Mac users should make sure their Java is up to date. Keep in mind that the Java update only closes the entry point; it does not remove a backdoor that was installed before the patch was applied.
Intego’s Mac antivirus, VirusBarrier X6 with malware definitions dated April 12, 2012 or later, will detect and remove the SabPab backdoor.