
SabPab Backdoor Exploits Java Vulnerability

Posted on April 16th, 2012 by

Yet another piece of malware has been found to exploit the CVE-2012-0507 Java vulnerability via a drive-by download. SabPab is a backdoor that seeks to connect to remote command-and-control servers, presumably to harvest information from infected Macs. This malware installs its launch agent in the user’s own ~/Library/LaunchAgents folder rather than a system-wide location, so no administrator password is needed: it runs with the privileges of the logged-in user. It places its code in the user’s ~/Library/Preferences folder, as the file com.apple.PubSabAgent.pfile.

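Because the persistence mechanism described above needs no administrator password, a user-level check is enough to look for it. The script below is an added example written for this page, not Intego's detection logic and not derived from the actual SabPab plist (which the post does not show): it parses every plist in a per-user LaunchAgents folder and flags two things the post's description implies are suspicious. First, a label in Apple's reserved com.apple.* namespace living in ~/Library/LaunchAgents (Apple's own agents ship in /System/Library/LaunchAgents, not in a user's home). Second, a program path pointing under ~/Library/Preferences, which should hold settings, not executables. The sample plists are constructed for the demo, and the label "com.apple.PubSabAgent" is an assumption modelled on the pfile name.

```python
"""Scan a user's LaunchAgents folder for persistence entries that match the
pattern described in the post (user-level agent, payload hidden in Preferences).

Added example; heuristics only, meant to produce leads for a human to check.
"""
import os
import plistlib
import tempfile

APPLE_NAMESPACE = "com.apple."   # reserved for Apple; not expected under ~/Library/LaunchAgents


def program_path(plist):
    """launchd accepts either a single Program string or ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def check_agent(plist, home):
    """Return a list of human-readable findings for one parsed launch agent."""
    findings = []
    label = plist.get("Label", "")
    if label.startswith(APPLE_NAMESPACE):
        findings.append("Apple-namespace label in a user LaunchAgents folder: %s" % label)

    prog = program_path(plist)
    if prog:
        prefs_dir = os.path.join(home, "Library", "Preferences")
        # normalise so "..", trailing slashes and the like cannot dodge the prefix test
        if os.path.normpath(prog).startswith(prefs_dir + os.sep):
            findings.append("program lives under ~/Library/Preferences: %s" % prog)
    return findings


def scan_launch_agents(agents_dir, home):
    """Parse every .plist in agents_dir; map file name -> findings (only flagged files)."""
    results = {}
    if not os.path.isdir(agents_dir):
        return results
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)      # handles both XML and binary plists
        except Exception as exc:               # a plist launchd cannot read is itself worth a look
            results[name] = ["unparseable plist: %s" % exc]
            continue
        findings = check_agent(plist, home)
        if findings:
            results[name] = findings
    return results


def demo():
    """Build a throwaway home directory with constructed plists and scan it."""
    home = tempfile.mkdtemp(prefix="launchagent-demo-")
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents_dir)
    payload = os.path.join(home, "Library", "Preferences", "com.apple.PubSabAgent.pfile")
    samples = {
        # constructed to match the post's description; the real SabPab plist is not shown there
        "com.apple.PubSabAgent.plist": {
            "Label": "com.apple.PubSabAgent",       # assumed label, modelled on the pfile name
            "ProgramArguments": [payload],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        # constructed: neutral label, but the Program key still points into Preferences
        "com.example.helper.plist": {
            "Label": "com.example.helper",
            "Program": os.path.join(home, "Library", "Preferences", "helper"),
        },
        # constructed: an ordinary third-party updater, should not be flagged
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "StartInterval": 3600,
        },
    }
    for name, content in samples.items():
        with open(os.path.join(agents_dir, name), "wb") as fh:
            plistlib.dump(content, fh)
    return scan_launch_agents(agents_dir, home)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real Mac, replace the demo with `scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents"), os.path.expanduser("~"))`; because the folder is the user's own, this runs without elevation, which is exactly why the malware can drop its agent there in the first place.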
Initially, the command-and-control server that this malware tried to connect to was offline, but Intego’s malware researchers have found it to be accessible today. Intego has seen a few samples, but this malware does not yet seem to be widely distributed, and the risk is low.

It is worth noting that the Java vulnerability this malware uses was patched by Apple ten days ago, so Mac users should make sure that their Java installation is up to date.

Intego’s Mac antivirus, VirusBarrier X6 with malware definitions dated April 12, 2012 or later, will detect and remove the SabPab backdoor.

  • Al Varnell

    >Yet another malware has been found to exploit the CVE-2012-0507 Java vulnerability

    Are you certain of that? I know Kaspersky originally said that it does, but now they and others are reporting it’s actually an MS Word vulnerability CVE-2009-0563 that was patched in June 2009.

    • Intego (http://www.intego.com)

      There are two versions of this malware, each exploiting a different vulnerability: one is Java, the other Word.
