Fresh off the news that more than 650,000 Mac computers have been infected with a nasty Trojan horse virus called “Flashback”, another Apple threat is on the prowl.
According to anti-virus software provider Kaspersky Lab, a Trojan called SabPub — or more formally, Backdoor.OSX.SabPub.a — has recently been spreading via Java and could be infecting computers when people open email messages with suspicious links that direct users to malware.
“The Flashback and the SabPub Trojans are totally different,” Alex Gostev, chief security expert of Kaspersky Lab, told Mashable. “SabPub is classic backdoor Trojan, so it opens full access to a victim’s system for attackers. Flashback and its known variants is downloader and clickjacking bot, which means it conducts click fraud scam by hijacking people’s search engine results inside their web browsers.”
That said, the latest malware has the potential to reach far more computers than the Flashback Trojan.
“The latest version of the SabPub Trojan can infect more people than previous versions of this malware, which appeared earlier this year,” Gostev said. “In February, SabPub was exploiting a Microsoft Word vulnerability, which was fixed long time ago. The latest version of SabPub uses the Java exploit to spread infection in a more effective way because the Java exploit is delivered via a drive by download, which occurs when people click on URLs with malware via email.”
Gostev also noted that SabPub is also being used to attack specific targets: “It would seem that the attackers have an extremely select list of victims that is not very large.”
Although Mac users may think they are safe from viruses, Kaspersky Lab noted that before 2012 about 300 variants of Mac malware had been detected. Now, however, more than 70 have been detected in the past three months.
Last week, Apple released a security patch for Java that prevents the Flashback Trojan — called “Flashfake” — from exploiting the vulnerability to infect computers. Since then, Kaspersky Lab said it has seen a decline in the number of active bots for Flashfake, dropping from more than 650,000 infected computers to just 237,000.
However, the decrease in infected bots does not mean the botnet is on its way out. The numbers represent the active bots connected to Flashfake during the past few days – it is not the equivalent of the exact number of infected machines. Infected computers that were inactive during Easter weekend would not be communicating with Flashfake, which makes them not appear as an infected bot, Kaspersky said.
Sign up for Computerworld eNewsletters.