New Targeted Mac OS X Trojan Requires No User Interaction

An anonymous reader writes "Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it at 'SX/Sabpab-A.'"

Re:No user interaction

[firex726]

It Just Gets Infected!

Apple Culture

[ninetyninebottles]

I hope the recent rash of Malware for the Mac will serve to change the culture of security at Apple. They have a lot of really good technology in that regard and many very good coders who work with security as a priority (they have a lot of oldschool UNIX guys these days). The problem is, it is not a priority for Apple or part of their culture. Some Apple software ships with what looks like no security review at all and no real consideration, while other software clearly was architected with that as a design goal.

They have some very nice sandboxing, but they don't apply it very widely within OS X, even when there is no pain to the user or developer. It is like they just don't want to spend money and resources on that sort of hardening. You send a security hole to Apple and sometimes you hear back the next day and it is fixed in short order. Other times you hear nothing or malware is known and spreading for weeks before Apple bothers to issue a filtering signature.

Hey Apple! Wake up and smell the coffee. Dump some of your cash reserves into expanding work in security and having some experts paying attention and getting things done. "Think Different" about security and listen to the people you already have that have created groundbreaking security systems elsewhere.

Re:Missing from summary

[Anonymous Coward]

I didn't consider mac users lording their "super advanced security and magical virus immunity" as "good times."

But we sure did!

Re:Disable Java

[H0p313ss]

No one NEEDS Java enabled in a web browser in 2012

Corrected that for you.

Re:Missing from summary

[jedidiah]

The malware writers could in theory do the same thing to Linux
distros. However the openjdk and java on Linux is essentially
different in as much as the methods to run and install to a user
home directory a downloaded .so the way this malware does
cannot happen on Linux distros in as much as the user is the
only one on Linux who can direct which binaries run from within
a user profile at login.

If you are able to alter the user's files, then you can pretty much do anything you want with their account. The trick is just figuring out how to do so based what ever GUI they happen to be running. For Macs there just happens to be a single approach. There's no reason this approach couldn't be tailored to Linux and sort itself out with GNOME and KDE. If there's a similar autostart mechanism, then the virus can just manipulate that.

At the very least, it could install itself at the end of .login or .bashrc.

Re:Missing from summary

[SplashMyBandit]

Funny thing is, these exploits are not 0-day. Oracle patched the Java they control. It was Apple (as you correctly pointed out) who dropped the ball (both the hole in the Mac OS user abilities *and* not patching Java).

It is a real shame Apple hate Java with a passion. It makes sense since Java can and does run well everywhere it is permitted to - but Steve Jobs wanted to silo Apple, so he could make more money (didn't extend his life though [too soon?]). As a developer that attitude really pissed me off, I can write software in Java that runs wonderfully in Windows and Linux, but I'm limited to older officially-supported versions of Java (eg 6 rather than 7) on my (otherwise wonderful) MacBook Pro and not at all on my iPhone.

Apple are wankers in this regard. Tidbit: IIRC the earlier iPhones had JVMs in hardware (part of the chipset the phones used - as did many Java enabled phones a few years ago). Apple had to spend development effort to block the Java capabilities on the phones. They cited Java as being insecure (same with Flash) when this example clearly shows that the security problem is Apple's (since Oracle could repair Java vulnerabilities very quickly for Windows and Linux).

What, No Tinfoil Hat People?

[Greyfox]

When the first one came out, I thought Apple might use it as a justification for dropping OS/X support for Java completely. It's always seemed like a red-headed stepchild on the platform. It seems like the only one where updates come from someone other than Sun (Well, Oracle now,) and those updates have always seemed like they're few and far between. I bet very few tears would be shed over at Apple if Java just went away.

Re:Missing from summary

[errandum]

I assume you are talking about Time Machine. I've lost more than one "whole install" to corrupt time machine backups. Worse, one of the computers wouldn't even boot after it It was a new computer, changed it for a another, same thing - just ended up restoring my documents only and loosing a shitload of things in the process.

And FYI, windows also does the time machine thing, they just don't call it "time machine" and don't make it a default option. It's a tool that you need to decide to use and it'll freeze your current computer state into an external hard drive or dvd's.

The idea of the Time Machine is good, but it's not well executed. From deleting old backups automatically for space (I might want to save some of those old things) to using a nth degree differential backups that depend on the root and the entire backup tree to work... Each time it runs you risk corrupting something so bad the backups will be worthless. I'd rather apple would let me chose folders and just do full zipped/encrypted copies of those I choose. Time Machine just lulls most into a false sense of security