New Mac Trojan found (Backdoor.OSX.SabPub.a or SX/Sabpab-A) [merged]

Discussion in 'macOS' started by supertonic, Apr 14, 2012.

  1. supertonic, Apr 14, 2012
    Last edited by a moderator: Apr 16, 2012
  2. supertonic thread starter macrumors member

    May 5, 2010
    The article says:

    Anybody know if this is Mac HD/Library/Preferences or Users/user/Library/Preferences?
  3. GGJstudios macrumors Westmere


    May 16, 2008
    The former. If it were the latter, it would be shown as ~/Library/Preferences

    This trojan, like Flashback and other Java-exploiting malware, can be avoided by unchecking "Enable Java" in Safari Preferences. Read the other thread for details.
  4. JoeRito macrumors 6502a


    Apr 12, 2012
    New England, USA
    LuckyCat Trojan -NEW-

    Anyone encounter the latest Mac trojan, so-called "LuckyCat"? Evidently this affects Word docs opened on a Mac. Sounds like another exploit of Java. Any advice for the masses?
    Thanks everyone.
  5. GGJstudios macrumors Westmere


    May 16, 2008
    The vulnerability it exploits in Word was already patched almost 3 years ago, as described in the Microsoft Security Bulletin MS09-027. Anyone who hasn't applied updates for 3 years is certainly not practicing safe computing.

    Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
    1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

    2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

    3. Disable Java in your browser. (For Safari users, uncheck "Enable Java" in Safari > Preferences > Security.) This will protect you from malware that exploits Java in your browser, including the recent Flashback trojan. Leave this unchecked until you visit a trusted site that requires Java, then re-enable only for the duration of your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

    4. Change your DNS servers to OpenDNS servers by reading this.

    5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

    6. Never let someone else have access to install anything on your Mac.

    7. Don't open files that you receive from unknown or untrusted sources.

    8. For added security, make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.

    9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
    That's all you need to do to keep your Mac completely free of any virus, trojan, spyware, keylogger, or other malware. You don't need any 3rd party software to keep your Mac secure.
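    An audit script for the checklist above, added here as an example and not posted by GGJstudios: it reads the relevant firewall and Safari preference keys (the domains and keys com.apple.alf globalstate, com.apple.Safari AutoOpenSafeDownloads and WebKitJavaEnabled are assumed for Lion-era Mac OS X) and looks in both Preferences folders for the plist file name mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audits steps 1-3 of the checklist with
# `defaults` and looks for a named plist in both Preferences folders.
# Classify a Preferences path as system-wide (/Library) or per-user
# (/Users/<name>/Library, written ~/Library in the thread).
plist_scope() {
  case "$1" in
    /Users/*/Library/Preferences/*) echo "user" ;;
    /Library/Preferences/*)         echo "system" ;;
    *)                              echo "other" ;;
  esac
}
# Compare an observed value with its safe value: 0 on PASS, 1 on FAIL.
# An empty (unset) value is a FAIL so that a missing key stays visible.
check_setting() {
  if [ -n "$2" ] && [ "$2" = "$3" ]; then
    echo "PASS  $1 = $2"
    return 0
  fi
  echo "FAIL  $1 = ${2:-<unset>} (expected $3)"
  return 1
}
# Read one key with `defaults`, yielding "" if key, domain or tool is absent.
read_default() {
  defaults read "$1" "$2" 2>/dev/null || true
}
# Run the checks; $1 is the plist file name to look for. Domains and keys
# (com.apple.alf, com.apple.Safari, ...) are assumed for Mac OS X of that era.
run_audit() {
  fails=0
  # Step 1: firewall globalstate 1 or 2 means the firewall is enabled.
  case "$(read_default /Library/Preferences/com.apple.alf globalstate)" in
    1|2) fw=on ;; *) fw=off ;;
  esac
  check_setting "Firewall" "$fw" "on" || fails=$((fails + 1))
  # Step 2: "Open safe files after downloading" should be off (0).
  check_setting "Safari AutoOpenSafeDownloads" \
    "$(read_default com.apple.Safari AutoOpenSafeDownloads)" "0" || fails=$((fails + 1))
  # Step 3: Java in Safari should be off (0).
  check_setting "Safari WebKitJavaEnabled" \
    "$(read_default com.apple.Safari WebKitJavaEnabled)" "0" || fails=$((fails + 1))
  # The path question from the thread: look in both folders and report scope.
  for dir in /Library/Preferences "$HOME/Library/Preferences"; do
    [ -e "$dir/$1" ] && echo "FOUND $dir/$1 (scope: $(plist_scope "$dir/$1"))"
  done
  return "$fails"
}
# Only run the audit on a Mac; the helpers can be exercised anywhere.
if [ "$(uname)" = "Darwin" ]; then run_audit "${1:-PubSabAGent.plist}"; fi
```

    A non-zero exit status means at least one setting failed; the FOUND lines tell you which folder a plist lives in, which answers the /Library versus ~/Library question from the thread.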
  6. markfrautschi macrumors member

    Jan 6, 2004
    Rockville, MD
    Remember Mary Mallon

    I have no technical objections to GGJStudios; however, I suppose I have a philosophical difference.

    I like to ask Windows, Mac and Linux users, 'Do you know who Mary Mallon was?' To Mary, I imagine she was just an Irish-American cook who worked in New York City in the early years of the 20th century. We know her better, of course, as 'Typhoid Mary', because she carried the typhoid virus while remaining immune and free of symptoms.

    My philosophical objection, then, is that unfortunately all of GGJStudios' excellent advice leaves Macs as the perfect Typhoid Marys for Windows malware. Perfect because they are clothed in a false sense of heightened security by their users as they are carried past corporate and personal firewalls and connected to LANs. They can forward virus-laden e-mails.

    Perhaps where I differ from GGJStudios is that I feel it is worthwhile for Mac users to pay in money, in time, and in reduced performance to install third party tools on their machines to fight Windows malware that will never directly threaten them. (At some point these will reside on the motherboard, and life will be better. Will Intel vPro ever come to the Mac?)

    It does seem unfair and unjust. Yet, I see no other way. None of us are secure unless all of us are. As Martin Luther King said, we are bound together in an inextricable web of mutuality. That's the internet. That's a LAN. That is in the file formats and other standards we share. I believe that it is in our best interest to watch out for our brothers' and sisters' security even when they use different platforms than we do. Naturally, many of us are cross-platform ourselves, or work in places that are, or live in families that are. So we may not need to look very far to find our self-interest on another platform.

    Again, it seems a high price to pay, but I can imagine no alternative that will deny the Mac as a vector for distributing Windows malware.

    Sophos made their endpoint security for Mac free several years ago. It was recently updated to version 8. In my opinion it is a good tool. (It can even help remove Windows viruses from an NTFS drive mounted on a Mac! It will not scan the Windows registry, however!)
  7. dukebound85 macrumors P6


    Jul 17, 2005
    5045 feet above sea level
    ^^While I get what you are saying, the onus of safe computing is on the individual, not the people who interact with them.

    If exploits exist on the Windows side transmitted via my Mac, then those Windows users should have updated security software, not me. If I am not affected, then I am not going to be scrubbing my system for the benefit of others, especially if I have to fork over the cost of the services.
  8. GGJstudios macrumors Westmere


    May 16, 2008
    Read the Mac Virus/Malware FAQ I posted, specifically the section: What about sending files to Windows users?
    I recommend that you avoid using Sophos, as it could actually increase your Mac's vulnerability, as described here and here.

    If you still want to run antivirus for some reason, ClamXav (which is free) is one of the best choices, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges. You can run scans when you choose, rather than leaving it running all the time, slowing your system. ClamXav has a Sentry feature which, if enabled, will use significant system resources to constantly scan. Disable the Sentry feature. You don't need it. Also, when you first install ClamXav, as with many antivirus apps, it may perform an initial full system scan, which will consume resources. Once the initial scan is complete, periodic on-demand scans will have much lower demands on resources.
  9. unowen macrumors newbie


    Oct 2, 2011
    NYC, Eliz. Bay, NSW, and 'Hell-A'
    RE: SabPub - Thanks for where to look

    I downloaded the Java update from Apple, then, thanks to supertonic's heads-up, I found the PubSabAGent.plist.

    Wow. In all my (many) Mac years, I've NEVER had anything.

    Hey: I'd still buy/use a Mac - NEVER would buy a WinTel PC.

    Thanks, supertonic!:cool:
  10. GGJstudios macrumors Westmere


    May 16, 2008
    I recommend against using Sophos. Read post #9 in this thread.
  11. Tumbleweed666 macrumors 68000


    Mar 20, 2009
    Near London, UK.
    The problem with that theoretical statement is that it does not take into account the fact that there are perhaps hundreds of millions of Windows machines running no, or grossly insufficient, anti-malware software.

    Now, in the case where the Typhoid Mary Mac is sending malware on to one of those unprotected Windows systems, it doesn't matter, since, using that analogy, they will already have not just typhoid but the plague, smallpox, MRSA, AIDS and many other infections.

    In the case of the Typhoid Mary Mac sending malware on to one of the minority of Windows systems with good anti-malware, they won't get infected.

    So the Mac user is spending their time, effort and money to protect only Windows users who cannot be bothered to protect themselves, and to pointlessly protect against infections they likely already have anyway. So why bother?
  12. xxfury2xx macrumors member

    Mar 27, 2009
    I actually had this damn thing on my system. I'm just wondering how the hell it got there. Damn Java. Anyhow, I used the guide in the OP along with the SecureList guide to get rid of it, at least I hope.

    Also, the damn files showed up in my time machine backups that go back to March 25, 2012. So it's definitely unnerving to know that it has been in my system for that long doing God knows what. :mad:
  13. MonkeySee.... macrumors 68040


    Sep 24, 2010
    You have the patience of a Saint. :D

    I tip my hat to you.
  14. majordude macrumors 68020


    Apr 28, 2007
    Does ClamAV detect the two Trojans on OSX this past week?
  15. GGJstudios macrumors Westmere


    May 16, 2008
    You don't need any antivirus app to detect the trojans. Instructions have been posted everywhere on how to locate them.
  16. majordude macrumors 68020


    Apr 28, 2007
    If I wanted to manually do that every time this would be a great response instead of a snarky, condescending response. I want to do it automatically and preferably soon after new variants are discovered in the wild.
  17. GGJstudios macrumors Westmere


    May 16, 2008
    My response was neither snarky nor condescending. I simply stated facts, with no emotion at all expressed or implied.
  18. Mal macrumors 603


    Jan 6, 2002
    Then don't depend on any antivirus program, because none have reliably caught every variant within a reasonable timeframe. Following the steps that GGJstudios has posted everywhere on this forum will, however, block every form of malware that has yet been discovered for the Mac, and that includes the variants that have come out after those steps were originally posted (like this Flashback variant).
