Just as OS X users across the world were dealing with the Flashback Trojan, a new version of a backdoor Trojan for Apple's operating system has surfaced, and this one can arrive through a Microsoft Word exploit as well as the Java route Flashback used.
Security firms have been very busy over the past few weeks, and the latest threat, which Kaspersky Lab links to the "LuckyCat" attack campaign, was discovered by one of its experts. After deliberately infecting a dummy test machine, he found it was taken over by a remote operator, who began poking around the Mac and helping himself or herself to the documents stored on it.
Costin Raiu, the expert behind the findings, gave his take on proceedings:
"We are pretty confident the operation of the bot was done manually — which means a real attacker, who manually checks the infected machines and extracts data from them."
The new Trojan, named "Backdoor.OSX.SabPub.a," is only a threat to Mac users. One variant uses a Java exploit to infect the machines it targets; a second arrives instead in Microsoft Word documents that exploit "CVE-2009-0563," a Word vulnerability Microsoft patched back in 2009. SabPub does not spread on its own: it relies on the victim running outdated Java or opening a booby-trapped Word document, so keeping both Java and Office patched shuts off both routes.
On Kaspersky's test machine it stayed under the radar for over six weeks before it sprang into action and began siphoning documents and files. There are thought to be two separate strains of SabPub, and Kaspersky labels the campaign an "active attack."
New variants of the bot are expected to surface in the coming weeks, but let's hope the situation doesn't reach the level of widespread panic seen over the last couple of weeks regarding Flashback. That Trojan infected more than 600,000 Macs worldwide before Apple shipped Java updates that patched the hole and removed Flashback from the machines of those affected. First discovered way back in September, Flashback operated under the guise of an Adobe Flash installer, giving Mac users another reason (if a reason was even necessary) to hate Flash.
Apple proudly declares that Mac OS X doesn't suffer the same volume of viruses and attacks as Windows, and while that may be correct, there are certainly a few folks out there working hard to undermine that reputation.