Posted by: David Harley | April 16, 2012

OSX/SabPab: more information

In an earlier blog, I mentioned that this malware, which like the highly prevalent Flashback variant exploits CVE-2012-0507, seems to have been around for longer than Symantec’s recent write-up might indicate. Kaspersky’s Costin Raiu has, in the course of a useful description of the malware, confirmed that it seems to have been created on 16th March. In fact, Intego’s Philippe Devallois has suggested it might even have been a little earlier.

Even more interesting is Raiu’s subsequent blog confirming a link between SabPab (or SabPub – vendor detection names vary) and APT attacks labelled Luckycat. He suggests a link with attacks on Tibetan activists and notes the use of a number of Word documents exploiting the CVE-2009-0563 buffer overflow vulnerability in Microsoft Office.

An article by The Register’s Richard Chirgwin also covers the story.

David Harley CITP FBCS CISSP
