Posted by: David Harley | April 16, 2012

OSX/SabPab: more information

In an earlier blog post, I mentioned that this malware, which, like the highly prevalent Flashback variant, exploits CVE-2012-0507, seems to have been around for longer than Symantec’s recent write-up might indicate. Kaspersky’s Costin Raiu has, in the course of a useful description of the malware, confirmed that it seems to have been created on 16th March. In fact, Intego’s Philippe Devallois has suggested it might have appeared even a little earlier.

Even more interesting is Raiu’s subsequent blog confirming a link between SabPab (or SabPub – vendor detection names vary) and APT attacks labelled Luckycat. He suggests a link with attacks on Tibetan activists and notes the use of a number of Word documents exploiting the CVE-2009-0563 buffer overflow vulnerability in Microsoft Office.

An article by The Register’s Richard Chirgwin also covers the story.

