Mac OS X OSX/Sabpab Trojan Detection

critical Nessus Plugin ID 58812


The remote Mac OS X host appears to have been compromised.


Using the supplied credentials, Nessus has found evidence that the remote Mac OS X host has been compromised by a Trojan in the OSX/Sabpab (alternatively known as OSX/Sabpub) family of Trojans.

OSX/Sabpab is typically installed by means of a malicious Word document that exploits a stack-based buffer overflow in Word (CVE-2009-0563). Once installed, it opens a backdoor for a remote attacker to upload or download files, take screenshots, and run arbitrary commands.


Restore the system from a known set of good backups.

See Also

Plugin Details

Severity: Critical

ID: 58812

File Name: macosx_sabpab_trojan.nasl

Version: 1.7

Type: local

Agent: macosx

Published: 4/20/2012

Updated: 11/27/2023

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Tenable research analyzed the issue and assigned a score for it.


Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

Vulnerability Information

Required KB Items: Host/local_checks_enabled, Host/MacOSX/Version