Tweaked Trojan Disables Automatic Updating of OS X Anti-Malware Tools

MacRumors · Oct 19, 2011

Last month, we noted as part of a report on an update to the anti-malware tools in OS X that a new trojan horse threat known as Flashback.A had surfaced, with the malware masquerading as a Flash Player installer. While Apple has continued to update its XProtect.plist to detect Flashback.A, security firm F-Secure now reports (via ZDNet) that a revised version of the trojan which disables the auto-updating feature of Apple's anti-malware tools has appeared.

There's something new brewing in Mac malware development (again).

Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple's built-in OS X anti-malware application.

The report walks through how the modified trojan overwrites XProtectUpdater files, preventing infected systems from performing their daily check for updated malware definitions and thus keeping the door open for future attacks.

Flashback.C installer

The Flashback.C trojan is capable of connecting to a remote host in order to download and execute further code, but it is unclear what the exploit is being used for at this time. Users are of course advised to download Flash Player and other software from trusted sources so as to avoid infecting their systems with trojans such as Flashback.C.

Update: MacRumors has heard and Sophos has confirmed that Apple had already updated its XProtect.plist entries to detect Flashback.C by the time news of it broke to the public. Consequently, users encountering the malware on Mac OS X Snow Leopard or OS X Lion should be automatically warned of the threat prior to mounting the package.

Article Link: Tweaked Trojan Disables Automatic Updating of OS X Anti-Malware Tools

MultiMediaWill · Oct 19, 2011

i tH0uGh7 m4c d0Nt g3T v1rus

Unggoy Murderer · Oct 19, 2011

MultiMediaWill said:
i tH0uGh7 m4c d0Nt g3T v1rus

They don't, this is a Trojan. Big difference

Aduntu · Oct 19, 2011

Unggoy Murderer said:
They don't, this is a Trojan. Big difference

Your sarcasm meter is obviously broken.

jmpnop · Oct 19, 2011

MultiMediaWill said:
i tH0uGh7 m4c d0Nt g3T v1rus

tRoj4n is n0t v1rus.

435713 · Oct 19, 2011

OH noes!!!

bender o · Oct 19, 2011

Damn you Flash!! When are you gonna go extinct!! you suck!!

daxomni · Oct 19, 2011

MultiMediaWill said:
i tH0uGh7 m4c d0Nt g3T v1rus

The Reality Distortion Field that previously protected all Macs from all attacks appears to have dissipated.

iStudentUK · Oct 19, 2011

Quick everyone download MacDefender!

(My team of lawyers require me to note that I'm not actually suggesting anyone download MacDefender.)

roadbloc · Oct 19, 2011

It's happening more and more.

RoboCop001 · Oct 19, 2011

I don't understand why these fools waste everyone's time by writing viruses, and I mean for any platform. Can't they put that energy and effort into something positive?

igazza · Oct 19, 2011

iOS is the future

Mad-B-One · Oct 19, 2011

daxomni said:
The Reality Distortion Field that previously protected all Macs from all attacks appears to have dissipated.

It changed size and is only hovering over iOS at this time.

iStudentUK said:
Quick everyone download MacDefender!

(My team of lawyers require me to note that I'm not actually suggesting anyone download MacDefender.)

Would be a solution. Two Trojan horses fighting each other. Maybe they block each other then? Someone please try that in a VM

CodeBreaker · Oct 19, 2011

So have they managed to scare anyone?

435713 · Oct 19, 2011

RoboCop001 said:
I don't understand why these fools waste everyone's time by writing viruses, and I mean for any platform. Can't they put that energy and effort into something positive?

I'm actually with ya on that. I feel so bad when anyone on any platform has to deal with this crap. Lock as many up as possible and throw em in camps. Put em on a PPV where they are tortured like in Hostel, they'll learn sooner or later.

Not actually serious about torture and stuff to be clear.

ndpitch · Oct 19, 2011

Looks like this could be a leadup into needing anti-virus/anti-malware/anti-spyware on the Mac.

hobo.hopkins · Oct 19, 2011

I foresee this discussion degrading very quickly...

In reality all one needs to do is be cautious of where they are downloading files, and this wouldn't be a problem.

tubular · Oct 19, 2011

A couple questions

1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

Shrink · Oct 19, 2011

MultiMediaWill said:
i tH0uGh7 m4c d0Nt g3T v1rus

Oh, god, here we go again with the virus vs malware vs trojan vs etc., etc.

Malware is a generic category (malicious software). Viruses, trojans, spyware and all other crap that f***ks with your computer are malware.

Macs have never been infected by a virus up to this date. Yes, it is possible sometime in the future a virus could be developed that will infect a Mac. Nothing to this date!

Trojan is NOT a virus - it is a form of malware. Unlike a virus which can infect a computer without action on the part of the user, trojans have to be invited in. In short - the user has to screw up.

The best defense is an educated user.

(GGJstudios - How did I do??

)

stage1 · Oct 19, 2011

CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.

Memo86 · Oct 19, 2011

Well... i was a PC user in the XP era and i didn't get any virus (and there are thousands of windows wiruses, right?) so, I think that is REALLY HARD to get your mac infected. ¿Who would download flash from other site than Adobe.com?

igazza · Oct 19, 2011

Best idea is to use chrome as your browser

RoboCop001 · Oct 19, 2011

tubular said:
1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?

I can't completely give you those answers but one way is Time Machine. If you're infected or fear that you are infected just restore your whole HD to a previous state.

Memo86 · Oct 19, 2011

stage1 said:
CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.

If you downloaded from Adobe Updater or from Adobe.com i'm sure you're safe... if you downloaded from some pr0n site or crappy page maybe you're in trouble...

Unggoy Murderer · Oct 19, 2011

Aduntu said:
Your sarcasm meter is obviously broken.

No, not really. Functioning perfectly fine the last time I checked.

Tweaked Trojan Disables Automatic Updating of OS X Anti-Malware Tools

macrumors bot

macrumors 68000

macrumors 65816

macrumors 6502a

macrumors 6502a

macrumors 6502a

macrumors 6502

macrumors 6502

macrumors 65816

macrumors G3

macrumors 68000

macrumors 6502a

macrumors 6502a

macrumors 6502

macrumors 6502a

macrumors 6502

macrumors 6502a

macrumors 65816

macrumors G3

macrumors newbie

macrumors newbie

macrumors 6502a

macrumors 68000

macrumors newbie

macrumors 65816

Our Staff