Mac Malware Disables Protection

Friday, October 21, 2011 @ 01:10 PM gHale


Malware authors updated a Mac Trojan to disable the anti-malware protection Apple built into its OS X platform.

A new variant of the “Flashback” backdoor Trojan, called Flashback.C, attempts to disable the automatic updater component of XProtect, the built-in Mac OS X anti-malware application, researchers at anti-virus firm F-Secure said. Like earlier variants, the malware masquerades as an update to Adobe Flash Player, and to install it users must enter their administrator password.

RELATED STORIES
ICS Threat Brewing; Target Unclear
Old Becomes New: DLL Loading is Back
Weak Sites Victimize Visitors
Beware of Printers Spreading Malware

“Attempting to disable system defenses is a very common tactic for malware — and built-in defenses are naturally going to be the first target on any computing platform,” F-Secure wrote in a blog.

Researchers do not know how many users suffered from this infection with the latest variant of Flashback, but the number right now is “very small,” said Mikko Hypponen, chief research officer at F-Secure.

The first variant of the malware, Flashback.A, came into public view in late September, and classified as a low-risk threat by Mac security firm Intego. Once installed, the strain connected to a remote server and sent back pilfered information, such as the infected computer’s MAC address, a unique identifier.

Last week, researchers discovered a second variant, Flashback.B. It ended up coded to prevent itself from installing on machines running Mac OS X in a virtualized environment, a technique commonly seen in the Windows world to prevent researchers from analyzing the malware, since many do so using virtual machines.

The latest variant, Flashback.C, now prevents the XProtect anti-malware system from updating itself with security definitions. Apple first introduced XProtect in late 2009, with the release of Snow Leopard (OS X 10.6).

The evolution of the Flashback Trojan indicates that its creators are trying to maximize their financial gain, said Graham Cluley, senior technology consultant at Sophos.

“Clearly, the Mac malware authors are not resting on their laurels,” Cluley wrote. “Maybe if you have a Mac, you shouldn’t be too laid back about the genuine threat that exists.”



Leave a Reply

You must be logged in to post a comment.