Wednesday, October 19, 2011

Flashback Trojan Now Disabling Mac XProtect

Mac-based malware is still a relatively rare occurrence when compared to the flood of malicious programs aimed at Windows. But it appears that the attackers creating the more recent Mac malware either have experience writing Windows-based malware or are simply paying close attention to what has been working for Windows malware all these years. The latest evidence of this is the discovery that the Flashback Mac Trojan has the ability to overwrite the Mac's built-in antimalware component and prevent it from updating.


Now, researchers have found that a recently discovered piece of Mac malware known as the Flashback Trojan is using a similar technique to hamper the XProtect antimalware system that's included in newer versions of OS X. Once resident on a newly infected Mac, the Flashback malware will decrypt a specific XProtect file and then decrypt the path of the XProtectUpdater binary, according to an analysis by researchers at F-Secure. The next step is for Flashback to unload the XProtectUpdater daemon and then overwrite certain components.

"The action described above wipes out certain files, thus, preventing XProtect from automatically receiving future updates," the analysis says.
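The analysis above describes the attack from Flashback's side: the updater daemon is unloaded and XProtect files are overwritten so that signature updates stop arriving. A defender's counterpart is a file-integrity baseline over exactly those components, so that a missing updater binary or a changed definitions file is noticed rather than silently tolerated. The script below is an added example and is not part of the original post or of F-Secure's analysis. The four paths in XPROTECT_PATHS are the locations used by OS X 10.6.7 and 10.7 and are an assumption here (adjust them for your system); the demo() function does not touch the real system at all but builds a constructed scenario in a temporary directory, overwriting one file and deleting another to show what the check reports.

```python
#!/usr/bin/env python3
"""Baseline-and-verify integrity check for the XProtect components that
Flashback tampers with. Added example, not code from the article."""
import hashlib
import json
import os
import sys
import tempfile

# Assumed locations of the XProtect components on OS X 10.6.7/10.7.
XPROTECT_PATHS = [
    "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist",
    "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist",
    "/usr/libexec/XProtectUpdater",
    "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist",
]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Map each path to its SHA-256, or to None if the file is absent."""
    return {p: (sha256_of(p) if os.path.isfile(p) else None) for p in paths}


def compare(baseline, current):
    """Return (path, status) pairs for files that differ from the baseline.

    status is 'missing' (present before, gone now), 'modified' (hash changed)
    or 'appeared' (absent before, present now). Unchanged files are omitted.
    """
    findings = []
    for path, expected in baseline.items():
        actual = current.get(path)
        if expected is not None and actual is None:
            findings.append((path, "missing"))
        elif expected is not None and actual != expected:
            findings.append((path, "modified"))
        elif expected is None and actual is not None:
            findings.append((path, "appeared"))
    return findings


def save_baseline(baseline_file, paths=XPROTECT_PATHS):
    """Record the current hashes of the XProtect components to a JSON file."""
    with open(baseline_file, "w") as f:
        json.dump(snapshot(paths), f, indent=2)


def verify(baseline_file):
    """Re-hash the paths recorded in the baseline and report any differences."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    return compare(baseline, snapshot(baseline.keys()))


def demo():
    """Constructed scenario: baseline three stand-in files in a temp dir, then
    simulate the tampering described above (one overwritten, one removed)."""
    with tempfile.TemporaryDirectory() as d:
        names = ("XProtect.plist", "XProtect.meta.plist", "XProtectUpdater")
        files = {n: os.path.join(d, n) for n in names}
        for p in files.values():
            with open(p, "wb") as f:
                f.write(b"original content of " + os.path.basename(p).encode())
        baseline = snapshot(files.values())
        with open(files["XProtect.meta.plist"], "wb") as f:
            f.write(b"tampered")            # definitions file overwritten
        os.remove(files["XProtectUpdater"])  # updater binary wiped out
        findings = compare(baseline, snapshot(files.values()))
        return sorted((os.path.basename(p), status) for p, status in findings)


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        save_baseline(sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "verify":
        problems = verify(sys.argv[2])
        for path, status in problems:
            print("%-9s %s" % (status, path))
        sys.exit(1 if problems else 0)
    else:
        print(demo())
```

Run it with `baseline xprotect.json` on a known-good machine and store that file somewhere the malware cannot reach (it runs as the logged-in user, so a root-owned location or an off-host copy), then run `verify xprotect.json` periodically; a non-zero exit means a component is missing or changed. With no arguments it prints the constructed demo findings.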


For some reason, Apple is failing to learn the lessons of the last 10+ years. They only need to look back at how malware started out and then came to dominate the Windows world.

Apple has been increasing its use of anti-exploitation mitigations (e.g. ASLR, sandboxing) in each version of OS X released, but as long as malware authors continue to see a positive cost/benefit in attacking OS X, they will continue to go after Mac users.

I use Sophos' free home edition (at home, of course) and haven't had any issues with it on my MBP.

Sophos Anti-Virus for Mac Home Edition (It's Free)

