There's something new brewing in Mac malware development (again).
Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple's built-in OS X anti-malware application.
First, Flashback.C decrypts the paths of XProtectUpdater files that are hardcoded in its body:
[Screenshot: Flashback.C decrypts the path of the plist file of XProtectUpdater]
[Screenshot: Flashback.C decrypts the path of the XProtectUpdater binary]
The malware then unloads the XProtectUpdater daemon:
Finally, the malware overwrites the XProtectUpdater files with a " " character:
[Screenshot: Flashback.C overwrites the plist file of XProtectUpdater]
[Screenshot: Flashback.C overwrites the XProtectUpdater binary]
The overwrite described above wipes out the updater's launchd plist and binary, thus preventing XProtect from automatically receiving future updates.
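As an added, defender-side example (not code from the original post or its author), the following shell script checks whether the XProtectUpdater launchd plist and binary still look intact, i.e. present, not blanked to whitespace, and (for the plist) starting with a plist header, and, when run on OS X, whether the daemon is still loaded. The file paths and the launchd label are assumptions based on the OS X 10.6/10.7 layout; the post itself only notes that the malware decrypts them at run time. Override them through the environment variables if your system differs.

```shell
#!/bin/sh
# Integrity check for the XProtectUpdater files that Flashback.C blanks out.
# Added example; paths and label below are ASSUMED, not taken from the post.
XPROTECT_PLIST="${XPROTECT_PLIST:-/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist}"
XPROTECT_BIN="${XPROTECT_BIN:-/usr/libexec/XProtectUpdater}"
XPROTECT_LABEL="${XPROTECT_LABEL:-com.apple.xprotectupdater}"

# file_looks_wiped PATH
# True (exit 0) when the file is missing, empty, or contains only whitespace,
# which is exactly the state left behind when a file is overwritten with " ".
file_looks_wiped() {
    path="$1"
    [ -f "$path" ] || return 0
    nonblank=$(tr -d ' \t\r\n' < "$path" | wc -c | tr -d ' ')
    [ "$nonblank" -eq 0 ]
}

# plist_looks_valid PATH
# A genuine launchd plist is either XML ("<?xml") or binary ("bplist").
plist_looks_valid() {
    path="$1"
    [ -f "$path" ] || return 1
    head -c 6 "$path" | grep -q -e '^<?xml' -e '^bplist'
}

# daemon_state LABEL -> prints "loaded", "missing", or "unavailable"
# (the last when launchctl is absent, e.g. when run on a non-OS X host).
daemon_state() {
    if ! command -v launchctl >/dev/null 2>&1; then
        echo unavailable
    elif launchctl list 2>/dev/null | grep -q "$1"; then
        echo loaded
    else
        echo missing
    fi
}

# check_xprotect PLIST BIN [LABEL]
# Prints one ALERT line per finding on stderr and the number of findings on
# stdout. An empty LABEL skips the launchd check.
check_xprotect() {
    plist="$1"; bin="$2"; label="$3"; problems=0
    if file_looks_wiped "$plist" || ! plist_looks_valid "$plist"; then
        echo "ALERT: XProtectUpdater plist missing or blanked: $plist" >&2
        problems=$((problems + 1))
    fi
    if file_looks_wiped "$bin"; then
        echo "ALERT: XProtectUpdater binary missing or blanked: $bin" >&2
        problems=$((problems + 1))
    fi
    if [ -n "$label" ] && [ "$(daemon_state "$label")" = missing ]; then
        echo "ALERT: launchd job not loaded: $label" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Run the live check only on OS X, where these paths and launchd exist.
if [ "$(uname)" = Darwin ]; then
    n=$(check_xprotect "$XPROTECT_PLIST" "$XPROTECT_BIN" "$XPROTECT_LABEL")
    echo "XProtectUpdater problems found: $n"
fi
```

A non-zero count means the updater has been tampered with or removed; on an affected system, the plist and binary would each contain a single space, so both file checks fire together with the launchd check.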
Attempting to disable system defenses is a very common tactic for malware — and built-in defenses are naturally going to be the first target on any computing platform.
Update: MD5 hash of Flashback.C sample (actual .pkg): 041ec03a36598a9823fb342cd9840acc
MD5 hash of Flashback.C sample (postinstall): e24979f7bd55a458a33247c5201a6a7d