NEWS FROM THE LAB - Wednesday, October 19, 2011

Mac Trojan Disables XProtect Updates
Posted by ThreatSolutions @ 07:46 GMT

There's something new brewing in Mac malware development (again).

Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple's built-in OS X anti-malware application.

First, Flashback.C decrypts the paths of XProtectUpdater files that are hardcoded in its body:

[Screenshot: Flashback.C decrypts the path of the plist file of XProtectUpdater]

[Screenshot: Flashback.C decrypts the path of the XProtectUpdater binary]

The malware then unloads the XProtectUpdater daemon:

[Screenshot: Flashback.C unloads the XProtectUpdater daemon, part 1]

[Screenshot: Flashback.C unloads the XProtectUpdater daemon, part 2]

Finally, the malware overwrites the XProtectUpdater files with a single space (" ") character:

[Screenshot: Flashback.C overwrites the plist file of XProtectUpdater]

[Screenshot: Flashback.C overwrites the XProtectUpdater binary]

The actions described above wipe out these files, thus preventing XProtect from automatically receiving future updates.
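The post-infection state described above (updater plist and binary reduced to a single whitespace character, launchd job unloaded) can be checked for with a small script. The following is an added example, not code from the post or from F-Secure; the XProtectUpdater paths and the launchd label are assumed Lion-era locations, not values given in the post, and can be overridden through the environment.

```shell
#!/bin/sh
# Integrity check for the XProtectUpdater components that Flashback.C is
# described as wiping. Added example; paths and label below are assumptions.
XPU_PLIST="${XPU_PLIST:-/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist}"
XPU_BIN="${XPU_BIN:-/usr/libexec/XProtectUpdater}"
XPU_LABEL="${XPU_LABEL:-com.apple.xprotectupdater}"

# Returns 0 if the file exists and contains at least one non-whitespace
# byte; returns 1 if it is missing, empty, or whitespace-only (the state
# left behind when a file is overwritten with a single " " character).
xpu_file_intact() {
    f="$1"
    [ -f "$f" ] || return 1
    LC_ALL=C grep -q '[^[:space:]]' "$f"
}

# Returns 0 when launchd currently lists a job with the given label.
# On a system without launchctl this simply returns 1.
xpu_daemon_loaded() {
    launchctl list 2>/dev/null | grep -qF -- "$1"
}

# Reports on both files and the daemon; exit status 1 means at least one
# item is in the suspect state, 0 means everything looked intact.
xpu_check() {
    rc=0
    for f in "$XPU_PLIST" "$XPU_BIN"; do
        if xpu_file_intact "$f"; then
            echo "OK      $f"
        else
            echo "SUSPECT $f (missing, empty or whitespace-only)"
            rc=1
        fi
    done
    if xpu_daemon_loaded "$XPU_LABEL"; then
        echo "OK      launchd job $XPU_LABEL is loaded"
    else
        echo "SUSPECT launchd job $XPU_LABEL is not loaded"
        rc=1
    fi
    return $rc
}
```

Source the file and call `xpu_check` (as root, so the system paths are readable); a non-zero exit status flags the wiped-updater condition for follow-up.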

Attempting to disable system defenses is a very common tactic for malware — and built-in defenses are naturally going to be the first target on any computing platform.

Update:
MD5 hash of Flashback.C sample (actual .pkg): 041ec03a36598a9823fb342cd9840acc
MD5 hash of Flashback.C sample (postinstall): e24979f7bd55a458a33247c5201a6a7d



Threat Solutions post by — Brod