Flashback C Trojan Goes for Mac OS X Defense Mechanism

Security experts say it’s time for the Mac user base to wake up and smell the roses

By on October 20th, 2011 13:14 GMT

Security researchers at F-Secure have found a new variant of the Flashback Trojan masquerading as an Adobe Flash installer package. This time the malware goes after XProtect, the built-in defense mechanism in Mac OS X that is meant to stop exactly this kind of attack, by disabling its update component.

“There's something new brewing in Mac malware development (again),” say the people at F-Secure in a blog post.

“Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple's built-in OS X anti-malware application,” the company writes.

The original variant of Flashback was discovered by Austin, Texas-based Intego in September. Intego deals exclusively with Mac malware.

The team of researchers at F-Secure has found that Flashback C stops XProtect from automatically receiving future definition updates. A Mac infected this way keeps whatever definitions it last downloaded, so it stays exposed not only to this variant but to any later malware that Apple's updated definitions would otherwise catch.
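As an added example (not code from the article, F-Secure, Sophos or Apple), the following bash script is the quick audit a Mac administrator could run after reading the above: it confirms that the XProtect updater binary is present and not emptied out, that its launchd job definition still points at it, and that the definition file has been refreshed recently. The file paths are assumptions based on the Mac OS X 10.6/10.7 layout of the time and must be verified on the system at hand; every check takes its path as a parameter so the script can be adapted and tested against other locations.

```bash
#!/bin/bash
# Added example: audit the XProtect automatic updater on 2011-era OS X.
# The three paths below are ASSUMPTIONS about the 10.6/10.7 layout;
# confirm them on your own machine before relying on the result.
XPROTECT_UPDATER="/usr/libexec/XProtectUpdater"
XPROTECT_LAUNCHD="/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
XPROTECT_META="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

# check_updater_binary PATH
# Returns 0 if the updater binary exists, is non-empty and executable.
# An empty file is flagged separately: a zeroed-out binary still "exists".
check_updater_binary() {
    local bin="$1"
    [ -f "$bin" ] || { echo "MISSING: $bin"; return 1; }
    [ -s "$bin" ] || { echo "EMPTY: $bin (possibly overwritten)"; return 1; }
    [ -x "$bin" ] || { echo "NOT EXECUTABLE: $bin"; return 1; }
    echo "OK: $bin present"
    return 0
}

# check_launchd_plist PLIST BINARY
# Returns 0 if the launchd job definition exists and still references BINARY.
check_launchd_plist() {
    local plist="$1" bin="$2"
    [ -f "$plist" ] || { echo "MISSING: $plist"; return 1; }
    grep -q "$bin" "$plist" || { echo "TAMPERED: $plist does not reference $bin"; return 1; }
    echo "OK: $plist references $bin"
    return 0
}

# definitions_age_days META_PLIST
# Prints the number of whole days since the definition file was last modified,
# or -1 (and returns 1) if the file is missing. Handles both BSD stat (macOS)
# and GNU stat so the function can be exercised on Linux as well.
definitions_age_days() {
    local meta="$1" mtime now
    [ -f "$meta" ] || { echo -1; return 1; }
    if stat -c %Y "$meta" >/dev/null 2>&1; then
        mtime=$(stat -c %Y "$meta")      # GNU stat
    else
        mtime=$(stat -f %m "$meta")      # BSD stat
    fi
    now=$(date +%s)
    echo $(( (now - mtime) / 86400 ))
}

# check_definitions_fresh META_PLIST MAX_DAYS
# Returns 0 if the definitions were modified within the last MAX_DAYS days.
# Definitions that never change is the symptom the article describes.
check_definitions_fresh() {
    local age
    age=$(definitions_age_days "$1") || return 1
    [ "$age" -le "$2" ]
}

# audit_xprotect
# Runs all checks against the assumed system paths and also asks launchd
# whether the updater job is loaded. Returns non-zero if anything is off.
audit_xprotect() {
    local rc=0
    check_updater_binary "$XPROTECT_UPDATER" || rc=1
    check_launchd_plist "$XPROTECT_LAUNCHD" "$XPROTECT_UPDATER" || rc=1
    if check_definitions_fresh "$XPROTECT_META" 30; then
        echo "OK: definitions updated $(definitions_age_days "$XPROTECT_META") day(s) ago"
    else
        echo "STALE or missing definitions: $XPROTECT_META"
        rc=1
    fi
    if launchctl list 2>/dev/null | grep -q com.apple.xprotectupdater; then
        echo "OK: com.apple.xprotectupdater is loaded in launchd"
    else
        echo "NOT LOADED: com.apple.xprotectupdater is absent from launchctl list"
        rc=1
    fi
    return $rc
}

# Only run the full audit on a Mac; the individual checks work anywhere.
if [ "$(uname -s)" = "Darwin" ]; then
    if audit_xprotect; then
        echo "XProtect updater looks intact"
    else
        echo "XProtect updater needs attention"
    fi
fi
```

The 30-day freshness window is a rough heuristic, not an Apple-published interval; tighten it to whatever cadence you observe on a known-good machine. A missing launchd job or an empty updater binary is a stronger signal than stale definitions alone, since Apple may simply not have shipped new definitions for a while.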

F-Secure acknowledges that “Attempting to disable system defenses is a very common tactic for malware — and built-in defenses are naturally going to be the first target on any computing platform.”

According to Graham Cluley, senior technology consultant at Sophos, “XProtect isn't really comparable to a real anti-virus product on your Mac, but it does provide a limited amount of protection.”

Cluley believes “[it’s] time for Apple owners to wake up.”

“The fact that Mac malware is now being written to prevent XProtect from updating itself with new security definitions underlines that cybercriminals are keen to infect Apple computers because of the potential financial rewards,” explains Mr. Cluley.

Apple is expected to update its malware definitions soon. In the meantime, you can use Sophos's Mac anti-virus products, such as the company's free anti-virus for Mac home users, which according to Sophos has detected this malware as a member of the OSX/FlshPlyr family since October 12th.
