<<< NEWS FROM THE LAB - Wednesday, October 19, 2011 >>>

Mac Trojan Disables XProtect Updates

Posted by ThreatSolutions @ 07:46 GMT

There's something new brewing in Mac malware development (again).



Our recent analysis shows that Trojan-Downloader:OSX/Flashback.C disables XProtectUpdater, the automatic update component of XProtect, Apple's built-in OS X anti-malware feature.



First, Flashback.C decrypts the paths of the XProtectUpdater files, which are stored encrypted in its body:





Flashback.C decrypts the path of the plist file of XProtectUpdater





Flashback.C decrypts the path of the XProtectUpdater binary



The malware then unloads the XProtectUpdater daemon:

Finally, the malware overwrites each of the XProtectUpdater files with a single space (" ") character:





Flashback.C overwrites the plist file of XProtectUpdater





Flashback.C overwrites the XProtectUpdater binary



The files are not deleted, but overwriting them with a single whitespace character leaves XProtectUpdater with no usable launchd configuration and no usable binary, so XProtect stops receiving definition updates automatically.
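As an added example (not code from the F-Secure post or from the malware), here is a small POSIX shell check for the tampering described above. It classifies each XProtectUpdater file as missing, stubbed (contains nothing but whitespace, which is exactly what the " " overwrite leaves behind) or intact, and, where launchctl is available, reports whether the updater's launchd job is still loaded. The two paths and the launchd label com.apple.xprotectupdater are the well-known XProtectUpdater locations on OS X of that era and are assumed here; verify them on your own system.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether the XProtectUpdater
# plist and binary have been overwritten with whitespace, as Flashback.C does.
# Paths and the launchd label below are assumptions based on OS X of the time.

XPROTECT_PLIST="/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
XPROTECT_BIN="/usr/libexec/XProtectUpdater"
XPROTECT_LABEL="com.apple.xprotectupdater"

# classify_file PATH
# Prints exactly one word: missing, stubbed or intact. Always returns 0 so it is
# safe to call from scripts that run under "set -e".
classify_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo missing
        return 0
    fi
    # Strip every whitespace character; if nothing is left, the file is a stub.
    # This catches the single " " that Flashback.C writes, as well as an
    # empty or all-newline file. A real plist or Mach-O binary has plenty of
    # non-whitespace bytes and therefore classifies as intact.
    if tr -d '[:space:]' < "$f" | grep -q .; then
        echo intact
    else
        echo stubbed
    fi
    return 0
}

# launchd_job_state LABEL
# Prints loaded, not-loaded, or unknown (when launchctl is not on this host,
# e.g. when dry-running the script on Linux).
launchd_job_state() {
    if ! command -v launchctl >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if launchctl list 2>/dev/null | grep -q "$1"; then
        echo loaded
    else
        echo not-loaded
    fi
    return 0
}

# report_xprotect
# One line per artefact; a "stubbed" file or a "not-loaded" job on a machine
# that should have XProtectUpdater is the symptom described in the post.
report_xprotect() {
    for f in "$XPROTECT_PLIST" "$XPROTECT_BIN"; do
        echo "$f: $(classify_file "$f")"
    done
    echo "launchd job $XPROTECT_LABEL: $(launchd_job_state "$XPROTECT_LABEL")"
    return 0
}

report_xprotect
```

Run it as root on the machine under investigation; a one-byte plist or binary, or an unloaded updater job, means the defence has been tampered with and the definitions may be stale. Restoring the files from a known-good install and reloading the job is needed before XProtect will update again.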



Attempting to disable system defenses is a very common tactic for malware — and built-in defenses are naturally going to be the first target on any computing platform.



Update:

MD5 hash of Flashback.C sample (actual .pkg): 041ec03a36598a9823fb342cd9840acc

MD5 hash of Flashback.C sample (postinstall): e24979f7bd55a458a33247c5201a6a7d

Threat Solutions post by — Brod