Tweaked Trojan Disables Automatic Updating of OS X Anti-Malware Tools

Last month, we noted as part of a report on an update to the anti-malware tools in OS X that a new trojan horse threat known as Flashback.A had surfaced, with the malware masquerading as a Flash Player installer. While Apple has continued to update its XProtect.plist to detect Flashback.A, security firm F-Secure now reports (via ZDNet) that a revised version of the trojan which disables the auto-updating feature of Apple's anti-malware tools has appeared.

"There's something new brewing in Mac malware development (again).

"Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple's built-in OS X anti-malware application."

The report walks through how the modified trojan overwrites XProtectUpdater files, preventing infected systems from performing their daily check for updated malware definitions and thus keeping the door open for future attacks.

Flashback.C installer

The Flashback.C trojan is capable of connecting to a remote host in order to download and execute further code, but it is unclear what the trojan is being used for at this time. Users are of course advised to download Flash Player and other software from trusted sources so as to avoid infecting their systems with trojans such as Flashback.C.

Update: MacRumors has heard and Sophos has confirmed that Apple had already updated its XProtect.plist entries to detect Flashback.C by the time news of it broke to the public. Consequently, users encountering the malware on Mac OS X Snow Leopard or OS X Lion should be automatically warned of the threat prior to mounting the package.
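
The overwrite described above leaves a visible trace: updater files that are missing or far too small, and definitions that stop changing. The following check is an added example, not code from F-Secure's report, Apple, or this article; the default paths (Snow Leopard/Lion locations) and both thresholds are assumptions.

```shell
#!/bin/sh
# Added example: flag XProtect updater files that look overwritten and
# malware definitions that have stopped updating.
# ASSUMPTIONS (not stated in the article): default paths and thresholds below.
UPDATER_FILES="/usr/libexec/XProtectUpdater
/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
DEFS="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"
MIN_BYTES=64      # assumed floor; a real binary or launchd plist is far larger
MAX_AGE_DAYS=30   # assumed tolerance; definitions are not republished daily

# check_file PATH MIN_BYTES: print a status line; return 1 if the file is
# missing or smaller than MIN_BYTES (consistent with having been overwritten).
check_file() {
    path=$1; min=$2
    if [ ! -f "$path" ]; then
        echo "MISSING $path"; return 1
    fi
    size=$(wc -c < "$path" | tr -d ' ')
    if [ "$size" -lt "$min" ]; then
        echo "TRUNCATED $path ($size bytes)"; return 1
    fi
    echo "OK $path ($size bytes)"
}

# defs_stale PATH DAYS: succeed (0) if PATH is missing or was last modified
# more than DAYS days ago, i.e. the scheduled update has not been landing.
defs_stale() {
    [ -f "$1" ] || return 0
    [ -n "$(find "$1" -mtime +"$2" -print)" ]
}

# audit_xprotect: run both checks against the default paths; return 1 on any finding.
audit_xprotect() {
    rc=0
    for f in $UPDATER_FILES; do
        check_file "$f" "$MIN_BYTES" || rc=1
    done
    if defs_stale "$DEFS" "$MAX_AGE_DAYS"; then
        echo "STALE $DEFS (missing or unmodified for over $MAX_AGE_DAYS days)"; rc=1
    fi
    return $rc
}

# Run the audit only when asked, e.g.: sh xprotect_check.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_xprotect
fi
```

A finding is a reason to investigate the machine further; a clean result only shows that the updater files and definitions look intact.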

Top Rated Comments

109 months ago
I don't understand why these fools waste everyone's time by writing viruses, and I mean for any platform. Can't they put that energy and effort into something positive? :mad:
Rating: 31 Votes
109 months ago

They don't, this is a Trojan. Big difference :rolleyes:

Your sarcasm meter is obviously broken.
Rating: 19 Votes
109 months ago
Quick everyone download MacDefender!

(My team of lawyers require me to note that I'm not actually suggesting anyone download MacDefender.)
Rating: 17 Votes
109 months ago
I foresee this discussion degrading very quickly...

In reality all one needs to do is be cautious of where they are downloading files, and this wouldn't be a problem.
Rating: 12 Votes
109 months ago

The irony. Love the self-assured arrogance though, very becoming...:rolleyes:

What irony? The guy is basically right, both those posts were grossly misinformed.
Rating: 9 Votes
109 months ago
A couple questions

1 - how can we tell if a machine is infected?
2 - how, if infected, can we remove it, short of a clean install?
Rating: 9 Votes
109 months ago

I don't understand why these fools waste everyone's time by writing viruses, and I mean for any platform. Can't they put that energy and effort into something positive? :mad:

I'm actually with ya on that. I feel so bad when anyone on any platform has to deal with this crap. Lock as many up as possible and throw em in camps. Put em on a PPV where they are tortured like in Hostel, they'll learn sooner or later.

Not actually serious about torture and stuff to be clear.
Rating: 9 Votes
109 months ago

i tH0uGh7 m4c d0Nt g3T v1rus

Oh, god, here we go again with the virus vs malware vs trojan vs etc., etc.

Malware is a generic category (malicious software). Viruses, trojans, spyware and all other crap that f***ks with your computer are malware.

Macs have never been infected by a virus up to this date. Yes, it is possible sometime in the future a virus could be developed that will infect a Mac. Nothing to this date!

Trojan is NOT a virus - it is a form of malware. Unlike a virus which can infect a computer without action on the part of the user, trojans have to be invited in. In short - the user has to screw up.

The best defense is an educated user.

(GGJstudios - How did I do?? :D :p:p)
Rating: 8 Votes
109 months ago
i think this is a little more confusing for most users than people are granting.
- both the real Flash update and the trojan will prompt users to install while randomly browsing the web.
- both the real Flash update and the trojan prompt for admin password since they both need access to system files.

as far as I can tell, the main difference is in the install window you see.
legitimate Flash updates should look like this:

and do not use the standard system installer window like the trojan does:
Rating: 7 Votes
109 months ago

CRAP!! I downloaded a flash update today on my macbook!

What should I do help!! I'm not joking.

If you downloaded from Adobe Updater or from i'm sure you're safe... if you downloaded from some pr0n site or crappy page maybe you're in trouble... :P
Rating: 7 Votes