The Latest in IT Security

Mac Trojan Disables XProtect Updates

19 Oct 2011

There’s something new brewing in Mac malware development (again).

Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple’s built-in OS X anti-malware application.

First, Flashback.C decrypts the paths of XProtectUpdater files that are hardcoded in its body:

[Screenshot xprotectupdater_plist, Trojan-Downloader:OSX/Flashback.C: Flashback.C decrypts the path of the plist file of XProtectUpdater]

[Screenshot xprotectupdater, Trojan-Downloader:OSX/Flashback.C: Flashback.C decrypts the path of the XProtectUpdater binary]

The malware then unloads the XProtectUpdater daemon:

[Screenshot unload1, Trojan-Downloader:OSX/Flashback.C: unloading the XProtectUpdater daemon]

[Screenshot unload2, Trojan-Downloader:OSX/Flashback.C: unloading the XProtectUpdater daemon, continued]

Finally, the malware overwrites the XProtectUpdater files with a single " " (space) character:

[Screenshot wipe_xprotectupdater_plist, Trojan-Downloader:OSX/Flashback.C: Flashback.C overwrites the plist file of XProtectUpdater]

[Screenshot wipe_xprotectupdater, Trojan-Downloader:OSX/Flashback.C: Flashback.C overwrites the XProtectUpdater binary]

Overwriting the plist and the binary effectively wipes out the XProtectUpdater component, thus preventing XProtect from automatically receiving future updates.
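As an added defender-side example (not code from the original post), the POSIX shell audit below checks whether the XProtectUpdater plist and binary have been blanked in the way described above and, on a Mac, whether the launchd job is still loaded. The file paths and the launchd label com.apple.xprotectupdater are assumed defaults for OS X of that era, not values taken from the post; override them with XPU_PLIST and XPU_BIN if your system differs.

```shell
#!/bin/sh
# Added example: integrity check for the XProtectUpdater components that
# Flashback.C is reported to unload and overwrite with a single space.
# ASSUMED default paths/label for OS X of the period; verify on your host.
XPU_PLIST="${XPU_PLIST:-/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist}"
XPU_BIN="${XPU_BIN:-/usr/libexec/XProtectUpdater}"
XPU_LABEL="${XPU_LABEL:-com.apple.xprotectupdater}"

# check_wiped FILE: returns 0 if FILE looks wiped (missing, empty, or made up
# only of whitespace, e.g. the lone " " Flashback.C writes), 1 if intact.
check_wiped() {
    f="$1"
    [ -s "$f" ] || return 0                          # missing or zero bytes
    [ -z "$(tr -d '[:space:]' < "$f")" ] && return 0  # whitespace only
    return 1
}

# check_daemon_loaded LABEL: 0 if launchd lists the job, 1 if not,
# 2 if launchctl is not available (non-macOS host).
check_daemon_loaded() {
    command -v launchctl >/dev/null 2>&1 || return 2
    launchctl list 2>/dev/null | grep -q "$1"
}

# audit_xprotectupdater: prints findings; returns the number of problems.
audit_xprotectupdater() {
    problems=0
    for f in "$XPU_PLIST" "$XPU_BIN"; do
        if check_wiped "$f"; then
            echo "SUSPICIOUS: $f is missing or blank (possible XProtectUpdater tampering)"
            problems=$((problems + 1))
        else
            echo "ok: $f ($(wc -c < "$f" | tr -d ' ') bytes)"
        fi
    done
    check_daemon_loaded "$XPU_LABEL"
    case $? in
        0) echo "ok: $XPU_LABEL is loaded in launchd" ;;
        1) echo "SUSPICIOUS: $XPU_LABEL is not loaded in launchd"
           problems=$((problems + 1)) ;;
        *) echo "skip: launchctl not available on this host" ;;
    esac
    return "$problems"
}
```

Run it as root on the host under review; a non-zero exit status means at least one finding was printed.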

Attempting to disable system defenses is a very common tactic for malware — and built-in defenses are naturally going to be the first target on any computing platform.

Threat Solutions post by — Brod
