The Latest in IT Security

Mac Trojan Disables XProtect Updates

19 Oct 2011

There’s something new brewing in Mac malware development (again).

Recent analysis has revealed to us that Trojan-Downloader:OSX/Flashback.C disables the automatic updater component of XProtect, Apple’s built-in OS X anti-malware application.

First, Flashback.C decrypts the paths of XProtectUpdater files that are hardcoded in its body:

[Screenshot: Flashback.C decrypts the path of the plist file of XProtectUpdater]

[Screenshot: Flashback.C decrypts the path of the XProtectUpdater binary]

The malware then unloads the XProtectUpdater daemon:

[Screenshots: Flashback.C unloads the XProtectUpdater daemon]

Finally, the malware overwrites the XProtectUpdater files with a single space (" ") character:

[Screenshot: Flashback.C overwrites the plist file of XProtectUpdater]

[Screenshot: Flashback.C overwrites the XProtectUpdater binary]

The sequence described above wipes the XProtectUpdater plist and binary, thereby preventing XProtect from automatically receiving future definition updates.
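As an added example (not part of the original post or of the analysis it describes), the following shell check looks for the end state this behaviour leaves behind: XProtectUpdater files reduced to whitespace, and a launchd job that is no longer loaded. The file paths and the launchd label are assumptions, since the post does not name them; override them through the environment variables if they differ on the system being checked.

```bash
#!/bin/sh
# Added defender-side check; not code from the original post.
# ASSUMED locations of the XProtectUpdater components (the post does not
# name them). Override via environment variables where they differ.
XPROTECT_PLIST="${XPROTECT_PLIST:-/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist}"
XPROTECT_BIN="${XPROTECT_BIN:-/usr/libexec/XProtectUpdater}"
XPROTECT_LABEL="${XPROTECT_LABEL:-com.apple.xprotectupdater}"   # assumed launchd label

# check_file PATH
# Returns 0 if the file exists and has non-whitespace content.
# Returns 1 if it is missing, or contains only whitespace, which is what
# an overwrite with a single " " character leaves behind.
check_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 1
    fi
    # Strip all whitespace; an intact plist or Mach-O binary leaves plenty.
    if [ -z "$(tr -d '[:space:]' < "$f")" ]; then
        echo "WIPED (whitespace only, $(wc -c < "$f" | tr -d ' ') bytes): $f"
        return 1
    fi
    echo "OK: $f"
    return 0
}

# check_daemon LABEL
# Returns 0 if launchctl reports the job as loaded, 1 otherwise.
check_daemon() {
    if launchctl list 2>/dev/null | grep -q "$1"; then
        echo "LOADED: $1"
        return 0
    fi
    echo "NOT LOADED: $1"
    return 1
}

# check_xprotect: run all three checks; non-zero if anything looks wrong.
check_xprotect() {
    rc=0
    check_file "$XPROTECT_PLIST" || rc=1
    check_file "$XPROTECT_BIN" || rc=1
    check_daemon "$XPROTECT_LABEL" || rc=1
    return $rc
}
```

Run `check_xprotect` on the host; a "WIPED" or "NOT LOADED" line is the condition to investigate, and restoring the files should be followed by confirming the daemon loads again.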

Attempting to disable system defenses is a very common tactic for malware — and built-in defenses are naturally going to be the first target on any computing platform.

Threat Solutions post by — Brod
