A mutated version of a trojan designed to incapacitate Mac OS X Lion anti-malware has been found, F-Secure Security Labs revealed.
Its recent analysis found Trojan-Downloader:OSX/Flashback.C can disable the automatic updater component of XProtect, the built-in OS X anti-malware application Apple provides in its operating system.
The research lab first discovered Trojan-Downloader:OSX/Flashback.A in September, posing as a Flash Player installer.
But the latest iteration of the Trojan also targets the update facility of XProtect that enables the automatic update of malware definitions, rendering it useless and the OS vulnerable to new, undefined attack vectors.
“Attempting to disable system defences is a very common tactic for malware – and built-in defences are naturally going to be the first target on any computing platform,” wrote F-Secure researchers in a blog post.
Flashback.C works by decrypting the .plist file and binary paths of XProtectUpdater hardcoded in its body. The malware then drops the XProtectUpdater daemon, enabling the malware to overwrite both files with a specified character.
F-Secure found these actions wipe out certain key files required by XProtect to automatically receive future updates.
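An added example, not taken from the article or from F-Secure: a Python check for the condition described above, where an updater file has been overwritten with a single repeated character. The two default paths are assumptions about a stock OS X Lion install (the article does not name them), and the sample files in `demo()` are constructed.

```python
import os
import plistlib
import tempfile

# Assumed default locations on OS X Lion; the article does not list the paths.
DEFAULT_TARGETS = {
    "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist": "plist",
    "/usr/libexec/XProtectUpdater": "binary",
}

def classify(path, kind):
    """Return 'missing', 'empty', 'wiped', 'corrupt' or 'ok' for one file."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        return "empty"
    # Overwriting with one character leaves a file made of a single byte value.
    if len(set(data)) == 1:
        return "wiped"
    if kind == "plist":
        try:
            plistlib.loads(data)  # accepts both XML and binary plists
        except Exception:
            return "corrupt"
    return "ok"

def audit(targets=DEFAULT_TARGETS):
    """Classify every target file; returns {path: state}."""
    return {path: classify(path, kind) for path, kind in targets.items()}

def demo():
    """Constructed samples: an intact plist, a wiped plist, a missing binary."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.plist")
        bad = os.path.join(d, "wiped.plist")
        with open(good, "wb") as fh:
            plistlib.dump({"Label": "example.updater", "RunAtLoad": True}, fh)
        with open(bad, "wb") as fh:
            fh.write(b" " * 512)
        gone = os.path.join(d, "gone")
        return audit({good: "plist", bad: "plist", gone: "binary"})

if __name__ == "__main__":
    for path, state in audit().items():
        print(f"{state:8} {path}")
```

Any state other than `ok` on either file means XProtect's definition updates should be treated as broken until the files are restored.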
The security firm advised users to run virus and malware scans to find the particular infected files and eliminate Flashback.C. It also detailed how to remove a specific entry from two files located within Safari and Firefox .plist files.
Flashback.B, discovered last week, performs a "vmcheck" and aborts itself if virtualised instances of OS X are found. Apple introduced its virtual client capability with the release of Lion earlier this year.
The security firm said at the time that the move was designed to anticipate and hamper researchers’ efforts to use virtualised environments during analysis as the number of Mac-targeted threats continues to grow.
This article originally appeared at itpro.co.uk
Copyright © ITPro, Dennis Publishing
Issue: 315 | May 2013