Flashback OS X malware variant disables XProtect
The latest malware threat for OS X is a minor and obscure Trojan horse of which new versions have been found recently.
The latest malware scam that has been found for OS X is a fairly obscure installer program that is being disguised as an Adobe Flash Player installer. It wasin late September.
This Trojan horse is a minimal threat. It works by installing a payload executable file on the system and then configures environmental variables on the system so that the payload will be launched when certain applications are opened. The payload then communicates with a remote server in an apparent attempt to steal personal information.
The initial version of the malware installed the payload in various locations in the user's home directory, but the Safari and Firefox and launched when these applications were opened. Yesterday, the malware detection team at F-Secure uncovered a third variant of this Trojan, OSX/Flashback.C, which shows the criminals behind this malware are still trying to get a foothold for their scheme., found earlier this month, changed this so the payload was placed in application packages like
The latest revision appears to have been altered slightly so it now targets Apple's XProtect system and disables it by removing the XProtect scanner and updater in addition to depositing its payloads.
As we mentioned in previous coverage of Flashback, revisions like these are expected and do not indicate a sudden rampant increase in malware for OS X systems. To put things in perspective, in the week or two between the discovery of the second variant and this third one there have been nearly 190 new and updated malware programs detected (based on malware definitions from Sophos) for Windows systems.
Also, in order to operate, Flashback still needs you to download it, purposefully open the installer, and provide your password to run so it can make alterations to your system. Therefore, although revisions may bring slightly different behaviors, OS X systems aren't at any greater risk from the new variant.
Additionally, malware like this is usually distributed on underground Websites and peer-to-peer file-sharing services. Therefore, an easy way to avoid it besides avoiding such services is to adopt the habit of never running any program unless you have intentionally and directly downloaded it either from the developer's Web site or from a reputable software distribution site like CNET's Download.com.
This habit is practically all that's needed to avoid any Trojan horse malware on any system.
Like previous variants of Flashback, this one cannot work if you have the reverse firewall Little Snitch installed, which monitors outbound traffic and warns you when a program tries to communicate with a service on the Internet. So far if the malware's installer detects the presence of Little Snitch then it will shut down and not attempt to install on your system, since this program will prevent it from working and provide a quick way of detecting the unwanted server connection attempts.
F-Secure's malware definitions were the first to include the new variant, but others should soon follow suit. Oddly, as of this writing Apple's XProtect malware scanning system has been updated with the ability to catch the first variant of this malware found in late September, but does not have definitions for the second or third; however, Apple's XProtect system is updated daily, so when Apple implements new definitions they will be pushed to users within the following 24 hours.
Again, this malware is very rare and will not affect most Macs out there, but if you suspect one of your Macs has been infected then you can do a rudimentary check on your system by running the following two commands in the Terminal (copy and paste them):
defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment
These commands will read the property list within the applications and check to see if they have been modified to launch other applications when opened. In the output for these commands, if you see text that includes "DYLD_INSERT_LIBRARIES" followed by a path that points to a specific file, then your system has been infected. If you do not see this text output and instead see "The domain/default pair...does not exist," then your system has not been infected.
In the rare event that a system is found to be infected, the simplest method of removing the malware is to delete the program containing it and download it again. This will remove both the payload application and the alterations that cause it to be launched. Safari for OS X is readily available for download from Apple's Web site and Firefox is available from Mozilla's Web site.