Want CNET to notify you of price drops and the latest stories?

Apple issues late XProtect update for Flashback Trojan

Apple has updated its XProtect malware scanner to contend with the second revision of the Flashback malware, though this update comes after a bit of a delay.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.
Topher Kessler
4 min read

As with many modern operating systems, OS X is relatively difficult to infect with self-propagating malware attacks like viruses or worms, so malware developers have resorted to social engineering and trickery, with Trojan horse programs being the main mode of attack on home computer systems.

A Trojan horse is a piece of maliciously crafted software that is disguised as a legitimate software package, but which when installed by an unsuspecting user will corrupt files, break down system security measures, or send personal information to external servers among other malicious activity.

Malware generally is distributed via underground Web sites, though in some cases search engine optimization poisoning has resulted in malware distribution sites becoming prominent in Web search results, as with the "MacDefender" malware and its variants showing up on various popular Web sites like Google and MSN in May of this year.

Flashback malware site errors
Sites that distribute Flashback may show errors similar to this that request you install the Flash update that they provide. Only download Flash directly from Adobe or from a reputable download repository like CNET's Download.com. Intego

The chances that an average user will run into malware on OS X are still very low; however the risk is there and is increasing as more malware makes its way on the scene. To help combat this, Apple has incorporated a feature into OS X called XProtect, which is a rudimentary scanner for newly downloaded files that notifies you if they contain malware.

Unfortunately, as with any malware attempt, when the scanner's definitions are updated criminals will release new variants of the malware, playing a cat-and-mouse game with Apple and other security software developers. Currently there is no new known malware for OS X, but criminals behind one of the newer attacks, called Flashback, have been busy creating new variants of this malware.

Flashback was first found in late September packaged as an installer for the popular Flash Player plug-in. When run, the malware installed a loader into the user's preferences folder. In its second revision (found in late October), the malware changed to inject code into Web browser applications (Safari and Firefox), which would launch the malware when these programs were run. In both cases, when launched the malware attempts to send personal information to remote servers.

Flashback definitions for XProtect
Apple's malware definitions file was updated today to include definitions for OSX/Flashback.B. Screenshot by Topher Kessler

Apple's XProtect definitions were updated to tackle the first Flashback malware (OSX/Flashback.A); however, XProtect was last updated November 1 to include definitions for the DevilRobber malware. Today Apple has updated XProtect again to deal with Flashback--however, despite there being a number of new Flashback variants, today's update only includes definitions for the second release of Flashback (OSX/Flashback.B), which was found about a month ago.

Security company Intego recently reported that the Flashback malware has undergone a number of changes that allow the code to slide past malware detection schemes, even though the behavior of the malware has not changed much. This relatively slow response from Apple is a bit disappointing to see. When the MacDefender malware scam was going on, as MacDefender went through its changes, taking on new names and slight alterations to its mode of delivery, Apple released updates to XProtect within days to combat the changes. However, MacDefender was a more prevalent threat, which may explain the more immediate attention it received from Apple.

XProtect settings in the system preferences
Toggle this option in the Security system preferences to force XProtect to update itself. Screenshot by Topher Kessler

At any rate, the update to XProtect is welcome news. Nevertheless, it would be nice to see Apple tackle malware more quickly to help protect those who do not have third-party malware scanners installed. Systems should be updated automatically within 24 hours, though you can force your computer to update by unchecking and checking the option to automatically update the safe downloads list in Apple's Security system preferences.

Even though the Flashback malware is not very prevalent and getting infected requires the purposeful installation of applications that were not obtained from a legitimate download source, it may still be wise to have an option for scanning for and detecting it, especially if you are uncertain about computing practices that could lead to getting malware on a system.

Recently I took a look at options from Intego, and its VirusBarrier tool is a robust anti-malware option. Other anti-malware tools include iAntiVirus, Kaspersky, Sophos, Norton, and ClamXav, which all should be able to detect these malware developments. If you already have a malware scanner but want additional security, an option--since most Trojan horse attacks attempt to contact external servers--is a reverse firewall that will monitor all outgoing connection attempts.

Intego's VirusBarrier includes a nice reverse firewall, and the tool Little Snitch is another robust reverse firewall option. Recent versions of Flashback and DevilRobber have just canceled their installations on detecting the presence of Little Snitch, suggesting that its mere presence is at times enough to thwart malware attacks.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.