
Flashback OS X malware variant disables XProtect

The latest malware threat for OS X is a minor and obscure Trojan horse, of which new variants keep being found.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

The latest malware scam found for OS X is a fairly obscure installer program disguised as an Adobe Flash Player installer. It was first discovered in late September.

This Trojan horse is a minimal threat. It installs a payload on the system and then sets environment variables in the launch configuration of certain applications so that the payload (a library loaded through the DYLD_INSERT_LIBRARIES variable) is pulled into those applications whenever they are opened. The payload then communicates with a remote server in an apparent attempt to steal personal information.

The initial version of the malware installed the payload in various locations in the user's home directory, but the second revision, found earlier this month, changed this so the payload was placed inside the application bundles of Safari and Firefox and loaded when those applications were opened. Yesterday, the malware detection team at F-Secure uncovered a third variant of this Trojan, OSX/Flashback.C, which shows the criminals behind this malware are still trying to get a foothold for their scheme.

The Flashback installer looks like the upper window above, whereas the official Adobe Flash installer looks like the lower window. Intego and CNET

The latest revision appears to have been altered only slightly: in addition to depositing its payloads, it now targets Apple's XProtect system and disables it by removing both the XProtect scanner and its updater.

As we mentioned in previous coverage of Flashback, revisions like these are expected and do not indicate a sudden rampant increase in malware for OS X. To put things in perspective, in the week or two between the discovery of the second variant and this third one, nearly 190 new and updated malware programs were detected for Windows (based on Sophos' malware definitions).

Also, in order to operate, Flashback still needs you to download it, deliberately open the installer, and provide your administrator password so it can alter your system. Therefore, although revisions may bring slightly different behaviors, OS X systems aren't at any greater risk from the new variant.

Additionally, malware like this is usually distributed on underground Web sites and peer-to-peer file-sharing services. Therefore, besides avoiding such services, an easy way to avoid it is to adopt the habit of never running any program unless you have intentionally and directly downloaded it, either from the developer's Web site or from a reputable software distribution site like CNET's Download.com.

This habit is practically all that's needed to avoid any Trojan horse malware on any system.

Like previous variants of Flashback, this one will not run if you have the reverse firewall Little Snitch installed. Little Snitch monitors outbound traffic and warns you when a program tries to communicate with a service on the Internet; so far, if the malware's installer detects it, the installer quits without installing anything, since Little Snitch would both block the payload's server connections and make the attempts easy to spot.

F-Secure's malware definitions were the first to include the new variant, but others should soon follow suit. Oddly, as of this writing Apple's XProtect malware scanner has definitions for the first variant found in late September but none for the second or third. XProtect checks for new definitions daily, so once Apple adds them they should reach users within the following 24 hours. Note, however, that a system already infected by the third variant has had its XProtect updater removed and will not receive those definitions until XProtect is restored.

Again, this malware is very rare and will not affect most Macs out there, but if you suspect one of your Macs has been infected then you can do a rudimentary check on your system by running the following two commands in the Terminal (copy and paste them):

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

These commands read the LSEnvironment entry in each application's property list, which is where the malware adds the variables that make the application load its payload. If the output contains "DYLD_INSERT_LIBRARIES" followed by a path to a specific file, that application has been modified to load the file at launch and your system has been infected. If instead you see "The domain/default pair...does not exist," the application has no LSEnvironment entry and has not been tampered with. Keep in mind that these two commands check only the two applications the later variants are known to target; the first variant placed its files in the user's home directory instead.

OS X Terminal: when the commands are run, if you see this output then your system is not infected. Screenshot by Topher Kessler
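The two `defaults read` commands above cover only Safari and Firefox. The following script is an added example, not code from the original article or from any vendor, that generalizes the same check to every .app bundle in a folder: it reads each bundle's Contents/Info.plist with Python's standard plistlib (which handles both XML and binary property lists) and reports any DYLD_* variable found under LSEnvironment. DYLD_INSERT_LIBRARIES is the indicator described in the article; flagging the other DYLD_* variables as well is a broadening of that check. The sample bundles built by build_sample_tree() and the payload path inside them are constructed for illustration; on a Mac you would run scan_directory("/Applications") instead.

```python
#!/usr/bin/env python3
"""Scan application bundles for libraries injected through LSEnvironment.

Added example (not code from the original article). Each .app bundle's
Contents/Info.plist is read with plistlib and any DYLD_* variable under
its LSEnvironment dictionary is reported. The sample tree created by
build_sample_tree() is constructed; the payload path in it is hypothetical.
"""
import os
import plistlib
import tempfile

# DYLD_INSERT_LIBRARIES is the variable the article describes; other DYLD_*
# variables are flagged too, since they can redirect library loading as well.
SUSPECT_PREFIX = "DYLD_"


def read_ls_environment(info_plist_path):
    """Return the LSEnvironment dictionary from an Info.plist, or {} if absent."""
    with open(info_plist_path, "rb") as fh:
        info = plistlib.load(fh)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return {}
    return {str(key): str(value) for key, value in env.items()}


def scan_bundle(app_path):
    """Return a sorted list of (variable, value) pairs that inject libraries.

    Returns None when app_path is not a bundle with a readable Info.plist.
    """
    info_plist = os.path.join(app_path, "Contents", "Info.plist")
    if not os.path.isfile(info_plist):
        return None
    try:
        env = read_ls_environment(info_plist)
    except (plistlib.InvalidFileException, ValueError):
        return None
    return sorted(
        (key, value) for key, value in env.items() if key.startswith(SUSPECT_PREFIX)
    )


def scan_directory(apps_dir):
    """Map each .app bundle name under apps_dir to its suspicious entries."""
    results = {}
    for name in sorted(os.listdir(apps_dir)):
        if name.endswith(".app"):
            findings = scan_bundle(os.path.join(apps_dir, name))
            if findings is not None:
                results[name] = findings
    return results


def infected_bundles(results):
    """Names of the bundles whose LSEnvironment injects a library."""
    return sorted(name for name, findings in results.items() if findings)


def build_sample_tree():
    """Constructed sample: a clean Safari bundle and a tampered Firefox bundle."""
    root = tempfile.mkdtemp(prefix="flashback-check-")

    def make_app(name, info):
        contents = os.path.join(root, name, "Contents")
        os.makedirs(contents)
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)

    make_app("Safari.app", {"CFBundleIdentifier": "com.apple.Safari"})
    # Hypothetical payload path, modelled on the second variant's habit of
    # hiding its library inside the browser's own bundle.
    make_app("Firefox.app", {
        "CFBundleIdentifier": "org.mozilla.firefox",
        "LSEnvironment": {
            "DYLD_INSERT_LIBRARIES":
                "/Applications/Firefox.app/Contents/Resources/.payload.dylib",
        },
    })
    return root


if __name__ == "__main__":
    # On a Mac, point this at the real folder: scan_directory("/Applications").
    target = "/Applications" if os.path.isdir("/Applications") else build_sample_tree()
    results = scan_directory(target)
    for name, findings in results.items():
        print(f"{name:40s} {'INFECTED' if findings else 'clean'}")
        for key, value in findings:
            print(f"    {key}={value}")
    print("Infected bundles:", infected_bundles(results) or "none")
```

A bundle that simply has no LSEnvironment key yields an empty list, which matches the "does not exist" result of the `defaults read` commands; a bundle whose Info.plist is missing or unreadable is reported as None rather than as clean, so a scan that silently skipped a tampered application would still be visible in the output.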

In the rare event that a system is found to be infected, the simplest method of removing the malware from the affected application is to delete the program containing it and download it again. This replaces both the payload placed inside the bundle and the altered property list that caused it to be loaded. Safari for OS X is readily available for download from Apple's Web site and Firefox is available from Mozilla's Web site. Reinstalling the browser does not, however, undo the third variant's removal of XProtect, so after cleaning up a system infected by that variant you should also confirm that Apple's XProtect scanner and updater are present and receiving definitions again.
