Trojan disables Mac OS XProtect

Posted by Trent Nouveau

Security researchers have positively identified an evolving trojan that disables the automatic updater component of XProtect, Apple's built-in OS X anti-malware app.



According to F-Secure, Flashback.C - which poses as an update to Adobe Flash - first decrypts the paths of XProtectUpdater files that are hardcoded in its body. 



This action wipes out certain files, effectively preventing XProtect from automatically receiving future updates.
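As an added defender-side example (not code from the article, F-Secure or Sophos): a POSIX shell check an administrator could run to confirm that the XProtect updater component is still present and that the definition files are not stale. The file paths are assumptions based on the OS X 10.6/10.7-era layout, not values given in the article.

```shell
#!/bin/sh
# Added example: integrity check for the XProtect updater component.
# The paths below are assumptions about the OS X layout of that era,
# not taken from the article; adjust them for the release you manage.
XPROTECT_FILES="
/usr/libexec/XProtectUpdater
/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
"

# Returns 0 when every updater file exists under ROOT (default: /),
# 1 otherwise; each missing file is named on stdout for log collection.
xprotect_check() {
    root="${1:-}"
    missing=0
    for f in $XPROTECT_FILES; do
        if [ ! -e "$root$f" ]; then
            echo "MISSING: $root$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Returns 0 when the definition metadata was modified within MAX_DAYS
# (default 30); a stale file is the symptom left once the updater is gone.
xprotect_defs_fresh() {
    root="${1:-}"
    max_days="${2:-30}"
    meta="$root/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"
    [ -e "$meta" ] || { echo "MISSING: $meta"; return 1; }
    if [ -n "$(find "$meta" -mtime +"$max_days" 2>/dev/null)" ]; then
        echo "STALE: $meta is older than $max_days days"
        return 1
    fi
    return 0
}
```

Run `xprotect_check && xprotect_defs_fresh` from a root shell on the managed machine; pass a different root directory to test against a mounted image.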



"Attempting to disable system defenses is a very common tactic for malware," explained Brod of F-Secure.

"Built-in defenses are naturally going to be the first target on any computing platform."



Meanwhile, Sophos security expert Graham Cluley warned that many OS X users are failing to protect themselves from the growing threat of Mac-based malware, despite a marked increase in trojans over the past 12 months.

"The fact that Mac malware is now being written to prevent XProtect from updating itself with new security definitions underlines that cybercriminals are keen to infect Apple computers because of the potential financial rewards," he opined.

"Clearly the Mac malware authors are not resting on their laurels. Maybe if you have a Mac you shouldn't be too laid back about the genuine threat that exists also?"

Although Sophos's Mac anti-virus products have detected Flashback.C as a member of the OSX/FlshPlyr malware family since October 12th, Apple's integrated XProtect isn't (yet) detecting the latest iteration of the Trojan.