Flashback Trojan Now Disabling Mac XProtect

Mac-based malware is still a relatively rare occurrence when compared to the flood of malicious programs aimed at Windows. But it appears that the attackers creating the more recent Mac malware either have experience writing Windows-based malware or are simply paying close attention to what has been working for Windows malware all these years. The latest evidence of this is the discovery that the Flashback Mac Trojan can overwrite the Mac’s built-in anti-malware component and prevent it from updating.


Windows-based malware variants have been using similar tactics for a long time now. In many cases, one of the first things that a piece of malware does once it’s on a new machine is to check for running anti-malware programs and attempt to either kill those processes or find another way to disable them. It’s a simple technique, but if successful, it can at least buy the malware a little bit of time on the machine to do its work before the anti-malware system or a sharp user discovers its presence.

Now, researchers have found that a recently discovered piece of Mac malware known as the Flashback Trojan is using a similar technique to hamper the XProtect anti-malware system that’s included in newer versions of OS X. Once resident on a newly infected Mac, the Flashback malware will decrypt a specific XProtect file and then decrypt the path of the XProtectUpdater binary, according to an analysis by researchers at F-Secure. The next step is for Flashback to unload the XProtectUpdater daemon and then overwrite certain components.

“The action described above wipes out certain files, thus preventing XProtect from automatically receiving future updates,” the analysis says.
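A defender-side check for the kind of tampering described above, added here as an illustration and not taken from F-Secure's analysis: it compares a recorded baseline of the updater's files against their current hashes and confirms that the updater's launchd job is still loaded. The file names and the launchd label are assumptions from memory of OS X 10.7 rather than values given in the article, and the demo runs against constructed temporary files so it works on any platform.

```python
"""Detect an anti-malware updater being disabled: definition files overwritten
or removed, and the updater daemon no longer loaded in launchd."""
import hashlib
import os
import subprocess
import tempfile

UPDATER_LABEL = "com.apple.xprotectupdater"  # assumed launchd label, not from the article


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files(baseline):
    """Return (path, status) for every baseline file that is missing or changed."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != expected:
            findings.append((path, "modified"))
    return findings


def loaded_launchd_labels():
    """Labels of jobs currently known to launchd (only meaningful on macOS)."""
    out = subprocess.run(["launchctl", "list"], capture_output=True, text=True, check=True).stdout
    return {line.split("\t")[-1] for line in out.splitlines()[1:]}  # skip header


def audit(baseline, label, loaded_labels):
    """File findings plus a finding if the updater job has been unloaded."""
    findings = check_files(baseline)
    if label not in loaded_labels:
        findings.append((label, "not loaded"))
    return findings


def demo():
    """Constructed scenario: take a baseline, then simulate the tampering
    (one definition file overwritten, the updater binary removed, job unloaded)."""
    d = tempfile.mkdtemp()
    names = ("XProtect.meta.plist", "XProtect.plist", "XProtectUpdater")  # assumed names
    paths = [os.path.join(d, n) for n in names]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"known-good contents of " + os.path.basename(p).encode())
    baseline = {p: sha256_of(p) for p in paths}
    with open(paths[0], "wb") as f:
        f.write(b"attacker-controlled contents")  # definitions overwritten
    os.remove(paths[2])  # updater binary wiped
    loaded = {"com.apple.syslogd"}  # constructed launchctl result; updater label absent
    return audit(baseline, UPDATER_LABEL, loaded)
```

On a real system, replace the constructed paths and `loaded` set with a baseline recorded from a known-good machine and the output of `loaded_launchd_labels()`.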

This is the latest example of Mac-based malware taking on some of the more successful ploys of traditional Windows malware. Last month researchers at F-Secure also found that the Imuler Trojan was being spread through malicious PDFs, a common infection mechanism in the Windows world.
