Flashback Trojan Horse: New Variants with New Features


A security firm has published some information on a new variant of the Flashback Trojan horse, which Intego discovered in September. The variant that firm calls Flashback.C is the one Intego spotted a week ago and named Flashback.D. (It is not uncommon for different security companies to name variants differently; we may have more variants than other companies.)

Some of the information published about this variant is interesting, notably the fact that it can disable Apple’s XProtect malware detection system. To disable XProtect, the Trojan horse overwrites certain files (notably the info.plist file for the XProtectUpdater daemon, which prevents Mac OS X from receiving updates to XProtect’s definitions), which means that VirusBarrier X6 cannot repair the damage. (To repair it, VirusBarrier X6 would need to re-install a new version of the file; the program cannot simply undo the changes, since the file is overwritten entirely.)

Some companies have published instructions for manually removing this malware, but it is important to note that such instructions only cover removing the code added to the Safari or Firefox web browsers; given the damage done to the XProtect system, manual repair is impossible. (It is technically possible to recover the XProtect file from a backup if a user has cloned their startup volume, for example with Intego Personal Backup, which is part of Internet Security Barrier, or has made a full system backup with Apple’s Time Machine; this entails restoring the /usr/libexec/XProtectUpdater daemon. Users should be very careful if they do this manually rather than using the restoration function of Personal Backup or Time Machine, because incorrect permissions on the restored file can prevent the daemon from functioning.)
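The post warns that a manually restored XProtectUpdater can fail because of wrong permissions, and that the malware overwrites the daemon's plist wholesale. The following is an added example (not Intego's, Apple's, or the post's own code) of a post-restore check a defender could run: it verifies that the daemon and its plist exist, are owned by the expected user, are not group- or world-writable, that the daemon has its execute bit, and that the plist still parses and still points at `/usr/libexec/XProtectUpdater`. The daemon path comes from the post; the plist location is a placeholder (the post does not name it), the launchd-style `ProgramArguments` layout is an assumption, and `build_sample` writes constructed stand-in files so the check can be exercised offline.

```python
"""Post-restore integrity check for the XProtectUpdater daemon and its plist.

Added example, not code from the post or from Intego/Apple. Assumptions:
the plist is launchd-style (ProgramArguments[0] is the daemon path) and
PLIST_PATH is a placeholder because the post never names the real file.
"""
import os
import plistlib
import stat
import tempfile

DAEMON_PATH = "/usr/libexec/XProtectUpdater"                # named in the post
PLIST_PATH = "/PLACEHOLDER/path/to/XProtectUpdater.plist"   # assumption, not from the post


def check_daemon_files(daemon_path=DAEMON_PATH, plist_path=PLIST_PATH, expected_uid=0):
    """Return a list of problems; an empty list means both files look intact.

    Checks: file present, owner uid as expected (root on a real system), no
    group/world write bit, daemon has its owner execute bit, plist parses,
    plist launches the daemon, and the daemon is not marked Disabled.
    """
    problems = []
    for path in (daemon_path, plist_path):
        if not os.path.isfile(path):
            problems.append(f"missing: {path}")
            continue
        st = os.stat(path)
        if st.st_uid != expected_uid:
            problems.append(f"unexpected owner uid {st.st_uid}: {path}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"group/world writable: {path}")

    if os.path.isfile(daemon_path) and not os.stat(daemon_path).st_mode & stat.S_IXUSR:
        problems.append(f"owner execute bit missing: {daemon_path}")

    if os.path.isfile(plist_path):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # a wholesale-overwritten file will not parse
            problems.append(f"unparseable plist: {plist_path} ({type(exc).__name__})")
        else:
            args = data.get("ProgramArguments") or []
            if not args or args[0] != daemon_path:
                problems.append(f"plist does not launch {daemon_path}: {args}")
            if data.get("Disabled") is True:
                problems.append(f"daemon marked Disabled in {plist_path}")
    return problems


def build_sample(root, tampered=False):
    """Write a constructed stand-in daemon and plist under root (not real Apple files).

    tampered=True mimics what the post describes: the plist is overwritten
    entirely with non-plist content and left writable by everyone.
    """
    daemon = os.path.join(root, "XProtectUpdater")
    plist = os.path.join(root, "XProtectUpdater.plist")
    with open(daemon, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")  # constructed stand-in for the real binary
    os.chmod(daemon, 0o755)
    with open(plist, "wb") as fh:
        if tampered:
            fh.write(b"overwritten\n")  # constructed filler, not a real payload
        else:
            plistlib.dump({"Label": "com.example.xprotectupdater",  # constructed label
                           "ProgramArguments": [daemon]}, fh)
    os.chmod(plist, 0o666 if tampered else 0o644)
    return daemon, plist


def run_demo():
    """Check an intact and a tampered sample; return {label: problems}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, tampered in (("intact", False), ("tampered", True)):
            sub = os.path.join(tmp, label)
            os.makedirs(sub)
            daemon, plist = build_sample(sub, tampered)
            # Samples are owned by the current user, so expect that uid here;
            # on a real system pass expected_uid=0 (root).
            results[label] = check_daemon_files(daemon, plist, os.getuid())
    return results


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(label, problems or "no problems found")
```

On a real Mac the call would be `check_daemon_files()` with the default `expected_uid=0` after replacing `PLIST_PATH` with the actual plist location; the demo keeps `expected_uid` equal to the current user only because the constructed samples are not root-owned. An empty result is a necessary, not sufficient, sign of a good restore: it does not compare the daemon against a known-good hash, which a clone or Time Machine restore from before the infection would be the place to obtain.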

This is the first malware affecting Mac OS X that we have seen intentionally damage system files. Because of this, repairing the damage can be very time-consuming. Even with appropriate, up-to-date backups, it still takes time to restore the operating system. In the Windows world, the most common way of dealing with this type of file corruption is to re-install the entire operating system. We hope Mac malware does not adopt similar techniques in the future that would require a full installation of Mac OS X to repair the damage. Of course, it is wise to protect one’s Mac with antivirus software so that such damage does not occur in the first place.

Since Intego discovered this variant of the Flashback Trojan horse, the command and control servers that the malware contacts had been inoperable. However, now that this Trojan horse is in the news again, these servers have come back to life: Intego has seen activity today, with the servers sending updates to installed copies of the malware.

Intego VirusBarrier X6, with malware definitions dated October 13, 2011, or later, detects and blocks this malware.