F-Secure continue to put out useful Mac-related blog articles: today they’ve flagged what looks like another instance of malware authors targeting users of Apple platforms using techniques that mirror approaches tried and tested over years of attacks on Windows users.
This time, it’s the well-worn technique of disabling updating functionality in the system or in protective software, and the target is XProtect, the minimalist anti-malware application that Apple has been using to protect its users from a selection of OS X-specific malware. By unloading the XProtectUpdater daemon and overwriting its files, it removes XProtect’s ability to download updated signatures, if you’ll excuse my use of the “s” word, thus going some way to hiding itself from any future updates that would lead to its detection.
This is rather close to the concept of the retrovirus as used in computer virology, though of course Flashback isn’t a virus. But compare the definition used by Mikko Hypponen in the paper I’ve just cited: “Retrovirus is a computer virus that specifically tries to by-pass or hinder the operation of an anti-virus program or programs. The attack may be specific to a known product or a generic one.”
Since Apple essentially retains control of the system updating mechanism, it shouldn’t be too difficult to take account this defensive measure (and of course, mainstream AV should detect it anyway), but it shows a continuing willingness – and ability – to translate old techniques to a relatively new platform, in terms of malware prevalence.
David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN/Mac Virus