We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Flashback targets XProtect

Published October 20th, 2011 at 9:51 AM EDT , modified March 5th, 2013 at 2:18 PM EST

Security firm F-Secure reported yesterday on a new variant of Flashback that targets the built-in malware protection in Mac OS X.  Apparently, this variant deletes and overwrites the XProtectUpdater process, which is responsible for keeping the XProtect malware definitions up-to-date.  This means that, if you get infected, repairing the damage becomes more difficult.  Even if you remove the malware, XProtect will have been crippled, making it easier for you to be infected by other malware in the future.

Of course, this does not change the fact that you can avoid this malware easily by simply never downloading a Flash update from anywhere but Adobe’s web site.  In addition, this variant is evidently not that new.  Intego responds that they spotted this variant a week ago.  (Amusingly, they take a slightly snarky tone in saying they’d already spotted this, and yet their report said nothing about the disabling of XProtect.)

Since this variant isn’t actually new, as of the F-Secure report, it’s possible this malware has already made it into the XProtect definitions.  (Due to the naming inconsistency between security companies, mentioned by Intego, it’s hard to be sure.)  If that is the case, anyone using a browser that supports Quarantine is already protected, though of course the bigger danger would be that a new variant would be able to sneak past XProtect and then disable it.

If you believe that you have been infected and that XProtect has been disabled, there is probably no reliable way to recover manually.  The best choice would be to reinstall your system.  There is no need to erase the hard drive first, just install your system over the existing system, and any removed or damaged files will be replaced.  Of course, before doing this, you will want to be sure to remove Flashback.

Tags: , , , , ,

This post is more than 90 days old and has been locked. No further comments are allowed.