Wilders Security Forums  

#1
October 19th, 2011, 03:58 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Mac trojan "decimates" built-in OSX Security

Quote:
According to F-Secure, after users enter their admin passwords into the fake Flash installer, Flashback.C decrypts the paths within XProtectUpdater and proceeds to unload the XProtectUpdater daemon. After that, the malware overwrites the files with an empty space, decimating key files that XProtect needs in order to receive regular updates from Apple.

...

There is a way to remove Flashback.C, though it involves running a virus/malware scanner in order to find infected files.

http://arstechnica.com/apple/news/20...rotections.ars

I guess it was bound to happen eventually?
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
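The quoted F-Secure description boils down to two observable effects: the XProtectUpdater launchd job is unloaded, and the files it depends on are overwritten with empty content. The script below is an added defender-side integrity check (not from the thread, F-Secure or Apple); the file paths are an assumption based on the OS X 10.6/10.7 layout of the period and should be adjusted for the system being checked.

```sh
#!/bin/sh
# Added example: verify that the XProtect components described in the thread
# are present, non-empty, and (on macOS) still loaded by launchd.
# ASSUMPTION: these paths follow the OS X 10.6/10.7 layout; adjust as needed.
XPROTECT_FILES="
/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
/usr/libexec/XProtectUpdater
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
"

# check_files PATH...
# Prints one line per problem and returns 0 only when every path exists and
# has a size greater than zero. A zero-byte file is exactly what "overwrites
# the files with an empty space" leaves behind, so -s (non-empty) is the
# test that matters, not mere existence.
check_files() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$f"
            rc=1
        elif [ ! -s "$f" ]; then
            printf 'EMPTY %s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# check_daemon LABEL
# Returns 0 if launchd lists the job, 1 if it is unloaded, 2 if launchctl
# is not available (non-macOS host), so the file check can still run anywhere.
check_daemon() {
    if ! command -v launchctl >/dev/null 2>&1; then
        printf 'SKIPPED launchctl not available\n'
        return 2
    fi
    launchctl list | grep -q "$1"
}

# Stand-alone run: only attempt the real check when the updater binary exists.
if [ -e /usr/libexec/XProtectUpdater ]; then
    check_files $XPROTECT_FILES && check_daemon com.apple.xprotectupdater \
        && printf 'XProtect components present and loaded\n'
fi
```

Run it periodically (for example from a root cron job) and alert on any MISSING or EMPTY line; a definitions update cannot restore files that are gone, so detecting the wipe early is the useful signal.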
#2
October 19th, 2011, 04:03 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Mac trojan "decimates" built-in OSX Security

Quote:
after users enter their admin passwords into the fake Flash installer
Ehh, hardly decimates their security if it still needs user permission to run.
#3
October 19th, 2011, 04:26 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Re: Mac trojan "decimates" built-in OSX Security

Quote:
Originally Posted by Hungry Man
Ehh, hardly decimates their security if it still needs user permission to run.

Err, the same could be said about a user entering a UAC password to elevate, makes no difference.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#4
October 19th, 2011, 04:29 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Mac trojan "decimates" built-in OSX Security

Yes. And if a program requires UAC to elevate I would hardly say it's "decimated" Microsoft's security.

Bypassing it via social engineering, sure. Decimating? Hardly.

Though I would say that bypassing the win7 default UAC level is "decimating", except that I'd probably not say decimating since it isn't quite reducing it to 1/10th of the size =p but that's not the point.
#5
October 19th, 2011, 04:30 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Re: Mac trojan "decimates" built-in OSX Security

You clearly only read the first sentence of the article, and not what the Trojan does after it's installed. Please read it, it's even in my quote.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#6
October 19th, 2011, 04:35 PM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,447
Re: Mac trojan "decimates" built-in OSX Security

HM, this is what "decimates" implies...

Quote:
...decrypts the paths within XProtectUpdater and proceeds to unload the XProtectUpdater daemon. After that, the malware overwrites the files with an empty space, decimating key files that XProtect needs in order to receive regular updates from Apple.
#7
October 19th, 2011, 04:35 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Mac trojan "decimates" built-in OSX Security

Yeah, great. My only point is that they shouldn't say it's bypassing the system security if it's literally not bypassing the system security. Yeah, once it gets admin it gets full reign. But it needs to get admin.

It removes the XProtect function of updating the system against malware. But it's hardly bypassing the system's security. It can only do this once the user allows it to.

Yeah, it's pretty bad. No, Apple's built-in OSX security is not decimated.
#8
October 19th, 2011, 04:36 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Mac trojan "decimates" built-in OSX Security

Quote:
Originally Posted by m00nbl00d
HM, this is what "decimates" implies...
I'm not saying it doesn't do this lol I'm just saying it's hardly super impressive that a program with admin access turns off the security. And it's hardly bypassing the security, it first has to be installed.
#9
October 19th, 2011, 04:44 PM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,447
Re: Mac trojan "decimates" built-in OSX Security

Quote:
Originally Posted by Hungry Man
I'm not saying it doesn't do this lol I'm just saying it's hardly super impressive that a program with admin access turns off the security. And it's hardly bypassing the security, it first has to be installed.

OK. I misunderstood your post. Somehow, I believed you didn't realize the part I quoted.

But, yes, you're right. I'd consider the security to be decimated, if the user wouldn't have to give administrator rights. Once given... You're the weakest link. Goodbye!
#10
October 19th, 2011, 04:44 PM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,991
Re: Mac trojan "decimates" built-in OSX Security

Quote:
Originally Posted by Hungry Man
My only point is that they shouldn't say it's bypassing the system security if it's literally not bypassing the system security.

It clearly is bypassing security (completely ignoring the social engineering part): not only does it unload it from its active state, it completely wipes it off the drive, from existence. Something AVs these days call "self-defence", I guess.

The funny part (which you've clearly missed) is the fact that you need an AV to locate and fix the affected files, something you're "not supposed to need for a mac". Even after this, you're left without XProtect on your mac.

This is a prime example of the "evolution" of mac malware, because a simple "definitions" update cannot fix this, as the service is completely gone, uninstalled. You'd need an update which in essence reinstalls the service, are they going to do that every month just in case someone is infected?
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#11
October 19th, 2011, 04:47 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Mac trojan "decimates" built-in OSX Security

So let me ask you... if I get a little popup from Comodo sandboxing a virus and I say "don't sandbox again" and then I run it again and the virus turns Comodo off... do you think Comodo was bypassed?

Quote:
This is a prime example of the "evolution" of mac malware, because a simple "definitions" update cannot fix this, as the service is completely gone, uninstalled.
A definitions update would prevent it from installing. The only time this program can "decimate" the security is after it's already been given admin rights by the user.

No, I did not miss that. I just didn't mention it.

In my opinion the built-in security was not broken through, it was allowed through, and then the malware protected itself by shutting down and removing a service.
#12
October 21st, 2011, 06:40 AM
PJC
Very Frequent Poster
Join Date: Feb 2010
Location: Internet
Posts: 2,962

http://www.f-secure.com/weblog/archives/00002256.html
#13
October 21st, 2011, 06:38 PM
J_L
Massive Poster
Join Date: Nov 2009
Posts: 4,820
Re: Mac trojan "decimates" built-in OSX Security

Does it work on Lion?
#14
October 24th, 2011, 02:21 AM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,125
Re: Mac trojan "decimates" built-in OSX Security

More on Mac malware
#15
October 26th, 2011, 04:50 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,125
Re: Mac trojan "decimates" built-in OSX Security

Tsunami Trojan: First Mac attack based on Linux crack

Slips in Mac OS X backdoor, phones home

Quote:
Malware writers have derived a new Trojan for Mac OS X by porting an older Linux backdoor Trojan horse onto another platform.

The newly discovered Tsunami Trojan is derived from an earlier Linux-infecting backdoor Trojan, called Kaiten, which phoned home from infected machines to an IRC channel for further instructions. Security firms are still in the process of analysing Tsunami but early speculation suggests it may be a DDoS attack tool.
Full article, more from Sophos, ESET and arstechnica, add breaking news link from ESET

Last edited by siljaline : October 26th, 2011 at 09:18 PM. Reason: Add Link