On Wednesday, a Russian antivirus firm announced that over 600,000 Macs were infected with the Flashback trojan, exploiting a Java vulnerability to create the first significant malware infection in OS X history.
If you’re running a botnet, the goal is to avoid detection for as long as possible. Flashback took an interesting approach to hiding itself — if one of several popular antivirus or monitoring tools is detected, it immediately deletes itself. Merely installing a utility like Avast, Clam Antivirus, Little Snitch or HTTP Scoop was enough to protect you, even if you didn’t keep them running.
Funnily enough, major commercial antivirus utilities like Norton Antivirus, McAfee VirusScan, and F-Secure weren’t included in the blacklist. It seems the Flashback authors aren’t afraid of the effectiveness of those utilities or, maybe, of the technical expertise of their customers.
From the threat description:
On execution, the malware checks if the following paths exist in the system:
If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.
Note the presence of Xcode, Apple’s IDE for Mac and iOS development. To a virus author, the presence of development tools like Xcode is a perfect indicator of a tech-savvy user… the kind of person most likely to detect your work.
If you want to stay safe, or see if you were infected, Macworld has the best roundup.