Flashback Trojan Creators Scared of Xcode, But Not Norton Antivirus

On Wednesday, a Russian antivirus firm announced that over 600,000 Macs were infected with the Flashback trojan, exploiting a Java vulnerability to create the first significant malware infection in OS X history.

If you’re running a botnet, the goal is to avoid detection for as long as possible. Flashback took an interesting approach to hiding itself — if one of several popular antivirus or monitoring tools is detected, it immediately deletes itself. Merely installing a utility like Avast, Clam Antivirus, Little Snitch or HTTP Scoop was enough to protect you, even if you didn’t keep them running.

Funny enough, major commercial antivirus utilities like Norton Antivirus, McAfee VirusScan, and F-Secure weren’t included in the blacklist. It seems the Flashback authors aren’t afraid of the effectiveness of those utilities or, maybe, the technical expertise of their customers.

From the threat description:

On execution, the malware checks if the following path exists in the system:

/Library/Little Snitch

/Developer/Applications/Xcode.app/Contents/MacOS/Xcode

/Applications/VirusBarrier X6.app

/Applications/iAntiVirus/iAntiVirus.app

/Applications/avast!.app

/Applications/ClamXav.app

/Applications/HTTPScoop.app

/Applications/Packet Peeper.app

If any of these are found, the malware will skip the rest of its routine and proceed to delete itself.

Note the presence of Xcode, Apple’s IDE for Mac and iOS development. To a virus author, the presence of development tools like Xcode is a perfect indicator of a tech-savvy user… the kind of person most likely to detect your work.

If you want to stay safe, or see if you were infected, Macworld has the best roundup.

5 thoughts on “Flashback Trojan Creators Scared of Xcode, But Not Norton Antivirus

  1. So basically as on needs to do is keep their Mac OS up-to-date and install XCode which is free from the app store if you run Mac OS X Lion 🙂

  2. Just create the directory(ies): /Developer/Applications/Xcode.app/Contents/MacOS/Xcode

  3. We try to warn people that NO system is 100% safe from malicious exploits and intrusions, not even Macintoshes. Interesting that the presence of X-Code Tools will “discourage” the Trojan. I have X-Code tools because I use Macports to install and maintain UNIX utilities on my Macbook.

Comments are closed.