This Trojan poses as a Flash Player installer. It requires an administrator password before it continues the installation.
It connects to a link to download additional installation and configuration files. However, as of this writing, site is inaccessible.
It restarts any instances of Safari.
It disables the Xprotect, an antimalware system built in to recent releases of Mac OS X. It unloads the XProtectUpdater daemon then modifies files by deleting their contents.
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
File size: 147,614 bytes
File type: Other
Initial samples received date: 20 Oct 2011
Payload: Downloads files
Arrival Details
This Trojan may be unknowingly downloaded by a user while visiting malicious websites.
It may be downloaded from the following remote sites:
- http://{BLOCKED}pdatemanager.org/FlashPlayer-11-4-macos.zip
- http://{BLOCKED}pdatemanager.org/flashplugin/4ff
NOTES:
This malware poses as a Flash Player installer:
It requires an administrator password before it continues the installation.
This malware checks if the following file is present on the system:
- /Library/Little Snitch/lsd
Little Snitch is a firewall software for outgoing internet connections for Mac OS X.
If the said file is present, the malware stops the installation and deletes itself. If not, it proceeds with its installation.
It connects to the following links to download additional installation and configuration files:
- http://{BLOCKED}.43.31//counter/{hex}
- http://{BLOCKED}.com/counter/{hex}
However, as of this writing, the said sites are inaccessible.
It restarts any instances of Safari.
This malware disables the Xprotect, an anti-malware system built in to recent releases of Mac OS X. It unloads the XProtectUpdater daemon then modifies the following files by deleting their contents:
- /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist
- /usr/libexec/XProtectUpdater
Connect with us on
| | | |