
New Mac OS X malware disables Apple's malware protection - ghurlman
http://www.zdnet.com/blog/security/new-mac-os-x-malware-disables-apples-malware-protection/9665
======
bradleyland
This is HN. Can we skip the blogspam and link directly to F-Secure? There is
nothing of value in the blog post.

Actual content:

<http://www.f-secure.com/weblog/archives/00002256.html>

It's important to note that this is a trojan virus, which means the user must
download and run it. It would be far more significant if this were a drive-by
attack.

One interesting item I noticed in the information about the trojan itself is
this bit:

===QUOTE===

On installation, the installer first checks if the following file is found in
the system:

* /Library/Little Snitch/lsd

Little Snitch is a firewall program for Mac OS X. If the program is found, the
installer will skip the rest of its routine and proceed to delete itself.

===QUOTE===

So if you're running Little Snitch, this trojan deletes itself. Effective.

~~~
guns
That's interesting. I love Little Snitch; there's no parallel in the Linux
world, sadly, and I miss it when I'm configuring outbound firewall rules on my
Arch box.

However, I think the trojan is giving up a little easily. Little Snitch has a
checkbox titled "Prevent Rule Editing" that is unchecked by default, which
implies that a process with the same privileges as the logged-in user can
create its own "allow" rule through a little bit of AppleScript (or whatever
else).

------
brudgers
Original Source:

<http://www.f-secure.com/weblog/archives/00002256.html>

------
stephenr
This requires the user to download the malware and install it; the only way
this happens is if people are stupid enough to install Flash Player from
somewhere other than Adobe.com.

~~~
RexRollman
Something like this would probably never infect any of us, but I know quite a
few people who will install anything from anywhere.