Site icon The Mac Security Blog

Apple Updates XProtect Malware Definitions for NetWeirdRC

Apple has updated its XProtect malware definitions file to version 2082 to provide rudimentary protection against certain Mac threats. This update detects two malware variants, which XProtect identifies as OSX.Netwire.A and OSX.Bundlore.B. Additionally, Apple updated the Plugin Black List to essentially ban out-of-date Flash Player versions prior to Adobe Flash Player 23.0.0.162.

A backdoor called OSX/NetWeirdRC, which XProtect detects as OSX.Netwire.A, is a remote access tool that affects OS X (versions 10.6 and higher), Windows, Linux and Solaris. The backdoor offers a number of different functions to perform actions and spy on the user of the infected machine.

Intego VirusBarrier with current virus definitions protects Mac users against this malware, detected as OSX/NetWeirdRC. In addition, VirusBarrier can detect malware downloaded via any application, while Apple’s XProtect system only functions with files downloaded by certain programs, notably Apple software such as Safari, Mail and iChat.

Apple also added a new code to XProtect for OSX.Bundlore.B, based on Yara rules.

It’s interesting to note that it appears Apple is now using the Yara engine with XProtect. Yara is a text based tool, developed by Google, used by malware researchers to identify and classify malware samples. The benefit of Yara is to provide complex and powerful rules based on conditions.

Apple’s XProtect offers basic protection against some Mac threats downloaded by certain programs, and as of this latest update appears to only detect new threats on OS X El Capitan and macOS Sierra. Furthermore, XProtect does not offer real-time malware scanning, protection against Windows threats or phishing sites, or other protection that full-featured antivirus software can provide. Intego VirusBarrier users with up-to-date virus definitions are protected from these threats, and more.

Share this: