When the MacDefender fake antivirus malware was making its rounds early last year, there was a daily cat-and-mouse game between the criminals developing the software and various malware detection companies, plus Apple with its XProtect routine that establishes its "Safe Downloads" list.
While MacDefender has been properly addressed and is no longer an issue, the latest cat-and-mouse game appears to be revolving around the recent Flashback malware that was found for OS X. Flashback is a Trojan horse that is distributed as a fake version of Adobe's Flash player program. When installed it will insert a payload program into applications like Safari and Firefox, which when run will attempt to send personal information to remote servers.
Since its initial discovery in September 2011, the Flashback malware has undergone around 10 revisions in an effort to get around malware detection software, with the latest one aptly being discovered today, on Friday the 13th. The new variant, called OSX/Flashback.J ("J" indicating that it's the 10th variant), is distributed in a package called "FlashPlayer-11-7-macos.pkg," but the package in fact contains another installer package that will run and install the malware.
While the progressive release of variants shows the malware is actively being developed, it does not really appear to be changing much. Intego is reporting that this latest release is fully detectable by the malware definitions that were built to detect previous variants of the malware. Intego also claims that it's likely the current definitions will also detect future versions of the malware, indicating that current samples that the definitions use might be some core aspect of Flashback's code, which would give detection software a leg up on the malware developers.
On Wednesday, January 11, just before this latest variant was released, Apple updated its XProtect routines again to tackle some of the latest malware variants that have been developed for OS X, though so far the definitions include definitions for Flashback variants A through C only.
There is no word on whether the definitions for the first three variants included in Apple's XProtect list are likewise enough to detect all currently known variants of the malware.