XProtect updated - 2013.02.26

On Feb 19, 2013 11:48 PM Topher Kessler releases his article for CNET that New Mac malware opens secure reverse shell is out, “but has not yet been determined to be much of a threat”. His article properly sources Intego’s original article on the matter. In short it uses a modified implementation of openssl to establish a secure connection to a remote server thus creating a botnet or Command and Control (C&C) environment.

Things like this is why Apple updates XProtect and they should update it often (not to mention vulnerable plugins like Java or Flash). I’ve written about XProtect before and how it works back in 2011. Just letting you know that in the mist of Mac SysAdmin pains of XProtect (such as disabling Java or Flash overnight) it can also work FOR you. There have been a couple of GitHub projects that are trying to help Mac SysAdmins in managing XProtect which can be found at:

I’m not recommending one or the other, I’m just giving some quick links. One item I will point out is that I do keep track of XProtect for my personal system via a quick and dirty LaunchDaemon that watches the XProtect.plist file, and when it changes it copies that version to /Users/Shared/XProtect/ folder, this way I can always do a diff between the last two files to see what has changed.

You can clone a copy of XProtectWatch for your personal needs by going to https://github.com/justinrummel/XProtectWatch.

A final option is to utilize changedection.com and simply ‘watch’ for Apple’s clientConfiguration.plist file to be updated. I’ve established one for version 3 of clientConfiguration here.

To see the diff for today’s Xprotect update here are the resulting diff gist’s:


Leave a Comment

Your email is used for Gravatar image and reply notifications only. Address will not be published. *