According to Dennis Fisher, editor of Kaspersky Lab's ThreatPost wire, the authors of the trojan either have experience writing Windows-based malware or are simply paying close attention to what's been working for Windows malware for all of these years.
Fisher noted that the trojan works by overwriting the IT security module of OS-X and preventing it from updating.
“Windows-based malware variants have been using similar tactics for a long time now. In many cases, one of the first things that a piece of malware does once it's on a new machine is to check for running anti-malware programs and attempt to either kill those processes or find another way to disable them”, he said in his latest security posting.
“It's a simple technique, but if successful, it can at least buy the malware a little bit of time on the machine to do its work before the anti-malware system or a sharp user discovers its presence”, he added.
Citing research from F-Secure, Fisher goes on to say that the Flashback malware decrypts a specific XProtect file and then decrypts the path of the XProtectUpdater binary.
The next step, he noted, is for Flashback to unload the XProtectUpdater daemon and then overwrite certain components.
This is, he said, the latest example of Mac-based malware taking on some of the more successful ploys of traditional Windows malware.
Last month, he added, researchers at F-Secure also found that the Imuler Trojan was being spread through malicious PDFs, a common infection mechanism in the Windows world.