Being the resident VRT Apple fanboy that I am, I frequently am assigned every piece of Apple malware and Apple-related vulnerability research that comes through the office. Luckily that's not very much. (Fanboy jabs with his right!)
However, lately, the variants of Flashback (some AV vendors are calling it Flashfake) and "Sabpub" have kept me busy.
While Sabpub got a lot of press, there were only 3 variants of it; ClamAV detected all of them with one name (OSX.Subpub). Flashback had many more variants to it; officially we are up to Flashback.K (11 variants). Most of the Flashback variants going around seem to be based off of two "masters", which were the most copied, changed, and redistributed. ClamAV calls these two OSX.Flashback-8 and OSX.Flashback-12.
As of the writing of this blog post I've written 20 signatures for Flashback and only one for "Subpub". More variants will come in, I'm quite sure, and we'll keep our eye for them.
In the meantime, it might be a good idea for you to install ClamAV on OSX. Information on our "On Access" Scanner is here, with instructions on how to install ClamAV to properly use the on access scanner. There are a lot of people out there that use the "ClamXav" tool for OSX to use ClamAV on their Mac, which is great for scheduled scans, however, right now, I don't believe that tool has been updated to use the "On Access" tool we've written. Hopefully they will and we'll be able to see even greater adoption in the usage of ClamAV on OSX. All of these tools and installs are totally FREE.
For a couple of good articles on Subpub and Flashback, check out this article, Fsecure's take on Subpub, and another article from Fsecure on Flashback.
Make sure you download the Flashback removal tool from Apple: http://support.apple.com/kb/DL1517. Upon install it'll remove flashback for you, you don't have to run the tool manually or anything.
As far as coverage for Snort goes, we've had it covered for the same amount of time as ClamAV.
Sid: 21877 covers Sabpub (Subpub)
Sid: 20762, 21755, 21756, 21757, 21758, and 21910 cover Flashback
Good luck out there. Don't install anything if you don't know where it came from. Hopefully Gatekeeper will help stem the tide of this nonsense.