Tsunami backdoor for Mac OS X discovered

Filed Under: Apple, Denial of Service, Featured, Malware

TsunamiOSX/Tsunami-A, a new backdoor Trojan horse for Mac OS X, has been discovered.

What makes Tsunami particularly interesting is that it appears to be a port of Troj/Kaiten, a Linux backdoor Trojan horse that once it has embedded itself on a computer system listens to an IRC channel for further instructions.

Typically code like this is used to rally compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic.

If you were wondering where the name "Tsunami" comes from, that should probably help explain things.

It's not just a DDoS tool though. As you can see by the portion of OSX/Tsunami's source code that I have reproduced below, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer.
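Because a Kaiten-style backdoor has to hold an outbound IRC connection to receive its instructions, one quick triage check on a suspect Mac is to list established TCP connections and flag any process talking to a well-known IRC port. The script below is an added example for this post, not code from Sophos or from the original article: it parses the text of `lsof -nP -iTCP` (the column layout lsof prints on macOS and Linux) over a constructed sample, and the process names and addresses in that sample are invented for illustration. The port list and the `ignore_commands` allow-list are assumptions a defender would tune; a genuine IRC client on 6667 is a false positive, an unfamiliar process on that port is something to investigate.

```python
"""Flag processes holding TCP connections to common IRC ports.

Added defensive example; not the original post's or Sophos's code.
Input is the text of `lsof -nP -iTCP -sTCP:ESTABLISHED`; the sample
below is constructed, not a real capture.
"""
import re
from typing import Dict, Iterable, List

# Well-known IRC ports: 6667 is the plain-text default, 6697 the TLS default.
# Assumed starting list; tune it to the environment.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# NAME column for a connected TCP socket, e.g. 10.0.0.5:49155->198.51.100.23:6667
# The greedy host group also handles bracketed IPv6 peers such as [2001:db8::2]:6667.
_CONN_RE = re.compile(r"^(?P<local>\S+)->(?P<rhost>.+):(?P<rport>\d+)$")

# Constructed sample output; "dmgextract" is an invented, unfamiliar process name.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari     4321 alice   12u  IPv4 0xa1b2c3d4e5f60718      0t0  TCP 192.168.1.5:52344->93.184.216.34:443 (ESTABLISHED)
launchd       1  root    8u  IPv6 0xa1b2c3d4e5f60719      0t0  TCP *:22 (LISTEN)
dmgextract 8812 alice    5u  IPv4 0xa1b2c3d4e5f6071a      0t0  TCP 192.168.1.5:49155->198.51.100.23:6667 (ESTABLISHED)
ntpd        211  root    4u  IPv4 0xa1b2c3d4e5f6071b      0t0  UDP *:123
Textual    5150 alice    9u  IPv4 0xa1b2c3d4e5f6071c      0t0  TCP 192.168.1.5:49201->203.0.113.9:6697 (ESTABLISHED)
"""


def parse_lsof(text: str) -> List[Dict[str, object]]:
    """Turn `lsof -iTCP` output into one record per TCP socket that has a peer."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header and anything too short to be a socket line.
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        try:
            node_idx = parts.index("TCP")  # NODE column; UDP lines are dropped
        except ValueError:
            continue
        name = parts[node_idx + 1] if len(parts) > node_idx + 1 else ""
        match = _CONN_RE.match(name)
        if not match:
            continue  # listening socket, no remote peer
        state = parts[node_idx + 2].strip("()") if len(parts) > node_idx + 2 else ""
        rows.append({
            "command": parts[0],
            "pid": int(parts[1]),
            "user": parts[2],
            "remote_host": match.group("rhost"),
            "remote_port": int(match.group("rport")),
            "state": state,
        })
    return rows


def find_irc_connections(text: str,
                         ports: Iterable[int] = IRC_PORTS,
                         ignore_commands: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return established connections to IRC ports, minus known-good client names."""
    ports = set(ports)
    ignored = set(ignore_commands)
    return [
        row for row in parse_lsof(text)
        if row["state"] == "ESTABLISHED"
        and row["remote_port"] in ports
        and row["command"] not in ignored
    ]


if __name__ == "__main__":
    # On a live machine: lsof -nP -iTCP -sTCP:ESTABLISHED | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for hit in find_irc_connections(data, ignore_commands=("Textual",)):
        print(f"IRC connection: {hit['command']} (pid {hit['pid']}, user {hit['user']}) "
              f"-> {hit['remote_host']}:{hit['remote_port']}")
```

Run against the constructed sample it reports the unfamiliar `dmgextract` process on port 6667 and leaves the allow-listed IRC client alone; a hit on a real machine is a lead to pull the binary and its launch agent, not proof of infection by itself.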

Tsunami source code

Sophos's Mac anti-virus products (including our free anti-virus for Mac home users) have been updated to detect OSX/Tsunami-A.

The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organised attack on a website.

But remember this - not only is participating in a DDoS attack illegal, it also means that you have effectively put control of your Mac into someone else's hands. If that doesn't instantly raise the hairs on the back of your neck, it certainly should.

Tsunami snapshot

Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn't mean the problem is non-existent. You only need to read our short history of Mac malware to realise that.

We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future. If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying.

My advice to Mac users is simple: don't be a soft target, protect yourself.

For further information read this blog entry from our friends at ESET.

Update: Some new variants of OSX/Tsunami have now been discovered. Read about them here.


21 Responses to Tsunami backdoor for Mac OS X discovered

  1. Craig · 908 days ago

    I still prefer my macs BIG, probably explains the diabetes and blood pressure issues

  2. Independant Nobody · 907 days ago

    I don't doubt that the Trojan exists, but this is VERY much like an advert for your products. Talk about vested interest Jeeez

    • Other free anti-virus products for Mac are available.

      If you decide to use ours we don't make any money. In fact, it costs us money.

      So, not the greatest advert if you think about it. :) But hopefully it will help some Mac users protect themselves from the various threats in existence.

      • Charlie · 907 days ago

        I agree with you. I thank you for making a free AV program for us Mac users. We should all be more thankful to you. Sophos and you, Graham Cluley, know what you are doing and provide us with protection that we need. I find Sophos is a good company that knows what it is doing and I love the Naked Security Blog. I read it every day and find each entry informative and entertaining. I love the videos that are posted every once in a while (the 60 second security videos) and think that Graham is a good person providing an important service.

        Thank you Sophos.

        Thank you Graham.

    • deanbar · 907 days ago

      Get a clue, why don't you! I have used Free Sophos For Mac since it came out, and it's great. I tried McAfee both on my Mac and on my wife's PC, it made them run like treacle.

      Sophos, on the other hand runs smoothly in the background, you don't even notice it running. Thank you Graham for providing such an excellent product for the Mac community. Sorry for the ingrates who are clueless.

      • Tempered gratitude · 798 days ago

        I have had problems with free Sophos, so while I appreciate it, this is tempered by the many frustrations. It freezes and crashes my old MBP on occasions. The crash happened every time that I tried to do a complete scan. I suspect it was somehow trying to do my NAS box or possibly choking on my Bootcamp partition, but I don't have time to dig into it any deeper.

    • annibal · 906 days ago

      totally agree

    • BubbaJones · 906 days ago

      Remember, the medical profession has a vested interest in us becoming ill. Companies that help do taxes have a vested interest that folks will be confused then come to them. There are a gazillion other examples of 'vested interest' as well. They all charge money while Sophos does not charge. So, Jeeez your point is?

  3. jpmhughes · 907 days ago

    "once it has embedded itself on a computer system"

    " It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organised attack on a website."

    Considering the methods mentioned above, a hacker plants it there or the user volunteers to partake in a DDoS attack:
    The former leaves me questioning, just how a hacker could plant the trojan and the latter would lead me to conclude that such an individual who would partake voluntarily in a DDoS attack would not care too much about security considering they would be allowing access intentionally.

    Still, the bigger question is exactly how would someone plant this trojan? Physical access? Remote access but granted privileges? There is not enough information involving the particulars listed here or on any website that has mentioned the trojan.

    Can you elaborate?

    • ScifiterX · 906 days ago

      Seriously, trojans do not embed themselves; they are planted or trick users into installing them. We get it, Macs aren't immune to malware, but try not to act like all malware behaves like viruses (self-replicating).

  4. DWalla · 907 days ago

    I found this post to be pretty uninformative. It does not tell how one actually GETS this trojan on their machine in the first place.

    • haredx · 907 days ago

      By downloading and executing a dmg file just like any other virus.....

      • ScifiterX · 906 days ago

        Not quite, viruses are a different subset of malware which self-replicate. Most trojans rely on social engineering. They can be spread by other means but they are generally hidden in things that seem legitimate so as to trick the user into bringing them onto their system (read the story of the Trojan horse from the Iliad for a real world example).

  5. billy · 907 days ago

    Yeah, how does the trojan actually end up running on someone's machine? Does it require the execution of a program to install (for example, the user being tricked into installing it)? Or is there some kind of unpatched OS X exploit that is being used?

  6. pedant · 907 days ago

    You said you "discovered" it.

    That implies it got there through stealth.

    How?

    Alternately, if all you "discovered" is that shell scripts that work on Linux will probably work just fine in OSX then "congratulations".

  7. Mark · 907 days ago

    Have been using Sophos for years on both platforms in a school district setting of 800 computers with 1600 users .. They are the best.. With an incredible support center..trust Sophos completely.

  8. JustMe · 907 days ago

    It is called a Trojan for a reason. It requires some sort of social engineering to get the user to download it and turn it loose.

  9. xooberant · 906 days ago

    Still no hint as to exactly how a Mac acquires this Trojan? Infected shareware? Visiting a website? A nefarious computer technician? Opening an email? Opening a PDF?

    • If we find out, we'll let you know.

      So far we haven't had reports from our customers. It could be deliberately installed by folks who want to take part in an organised DDoS for the "lulz" (not a good idea in my opinion - it's not only illegal, but it also allows a third-party to have remote access to your Mac), or it could - as you suggested - be planted by a malicious hacker.

  10. I would suspect a common vector by installing pirated Mac software on OS X. Only 2 Dollars in the Russian Market in Phnom Penh but comes with free Trojans.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.