OSX/Tsunami-A, a new backdoor Trojan horse for Mac OS X, has been discovered.
What makes Tsunami particularly interesting is that it appears to be a port of Troj/Kaiten, a Linux backdoor Trojan horse that, once it has embedded itself on a computer system, listens to an IRC channel for further instructions.
Typically code like this is used to rally compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic.
If you were wondering where the name “Tsunami” comes from, that should probably help explain things.
It’s not just a DDoS tool though. As you can see by the portion of OSX/Tsunami’s source code that I have reproduced below, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer.
Sophos’s Mac anti-virus products (including our free anti-virus for Mac home users) have been updated to detect OSX/Tsunami-A.
The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organised attack on a website.
But remember this – not only is participating in a DDoS attack illegal, it also means that you have effectively put control of your Mac into someone else’s hands. If that doesn’t instantly raise the hairs on the back of your neck, it certainly should.
Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn’t mean the problem is non-existent. You only need to read our short history of Mac malware to realise that.
We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future. If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying.
My advice to Mac users is simple: don’t be a soft target, protect yourself.
For further information read this blog entry from our friends at ESET.
Update: Some new variants of OSX/Tsunami have now been discovered. Read about them here.
21 comments on “Tsunami backdoor for Mac OS X discovered”
I still prefer my macs BIG, probably explains the diabetes and blood pressure issues
I don't doubt that the Trojan exists, but this is VERY much like an advert for your products. Talk about vested interest. Jeeez
Other free anti-virus products for Mac are available.
If you decide to use ours we don't make any money. In fact, it costs us money.
So, not the greatest advert if you think about it. 🙂 But hopefully it will help some Mac users protect themselves from the various threats in existence.
I agree with you. I thank you for making a free AV program for us Mac users. We should all be more thankful to you. Sophos and you, Graham Cluley, know what you are doing and provide us with protection that we need. I find Sophos is a good company that knows what it is doing and I love the Naked Security Blog. I read it everyday and find each entry informative and entertaining. I love the videos that are posted every once in awhile (The 60 second security videos) and think that Graham is a good person providing an important service.
Thank you Sophos.
Thank you Graham.
Get a clue, why don’t you! I have used Free Sophos For Mac since it came out, and it’s great. I tried McAfee both on my Mac and on my wife’s PC, it made them run like treacle.
Sophos, on the other hand runs smoothly in the background, you don’t even notice it running. Thank you Graham for providing such an excellent product for the Mac community. Sorry for the ingrates who are clueless.
I have had problems with free Sophos, so while I appreciate it, this is tempered by the many frustrations. It freezes and crashes my old MBP on occasions. The crash happened every time that I tried to do a complete scan. I suspect it was somehow trying to do my NAS box or possibly choking on my Bootcamp partition, but I don't have time to dig into it any deeper.
Hi. We're not able to do support for Sophos products through this forum, but please feel free to join the free Sophos Anti-Virus for Mac support community online at http://openforum.sophos.com/macav
Remember, the medical profession has a vested interest in us becoming ill. Companies that help do taxes have a vested interest that folks will be confused then come to them. There are a gazillion other examples of 'vested interest' as well. They all charge money while Sophos does not charge. So, Jeeez your point is?
"once it has embedded itself on a computer system"
" It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organised attack on a website."
Considering the methods mentioned above, a hacker plants it there or the user volunteers to partake in a DDoS attack:
The former leaves me questioning just how a hacker could plant the trojan, and the latter would lead me to conclude that such an individual who would partake voluntarily in a DDoS attack would not care too much about security, considering they would be allowing access intentionally.
Still, the bigger question is exactly how would someone plant this trojan? Physical access? Remote access but granted privileges? There is not enough information involving the particulars listed here or on any website that has mentioned the trojan.
Can you elaborate?
Seriously, trojans do not embed themselves; they are planted or trick users into installing them. We get it, Macs aren't immune to malware, but try not to act like all malware behaves like viruses (self-replicating).
I found this post to be pretty uninformative. It does not tell how one actually GETS this trojan on their machine in the first place.
By downloading and executing a dmg file, just like any other virus…
Not quite, viruses are a different subset of malware which self-replicate. Most trojans rely on social engineering. They can be spread by other means, but they are generally hidden in things that seem legitimate so as to trick the user into bringing them onto their system (read the story of the Trojan horse from the Iliad for a real-world example).
Yeah, how does the trojan actually end up running on someone's machine? Does it require the execution of a program to install (for example, the user being tricked into installing it)? Or is there some kind of unpatched OS X exploit that is being used?
You said you “discovered” it.
That implies it got there through stealth.
Alternately, if all you “discovered” is that shell scripts that work on Linux will probably work just fine in OSX then “congratulations”.
Have been using Sophos for years on both platforms in a school district setting of 800 computers with 1,600 users. They are the best, with an incredible support center. Trust Sophos completely.
It is called a Trojan for a reason. It requires some sort of social engineering to get the user to download it and turn it loose.
Still no hint as to exactly how a Mac acquires this Trojan? Infected shareware? Visiting a website? A nefarious computer technician? Opening an email? Opening a PDF?
If we find out, we'll let you know.
So far we haven't had reports from our customers. It could be deliberately installed by folks who want to take part in an organised DDoS for the "lulz" (not a good idea in my opinion – it's not only illegal, but it also allows a third-party to have remote access to your Mac), or it could – as you suggested – be planted by a malicious hacker.
I would suspect a common vector by installing pirated Mac software on OS X. Only 2 Dollars in the Russian Market in Phnom Penh but comes with free Trojans.