Mac malware: Tsunami backdoor variants discovered

Filed Under: Apple, Denial of Service, Malware

WavesAs our friends at ESET have mentioned on their blog, new variants of the latest Mac malware - the Tsunami backdoor Trojan - have been discovered.

SophosLabs has received a few new samples of the malware - which can be used both to launch denial-of-service attacks and by remote hackers to gain access to your computer.

The new versions, which Sophos is adding detection for as OSX/Tsunami-Gen, are builds for 32-bit Intel x86 and PowerPC Mac computers, whereas the original version was 64-bit only. In addition, the new samples use a different IRC domain for their command & control server.

Some folks have questioned why the computer security industry has dubbed this threat "Tsunami", and I must admit that I find myself feeling somewhat uncomfortable with the name because of the devastating natural disasters that have struck in some parts of the world.

The truth is, however, that the name derives from one of the commands that can be sent to computers running the malicious code, to flood a target with internet traffic.

Tsunami command

It's actually the same command that was built into the Linux version of the attack tool (which Sophos calls Troj/Kaiten) first seen some years ago.

Because we see considerably less malware for Mac OS X than we do for Windows, new Mac threats tend to make the news headlines. It's important to note that the sky is not falling, and we believe the threat posed by OSX/Tsunami is currently quite low. Indeed, we have not received any reports from customers yet of infections by this Mac malware.

Nevertheless, it's clear that someone is working on developing new versions of this code for the Mac platform and you have to presume they are not doing it purely for the intellectual challenge. (If they are, Lord help them.. it's not much of a challenge)

Mac users would be wise to take preventative steps against this, and the other malware which we see for the Mac OS X platform. Free anti-virus software is available for Mac home users - so there's really no excuse.

More details about OSX/Tsunami can be read in our earlier article on the topic.

, , , , , , , , ,

You might like

4 Responses to Mac malware: Tsunami backdoor variants discovered

  1. Moot · 1400 days ago

    How does it get in the machine? Is there a specific .pkg?

  2. Charlie · 1399 days ago

    What about this new threat I do not see anything about on this Security Blog. Would you please address this.

    has discovered a new malware called DevilRobber.A. This malware, which has been found in several applications distributed via BitTorrent trackers, steals data and Bitcoin virtual money, and uses CPU and GPU time on infected Macs to perform “Bitcoin mining.”

    This malware is complex, and performs many operations. It is a combination of several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers.

    DevilRobber has been found in a small number of Mac applications that are distributed via BitTorrent trackers, including a popular graphic program.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley