As our friends at ESET have mentioned on their blog, new variants of the latest Mac malware – the Tsunami backdoor Trojan – have been discovered.
SophosLabs has received a few new samples of the malware – which can be used both to launch denial-of-service attacks and by remote hackers to gain access to your computer.
The new versions, which Sophos is adding detection for as OSX/Tsunami-Gen, are builds for 32-bit Intel x86 and PowerPC Mac computers, whereas the original version was 64-bit only. In addition, the new samples use a different IRC domain for their command & control server.
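Telling apart a 64-bit build from 32-bit Intel and PowerPC builds is a matter of reading the Mach-O header, so here is a small triage helper that does exactly that without running the sample. It is an added example, not code from this post or from SophosLabs: the magic values, header layout and CPU type numbers come from Apple's public mach-o/loader.h, mach-o/fat.h and mach/machine.h, the headers it inspects are constructed inside the script rather than taken from any real malware, and the arch-count threshold it uses to separate a universal binary from a Java class file (both start with 0xCAFEBABE) is a heuristic chosen for this example.

```python
"""Identify the CPU architecture(s) a Mach-O file is built for.

Added example (not code from the original post or from Sophos): a triage
helper that reads only the Mach-O header, so a sample can be classified
without executing it. Layout and constants follow Apple's public headers
<mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
"""
import struct

# Thin Mach-O magic values as seen when the first 4 bytes are read big-endian.
# A file written little-endian (Intel) shows the byte-swapped "CIGAM" form.
MH_MAGIC = 0xFEEDFACE       # 32-bit, file is big-endian (e.g. PowerPC)
MH_CIGAM = 0xCEFAEDFE       # 32-bit, file is little-endian (e.g. i386)
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit, big-endian
MH_CIGAM_64 = 0xCFFAEDFE    # 64-bit, little-endian (e.g. x86_64)
FAT_MAGIC = 0xCAFEBABE      # universal binary; fat headers are always big-endian

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_NAMES = {
    7: "i386",
    7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm",
    12 | CPU_ARCH_ABI64: "arm64",
    18: "ppc",
    18 | CPU_ARCH_ABI64: "ppc64",
}
FAT_ARCH_SIZE = 20          # struct fat_arch: 5 x uint32
# Heuristic (assumption, not an Apple rule): a Java .class file also starts with
# 0xCAFEBABE, but its next 4 bytes are minor/major version and read as a large
# "nfat_arch"; real universal binaries carry only a handful of slices.
MAX_PLAUSIBLE_FAT_ARCHES = 20


def cpu_name(cputype):
    return CPU_TYPE_NAMES.get(cputype, "unknown(0x%08x)" % (cputype & 0xFFFFFFFF))


def macho_architectures(data):
    """Return the list of architecture names found in `data` (file order).

    Raises ValueError if the bytes are not a thin Mach-O or fat binary.
    """
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    magic = struct.unpack(">I", data[:4])[0]

    if magic == FAT_MAGIC:
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        if nfat_arch == 0 or nfat_arch > MAX_PLAUSIBLE_FAT_ARCHES:
            raise ValueError("0xCAFEBABE with implausible arch count; probably a Java class file")
        arches = []
        for i in range(nfat_arch):
            off = 8 + FAT_ARCH_SIZE * i
            if len(data) < off + FAT_ARCH_SIZE:
                raise ValueError("truncated fat_arch table")
            # The fat_arch entry itself records the slice's cputype, so the
            # slice body need not be dereferenced to name the architecture.
            cputype = struct.unpack(">iiIII", data[off:off + FAT_ARCH_SIZE])[0]
            arches.append(cpu_name(cputype))
        return arches

    # Thin file: the magic tells us which byte order the rest of the header uses.
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = ">"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = "<"
    else:
        raise ValueError("not a Mach-O file (magic 0x%08x)" % magic)

    cputype = struct.unpack(endian + "i", data[4:8])[0]
    is_64 = bool(cputype & CPU_ARCH_ABI64)
    if is_64 != (magic in (MH_MAGIC_64, MH_CIGAM_64)):
        raise ValueError("cputype ABI width disagrees with header magic")
    return [cpu_name(cputype)]


def describe(data):
    """Human-readable one-liner for a triage listing; never raises."""
    try:
        return ", ".join(macho_architectures(data))
    except ValueError as exc:
        return "not Mach-O: %s" % exc


# Constructed sample headers (not from any real file): mach_header is
# magic, cputype, cpusubtype, filetype (MH_EXECUTE=2), ncmds, sizeofcmds,
# flags, plus a reserved word in the 64-bit variant.
SAMPLE_X86_64 = struct.pack("<IiiIIIII", MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0, 0)
SAMPLE_I386 = struct.pack("<IiiIIII", MH_MAGIC, 7, 3, 2, 0, 0, 0)
SAMPLE_PPC = struct.pack(">IiiIIII", MH_MAGIC, 18, 0, 2, 0, 0, 0)
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">iiIII", 7, 3, 4096, 28, 12)      # i386 slice
              + struct.pack(">iiIII", 18, 0, 8192, 28, 12))    # ppc slice
SAMPLE_JAVA_CLASS = struct.pack(">IHH", 0xCAFEBABE, 0, 50) + b"\x00" * 8

if __name__ == "__main__":
    for label, blob in [("x86_64", SAMPLE_X86_64), ("i386", SAMPLE_I386),
                        ("ppc", SAMPLE_PPC), ("fat", SAMPLE_FAT),
                        ("java", SAMPLE_JAVA_CLASS)]:
        print("%-7s -> %s" % (label, describe(blob)))
```

To run it on a real file, pass `open(path, "rb").read()` to `macho_architectures`. The reason the magic is examined before the CPU type is that a PowerPC slice is stored big-endian while Intel slices are little-endian, so the same header fields must be decoded with different byte orders.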
Some folks have questioned why the computer security industry has dubbed this threat “Tsunami”, and I must admit that I find myself feeling somewhat uncomfortable with the name because of the devastating natural disasters that have struck in some parts of the world.
The truth is, however, that the name derives from one of the commands that can be sent to computers running the malicious code, to flood a target with internet traffic.
It’s actually the same command that was built into the Linux version of the attack tool (which Sophos calls Troj/Kaiten) first seen some years ago.
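Because the controller talks to infected machines over IRC, the command the malware is named after is something a network monitor can look for in captured traffic. The following is an added example, not code from this post or from SophosLabs: it parses PRIVMSG lines in RFC 1459 shape and flags any whose first word is the TSUNAMI verb. The log lines are constructed, and the "<target> <seconds>" argument layout it uses to rate a hit as high confidence is an assumption taken from the publicly available Kaiten bot source rather than from anything stated here.

```python
"""Spot a Kaiten/Tsunami-style flood command in captured IRC traffic.

Added example, not code from the original post or from Sophos. The post says
the malware is named after a command its IRC controller sends to make a bot
flood a target; the literal verb assumed here is TSUNAMI. The
"<target> <seconds>" argument layout used for the high-confidence rating is
an assumption drawn from the public Kaiten source, not from the post.
"""
import re

# RFC 1459 message shape: [:prefix] PRIVMSG <target> :<trailing text>
PRIVMSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)
# Loose hostname / dotted-quad check for the flood target argument.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+$")

FLOOD_COMMANDS = {"TSUNAMI"}   # only the verb the post itself names


def parse_privmsg(line):
    """Return (nick, target, text) for a PRIVMSG line, else None."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    prefix = m.group("prefix") or ""
    nick = prefix.split("!", 1)[0]          # nick!user@host -> nick
    return nick, m.group("target"), m.group("text")


def classify_flood_command(text):
    """Return 'high', 'low' or None for the trailing text of a PRIVMSG.

    high: first token is a flood verb and the arguments look like
          "<target> <seconds>" (assumed layout).
    low:  the verb appears as the first word but the arguments do not fit,
          e.g. ordinary chat that happens to begin with the word.
    """
    tokens = text.split()
    if not tokens or tokens[0].upper() not in FLOOD_COMMANDS:
        return None
    args = tokens[1:]
    if len(args) >= 2 and HOST_RE.match(args[0]) and args[1].isdigit():
        return "high"
    return "low"


def scan_irc_log(lines):
    """Return a list of (confidence, nick, channel, text) for suspicious PRIVMSGs."""
    hits = []
    for line in lines:
        parsed = parse_privmsg(line)
        if parsed is None:
            continue
        nick, channel, text = parsed
        confidence = classify_flood_command(text)
        if confidence:
            hits.append((confidence, nick, channel, text))
    return hits


# Constructed sample capture: one controller command, one benign chat line
# whose first word happens to match, a server numeric, and ordinary chat.
SAMPLE_LOG = [
    ":ctl!ops@198.51.100.7 PRIVMSG #ops :TSUNAMI 203.0.113.9 60\r\n",
    ":alice!a@example.net PRIVMSG #weather :tsunami warning lifted today\r\n",
    ":irc.example.net 001 bot :Welcome to the network\r\n",
    ":bob!b@example.net PRIVMSG #ops :hi all\r\n",
]

if __name__ == "__main__":
    for hit in scan_irc_log(SAMPLE_LOG):
        print("%-4s %-6s %-9s %s" % hit)
```

A chat line that merely begins with the word is reported at low confidence rather than dropped, so an analyst can make the call; HOST_RE and the digit check on the second argument are where false positives get tuned.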
Because we see considerably less malware for Mac OS X than we do for Windows, new Mac threats tend to make the news headlines. It’s important to note that the sky is not falling, and we believe the threat posed by OSX/Tsunami is currently quite low. Indeed, we have not received any reports from customers yet of infections by this Mac malware.
Nevertheless, it’s clear that someone is working on developing new versions of this code for the Mac platform, and you have to presume they are not doing it purely for the intellectual challenge. (If they are, Lord help them... it’s not much of a challenge.)
Mac users would be wise to take preventative steps against this, and the other malware which we see for the Mac OS X platform. Free anti-virus software is available for Mac home users – so there’s really no excuse.
More details about OSX/Tsunami can be read in our earlier article on the topic.
4 comments on “Mac malware: Tsunami backdoor variants discovered”
How does it get in the machine? Is there a specific .pkg?
What about this new threat? I do not see anything about it on this Security Blog. Would you please address this.
has discovered a new malware called DevilRobber.A. This malware, which has been found in several applications distributed via BitTorrent trackers, steals data and Bitcoin virtual money, and uses CPU and GPU time on infected Macs to perform “Bitcoin mining.”
This malware is complex, and performs many operations. It is a combination of several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is spyware, as it sends personal data to remote servers.
DevilRobber has been found in a small number of Mac applications that are distributed via BitTorrent trackers, including a popular graphic program.
We’re in the process of analysing it.
Details here: http://nakedsecurity.sophos.com/2011/10/29/devilr…
We call it OSX/Miner-D.