OSX/Tsunami-A, a new backdoor Trojan horse for Mac OS X, has been discovered.
What makes Tsunami particularly interesting is that it appears to be a port of Troj/Kaiten, a Linux backdoor Trojan horse which, once it has embedded itself on a computer system, listens to an IRC channel for further instructions.
Typically code like this is used to rally compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic.
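As an added illustration (not code from the original post, nor Sophos's detection logic), one first-pass check a defender can run against the behaviour described above: flag established TCP connections to common IRC ports from processes that are not known IRC clients. The `lsof -nP -i TCP` output, process names and addresses below are constructed sample data.

```python
import re
from collections import namedtuple

# Constructed sample of `lsof -nP -i TCP -sTCP:ESTABLISHED` output on a Mac.
# Process names, PIDs and addresses are made up for the example.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari      412 alice   21u  IPv4 0x1a2b      0t0  TCP 192.168.1.20:52311->93.184.216.34:443 (ESTABLISHED)
Textual     530 alice   15u  IPv4 0x3c4d      0t0  TCP 192.168.1.20:52390->198.51.100.7:6697 (ESTABLISHED)
syncd       611 alice    3u  IPv4 0x5e6f      0t0  TCP 192.168.1.20:52401->203.0.113.9:6667 (ESTABLISHED)
"""

# Ports conventionally used by IRC servers (plain and TLS). A backdoor can of
# course use any port, so treat this as a cheap triage filter, not proof.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Assumed allow-list of legitimate IRC clients on the host (adjust per fleet).
KNOWN_IRC_CLIENTS = {"Textual", "Colloquy", "LimeChat", "irssi", "weechat"}

# COMMAND PID USER ... TCP local->remote:port (ESTABLISHED)
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+.*TCP\s+\S+->([\d.]+):(\d+)\s+\(ESTABLISHED\)"
)

Finding = namedtuple("Finding", "command pid remote port")


def find_suspicious_irc(lsof_text):
    """Return connections to IRC ports made by processes not on the allow-list."""
    findings = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd, pid, _user, host, port = m.groups()
        port = int(port)
        if port in IRC_PORTS and cmd not in KNOWN_IRC_CLIENTS:
            findings.append(Finding(cmd, int(pid), host, port))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_irc(SAMPLE_LSOF):
        print(f"suspicious IRC connection: {f.command} (pid {f.pid}) -> {f.remote}:{f.port}")
```

Any hit is a lead to investigate (what binary is behind the process, how it is launched at login), not a verdict on its own.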
If you were wondering where the name “Tsunami” comes from, that should probably help explain things.
It’s not just a DDoS tool though. As you can see by the portion of OSX/Tsunami’s source code that I have reproduced below, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer.
Sophos’s Mac anti-virus products (including our free anti-virus for Mac home users) are being updated to detect OSX/Tsunami-A.
The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organised attack on a website.
But remember this – not only is participating in a DDoS attack illegal, it also means that you have effectively put control of your Mac into someone else’s hands. If that doesn’t instantly raise the hairs on the back of your neck, it certainly should.
Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn’t mean the problem is non-existent. You only need to read our short history of Mac malware to realise that.
We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future. If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying.
My advice to Mac users is simple: don’t be a soft target, protect yourself.
For further information read this blog entry from our friends at ESET.