Linux Tsunami hits OS X

Hackers adapt Linux malware to attack Macs.

ESET’s researchers have just come across an IRC controlled backdoor that enables the infected machine to become a bot for Distributed Denial of Service attacks. The interesting part about it is that it’s a Mach-O binary – targeting Mac OS X.

ESET’s research team compared this to samples in our malware collection and discovered that this code is derived from something seen before. It is actually an OS X port of the Linux family of backdoors that ESET has been detecting since 2002 as Linux/Tsunami. The analyzed sample contains a hardcoded list of IRC servers and an IRC channel that it attempts to connect to. This client then listens for and interprets commands from the channel. The list of accepted commands can be seen in the following comment block from the C source code of the Linux variant.

[Image: Linux_Tsunami.png, the comment block from the Linux variant's C source listing the accepted commands (https://i1.wp.com/blog.eset.com/wp-content/media_files/Linux_Tsunami.png)]

ESET’s malware researcher Robert Lipovsky commented: “The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine. In terms of functionality, the Mac variant of the backdoor is similar to its older Linux brother, with only the IRC server, channel and password changed and the greatest difference being that it’s a 64-bit Mach-O binary instead of an ELF binary.”

In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code.

ESET security software (including ESET Cybersecurity for Mac) detects the malware as OSX/Tsunami.A.

Robert Lipovsky
Malware Researcher

Updates on OSX/Tsunami.A, a Mac OS X Trojan

Yesterday, ESET announced the discovery of a new threat against the Apple Mac OS X platform. Today, we have found a new version of the same threat. The new version is similar to the previous one, with two important differences: it now implements persistence on an infected system, and it has updated command and control information.

OSX/Tsunami.A now has the ability to copy itself to /usr/sbin/logind. It then creates a file named /System/Library/LaunchDaemons/com.apple.logind.plist with the content shown in the following screenshot to ensure that the malicious binary is started after each reboot.

[Image: plist2.png, the content of com.apple.logind.plist (https://i1.wp.com/blog.eset.com/wp-content/media_files/plist2.png)]
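As an added defender-side example (not ESET's code and not the malware's), the following Python script checks a volume root for the two persistence artifacts described above, the copied binary at /usr/sbin/logind and the LaunchDaemon plist at /System/Library/LaunchDaemons/com.apple.logind.plist, reports what the plist would launch, and checks whether the binary carries the 64-bit Mach-O magic. The plist contents used in the demo are assumed, modelled on a typical LaunchDaemon, since the post shows them only as a screenshot.

```python
import plistlib
import tempfile
from pathlib import Path

# Persistence artifacts named in the write-up: the copied binary and its LaunchDaemon plist.
PLIST_REL = "System/Library/LaunchDaemons/com.apple.logind.plist"
BINARY_REL = "usr/sbin/logind"
# 64-bit Mach-O magic as stored on disk in either byte order (thin binaries only, not fat).
MACHO64_MAGICS = {0xFEEDFACF, 0xCFFAEDFE}

def is_macho64(path: Path) -> bool:
    """True if the file starts with a 64-bit Mach-O magic, the format ESET describes."""
    if not path.is_file():
        return False
    with path.open("rb") as f:
        return int.from_bytes(f.read(4), "big") in MACHO64_MAGICS

def plist_program(path: Path):
    """Return the program a LaunchDaemon plist launches, or None if it cannot be parsed."""
    try:
        with path.open("rb") as f:
            plist = plistlib.load(f)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else None)

def hunt_tsunami(root: Path = Path("/")) -> dict:
    """Check a volume root (live system or mounted image) for the persistence artifacts."""
    plist, binary = root / PLIST_REL, root / BINARY_REL
    findings = {"plist_present": plist.is_file(), "plist_program": plist_program(plist),
                "binary_present": binary.is_file(), "binary_is_macho64": is_macho64(binary)}
    # Either artifact alone is worth a look; plist_program shows what launchd would start.
    findings["suspicious"] = findings["plist_present"] or findings["binary_present"]
    return findings

def demo_on_constructed_image(infected: bool = True) -> dict:
    """Scan a throwaway directory that imitates a volume (constructed, not a real sample)."""
    root = Path(tempfile.mkdtemp())
    if infected:
        plist, binary = root / PLIST_REL, root / BINARY_REL
        plist.parent.mkdir(parents=True)
        with plist.open("wb") as f:  # plist content is assumed, modelled on a typical LaunchDaemon
            plistlib.dump({"Label": "com.apple.logind", "RunAtLoad": True,
                           "ProgramArguments": ["/usr/sbin/logind"]}, f)
        binary.parent.mkdir(parents=True)
        binary.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # MH_MAGIC_64, little-endian
    return hunt_tsunami(root)
```

On a live Mac, `hunt_tsunami()` with the default root checks the running system; pass the mount point of a disk image to triage it offline.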

The second difference identified in the new binary is a new command and control IRC server and IRC channel. At the time of writing, neither IRC server is responding.

Although the samples we have received come from two different countries on two different continents, our telemetry data still indicates that there are very few hosts infected with this malware.

It is our belief that the people behind this threat are in the process of testing their creation. They are probably adapting the code, originally written for Linux, to the OS X platform. We are still unaware of any specific infection vector for this threat. It can be installed manually by an attacker or in an automated way.

This threat does not have the sophistication or complexity of TDL4 or Win32/Duqu, so we think the risk to Mac users is limited. We will continue to watch the situation closely.

Pierre-Marc Bureau
Senior Malware Researcher
