Hackers port ancient Linux Trojan to Mac OS X

The Tsunami malware is in limited circulation and is likely still being tested, say experts

Hackers are testing new Mac malware that they've ported from a nine-year-old Trojan horse originally written for Linux, according to security experts.

The malware, dubbed "Tsunami," has been circulating in limited numbers since last week, said researchers at the Slovakian antivirus firm, ESET Security.


Tsunami first popped up last week, when ESET malware researcher Robert Lipovsky provided some bare-bones information on the Trojan.

"We've seen backdoors [on the Mac] before, but these malware writers are simply reusing existing code instead of writing something new," said Lipovsky in an interview at the time. "It's a lot easier for them."

Lipovsky was referring to the code similarities between the Mac malware and a line of backdoor Trojans that targeted Linux machines as far back as 2002.

"The Linux [malware] is not directly compatible with the Mac OS X platform, but has to be recompiled," said Lipovsky. Unlike the older Linux malware -- also named Tsunami for one of its commands that launches a DDoS (distributed denial-of-service) attack -- the original Mac version was 64-bit.

In most other instances, however, Tsunami on the Mac is strikingly similar to its Linux ancestor, letting attackers issue commands to the infected computer via an IRC (Internet Relay Chat) channel to conduct DDoS attacks, or download additional malware and Trojan updates.

Tsunami for the Mac has been updated, added another ESET researcher, to ensure it launched each time an infected Mac desktop or laptop was booted. The newer version, labeled "Tsunami.A," also used a different IRC channel and server for command-and-control, said ESET's Pierre-Marc Bureau in a follow-up blog post.

Lipovsky was unable to pin down how Tsunami's controllers infected Macs with the Trojan; Bureau also said that ESET wasn't sure what tactic attackers were using to plant the malware on machines.

But the short interval between editions and the limited use of the malware led ESET to believe that Tsunami's creators are still testing the Trojan. "They are [still] probably adapting the code, originally written for Linux, to the OS X platform," said Bureau.

U.K.-based Sophos said its analysis showed Tsunami's makers had also come up with a 32-bit version that would execute on older Macs that rely on the PowerPC processor.

Both ESET and Sophos rated the threat as minor.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

This story, "Hackers port ancient Linux Trojan to Mac OS X," was originally published by Computerworld.
