Tsunami-A OS X trojan spotted in the wild

Security researchers have identified a new backdoor trojan targeting systems running Mac OS X.

Interestingly enough, Tsunami appears to be a port of Troj/Kaiten, a Linux Trojan that embeds itself on a computer system and monitors an IRC channel for further instructions.

As Sophos Security researcher Graham Cluley notes, trojans like Tsunami/Kaiten are typically used to drag infected computers into coordinated DDoS (distributed denial-of-service) attacks, which flood a targeted website server with a massive amount of traffic.

“It’s not just a DDoS tool though. As you can see by the portion of OSX/Tsunami’s source code, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer,” he explained.

“The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organized attack on a website.”

Cluley also warned that he “fully expected” to see cyber criminals target poorly protected Mac computers in the future. 

“If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying,” he added.

To be sure, an evolving trojan that disables the automatic updater component of XProtect, Apple’s built-in OS X anti-malware app, was recently spotted in the wild. 

Flashback.C – which poses as an update to Adobe Flash – first decrypts the paths of XProtectUpdater files that are hardcoded in its body.

This action wipes out certain files, effectively preventing XProtect from automatically receiving future updates. 

“Attempting to disable system defenses is a very common tactic for malware,” explained Brod of F-Secure. “[As such], built-in defenses are naturally going to be the first target on any computing platform.”