Tsunami Wave Of Mac DDoS Malware Spells Danger

Formerly a Unix backdoor, the Tsunami Trojan targets Macs for a DDoS bot army

Malware authors have ported Tsunami, a Trojan originally written for Linux systems, to hijack Mac OS X systems, security researchers found.

It appears to be derived from Kaiten, an old backdoor Trojan dating back at least to 2002 that was designed to infect Linux systems, wrote Robert Lipovsky, a malware researcher at security firm ESET, on the company's blog. The compromised Macs could be used to launch distributed denial-of-service (DDoS) attacks, to control the Mac remotely, or to download further malware.

Recruiting a bot army

Tsunami derives its name from its primary goal: to force infected computers to become part of a bot network that will flood targeted Web servers with traffic and cause them to stop responding in a DDoS attack, according to Graham Cluley, a senior technology consultant at Sophos.

“Even though there is far less malware in existence for Mac OS X than for Windows, that doesn’t mean the problem is nonexistent,” Cluley wrote on the Sophos Naked Security blog.

The Tsunami Trojan first has to be placed on a host. Once it has been copied onto the system, whether installed deliberately by the user or planted by an attacker, the malware attempts to connect to an Internet Relay Chat (IRC) channel to receive further instructions. From there it can launch DDoS attacks at a targeted server, download additional malware onto the machine, and provide remote access to the system, Cluley said.

Pierre-Marc Bureau, an ESET senior malware researcher, said the new variant has the ability to launch automatically on reboot, which makes it more persistent on the system. It also uses a different command-and-control IRC server and channel from the previous version. The Trojan is evolving quickly, as ESET researchers have already discovered at least one further variant, according to Bureau.
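The two behaviours described above, an IRC connection for command and control and a launch item that restarts the bot on reboot, are both visible from the host. The following Python script is an added example, not code from ESET, Sophos or the malware itself: it triages launchd plists for programs that start automatically from unusual or hidden locations, and scans `lsof -i -nP` style output for established connections to the standard IRC ports. The plist contents, the lsof lines, the label `com.example.updater`, the path `/Users/alice/Library/.hidden/tsunami` and the IP addresses are all constructed for the example; the list of "trusted" path prefixes and IRC ports is an assumption you would tune for your own fleet.

```python
import plistlib
import re

# Constructed sample launch items (not captured from a real infection).
# A LaunchAgent pointing at an application bundle, started at login.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# A LaunchAgent modelled on the persistence the article describes: a binary
# hidden in the user's home directory that is launched at every login.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.softwareupdate.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.hidden/tsunami</string><string>-q</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Assumed-reasonable locations for legitimate launch items; adjust per fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")
STAGING_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")


def triage_launch_item(plist_bytes: bytes) -> dict:
    """Parse one launchd plist and explain why (if at all) it looks suspicious."""
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or []
    program = item.get("Program") or (args[0] if args else "")
    reasons = []
    if not program:
        reasons.append("no program path")
    else:
        if program.startswith(STAGING_PREFIXES):
            reasons.append("runs from a temp or shared directory")
        elif not program.startswith(TRUSTED_PREFIXES):
            reasons.append("runs from an unusual location")
        # Any dot-prefixed directory or file name in the path is hidden in Finder.
        if any(part.startswith(".") for part in program.split("/")[1:]):
            reasons.append("hidden path component")
    if item.get("RunAtLoad") and reasons:
        reasons.append("starts automatically at login/boot")
    return {"label": item.get("Label", "?"), "program": program,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed `lsof -i -nP` output; addresses are from documentation ranges.
LSOF_SAMPLE = """\
COMMAND    PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari     412 alice   23u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 192.0.2.10:52213->198.51.100.5:443 (ESTABLISHED)
Mail       430 alice   19u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 192.0.2.10:52250->198.51.100.7:993 (ESTABLISHED)
.updater   611 alice    3u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 192.0.2.10:52311->203.0.113.9:6667 (ESTABLISHED)
sshd       120  root    4u  IPv6 0x1a2b3c4d5e6f7084      0t0  TCP *:22 (LISTEN)
"""

# Common IRC ports (plain and TLS). A bot can use any port, so treat this as a
# cheap first pass, not proof of absence.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
_LSOF_TCP = re.compile(r"^(\S+)\s+(\d+)\s+\S+.*?TCP\s+\S+->(\S+):(\d+)\s+\((\w+)\)")


def find_irc_connections(lsof_output: str) -> list:
    """Return outbound TCP connections whose remote port is an IRC port."""
    hits = []
    for line in lsof_output.splitlines():
        m = _LSOF_TCP.match(line)
        if not m:
            continue  # header, listeners and non-TCP lines have no '->'
        cmd, pid, host, port, state = m.groups()
        if int(port) in IRC_PORTS:
            hits.append({"command": cmd, "pid": int(pid),
                         "remote": f"{host}:{port}", "state": state})
    return hits


if __name__ == "__main__":
    for blob in (BENIGN_PLIST, SUSPECT_PLIST):
        print(triage_launch_item(blob))
    for hit in find_irc_connections(LSOF_SAMPLE):
        print("IRC connection:", hit)
```

On a live machine you would feed `triage_launch_item` the files under `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, and `find_irc_connections` the output of `lsof -i -nP`; a process that both persists from a hidden path and holds a connection to an IRC port is worth pulling for analysis.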

A work in progress

There are “very few hosts” infected with this malware, Bureau said, noting that the program’s developers are most likely still in the process of testing it.

On its blog, Mac security company Intego noted that the Kaiten source code has been publicly available since at least September 2009, and that it was “trivial” to compile it into a Mac executable using Apple’s Xcode. Intego also noted that people may intentionally install the Trojan on their own systems to take part voluntarily in specific DDoS attacks, such as those supporting Anonymous’ operations.

These “volunteers” have “effectively put control” of their Macs into someone else’s hands, Cluley said.

While there have been many instances of Windows malware re-engineered for the Mac platform, Tsunami appears to be the first that takes advantage of the fact that Mac OS X is based on BSD (Berkeley Software Distribution) Unix, an operating system with many similarities to Linux.

“If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying,” Cluley said, predicting more malware targeting “poorly defended Mac computers”.

A flood of Mac malware

There has been a flurry of Mac malware activity recently. It began in September, when F-Secure researchers found the Revir/Imuler Trojan, which was spread through malicious PDF files.

Another Trojan, called Flashback because it masquerades as an Adobe Flash Player installer or update, was detected later in September and went through several iterations this month, according to F-Secure. New capabilities include checking whether the Mac has a firewall installed, and checking whether it is running inside a virtual machine and deleting itself if it is.

The latest Flashback is far more sinister, as it can disable Apple’s built-in XProtect malware detection by overwriting certain XProtect files so that the system no longer receives new signature updates. Intego said Flashback was the first Mac malware that could “intentionally” damage system files, and noted that removing the malware and restoring the system could be time-consuming.

“We hope Mac malware doesn’t use similar techniques in the future that would require a full installation of Mac OS X to repair damage,” Intego said.

Cluley warned Mac users to protect themselves from cyber-threats with proper security software. “Don’t be a soft target; protect yourself,” he said.