Tsunami Trojan: First Mac attack based on Linux crack

Malware writers have derived a new Trojan for Mac OS X by porting an older Linux backdoor Trojan horse onto another platform. The newly discovered Tsunami Trojan is derived from an earlier Linux-infecting backdoor Trojan, called Kaiten, which phoned home from infected machines to an IRC channel for further instructions. …

COMMENTS

  1. Anonymous Coward

    "Security firms are still in the process of analysing Tsunami but early speculation suggests it may be a DDoS attack tool"

    Well, if it is based on Kaiten, which is some fairly ancient *nix trojan code from years back, then it will have plenty of DDOS attack code in it.

    I'm guessing, however, that other than it being ported over to Mac it is a basic backdoor with some IRC command functionality for upload/download/execute commands and "!SYN MISCROSOFT" type DDOS controls, which was pretty much the Kaiten of old. Nothing new here except the porting to Mac really. As trojans go it was good for its time but a little out of date now....

  2. Anonymous Coward

    While the threat of trojans (note; there are still no known viruses for the Mac in the wild) on the Mac is clearly very real and Mac users blatantly need to be vigilant and careful, the Sophos article reads like a sales pitch. There is no information on how it's contracted and a little bit of what can only be described as scare-mongering ("But remember this - not only is participating in a DDoS attack illegal..." or "Install Sophos or you could be breaking the law"). Tell us how to avoid it (no - installing Sophos isn't helping avoidance).

    1. Anonymous Coward

      As you mentioned, this is a trojan and not a virus, so "contracting" (infection), if I understand you correctly, would be up to the attacker's imagination. Spam it out, p2p it, driveby web infections, cross scripting, the old scroll here trick, simply downloading it to already infected machines, port scanning for vulns, etc etc...

      It's a bit of a non-article by Sophos really, with the only point of interest being that some geek has ported it over to Mac, just like people have been doing for the past ten years with Kaiten when they port it over to Windows. I have seen a net of 100k+ Kaiten infects on Windows machines, probably a much more interesting story than the Mac one but hidden among the dust due to it being Windows. This was 8 years ago when 100k was a rather large net. I do believe a large portion of those 100k had come from the Kuang virus if anyone remembers that.

      Now if the happy porter had recoded some sections to make it propagate, that would have been an interesting story... Mr Cluley, however, knows how to garner a tech interest point to further his own media career ;-)

      1. eulampios

        too much imagination

        >>would be up to the attackers imagination. Spam it out, p2p it, driveby web infections, cross scripting, the old scroll here trick, simply downloading it to already infected machines, port scanning for vulns, etc etc...

        That is the most interesting part. All the mentioned methods might be extremely hard to implement, except for the social engineering (for some people) or an unknown vuln. or a weak password. What you are suggesting though is (at least was) pretty mundane in the Windows world.

    2. dr2chase

      According to some quick searching and clicking

      Variant of Linux/Slapper, which uses an OpenSSL exploit:

      http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=99733

      And this is how Slapper does it. Probes port 80, looks for Apache, goes after SSL on port 443.

      Is this really still a vulnerability? This is an old attack.

      http://www.symantec.com/security_response/writeup.jsp?docid=2002-091311-5851-99&tabid=2

    3. Anonymous Coward

      "(note; there are still no known viruses for the Mac in the wild)" Really?

      May not be currently...but never say never.

      http://www.scmagazineus.com/koobface-exploit-for-macs-circulating-in-the-wild/article/181862/

      http://www.scmagazineus.com/second-mac-virus-in-the-wild/article/32987/

      1. Microphage

        AudiGuy: a social network worm

        "Security firm Intego issued an alert Wednesday announcing that its research team has discovered a Mac version of the notorious Koobface worm, known to propagate on social networking sites"

        http://www.scmagazineus.com/koobface-exploit-for-macs-circulating-in-the-wild/article/181862/

        My understanding is that a WORM propagates from computer to computer on the same network, without human intervention. In this case shouldn't that be a social network worm?

        1. eulampios

          >>My understanding is that a WORM propagates from computer to computer on the same network, without human intervention.

          Your understanding appears to be wrong. Just reread that very article, which does mention the user's authorization to run the Java applet in question and speaks of "several cases in the wild". Compare it with the glorious (yet not the greatest) stuxnet :)

    4. ElReg!comments!Pierre
      Paris Hilton

      OK I'll bite

      "(note; there are still no known viruses for the Mac in the wild)"

      That could be discussed, but what the hell does it have to do with the present case?

      "There is no information on how it's contracted"

      Let me guess, by installing it on your machine? D'oh.

      "Tell us how to avoid it"

      Where have you been for the past 20 years? Don't open dubious mail attachments, don't install "plugins" from porn sites, avoid these "season greetings e-card" things, etc... Sheesh.

      1. eulampios

        scary stuff

        >>Don't open dubious mail attachments

        And if I do, what would happen? (in my Debian GNU/Linux while using the mutt email client)?

        1. ElReg!comments!Pierre
          Facepalm

          @scary stuff

          > And if I do, what would happen? (in my Debian GNU/Linux while using the mutt email client)?

          If you stumble upon the wrong attachment, you'll have your machine pwnd, smartass. See, that's exactly that "arrogant yet ignorant knobface" attitude that makes Mac users a ripe target for black hats right now. It could happen to you, too.

          (Disclaimer: I do run Debian on most of my personal machines. Not a fan of Mutt though)

          1. This post has been deleted by its author

          2. eulampios

            You runnung how many Debians???

            Well, smartie pants, firstly, mutt does not open ANY attachment unless you tell it to and/or teach it how (in muttrc and mailcap), nor does any decent email client. Secondly, as far as the spooky thing about "opening dubious" emails is concerned, windbloats systems are known to open/autorun attachments without the user's prior permission.

            Anyways, did even "opening" an attachment in any Debian system ever incur any Halloween as it had done on thousands of Windblows systems? Of course I can stumble upon this attachment:

            /bin/sh

            sudo rm -rf /* &&printf "%s\n" "Have a great day! "

            My bad, you must be talking about that one then ... :) Oops, I would still have to chmod it and give a password. I'd better drop my PC off the roof of a building (will make sure it is clear) ;-)

            Yes, Mac OS X is much more secure than Windows; its security is weaker than that of the free *BSDs or GNU/Linux.

            PS Persevering in this matter on your side makes me doubt your Debian experience.

            1. ElReg!comments!Pierre

              Read.

              >As far as the spooky thing about "opening dubious" emails is concerned

              Open dubious email _attachments_. Mutt does not open them by itself, but the smug Mutt user, falsely confident in his system's immunity, on the other hand...

              >windbloats systems are known to open/autorun attachments without the user's prior permission.

              I think you're referring to the old default behaviour of Outlook; I don't use the bloody thing but I think even it was eventually fixed.

              >Of course I can stumble upon this attachment:

              All it takes is to put a line in your xsession -or something- and copy a small script wherever to open a backdoor and/or launch a keylogger every time you log in. And then there _are_ ways to escalate privileges...

              >Yes, Mac OS X is much more secure than Windows

              Not.

              >its security is weaker than that of the free *BSDs or GNU/Linux.

              I do think so myself, although, contrary to what you write, it doesn't mean that GNU/Linux systems are intrinsically immune, especially not to targeted attacks.

              >You runnung how many Debians???

              I runnung 3 (this one, which never gets to rest; my main home workstation and my main laptop, both used daily but switched off at night. Then there are a few old boxen but they rarely get switched on so I don't count them). That's almost half my personal machines, hence the "most".

              1. eulampios

                >>All it takes is to put a line in your xsession -or something- and copy a small script wherever to open a backdoor and/or launch a keylogger every time you log in. And then there _are_ ways to escalate privileges...

                Are you changing from email/mutt to xsession? Who would copy a script to my xsession? While I am at lunch and Mr./Miss. hacker boots my lappy into run level 1 (ro single)? We are not talking about this possibility. As it follows from most compromised systems (including Debian), ssh policy is the weakest link (not the technology). This again is a different subject.

                If you have a link to point to any REAL existing cases (or thousands of cases) when that had happened, I will agree with you. Remember the 50mln machines infected by ILOVEYOU?

                Note that I am not asserting that Linux/BSD are so secure that one has to pay zero care to security. Up-to-date system, strong passwords (no reuse) and so on. However, emailophobia is a paranoia. This is one of many reasons why Windows sucks.

                PS I rarely get "dubious" emails, thanks to gmail's spam filter and my own spamassassin.

                1. ElReg!comments!Pierre

                  That was just an insta-example but...

                  It was only an example from the top of my head, but I'll play along.

                  > Are you changing from email/mutt to xsession?

                  No

                  > Who would copy a script to my xsession?

                  To your xsession file. To which you have write access even in console mode. And any program you run has, too, presumably. All it takes is a vuln in a "3rd party" piece of software allowing it to add a line to a text file you have write access to. (Of course most distros don't create a ~/.xsession file anymore by default, but I'm quite sure it would be used if it were to be created...)

                  > While I am at lunch and Mr./Miss. hacker boots my lappy into the run level 1 (ro single)?

                  No

                  > We are not talking about this possibility.

                  indeed

                  > As it follows from most of compromised systems (including Debian) ssh policy is the weakest link, (not the technology). This again is a different subject.

                  The weakest link is actually fancy formats with an accumulation of bolted-on "functionalities" over the years (yes, pdf, I'm looking at you).

                  > If you have a link to point to any REAL existing cases (or thousands of cases) when that had happened, I will agree with you. Remember the 50mln machines infected by ILOVEYOU?

                  Real-life examples of pwned GNU/Linux boxen? There are plenty. However, you are right, fragmentation of the platform, a small luserbase and less idiotic default configs mean that it is harder to bulk-compromise millions of machines with the same snippet of code. Targeted attacks against a particular machine or group of machines are still very feasible, and yes, it could be done via a malicious file sent by email. (Note that Windows' security has dramatically increased since the days of ILOVEYOU. Still not perfect, but it's now Swiss cheese instead of cottage cheese!)

                  > Note that I am not asserting that Linux/BSD are so secure that one has to pay zero care to security.

                  We do agree then.

                  > Up-to-date system, strong passwords (no reuse) and so on. However, emailophobia is a paranoia. This is one of many reasons why Windows sucks.

                  With a bit of knowledge about one's machine, it is perfectly possible to compromise a Debian machine by tricking a user into opening a malicious email attachment. Maybe not as big a threat as for Windows users, but still present.

    5. Grease Monkey Silver badge

      "there are still no known viruses for the Mac in the wild"

      Get over it. It doesn't matter whether you call it a trojan, a virus or anything else; it's all badware.

  3. Zippy the Pinhead
    Stop

    @ AC

    "As trojans go it was good for its time but a little out of date now"

    How can it be out of date if the Mac shares the same type of vulnerability? Actually the Trojan is quite current... It's the Mac security against this type of attack that is out of date!

    1. Anonymous Coward

      It's not a vuln in the typical sense; it is simply installing software on a Mac machine using code created for a *nix machine by porting the code over.

      I can assure you that the code is not current in the same way as MSDOS is not current but of course can still be used.

  4. Ian Davies
    Mushroom

    "My advice to Mac users is simple: stay scared of vague security threats so that we can sell you our products"

    There. Fixed that for you, Graham.

    1. Anonymous Coward

      alternatively

      continue to insist that Macs are flawless and invulnerable to security threats due to the Holy Word of Jobs and you too can be a DDoS zombie and spambot as well as a good little cultist.

      The infection could even be considered a move toward a fully functional Mac, I suppose. Still won't help it with games, though.

      1. Zippy the Pinhead
        Joke

        @ AC 16:51 GMT

        "Holy Word of Jobs"

        How long before Mac Fanbois start a movement to have Jobs made a Saint? LOL

  5. DragonKin37
    Meh

    Nothing New

    Still a long way until Macs get pwned as much as Win PCs. But the trend is growing.

    1. Pascal Monett Silver badge
      Alert

      Don't see any reason to downvote that comment, which stated nothing but the truth. There is indeed a long way to go before Macs get as pwned as PCs.

      That has nothing to do with the vulnerability of Macs, it's just that the Mac is still a rather sheltered platform as far as attacks are concerned.

      And yes, the trend is changing since that's the second Mac attack vector I've heard of in the last month. So there is definitely more activity on that front, which would have been unheard of last year.

  6. Alexis Vallance
    FAIL

    Daily Mail

    Why is the Reg regurgitating commercial press releases and calling them news?

    1. Grease Monkey Silver badge

      That's what the news media have always done. Do keep up.

  7. jai

    Worth mentioning perhaps that Sophos make an antivirus tool for OS X that seems pretty reasonable, and it's free too.

    1. N2

      I use it

      Just for the PC users USB sticks...

  8. Anonymous Coward
    Facepalm

    Having...

    Tried Sophos AV on an Apple, I think I'd prefer the Trojan; had to re-install OSX to get TimeMachine to run without corrupting backups!

    1. Stupidscript

      Brilliant!

      Clearly your problems had nothing to do with TimeMachine being unable to support anti-virus signatures. And you had to re-install the ENTIRE operating system, just to get a single application running as it originally had? Wow. Bummer for you. Thanks for the warning.

    2. Anonymous Coward

      Interesting to see

      That OSX is stuck in the 80s land of instability requiring re-installs of the entire OS to fix minor problems. Or perhaps you are overstating things.

  9. Chris 171

    Props for the Hokusai

    That is all.

  10. Anonymous Coward

    Winblows

    "Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn't mean the problem is non-existent"

    So I'm glad I no longer use Winblows!

  11. cloudgazer

    Simple way to avoid all future Mac trojans

    Get your software from the App Store for Mac.

    1. Grease Monkey Silver badge

      Until, that is, somebody manages to sneak some badware on there. And they will.

    2. eulampios

      Or better

      Or better install Linux to be able to get 99.999% of all software from secure and centralized repositories.

      1. Anonymous Coward

        Like this one?

        http://www.theregister.co.uk/2011/08/31/linux_kernel_security_breach/

        1. eulampios

          not like that though

          http://en.wikipedia.org/wiki/Conficker

  12. Anonymous Coward

    Makes you proud to own OSX

    I am still of the opinion that the platform is obviously becoming so popular that the scum want to make all this effort. I assume the return on this sort of thing is less than 10% of machines getting infected; for the OSX platform, with such small numbers to start with, 10% is minuscule and yet it's still worth the effort for the scum to bother writing malware code.

    Gets you right here! ( You can't see but I have my hand on my heart! )

    1. FrankAlphaXII

      I don't think that this is anything but a test. Simply to see what they can infect using an ancient trojan's code.

      It's because malware authors realized that Mac users are by and large wealthy and fairly dim (sweeping generalization here, not all Mac users are dim. For instance Mac devs certainly are NOT stupid, hell they're smarter than me, I should have gotten in on the Apple racket sooner; a lot of users are though, but I doubt they get off MacRumors to read El Reg).

      Anyway, just think here. What are you going to go after if you're Boris and his sister Svetlana? Are you going to target a Linux user that is more than likely going to know something's up when weird things start happening or FLASK/SELinux freaks out, a corporate Unix install where they're probably going to notice an unauthorized installation on a sudoer's account during the next audit, a Windows machine that more than likely has some form of AV software making it a harder target (plus they don't tend to have as much money), or a very stereotypical Day Trader Apple Fanboi, with too much money, no AV, and not enough protection because he has a very false sense of security that Apple as a corporation only irresponsibly reinforces?

      If I'm Boris and Svetlana, I'm going to go for the softest target, especially one that's not only a Soft Target but a Soft Target with a lot of monetary assets to his or her name.

      I'm sure this will enrage the lot of you, but stop and think about the socioeconomics and practical strategic and tactical thinking behind this for a few minutes.

      1. mhenriday
        Boffin

        FrankAlphaXII, your argument is not without its merits,

        but I can't help wondering if one must have a given name like Boris or Svetlana to successfully write Trojan code? Wouldn't John or Mary - or for that matter, Frank or Henri - do as well? (Of course, there are some who would claim that the names are more likely to be of the type Mengjin or Lihua, but I don't wish to encourage that type of speculation, to which Reg bloggers are all too prone....)

        Henri

        1. FrankAlphaXII

          Just my background Henri, I'm former US Army, and before the Chinese really got big time into "Cyberwarfare" (a term I really dislike because we only use it to scare politicians) and crimeware, a great number of the attacks we saw came out of Russia or Ukraine. Not a vast majority, but there were a lot of them. Hell, it's the main reason I use Kaspersky on my Windows machines for AV.

          Not to say we didn't have plenty of attacks from Europe, Israel, Africa, Asia, or within the United States itself, but it was the Russian sphere where we saw a lot of things originate from.

          Though I do have to say there were things that European crackers (German authors tended to try this a lot and I still have no idea why) would try to do to make themselves look like they were Russian, very creative on their part really. Definitely adversaries to respect. But the technical linguists could generally tell where something came from with a fair degree of certainty.

    2. eulampios

      chmod +x scary_virus

      That would be true if Mac OS X had a security architecture similar to that in MS Windows, and not, as currently, to that in Unix (despite all the Jobs' matters).

  13. Anonymous Coward

    "good guys win, bad guys lose, and as always, ENGLAND PREVAILS"

    Once upon a time in the military, the term was "adversary". Those colonialism-obsessed colonials changed all that. I don't think that losing yourself in caricatural typification is a good idea, honestly.

    On to the present case. An old linux trojan ported to mac? After what, a decade or so? Not really enough to shed a tear and go "aw theys gone all grown up so fast" now, innit? Notwithstanding the obligatory phearmongering from the snake oil salesman, excuse me, respected industry leading company spokesman.

    It might seem there's a valid comment in people believing themselves secure while there's ways and means to exploit their systems available. Then again, plenty of people using systems far more likely to get infested with something nasty believe themselves safe because {we have a "router",the neighbours' kid takes care of it,the nice guy at $vendor said we'd be safe,they have (outdated) safety blanket software installed,pick any other reason} only to possibly never find out having been part of this or that botnet for ages, unknowingly. So on balance it seems a little overblown to go all stern and full of warning about this, unless indeed the goal is to get people to buy your product.

    The basic problem remains that far too many people have neither the wherewithal nor the means to remedy or even detect that they have a problem, quite regardless of system. I think there are a couple of open research questions there begging for attention. Just too bad that's not where the easy money is.

  14. b166er

    @AC 20:45

    Or is it that a higher percentage of Mac users can be parted from more of their cash?

  15. mrweekender
    FAIL

    Blatant...

    ...marketing ploy from Sophos - piss off Graham.

  16. raving angry loony
    FAIL

    bugger off.

    No, it does not "slip in the back door". Like every other trojan, it comes in the front door masquerading as something the user might want.

    Why do you think you can get away with flagrantly inaccurate statements in something that is little more than cheap (I'm guessing 3 beers, max.) propaganda for Sophos, when you KNOW most of your readers are fairly technically savvy?

  17. Tom 7

    Surely a trojan

    must take some control of the device away from the user.

    They never had that in the first place.

  18. Stuart Duel
    Pirate

    Use common sense

    I know there's nothing so uncommon of course…

    But anyway, it's fairly easy to avoid these things on the Mac anyway.

    * Don't visit dodgy websites and download things from them.

    * Dodgy email? Delete, delete, deleeeeete! (said in my best Cyberman voice).

    * Have some anti-malware software installed - the Apple supplied one, ClamXAV, etc. - and run them occasionally (and every time you get a memory stick or disc of unknown virtuousness).

    * Turn off all but the most essential things on your social networking tools/accounts.

    There may be no Mac OS X viruses out in the wild but as someone else said - never say never - and hopefully you won't be sorry.
