OSX/Tsunami: flooding new markets

Matt Hartley asks the question “Linux Malware: Are We There Yet?”  It seems strange, after so much exposure to the view that OS X is intrinsically so much safer than Windows, to read a piece calling attention to the fact that Linux users should not be complacent about malware. And, of course, that’s perfectly correct, but it still seems bizarre to see it supported by a statement like “Even worse, is the realization that OS X's own built-in defenses are easily defeated instead of protecting the end-user.” It sometimes seems that the big three operating systems are arranged in a perceived security hierarchy where the open source Linux users look down on the more proprietary Apple users, who look down on the victims of the evil empire from Redmond. Perhaps I’ll come back to that in a future article.

Coincidentally, in the past few days we’ve seen an interesting example of something close to cross-platform malware that shines a dark light on both OS X and Linux. The malware family variously known as Linux/Tsunami or Troj/Kaiten is an elderly (c. 2002) Linux backdoor Trojan that, once it manages to install itself, listens for instructions transmitted over IRC. While its command set is largely focused on various DDoS (Distributed Denial of Service) attacks, its ability to execute shell commands potentially gives it a much wider repertoire, though in real life it’s had comparatively little impact. A couple of days ago, however, ESET telemetry picked up a version ported to OS X: in other words, it’s been recompiled as a 64-bit Mach-O binary, not its original ELF format native to Linux. That version was functionally the same as the Linux version except that the IRC channel, server and password had been changed: see Robert Lipovsky’s summary here and Graham Cluley’s here.
This is all less dramatic than it may sound: the original source code has been seen on the web since 2009, the number of actual infected machines found has been tiny, and the indeterminate nature of the infection vector suggests a tryout rather than serious attack. However, subsequent reports here and here suggest a work still in progress, rather than a one-off. The main differences in later samples include:
  • Unlike the first sample, newer versions will survive a reboot (which makes it “persistent” in a technical sense, but not, I hasten to add, an APT: no 0-days or leading-edge techniques here so far)
  • A new C&C (command and control) server and IRC channel are being used. However, neither C&C is responding at present.
  • These builds work on 32-bit Intel x86-driven and Motorola PowerPC-driven Macs, not just x64.
Hat tips to Robert Lipovsky, Graham Cluley, Philippe Devallois of Intego, ESET’s Pierre-Marc Bureau, and Mac Virus’s pseudonymous “Old Mac Bloggit” for some of the information cited here.

What’s Hot on Infosecurity Magazine?