
Lazy hackers port ancient Linux Trojan to Mac OS X

It's in limited circulation, likely still being tested, say experts

October 31, 2011 02:50 PM ET

Computerworld - Hackers are testing new Mac malware that they've ported from a nine-year-old Trojan horse originally written for Linux, according to security experts.

The malware, dubbed "Tsunami," has been circulating in limited numbers since last week, said researchers at the Slovakian antivirus firm, ESET Security.

Tsunami first popped up last week, when ESET malware researcher Robert Lipovsky provided some bare bones information on the Trojan.

"We've seen backdoors [on the Mac] before, but these malware writers are simply reusing existing code instead of writing something new," said Lipovsky in an interview at the time. "It's a lot easier for them."

Lipovsky was referring to the code similarities between the Mac malware and a line of backdoor Trojans that targeted Linux machines as far back as 2002.

"The Linux [malware] is not directly compatible with the Mac OS X platform, but has to be recompiled," said Lipovsky. Unlike the older Linux malware -- also named Tsunami for one of its commands that launches a distributed denial-of-service (DDoS) attack -- the original Mac version was 64-bit.

In most other respects, however, Tsunami on the Mac is strikingly similar to its Linux ancestor, letting attackers issue commands to the infected computer via an IRC (Internet Relay Chat) channel to conduct DDoS attacks, or to download additional malware and Trojan updates.

Tsunami for the Mac has also been updated, said another ESET researcher, to ensure it launches each time an infected Mac desktop or laptop is booted. The newer version, labeled "Tsunami.A," also uses a different IRC channel and server for command-and-control, ESET's Pierre-Marc Bureau said in a follow-up blog post.

Lipovsky was unable to pin down how Tsunami's controllers infected Macs with the Trojan; Bureau also said that ESET wasn't sure what tactic attackers were using to plant the malware on machines.

But the short interval between editions and the limited use of the malware led ESET to believe that Tsunami's creators are still testing the Trojan. "They are [still] probably adapting the code, originally written for Linux, to the OS X platform," said Bureau.

U.K.-based Sophos said its analysis showed Tsunami's makers had also come up with a 32-bit version that would execute on older Macs that rely on the PowerPC processor.

Both ESET and Sophos rated the threat as minor.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+, or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.




