Lazy hackers port ancient Linux Trojan to Mac OS X
It's in limited circulation, likely still being tested, say experts
Computerworld - Hackers are testing new Mac malware that they've ported from a nine-year-old Trojan horse originally written for Linux, according to security experts.
The malware, dubbed "Tsunami," has been circulating in limited numbers since last week, said researchers at the Slovakian antivirus firm ESET Security.
Tsunami first popped up last week, when ESET malware researcher Robert Lipovsky provided some bare bones information on the Trojan.
"We've seen backdoors [on the Mac] before, but these malware writers are simply reusing existing code instead of writing something new," said Lipovsky in an interview at the time. "It's a lot easier for them."
Lipovsky was referring to the code similarities between the Mac malware and a line of backdoor Trojans that targeted Linux machines as far back as 2002.
"The Linux [malware] is not directly compatible with the Mac OS X platform, but has to be recompiled," said Lipovsky. Unlike the older Linux malware -- also named Tsunami for one of its commands that launches a distributed denial-of-service (DDoS) attack -- the original Mac version was 64-bit.
In most other instances, however, Tsunami on the Mac is strikingly similar to its Linux ancestor, letting attackers issue commands to the infected computer via an IRC (Internet Relay Chat) channel to conduct DDoS attacks, or download additional malware and Trojan updates.
Tsunami for the Mac has since been updated, added another ESET researcher, to ensure it launched each time an infected Mac desktop or laptop was booted. The newer version, labeled "Tsunami.A," also used a different IRC channel and server for command-and-control, said ESET's Pierre-Marc Bureau in a follow-up blog post.
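The IRC command channel described above is the behaviour a defender can look for on an endpoint: a process that is not an IRC client opening a session to an IRC server and joining a channel. The script below is an added example for this article, not code from Computerworld, ESET or Sophos. It assumes a simple host-network log format ("timestamp process -> ip:port payload"), and the process names, server addresses and channel name in the sample lines are constructed for the example.

```python
import re

# Constructed sample log lines for this example (hypothetical format:
# "<timestamp> <process> -> <dst_ip>:<dst_port> <first bytes of payload>").
# None of the names or addresses come from the ESET or Sophos analyses.
SAMPLE_LOG = """\
2011-10-27T09:12:01 Safari -> 93.184.216.34:443 TLS ClientHello
2011-10-27T09:12:07 svchelper -> 198.51.100.7:6667 NICK mac-4f2a91
2011-10-27T09:12:07 svchelper -> 198.51.100.7:6667 USER mac 0 * :mac
2011-10-27T09:12:08 svchelper -> 198.51.100.7:6667 JOIN #ctrl
2011-10-27T09:12:09 svchelper -> 198.51.100.7:6667 PONG :198.51.100.7
2011-10-27T09:12:15 Colloquy -> 198.51.100.9:6667 JOIN #macdev
2011-10-27T09:13:40 Mail -> 17.172.224.47:993 IMAP LOGIN
"""

# Allow-list of processes that legitimately speak IRC on this host (an
# assumption; a real deployment would build this from its software inventory).
KNOWN_IRC_CLIENTS = {"Colloquy", "irssi", "Textual"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) -> (?P<ip>[\d.]+):(?P<port>\d+) (?P<payload>.*)$"
)
# Client-to-server IRC commands at the start of a payload.
IRC_CMD_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\b")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "proc": m["proc"],
        "ip": m["ip"],
        "port": int(m["port"]),
        "payload": m["payload"],
    }


def is_irc_port(port):
    """Ports conventionally used by IRC servers (6660-6669, 6697 for TLS, 7000)."""
    return 6660 <= port <= 6669 or port in (6697, 7000)


def detect_irc_c2(log_text, known_clients=KNOWN_IRC_CLIENTS):
    """Group events per (process, server) and flag IRC sessions opened by
    processes that are not known IRC clients.

    Returns a list of findings, one per suspicious (process, server) pair."""
    flows = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["proc"], f'{ev["ip"]}:{ev["port"]}')
        flow = flows.setdefault(
            key, {"irc_port": False, "commands": set(), "channels": set()}
        )
        if is_irc_port(ev["port"]):
            flow["irc_port"] = True
        m = IRC_CMD_RE.match(ev["payload"])
        if m:
            flow["commands"].add(m.group(1))
            if m.group(1) == "JOIN":
                # JOIN #chan[,#chan2] [key]: record the channel list only.
                flow["channels"].update(ev["payload"].split()[1].split(","))

    findings = []
    for (proc, server), flow in sorted(flows.items()):
        if proc in known_clients:
            continue
        # Require both signals, an IRC-style port and real IRC protocol
        # traffic, so a bare connection to 6667 (scan, misconfiguration)
        # does not fire on its own.
        if flow["irc_port"] and flow["commands"]:
            findings.append({
                "process": proc,
                "server": server,
                "commands": sorted(flow["commands"]),
                "channels": sorted(flow["channels"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_irc_c2(SAMPLE_LOG):
        print(f'{f["process"]} -> {f["server"]} IRC {f["commands"]} '
              f'channels {f["channels"]}')
```

Run against the constructed log, the script reports only the unknown process talking to 198.51.100.7:6667, with its NICK/USER/JOIN/PONG sequence and the channel it joined; the genuine IRC client on the allow-list and the ordinary HTTPS and IMAP traffic are left alone. Pairing the port heuristic with protocol content is what keeps the rule from firing on every stray connection to port 6667.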
Lipovsky was unable to pin down how Tsunami's controllers infected Macs with the Trojan; Bureau also said that ESET wasn't sure what tactic attackers were using to plant the malware on machines.
But the short interval between editions and the limited use of the malware led ESET to believe that Tsunami's creators are still testing the Trojan. "They are [still] probably adapting the code, originally written for Linux, to the OS X platform," said Bureau.
U.K.-based Sophos said its analysis showed Tsunami's makers had also come up with a 32-bit version that would execute on older Macs that rely on the PowerPC processor.
Both ESET and Sophos rated the threat as minor.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.