Lazy hackers port ancient Linux Trojan to Mac OS X

It's in limited circulation, likely still being tested, say experts

Hackers are testing new Mac malware that they've ported from a nine-year-old Trojan horse originally written for Linux, according to security experts.

The malware, dubbed "Tsunami," has been circulating in limited numbers since last week, said researchers at the Slovakian antivirus firm, ESET Security.

Tsunami first popped up last week, when ESET malware researcher Robert Lipovsky provided some bare bones information on the Trojan.

"We've seen backdoors [on the Mac] before, but these malware writers are simply reusing existing code instead of writing something new," said Lipovsky in an interview at the time. "It's a lot easier for them."

Lipovsky was referring to the code similarities between the Mac malware and a line of backdoor Trojans that targeted Linux machines as far back as 2002.

"The Linux [malware] is not directly compatible with the Mac OS X platform, but has to be recompiled," said Lipovsky. Unlike the older Linux malware -- also named Tsunami for one of its commands that launches a distributed denial-of-service (DDoS) attack -- the original Mac version was 64-bit.

In most other instances, however, Tsunami on the Mac is strikingly similar to its Linux ancestor, letting attackers issue commands to the infected computer via an IRC (Internet Relay Chat) channel to conduct DDoS attacks, or download additional malware and Trojan updates.

Tsunami for the Mac has been updated, added another ESET researcher, to insure it launched each time an infected Mac desktop or laptop was booted. The newer version, labeled "Tsunami.A," also used a different IRC channel and server for command-and-control, said ESET's Pierre-Marc Bureau in a follow-up blog post.

Lipovsky was unable to pin down how Tsunami's controllers infected Macs with the Trojan; Bureau also said that ESET wasn't sure what tactic attackers were using to plant the malware on machines.

But the short interval between editions and the limited use of the malware led ESET to believe that Tsunami's creators are still testing the Trojan. "They are [still] probably adapting the code, originally written for Linux, to the OS X platform," said Bureau.

U.K.-based Sophos said its analysis showed Tsunami's makers had also come up with a 32-bit version that would execute on older Macs that rely on the PowerPC processor.

Both ESET and Sophos rated the threat as minor.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is

See more articles by Gregg Keizer.

Copyright © 2011 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon