Mac OS X Trojan Running

Friday, October 28, 2011 @ 01:10 PM gHale

There is a new backdoor Trojan targeting systems running Mac OS X.

The Trojan, Tsunami, appears to be a port of Troj/Kaiten, a Linux Trojan that embeds itself on a computer system and monitors an IRC channel for further instructions.


Trojans like Tsunami/Kaiten typically drag infected computers into coordinated DDoS (distributed denial-of-service) attacks, which flood a targeted website server with a massive amount of traffic, said Sophos Security researcher Graham Cluley.

“It’s not just a DDoS tool though,” he said. “As you can see by the portion of OSX/Tsunami’s source code, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer.”

“The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organized attack on a website.”

Cluley said he “fully expected” to see cyber criminals target poorly protected Mac computers in the future.

“If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying,” he said.
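An added detection example, not code from the article or from Sophos: a bot such as Tsunami/Kaiten has to register with an IRC server and join a channel before it can receive instructions, and that registration is plain text in the first bytes of the connection. The script below scans a constructed sample of outbound flows for IRC client registration (`NICK`/`USER`/`PASS`) and channel traffic (`JOIN`/`PRIVMSG`/`NOTICE`) and reports each Mac once, treating IRC on a non-standard port as an extra indicator. Host names, addresses, ports and payloads are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of outbound TCP flows from Macs on a monitored network:
# (source host, destination IP, destination port, first bytes of client payload).
# Addresses come from documentation ranges; payloads are invented for this example.
SAMPLE_FLOWS = [
    ("mac-01", "203.0.113.10", 6667, b"NICK [OSX]-9821\r\nUSER osx 8 * :osx\r\n"),
    ("mac-01", "203.0.113.10", 6667, b"JOIN #ops-room s3cret\r\n"),
    ("mac-02", "198.51.100.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("mac-03", "203.0.113.44", 8080, b"NICK mac-bot\r\nUSER bot 8 * :bot\r\n"),
    ("mac-02", "192.0.2.7", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

# Conventional IRC ports; a client speaking IRC anywhere else is more suspicious, not less.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# IRC client registration and channel commands as laid out in RFC 2812.
IRC_REGISTRATION = re.compile(rb"^(NICK|USER|PASS) \S", re.MULTILINE)
IRC_CHANNEL = re.compile(rb"^(JOIN|PRIVMSG|NOTICE) [#&]\S+", re.MULTILINE)


def classify_flow(dst_port, payload):
    """Return the IRC indicators found in one flow (empty list = nothing IRC-like)."""
    reasons = []
    if IRC_REGISTRATION.search(payload):
        reasons.append("irc-registration")
        if dst_port not in IRC_PORTS:
            reasons.append("irc-on-nonstandard-port")
    if IRC_CHANNEL.search(payload):
        reasons.append("irc-channel-traffic")
    return reasons


def find_irc_c2_candidates(flows):
    """Group indicators by source host so each machine is reported once."""
    findings = defaultdict(set)
    for host, dst_ip, dst_port, payload in flows:
        for reason in classify_flow(dst_port, payload):
            findings[host].add(f"{reason} -> {dst_ip}:{dst_port}")
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in find_irc_c2_candidates(SAMPLE_FLOWS).items():
        print(host)
        for reason in reasons:
            print("   ", reason)
```

The payload match is what carries the detection; the port is only a modifier, since a bot operator can point the client at any port. The check sees nothing if the IRC session is wrapped in TLS, in which case the fallback is the flow shape itself: a long-lived outbound connection from a workstation to an unfamiliar host with a small, steady trickle of traffic.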

An evolving Trojan that disables the automatic updater component of XProtect, Apple’s built-in OS X anti-malware app, is now up and running in the wild.

Flashback.C, which poses as an update to Adobe Flash, first decrypts the paths of XProtectUpdater files hardcoded in its body.

This action wipes out certain files, effectively preventing XProtect from automatically receiving future updates.
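An added integrity check, not code from the article or from Apple: if the malware's effect is that the updater's files are gone, the simplest defensive control is a script that confirms they are still there and that the definitions are still being refreshed. The component paths below are this example's assumption about where the XProtect updater lived on OS X 10.6/10.7 (the article does not name them), and the 14-day freshness threshold is likewise chosen for the example. The filesystem calls are parameters so the check can be run against a constructed view of the disk as well as the live machine.

```python
import os
import time

# Assumed locations of the XProtect updater components on OS X 10.6/10.7.
# These paths are an assumption of this example, not something the article states;
# later macOS releases moved XProtect elsewhere, so adjust them for the system you run on.
XPROTECT_COMPONENTS = {
    "updater binary": "/usr/libexec/XProtectUpdater",
    "launchd job": "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist",
    "definitions": "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist",
    "definition metadata": "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist",
}

MAX_DEFINITION_AGE_DAYS = 14  # threshold chosen for this example


def check_xprotect(exists=os.path.exists, mtime=os.path.getmtime, now=time.time,
                   components=XPROTECT_COMPONENTS):
    """Return a list of findings; an empty list means every component is present and fresh."""
    findings = []
    for label, path in components.items():
        if not exists(path):
            findings.append(f"missing {label}: {path}")
    # Definitions that stop changing are the symptom of a silenced updater,
    # even when the metadata file itself survived.
    meta = components["definition metadata"]
    if exists(meta):
        age_days = (now() - mtime(meta)) / 86400
        if age_days > MAX_DEFINITION_AGE_DAYS:
            findings.append(f"definitions last updated {age_days:.0f} days ago")
    return findings


def updater_intact(**kwargs):
    """True when check_xprotect() reports nothing."""
    return not check_xprotect(**kwargs)


if __name__ == "__main__":
    for line in check_xprotect() or ["XProtect updater components present and recent"]:
        print(line)
```

Running this from a periodic launchd job of your own, or from a fleet management agent, turns a silent loss of updates into an alert; a missing launchd plist is the finding to escalate first, because without it the updater never runs again even if the binary survives.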
