It came as a huge surprise to the legions of Mac owners lied to over the years about the likelihood of their computers being infected by malware, but the aftermath of the Tsunami Trojan isn’t a simple case of the problem being overcome with the Mac OS X anti-malware utility.
Instead, the aptly named Tsunami Trojan is more than likely the symbol of change, an indicator to those that have been expecting an attack on the Mac’s UNIX-derived platform that with an increased user base follows a greater prospect of vulnerabilities being found or created and then exploited.
Over the years third-party companies such as McAfee have attempted to sell their security software to Mac users with a limited amount of success. A lack of high-profile malware targeting Mac OS X is likely the cause of this. But with another Mac-targeting Trojan already in the wild, if Apple is unable to secure their operating system against these new threats then using a third-party solution is the only alternative for Mac users.
You and the Tsunami Trojan
Following its initial discovery it became clear that the Tsunami Trojan doesn’t actually do anything – yet. But the groundwork has been established, leading to the creation of a working Trojan that will be able to initiate malicious software stored in its payload.
Several iterations of the Trojan have been discovered, indicating that the developers – whoever they might be – are testing how successful it might be in the event of an all-out attack of malware against the Mac OS X population. While the Tsunami Trojan can be primarily defined as harmless, the fact that it is able to find its way onto your Mac is worrying, as is the fact that it has been ported from Linux (a Trojan called Kaiten).
As UNIX-like operating systems, Linux and Mac OS X share some common elements, and this has led to strong, overarching security afforded to users. The concern now is that if one piece of malware can be ported from Linux, so can others.
So how can you protect your Mac from the Tsunami Trojan?
Finding and Deleting the Tsunami Trojan
It has been reported that the variants of this Trojan open connections to some IRC channels and servers, and thanks to this they can be detected. Additionally, searching your /usr/sbin folder for a file called logind will provide evidence of infection (a legitimate file called "logind" can be found in System/Library/CoreServices/ – this is safe).
Using the logind name is significant; Mac OS X developers identify daemon processes (those working in the background) with a “d" in the filename. As a result this piece of malware fools the user into running it by appearing to be a genuine piece of software.
When executed the fake logind process hijacks the genuine com.apple.logind.plist system launch daemon, dropping its own code in that causes the Trojan to be launched each time your Mac reboots.
If you suspect that your Mac has the Tsunami Trojan installed, the first thing you should do is run a detection tool such as Little Snitch, which is a firewall application that can also detect network activity by malware. Attempts to access IRC servers such as pingu.anonops.li, x.lisp.su or any server via port 6667 should be immediately investigated.
Removal of the Trojan is best achieved via Mac-specific software such as F-Secure or Intego, which is much preferable to manually extracting the malware.
Why Mac Users Are Vulnerable
For many years Apple users went about their business safe in the apparent knowledge that their computers were safe from infection. Sadly this isn’t the case as proven by the Tsunami Trojan and earlier incidents such as Mac Defender, software that claimed to be anti-virus software that fooled users into installing it – something that requires administrative privileges.
In the case of Mac Defender, Apple was concerned enough to release internal memos to their AppleCare teams, advising them to deny support (using friendly customer service language) for removing the malware beyond installing the latest Mac OS X updates.
Regardless of the eventual results of the rogue testing of the Tsunami Trojan, the floodgates have already been opened. The DevilRobber Trojan has been identified in the past few weeks, distributed to Macs via BitTorrent websites and is designed to steal and generate Bitcoins by taking control of your GPU (graphics processing unit). Fortunately, the interest in and the value of Bitcoin appears to be slowly crashing which should result in few people installing this particular piece of malware.
However the growing trend continues to alarm.
Improve Your Awareness of Malware Threats
The days of Mac OS X being safe from malware are firmly behind us. Whether Apple releases security fixes to deal with this or not, the truth of the matter remains that the Mac’s most compelling selling point as an alternative to Windows – that it is more secure – is slowly but surely being eroded.
If rogue coders are currently busy working on a Mac-specific Trojan that has already been discovered, what else to they have in development? Only time will tell, but if you’re a Mac user then you represent a growing segment of computer users. As such you will need to take steps to protect your computer and your data.
The first thing that you can do is to familiarize yourself with the possibilities, the risks, and how the existence of one malware-resilient computer platform doesn’t mean that you won’t eventually be hit by maliciously programmed software.
You should also spend time choosing a good online security utility designed specifically for Mac OS X. In the short-term things are changing; long-term, you should be prepared for big changes in the way that Mac OS X is perceived. The Internet is a big place, and by securing your own system you help to ensure the safety of other computers on your network and further afield, whatever operating system they are running.
- Bott, Ed. "Apple to support reps: 'Do not attempt to remove malware'", http://www.zdnet.com/blog/bott/apple-to-support-reps-do-not-attempt-to-remove-malware/3362
- Bell, Killian. "Latest Mac Trojan Attacks Your GPU To Generate Bitcoins", http://www.cultofmac.com/127271/latest-mac-trojan-attacks-your-gpu-to-generate-bitcoins/
- Kessler, Topher. "'Tsunami' Trojan malware bot ported to OS X", http://reviews.cnet.com/8301-13727_7-20127094-263/tsunami-trojan-malware-bot-ported-to-os-x/
- Leyden, John. "Tsunami Trojan: First Mac attack based on Linux crack", http://www.theregister.co.uk/2011/10/26/tsunami_mac_backdoor/
- Camm-Jones, Ben. "New Tsunami Trojan discovered for Mac OS", http://www.computerworlduk.com/news/security/3314483/new-tsunami-trojan-discovered-for-mac-os/
- Image credit: Wikimedia Commons/Sturm