'Tsunami' Trojan malware bot ported to OS X

A variant of the "Tsunami" IRC-based distributed denial-of-service bot that has been developed for Linux over the past 10 years has been found for OS X systems.

Another day, another Trojan. The malware bot called "Tsunami" that has been developed for Linux systems since around 2002 has been found on OS X.

The malware (OSX/Tsunami.A) is a minimal threat, and like other Trojans and backdoors for OS X requires you to manually install it. While it is almost irrelevant to most users, it is out there and has the potential to cause harm for some.

The malware is an IRC bot, which is a program that connects to Internet Relay Chat (IRC) network servers and channels, where it can be controlled as a client for distributed denial-of-service (DDoS) attacks on targeted systems and networks. In addition it has the capability to both download files to an infected system and run shell commands (terminal commands) on it.

The current OS X variants of this malware appear not to work and may be in testing phases.

IRC bots are common programs used for numerous legitimate activities on IRC servers, but as with other well-intentioned routines, there is the potential for these bots to be developed and used for malicious activities.

Malware detection group ESET is claiming that so far there are two variants of this malware that connect to different IRC servers and channels. Both variants require someone to manually open the installer file, which then performs the following actions:

  1. It installs the malware in the /usr/sbin/ directory.
    The malware is cleverly disguised as a command-line tool called "logind" that may appear to be important to the system. In OS X various background programs are called daemons and end with a "d" in their name to denote this. The malware both attempts to emulate this, and also places it in a hidden system directory (/usr/sbin) where other background services reside so it may blend in.

    OS X does have a background tool that is called "logind" but this resides in the /System/Library/CoreServices/ directory and not in the /usr/sbin/ directory.

  2. It modifies a system launch daemon.
    The real OS X logind process (the one in the system's CoreServices directory) is managed by a system launch daemon called "com.apple.logind.plist" located in the /System/Library/LaunchDaemons/ directory, but when the Tsunami malware is installed, it replaces the contents of this launch daemon file with code that automatically launches the malware at startup and keeps it running on the system.

The correct version of this property list file should read as the following:

Healthy logind property list
A healthy version of the OS X logind property list should look like this (click for larger view). Screenshot by Topher Kessler

If the malware is installed on the system, the contents of this file will be replaced and you will instead see the following:

Infected version of the logind property list
On an infected system, the logind property list will look like this (click for larger view). Screenshot by Topher Kessler

As with other Trojan horses, this malware is a minimal threat, and also should be caught if you have a tool installed like Little Snitch, which will detect when programs and background services try to contact servers on the Internet. If you have Little Snitch installed and see an attempt by a process try to contact the servers "pingu.anonops.li" or "x.lisp.su"--or, for that matter, or any other server, especially if it is using the port 6667 (a port commonly used for distributing malware via IRC connections)--then deny it access and check to see if the malware is installed.

To see if the malware is installed on your system, go to the /Macintosh HD/System/Library/LaunchDaemons/ directory and open the file called "com.apple.logind.plist." Compare it with the screenshots above, and if it looks like the second one, then replace its contents with what's shown in the first screenshot. Since this file is in a system directory, you may need a tool like TextWrangler to be able to authenticate properly and edit the file.

In addition to reverting the changed launch daemon file, check to see if the rogue logind process has been installed on your system. In the Finder, choose "Go to Folder" from the Go menu and then enter "/usr/sbin" in the text field. The Finder should open the hidden system directory, in which you can search for and remove the file called "logind" if it is present. When you remove it, the system will ask you for an administrator password, so provide it and then delete the file.

Rogue logind program in hidden /usr/sbin/ folder
If you locate this file in the /usr/sbin/ directory, remove it (click for larger view). Screenshot by Topher Kessler

Beyond manually removing the malware, since the Mac version of Tsunami was found on October 25 various malware definitions, including those from F-Secure and Intego, have been updated to detect and remove this malware from systems, so be sure to keep your computer's antivirus definitions updated.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

Featured Video

Outcry over iPhone 'Error 53' and bad USB Type-C cables

Be careful when replacing parts. Poorly made cables can fry a laptop, and iPhones will stop working if the Touch ID button is repaired outside of Apple. It's a lesson some are learning the hard way.

by Bridget Carey