Another day, another Trojan. The malware bot called “Tsunami” that has been developed for Linux systems since around 2002 has been found on OS X.
The malware (OSX/Tsunami.A) is a minimal threat, and as with other Trojans and backdoors for OS X requires you to manually and purposefully install it. While it is almost irrelevant for most users, it is out there and has the potential to cause harm for some.
The malware is an IRC bot, which is a program that connects to Internet Relay Chat (IRC) network servers and channels, where it can then be controlled as a client for distributed denial-of-service (DDoS) attacks on targeted systems and networks. In addition it has the capability to both download files to an infected system and run shell commands (terminal commands) on it.
Current versions of the OS X variants of this malware appear to be nonworking and are suspected to be in testing phases.
IRC bots are common programs used for numerous legitimate activities on IRC servers, but as with other well-intentioned routines, there is the potential for these bots to be developed and used for malicious activities.
Malware-detection group ESET is claiming so far there are two variants of this malware that connect to different IRC servers and channels. As with other malware, this one requires someone to manually open the installer files, which then performs the following actions:
- It installs the malware in the /usr/sbin/ directory.
The malware is cleverly disguised as a command-line tool called “logind” that may appear to be important to the system. In OS X various background programs are called “daemons” and end with a “d” in their name to denote this. The malware both attempts to emulate this, and also places it in a hidden system directory (/usr/sbin) where other background services reside so it may blend in.OS X does have a background tool that is called “logind” but this resides in the /System/Library/CoreServices/ directory and not in the /usr/sbin/ directory.
- It modifies a system launch daemon
The real OS X “logind” process (the one in the system’s “CoreServices” directory) is managed by a system launch daemon called “com.apple.logind.plist” located in the /System/Library/LaunchDaemons/ directory, but when the Tsunami malware is installed, it replaces the contents of this launch daemon file with code that automatically launches the malware at startup and keeps it running on the system.
The correct version of this property list file should read as the following:
If the malware is installed on the system, the contents of this file will be replaced and will read as the following:
As with other Trojan horses, this malware is a minimal threat and also should be caught if you have a tool like Little Snitch installed, which will detect when programs and background services try to contact servers on the Internet. If you have Little Snitch installed and see an attempt by a process try to contact the servers “pingu.anonops.li” or “x.lisp.su” or any other server–especially if it is using the port 6667 (a port commonly used for distributing malware via IRC connections)–then deny it access and check to see if the malware is installed.
To see if the malware is installed on your system, go to the /Macintosh HD/System/Library/LaunchDaemons/ directory and open the file called “com.apple.logind.plist.” Compare it to the screenshots above, and if it looks like the second one, then replace its contents with that of the first screenshot. Since this file is in a system directory, you may need a tool like TextWrangler to be able to authenticate properly and edit the file.
In addition to reverting the changed launch daemon file, check to see if the rogue “logind” process has been installed on your system. In the Finder, choose “Go to Folder” from the “Go” menu and then enter “/usr/sbin” in the text field. The Finder should open the hidden system directory, in which you can search for and remove the file called “logind” if it is present. When you remove it, the system will ask you for an administrator password, so provide it and then delete the file.
Beyond manually removing the malware, since it was found on October 25 various malware definitions including those from F-Secure and Intego have been updated to detect and remove this malware from systems, so be sure to keep antivirus definitions updated.