Posted by: oldmacbloggit | October 27, 2011

OSX/Tsunami: a little more water with that

A little more news following David’s blog yesterday (OSX/Tsunami.A: old code, new platform), which pointed to Robert Lipovský’s blog Linux Tsunami hits OS X.

Pierre-Marc Bureau reported last night on ESET’s further discovery, in Updates on OSX/Tsunami.A, a Mac OS X Trojan. The new binary has a couple of significant differences from the version previously described:

  • After infection, it now restarts itself after each reboot, so it persists on the infected machine.
  • The new binary uses a new C&C (Command and Control) server and IRC channel.

At the time of writing, neither C&C server is responding, and telemetry indicates very low distribution. The infection vector remains indeterminate, and that will have a bearing on how significant the impact of these and any future versions will be. Pierre-Marc believes it’s likely that the author(s) are still testing the water (sorry!).

Sophos also has further information on the previous sample: Tsunami backdoor for Mac OS X discovered. Kudos to Graham Cluley for linking to the ESET blog – not all vendor blogs are so scrupulous. Some sources nevertheless seem to be assuming that the bigger company “owns” the discovery. I’m trying to persuade David to say something on the topic of information and sample sharing here or at Infosecurity Magazine, but I think he may be having a bad attack of diplomacy.

Old MacNag
