Pierre-Marc Bureau reported last night on ESET’s further discovery concerning OSX/Tsunami.A, a Mac OS X Trojan, in Updates on OSX/Tsunami.A. The new binary has a couple of significant differences from the version previously described:
- After infection, it now persists: it restarts itself after each reboot.
- The new binary uses a new C&C (Command and Control) server and IRC channel.
At the time of writing, neither C&C is responding, and telemetry indicates very low distribution. The infection vector remains indeterminate, and that will have a bearing on how significant the impact of these and any future versions will be. Pierre-Marc believes it’s likely that the author(s) are still testing the water (sorry!).
Sophos also have further information on the previous sample: Tsunami backdoor for Mac OS X discovered. Kudos to Graham Cluley for linking to the ESET blog – not all vendor blogs are so scrupulous. Some sources nevertheless seem to be assuming that the bigger company “owns” the discovery. I’m trying to persuade David to say something on the topic of information and sample sharing here or at Infosecurity Magazine, but I think he may be having a bad attack of diplomacy.