Comments on: Linux Tsunami hits OS X
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: David Harley
Thu, 03 Nov 2011 11:25:43 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3671

It would be naive to say that any blog article doesn’t have potential PR value. Otherwise, security vendors would be less inclined to pay people to do it. Incidentally, the blog you’re complaining about was written by a labrat (sorry, Robo!) not a PR guy. I don’t know what you mean by the “intended” name, and I don’t see anything strange in the phrasing.

I don’t know what you know, but you certainly have no idea what I know. I agree that it would be foolish to state that this will definitely develop into something major, and as far as I know, no-one has. To state that it definitely won’t seems to me equally foolish and not a little arrogant.

The fact that there is so little OS X malware makes this interesting and in some sense significant. In principle, the same applies to Linux malware. In practice, whether an issue gets as far as being blogged is different to whether it “warrants” a blog. There are no full-time bloggers on this team AFAIK, and we simply can’t cover everything. I don’t blog on a fraction of the issues I’d _like_ to talk about, and I publish more blogs than most people.

I find it curious that on one hand you virtually accuse me of defending blatant hype, and yet you assume I’m going to approve and respond to your rather over-the-top criticism. Don’t you think that if this was a purely-PR-targeting blog, I’d simply trash it?

By: J Random
Wed, 02 Nov 2011 19:27:46 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3670

I’m just saying, you can’t deny the fact that it DOES make good headlines to pair the words “OS X” and “malware” in a headline. A quick google will show how the story got picked up, spread around and hyped. I’m not saying this was done on purpose by ESET; but I’m sure no one over at ESET is complaining.

Regarding kaiten being the alternative name, I just think the phrasing was funny. Kaiten is the *intended* name, Tsunami is the alternative name.

You and I both know that a kaiten port of OS X will never develop into something major. Pretending otherwise is fairly foolish.

Just out of curiosity, if you saw a Linux 3.0 port of something like knark or adore, would that warrant a blog post? I just think this article was written primarily for hype.

By: David Harley
Tue, 01 Nov 2011 08:52:15 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3669

Did you guys miss the part in the original article that says “It is actually an OS X port of the Linux family of backdoors that we have been detecting since 2002 as Linux/Tsunami”, or the comment that says “But yes, Kaiten is an alternative name for the Linux malware ESET calls Linux/Tsunami”? Sorry you find the name uncreative, but when you see as much malware as ESET does, you tend to save your creativity for more pressing concerns.

You’re perfectly right: the AV industry has made a point over the years of not giving malware the name apparently intended by the author. Why do you think this is a problem? In any case, in recent years, that’s become much less relevant because (1) Malware-as-a-Service doesn’t care what we call it and (2) detections have become much more generic and may include literally millions of loosely related target binaries: naming isn’t very relevant in today’s binary glut.

Did you also miss the follow-up blog that said “It is our belief that the people behind this threat are in the process of testing their creation. They are probably adapting the code, originally written for Linux, to the OS X platform…”? Headline? This isn’t the News of the World: we’re entitled to write about stuff that’s interesting and may develop into something major, irrespective of platform. No-one said it’s the beginning of the Apocalypse, or even that it’s fully functional malware.

Yes, it’s easy to find the Linux code. That doesn’t mean we have to go out of our way to direct people to it. Though actually, the stripping of URLs in comments is primarily about comment spam including advertising or malicious URLs.

By: J Random
Tue, 01 Nov 2011 03:13:05 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3668

Wow, way to make a big deal out of nothing. As was stated above it's just a kaiten bot (btw real creative ESET, naming it after the first DDoS attack it lists in the file. Of course I know the AV industry doesn't give malware its intended name; but that's another discussion). It uses raw sockets (which require uid0) for most of the DDoS functionality, so unless it comes with a bundled local exploit it's not even capable of functioning at full capacity. Also this is not "secret" malware; anyone can google the snippets in the comment header you posted and locate a download. Packetstorm anyone? Kind of sad that you all sold out your integrity for a chance to pair the words "OS X" and "malware" in a headline.

By: David Harley
Sun, 30 Oct 2011 16:57:16 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3667

All URLs are automatically stripped, but we wouldn’t have approved a link to known malware anyway. But yes, Kaiten is an alternative name for the Linux malware ESET calls Linux/Tsunami.

By: Johan
Sat, 29 Oct 2011 01:49:50 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3666

“You don’t have to know everything about malware for it to be of interest”
I totally agree David! Especially when we talk about Mac OS X malware :)

By: David Harley
Fri, 28 Oct 2011 16:58:51 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3665

There’s no “without even” about this. It’s not a virus: the infection mechanism isn’t some sort of routine in the malware. It probably relies on social engineering to get a foothold on the system, if that’s what you mean, but we don’t know how the collected samples were installed. You don’t have to know everything about malware for it to be of interest. It doesn’t even have to be in the wild, necessarily. This looks like testing a concept rather than an attempt at an epidemic, but that doesn’t make it insignificant.

By: Joe Brockmeier
Fri, 28 Oct 2011 16:04:39 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3664

"We’re still gathering pieces of the jigsaw." Wait, really? You published something about a "threat" to OS/X without even having the information on how this spreads? Sigh.

By: Lolwat
Fri, 28 Oct 2011 04:58:05 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3663

This actually has been around since early 2001, known as "kaiten". You can download it here:

By: lyecdevf
Thu, 27 Oct 2011 10:24:51 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3662

Well OS X is based on Unix so a backdoor designed for Linux is not such a huge leap to make. I think all those Apple users out there who believe that their Apple computers are immune to viruses, trojans, … should rethink!

By: AdamD
Thu, 27 Oct 2011 07:31:59 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3661

I think this is a good thing. Obviously virii in the wild is never good, but it may make the general consumer more aware of the weaknesses in Mac software that is marketed as being infallible!

By: David Harley
Wed, 26 Oct 2011 21:03:20 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3660

We’re still gathering pieces of the jigsaw. More information soon.

By: McMalph
Tue, 25 Oct 2011 23:39:32 +0000
http://www.welivesecurity.com/2011/10/25/linux-tsunami-hits-os-x/#comment-3659

So what's the infection vector? Can this side-step the OS X built-in warning on installing software? Does it require user interaction to authorize installation?
