Linux Tsunami hits OS X

We’ve just come across an IRC controlled backdoor that enables the infected machine to become a bot for Distributed Denial of Service attacks. The interesting part about it is that it’s a Mach-O binary – targeting Mac OS X. ESET’s research team compared this to samples in our malware collection and discovered that this code is derived from something we’ve seen before. It is actually an OS X port of the Linux family of backdoors that we have been detecting since 2002 as Linux/Tsunami.

The analyzed sample contains a hardcoded list of IRC servers and a channel that it attempts to connect to. The client then listens for and interprets commands posted in that channel. The list of accepted commands can be seen in the following comment block from the C source code of the Linux variant.

In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine.

In terms of functionality, the Mac variant of the backdoor is similar to its older Linux brother, with only the IRC server, channel and password changed and the greatest difference being that it’s a 64-bit Mach-O binary instead of an ELF binary.
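As an added illustration (not ESET's tooling and not code from the sample), a small Python triage helper that flags the two traits the post describes: a 64-bit Mach-O image that embeds raw IRC protocol verbs. The Mach-O magic values are the real ones; the IRC_MARKERS list, the scoring rule and the SAMPLE bytes are constructed assumptions.

```python
import re
import struct
from typing import Dict, List, Optional

# Mach-O magic numbers as they appear when the first four bytes are read little-endian.
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit, little-endian file (x86_64)
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit, big-endian file
MH_MAGIC = 0xFEEDFACE      # 32-bit, little-endian file
MH_CIGAM = 0xCEFAEDFE      # 32-bit, big-endian file

# Raw IRC verbs a bot must embed to register with a server and sit in a channel (assumed list).
IRC_MARKERS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ", b"PONG ")


def macho_kind(data: bytes) -> Optional[str]:
    """Return '64-bit', '32-bit', or None when the blob is not a Mach-O image."""
    if len(data) < 4:
        return None
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        return "64-bit"
    if magic in (MH_MAGIC, MH_CIGAM):
        return "32-bit"
    return None


def printable_strings(data: bytes, min_len: int = 4) -> List[bytes]:
    """Extract runs of printable ASCII, like the `strings` utility does."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def irc_indicators(data: bytes) -> Dict[str, List[str]]:
    """Map each IRC verb found to the embedded strings that contain it."""
    hits: Dict[str, List[str]] = {}
    for s in printable_strings(data):
        for marker in IRC_MARKERS:
            if marker in s:
                hits.setdefault(marker.decode(), []).append(s.decode())
    return hits


def triage(data: bytes) -> dict:
    """Flag a Mach-O image carrying at least two distinct IRC verbs (assumed threshold)."""
    kind = macho_kind(data)
    hits = irc_indicators(data)
    return {"macho": kind, "irc_markers": hits, "suspicious": kind is not None and len(hits) >= 2}


# Constructed sample: a 64-bit Mach-O magic plus padding, then IRC format strings and C2 placeholders.
SAMPLE = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
          + b"NICK %s\r\n\x00USER %s 8 * :%s\r\n\x00JOIN %s %s\r\n\x00PRIVMSG %s :%s\r\n\x00"
          + b"irc.example.invalid\x00#chan\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```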

ESET security software (including ESET Cybersecurity for Mac) detects the malware as OSX/Tsunami.A.


Robert Lipovsky

Malware Researcher

Author Robert Lipovsky, ESET

  • McMalph

    So what's the infection vector? Can this side-step the OS X built-in warning on installing software? Does it require user interaction to authorize installation?

    • David Harley

      We’re still gathering pieces of the jigsaw. More information soon.

  • AdamD

    I think this is a good thing. Obviously virii in the wild are never good, but it may make the general consumer more aware of the weaknesses in Mac software that is marketed as being infallible!

  • lyecdevf

    Well OSX is based on unix so a backdoor designed for linux is not such a huge leap to make. I think all those apple users out there who believe that their apple computers are immune to viruses, trojans, … should rethink!

  • Lolwat

    This actually has been around since early 2001, known as "kaiten". You can download it here:


    • David Harley

      All URLs are automatically stripped, but we wouldn’t have approved a link to known malware anyway. But yes, Kaiten is an alternative name for the Linux malware ESET calls Linux/Tsunami.

  • Joe Brockmeier

    "We’re still gathering pieces of the jigsaw." Wait, really? You published something about a "threat" to OS/X without even having the information on how this spreads? Sigh.

    • David Harley

      There’s no “without even” about this. It’s not a virus: the infection mechanism isn’t some sort of routine in the malware. It probably relies on social engineering to get a foothold on the system, if that’s what you mean, but we don’t know how the collected samples were installed. You don’t have to know everything about malware for it to be of interest. It doesn’t even have to be in the wild, necessarily. This looks like testing a concept rather than an attempt at an epidemic, but that doesn’t make it insignificant.

  • Johan

    "You don’t have to know everything about malware for it to be of interest"
    I totally agree David! Especially when we talk about Mac OS X malware :)

  • J Random

    Wow, way to make a big deal out of nothing. As was stated above it's just a kaiten bot (btw real creative ESET, naming it after the first DDoS attack it lists in the file. Of course I know the AV industry doesn't give malware its intended name; but that's another discussion). It uses raw sockets (which require uid0) for most of the DDoS functionality, so unless it comes with a bundled local exploit it's not even capable of functioning at full capacity. Also this is not "secret" malware; anyone can google the snippets in the comment header you posted and locate a download. Packetstorm anyone? Kind of sad that you all sold out your integrity for a chance to pair the words "OS X" and "malware" in a headline.

    • David Harley

      Did you guys miss the part in the original article that says “It is actually an OS X port of the Linux family of backdoors that we have been detecting since 2002 as Linux/Tsunami”, or the comment that says “But yes, Kaiten is an alternative name for the Linux malware ESET calls Linux/Tsunami”? Sorry you find the name uncreative, but when you see as much malware as ESET does, you tend to save your creativity for more pressing concerns.

      You’re perfectly right: the AV industry has made a point over the years of not giving malware the name apparently intended by the author. Why do you think this is a problem? In any case, in recent years, that’s become much less relevant because of (1) Malware-as-a-Service doesn’t care what we call it (2) detections have become much more generic and may include literally millions of loosely related target binaries: naming isn’t very relevant in today’s binary glut.

      Did you also miss the follow-up blog that said “It is our belief that the people behind this threat are in the process of testing their creation. They are probably adapting the code, originally written for Linux, to the OS X platform…”? Headline? This isn’t the News of the World: we’re entitled to write about stuff that’s interesting and may develop into something major, irrespective of platform. No-one said it’s the beginning of the Apocalypse, or even that it’s fully functional malware.

      Yes, it’s easy to find the Linux code. That doesn’t mean we have to go out of our way to direct people to it. Though actually, the stripping of URLs in comment is primarily about comment spam including advertising or malicious URLs.

  • J Random

    I’m just saying, you can’t deny the fact that it DOES make good headlines to pair the words “OS X” and “malware” in a headline. A quick google will show how the story got picked up, spread around and hyped. I’m not saying this was done on purpose by ESET; but I’m sure no one over at ESET is complaining.

    Regarding kaiten being the alternative name, I just think the phrasing was funny. Kaiten is the *intended* name, Tsunami is the alternative name.

    You and I both know that a kaiten port of OS X will never develop into something major. Pretending otherwise is fairly foolish.

    Just out of curiosity, if you saw a Linux 3.0 port of something like knark or adore, would that warrant a blog post? I just think this article was written primarily for hype.

    • David Harley

      It would be naive to say that any blog article doesn’t have potential PR value. Otherwise, security vendors would be less inclined to pay people to do it. Incidentally, the blog you’re complaining about was written by a labrat (sorry, Robo!) not a PR guy. I don’t know what you mean by the “intended” name, and I don’t see anything strange in the phrasing.

      I don’t know what you know, but you certainly have no idea what I know. I agree that it would be foolish to state that this will definitely develop into something major, and as far as I know, no-one has. To state that it definitely won’t seems to me equally foolish and not a little arrogant.

      The fact that there is so little OS X malware makes this interesting and in some sense significant. In principle, the same applies to Linux malware. In practice, whether an issue gets as far as being blogged is different to whether it “warrants” a blog. There are no full-time bloggers on this team AFAIK, and we simply can’t cover everything. I don’t blog on a fraction of the issues I’d _like_ to talk about, and I publish more blogs than most people.

      I find it curious that on one hand you virtually accuse me of defending blatant hype, and yet you assume I’m going to approve and respond to your rather over-the-top criticism. Don’t you think that if this was a purely-PR-targeting blog, I’d simply trash it?

Copyright © 2018 ESET, All Rights Reserved.