Tsunami backdoor for Mac OS X discovered

Graham Cluley

OSX/Tsunami-A, a new backdoor Trojan horse for Mac OS X, has been discovered.

What makes Tsunami particularly interesting is that it appears to be a port of Troj/Kaiten, a Linux backdoor Trojan horse that once it has embedded itself on a computer system listens to an IRC channel for further instructions.

Typically code like this is used to rally compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic.

If you were wondering where the name “Tsunami” comes from, that should probably help explain things.


It’s not just a DDoS tool though. As you can see by the portion of OSX/Tsunami’s source code that I have reproduced below, the bash script can be given a variety of different instructions and can be used to remotely access an affected computer.

Tsunami source code
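As an added illustration (not code from the original post, from Sophos, or from the malware itself): a small Python helper that reads `lsof -nP -i` style output and flags processes holding established connections to IRC ports, the kind of behaviour a Kaiten-style IRC backdoor like Tsunami shows on an infected host. The sample output, the IRC port set and the whitelist of expected IRC clients are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample of `lsof -nP -i` output (illustrative, not captured from an infected host).
# The ".xyz" row is a made-up oddly named process to stand in for an IRC-connected backdoor.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari    412 alice  21u  IPv4 0x1a1      0t0  TCP 192.168.1.20:52110->93.184.216.34:443 (ESTABLISHED)
Colloquy  503 alice  12u  IPv4 0x1a2      0t0  TCP 192.168.1.20:52200->203.0.113.7:6667 (ESTABLISHED)
.xyz      611 alice   3u  IPv4 0x1a3      0t0  TCP 192.168.1.20:52300->198.51.100.9:6667 (ESTABLISHED)
launchd     1 root    8u  IPv4 0x1a4      0t0  TCP *:22 (LISTEN)
"""

# Ports commonly used by IRC servers (plain and TLS).
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Assumption for this example: processes an administrator expects to speak IRC on this host.
KNOWN_IRC_CLIENTS = {"Colloquy", "irssi", "weechat", "Textual"}

# Matches established IPv4 TCP connections in `lsof -nP -i` output; IPv6 rows are skipped.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?TCP\s+\S+->"
    r"(?P<rhost>[\d.]+):(?P<rport>\d+)\s+\(ESTABLISHED\)"
)


def parse_connections(lsof_text: str) -> List[Dict[str, object]]:
    """Return one record per established outbound IPv4 TCP connection."""
    records = []
    for line in lsof_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({
                "cmd": m["cmd"], "pid": int(m["pid"]), "user": m["user"],
                "rhost": m["rhost"], "rport": int(m["rport"]),
            })
    return records


def suspicious_irc_connections(lsof_text: str) -> List[Dict[str, object]]:
    """Flag IRC-port connections held by anything other than a known IRC client."""
    return [
        c for c in parse_connections(lsof_text)
        if c["rport"] in IRC_PORTS and c["cmd"] not in KNOWN_IRC_CLIENTS
    ]


if __name__ == "__main__":
    for c in suspicious_irc_connections(SAMPLE_LSOF):
        print(f"suspicious: {c['cmd']} (pid {c['pid']}) -> {c['rhost']}:{c['rport']}")
```

A hit only says that an unexpected process is talking to an IRC port; confirming it is a backdoor still needs the binary and its launch agent inspected.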

Sophos’s Mac anti-virus products (including our free anti-virus for Mac home users) have been updated to detect OSX/Tsunami-A.

The big question, of course, is how would this code find itself on your Mac in the first place? It could be that a malicious hacker plants it there, to access your computer remotely and launch DDoS attacks, or it may even be that you have volunteered your Mac to participate in an organised attack on a website.

But remember this – not only is participating in a DDoS attack illegal, it also means that you have effectively put control of your Mac into someone else’s hands. If that doesn’t instantly raise the hairs on the back of your neck, it certainly should.

Tsunami snapshot

Mac users are reminded that even though there is far less malware in existence for Mac OS X than for Windows, that doesn’t mean the problem is non-existent. You only need to read our short history of Mac malware to realise that.

We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future. If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying.

My advice to Mac users is simple: don’t be a soft target, protect yourself.

For further information read this blog entry from our friends at ESET.

Update: Some new variants of OSX/Tsunami have now been discovered. Read about them here.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
