The Mac Security Blog


Tsunami Backdoor Can Be Used for Denial of Service Attacks

A new backdoor and hacker tool, Tsunami, has been discovered. This hacker tool appears to be a port of a piece of Linux malware that has been around for some time; it provides remote access to hackers by listening on an IRC (Internet Relay Chat) channel for instructions.

Tools like this are often used for distributed denial of service (DDoS) attacks (more on that below). These attacks flood computers with standard network requests, with a goal of overloading them. If a server receives more requests than it can handle, it can slow down, or even crash.

The Tsunami backdoor accepts a number of commands, and can change servers, download files, such as updates, and send packets to a specified IP address.

* TSUNAMI <target> <secs>      = A PUSH+ACK flooder                   *
* PAN <target> <port> <secs>   = A SYN flooder                        *
* UDP <target> <port> <secs>   = An UDP flooder                       *
* UNKNOWN <target> <secs>      = Another non-spoof udp flooder        *
* NICK <nick>                  = Changes the nick of the client       *
* SERVER <server>              = Changes servers                      *
* GETSPOOFS                    = Gets the current spoofing            *
* SPOOFS <subnet>              = Changes spoofing to a subnet         *
* DISABLE                      = Disables all packeting from this bot *
* ENABLE                       = Enables all packeting from this bot  *
* KILL                         = Kills the knight                     *
* GET <http address> <save as> = Downloads a file off the web         *
* VERSION                      = Requests version of knight           *
* KILLALL                      = Kills all current packeting          *
* HELP                         = Displays this                        *
* IRC <command>                = Sends this command to the server     *
* SH <command>                 = Executes a command                   *
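The command table above is the bot's own help banner, which a defender can turn into a simple detection rule for IRC traffic. The following is an added example, not code from the original post or from the malware: it matches the first word of each IRC PRIVMSG against that table, requiring the exact argument count the banner lists (IRC and SH take a free-form remainder). The IRC sample lines are constructed.

```python
import re

# Command -> argument count, taken from the Tsunami help banner on the page.
TSUNAMI_COMMANDS = {
    "TSUNAMI": 2, "PAN": 3, "UDP": 3, "UNKNOWN": 2, "NICK": 1, "SERVER": 1,
    "GETSPOOFS": 0, "SPOOFS": 1, "DISABLE": 0, "ENABLE": 0, "KILL": 0,
    "GET": 2, "VERSION": 0, "KILLALL": 0, "HELP": 0, "IRC": 1, "SH": 1,
}
# Commands whose argument is a free-form remainder rather than a fixed count.
FREE_FORM = {"IRC", "SH"}

# IRC message of the form ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(r"^(?::(?P<src>\S+) )?PRIVMSG (?P<chan>\S+) :(?P<text>.*)$")


def classify_line(line):
    """Return (command, channel) if the message text looks like a Tsunami
    bot command with the expected argument count, otherwise None.
    Exact-count matching keeps ordinary chat such as "UDP is a protocol"
    from matching the UDP flooder command (which takes exactly 3 arguments)."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("text").split()
    if not tokens:
        return None
    cmd = tokens[0].upper()
    nargs = TSUNAMI_COMMANDS.get(cmd)
    if nargs is None:
        return None
    given = len(tokens) - 1
    if cmd in FREE_FORM:
        if given < nargs:
            return None
    elif given != nargs:
        return None
    return cmd, m.group("chan")


def scan(lines):
    """Return (line_no, command, channel) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        r = classify_line(line)
        if r:
            hits.append((n, r[0], r[1]))
    return hits


# Constructed sample IRC traffic: two chat lines and two bot-style commands.
SAMPLE_LINES = [
    ":alice!a@example.net PRIVMSG #chat :hi all, version of the build?",
    ":op!x@example.net PRIVMSG #ctrl :VERSION",
    ":op!x@example.net PRIVMSG #ctrl :GET http://example.invalid/update /tmp/u",
    ":bob!b@example.net PRIVMSG #chat :UDP sounds like a great protocol",
]
```

Single-word commands such as HELP or KILL will still collide with ordinary chat, so treat a hit as something to correlate with the channel and host, not as proof on its own.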

Source code for this backdoor has been publicly available since at least September 2009, and it is trivial to compile this code with Apple’s Xcode and create a Mac executable.

This tool requires installation, and may actually be installed manually by people who choose to participate in DDoS attacks, such as those in the Anonymous group.

Individual users generally have little to fear from these tools. However, servers connected to the Internet can be vulnerable to remote installation. Hackers can take advantage of weaknesses in server tools, especially PHP vulnerabilities, to gain access to a server and install a tool like this. In addition, once such a tool has been installed, the remote hacker can install other software onto the infected Mac.

What is a denial of service attack?

A denial of service attack, or a distributed denial of service attack (DDoS), occurs when one or many computers “gang up” on a web site or server by sending a flood of traffic to that server. Most web servers can handle standard traffic of a certain number of connection attempts per second. Large web sites, such as the biggest online retailers, can handle thousands of connections a second or more. But when thousands of computers get together and send requests all at the same time, in “floods,” servers have trouble remaining operable. When this type of attack happens, most firewalls will block the sending address, but in sophisticated attacks these addresses are forged, and may change with each new packet.

Denial of service attacks are illegal; they are done for malicious purposes, such as to prevent a web site from functioning, or to block network traffic to and from a specific server. In some cases, such as Operation Payback, denial of service attacks were launched by a company paid by some Bollywood movie studios to attack websites that would not take down copyrighted material. After this, a retaliatory attack was made against a number of copyright organizations, law firms and others. Another attack was made on financial organizations that refused to process donations to Wikileaks.

Some users may install the Tsunami backdoor intentionally, to be part of such attacks. It is also possible that this tool is installed remotely on servers to increase the number of computers participating in such attacks, and, therefore, their effectiveness.

Hacker tools and their usage

Tsunami is one of the many dozens of hacker tools that Intego VirusBarrier X6 protects against. These are tools used to attack a machine other than the one on which they are installed, and include tools for executing DDoS attacks, scanning ports, sniffing network traffic, searching for known vulnerabilities and much more.

Most hacker tools are in limited circulation, and are not used for direct attacks; they need to be manually installed on computers, after which they are operated remotely. As such, their threat level is generally very low. Nevertheless, VirusBarrier X6 protects against all such tools, notably to protect servers where they may be installed via exploits that take advantage of vulnerabilities in third-party code, such as PHP.

In any case, Intego has updated the threat filters for VirusBarrier X6 to protect against this backdoor; threat filters dated October 25, 2011 or later will spot and block this malware as OSX/Tsunami.A.

New Variant of Flashback Trojan Horse Gets Sneakier

We’ve seen several variants of the Flashback Trojan horse, since Intego first discovered this malware on September 26. The latest version, Flashback.D, has gotten a bit sneakier.

First, it checks to see if the user is running Mac OS X in VMware Fusion. If so, it does not execute. It does this because many malware researchers test malware in virtual machines, rather than infect full installations, as it is easier to delete them and start over with clean copies. This means that security researchers analyzing and looking for this malware need to be running regular Macs.

Next, the installer for the malware downloads the payload when running the postinstall script.



Finally, it no longer installs the easy-to-spot ~/Library/Preferences/Preferences.dylib. Instead, it installs the backdoor inside Safari, and does so in two ways. It adds information to Safari’s Info.plist file, with the location of the backdoor, and it adds the actual backdoor module at /Applications/Safari.app/Contents/Resources/UnHackMeBuild.

Removing the UnHackMeBuild file alone is not enough: the user also needs to edit Safari’s Info.plist file. If the entry is left in place, Safari will look for the backdoor on launch and, if it is not found, Safari will quit.
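A defender’s check for the two Flashback.D indicators named above (the dropped UnHackMeBuild module and the Info.plist entry pointing at it), added here as an example; it is not Intego’s code or the malware’s. Since the post does not name the plist key that carries the path, the check searches every string value in Info.plist for the module name; the sample plist and its ExampleInjectedKey are constructed.

```python
import os
import plistlib

# Indicators from the page: the Safari bundle and the dropped module path.
SAFARI_BUNDLE = "/Applications/Safari.app"
BACKDOOR_MODULE = "Contents/Resources/UnHackMeBuild"


def _walk_strings(node, path=""):
    """Yield (key_path, value) for every string inside a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_strings(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def plist_references(plist_bytes, needle):
    """Key paths of string values mentioning `needle` (empty for a clean plist)."""
    data = plistlib.loads(plist_bytes)
    return [p for p, v in _walk_strings(data) if needle in v]


def check_safari_bundle(bundle_path=SAFARI_BUNDLE):
    """Report both indicators for one bundle. Either alone is suspicious:
    the page notes that a plist entry left behind without the module makes
    Safari quit on launch, so both must be cleaned together."""
    module_present = os.path.isfile(os.path.join(bundle_path, BACKDOOR_MODULE))
    info_plist = os.path.join(bundle_path, "Contents", "Info.plist")
    refs = []
    if os.path.isfile(info_plist):
        with open(info_plist, "rb") as f:
            refs = plist_references(f.read(), "UnHackMeBuild")
    return {"module_present": module_present, "plist_references": refs}


# Constructed sample Info.plist (not a real Safari plist); the key name
# ExampleInjectedKey is made up to show the search locating the path.
SAMPLE_INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>ExampleInjectedKey</key>
  <dict><key>Path</key>
  <string>/Applications/Safari.app/Contents/Resources/UnHackMeBuild</string></dict>
</dict></plist>"""
```

Run `check_safari_bundle()` on a Mac to inspect the real bundle; on a clean system both the module flag and the reference list come back empty.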

These changes show that the malware authors are sophisticated, and that they’re altering their code to ensure that the malware is not detected. Naturally, Intego’s security researchers have spotted all these changes, and Intego VirusBarrier X6 continues to protect users from the Flashback Trojan horse.


Microsoft “Discovers” Mac Backdoor Olyx; Intego Found it Last Month

Microsoft’s Malware Protection Center has posted an article about a new Mac backdoor called Olyx that they have “discovered” in a package also containing Windows malware. Intego spotted this backdoor some time ago, and added it to VirusBarrier’s malware definitions on June 30, as OSX Backdoor OSX/Olyx.A. This malware poses little threat, as it is not found in the wild in any form that can be installed on Macs.

Intego regularly finds malware of this type, which is neither well designed nor easily installed on Macs. Intego’s Virus Monitoring Center adds this malware to its malware definitions, ensuring that Mac users are protected in case such malware is ever delivered by an effective payload, such as the MacDefender fake antivirus or other Trojan horses. We don’t publicize such malware by issuing security alerts, because the threat is not serious enough.

BlackHole RAT is Really No Big Deal

iThreats published information about a new remote administration tool recently, and other sites are presenting this as a serious new threat to the Mac. Actually, this is hardly a threat at all. This tool, BlackHole, is something that needs to be installed on a Mac, generally via a Trojan horse, and, while it offers simple functionalities to control a Mac, merely having shell (Terminal) access is more than enough. A RAT, or remote administration tool (and not a “remote access Trojan,” as one site claims), such as this is designed to simplify the tasks of a malicious user who wants to control an infected computer, but in most cases, the people who are infecting Macs will be able to do all of this with a simple ssh connection using Terminal.


Backdoors are relatively easy to install once you get a user to install a Trojan horse. A remote administration tool is not in itself a threat; it requires that a backdoor be installed, and this in turn requires effective payload from a Trojan horse or other means of installation. While Intego will be detecting and blocking BlackHole in its threat filters, we consider this to not be a serious risk.


Did the FBI Plant Backdoors in OpenBSD?

A disturbing report has been made public regarding the possibility of backdoors in the IPsec stack of OpenBSD having been inserted by people working for the FBI. For now, there is one allegation of this, in an e-mail from Gregory Perry, who has worked as an FBI consultant, to Theo de Raadt, the founder of OpenBSD. He says:

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI.

Another claim, made via Twitter, suggests that attempts were made to implement these backdoors but that they were not successful. An audit of the code is underway, and those working on the audit point out that the “Backdoor is NOT confirmed.”

Perry’s e-mail mentions Scott Lowe as being a booster for OpenBSD and “advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments.” However, Mr. Lowe, who works for EMC, denies any involvement in this affair, and points out that there is another Scott Lowe who writes about virtualization, and who may be the person that Perry meant.

IPsec, or Internet Protocol Security, is a protocol suite used for securing VPNs. IPsec stacks used in Mac OS X (Darwin, based on FreeBSD) were partly taken from this code, and there is a possibility that, if such backdoors are present, Mac OS X may be affected. In addition, parts of this code may be found in other security suites and frameworks on a variety of operating systems.

There is, as yet, no confirmation of this allegation. Nevertheless, it is being taken very seriously by the security community, and many people have launched audits and investigations of the code in question. It may take some time to confirm or refute this allegation.

We will be following up on this, and, naturally, if Mac OS X is affected, we will apprise our readers of this problem as soon as possible. There is no reason not to use a VPN on Mac OS X in the meantime; if such backdoors exist, they are likely only accessible to the FBI (or other US security agencies), and, unless you are worried about such agencies getting information that you are sending over a VPN, you are probably safe.


US Government Wants Backdoors In All Communications Devices

United States law enforcement and security officials are planning to ask Congress to mandate that all devices that use the Internet to provide two-way communication – whether they be phones, websites or applications – have backdoors allowing for wiretap access if so requested. According to the New York Times, the Obama administration will submit a bill to Congress next year asking for this requirement. This will mean that all your Internet-enabled devices – your iMacs, MacBook Pros, your iPhones, your iPads, and even your iPod touches – and the software they use to communicate will be liable to be sniffed by the US government.

It’s not clear how this will be implemented, how any encryption used for communications will be dealt with, or how much work this would involve for software and hardware providers. Will those outside the US have to comply with such regulations, if their software is sold in the US, even over the Internet? What about small developers – will they have the same level of compliance requirements as large developers? There is also the risk that hackers can take advantage of any such backdoors that are available.

For now, this bill is in its early stages, but it could have major implications for the computer industry in general. We’ll be watching as this plays out.