OSX/Tsunami Variant Found Dropped by Java 0-Day


A variant of OSX/Tsunami has been found that is rumored to be dropped as a drive-by-download by the new Java 0-day exploit, CVE-2012-4681. This method of infection has not yet been confirmed, but as this OSX malware connects out to the same IP address as the Windows backdoors known to be dropped by CVE-2012-4681, it seems they are at least related incidents. At the time of writing, the JAR file that was purported to be dropping this Trojan has been replaced with a bit of threatening text. It seems like maybe someone knows they’ve been discovered?

Either way, this means we have two issues:

  1. A malware variant has been discovered, and
  2. It may be spreading via an unpatched Java exploit.

About the Malware

The Tsunami family was originally a Linux hacker tool (calling itself Kaiten) created in 2002. The creators of Kaiten released its source code on the Internet in 2009, and a version was created for OSX in late 2011. Yes, it’s yet another multi-platform malware!

This variant is an IRC bot like its predecessor. In fact, very little about this malware has changed since it was first created. The majority of the bot's functionality exists to let an attacker perform different types of Denial of Service (DoS) attacks. It also allows the attacker to upload files to an affected system and execute commands on it. This creates a backdoor onto the system that the botmaster could use to install other malware or perform further actions on a machine under his or her control.

The Unpatched Java Exploit

It’s important to note that this Java 0-day exploit is only a danger to OS X users who have installed Java 7. Java 7 is not installed by default on OS X 10.7 or 10.8; it only arrives if you download and install it yourself. If you have manually installed Java 7 on your Mac, you may be at risk even if it is fully up to date, because no fix has been released yet.

Here are the circumstances where you are not at risk from this exploit:

  • If you have not installed Java
  • If you have installed Java and it’s still on version 6
  • If you installed Java and then subsequently disabled it
  • If you are running OS X 10.6 or older, as Java 7 requires 10.7 or higher
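The four conditions above can be checked from a Terminal. The script below is an added example, not Intego's code or part of the original post: it classifies a Mac into one of those "not at risk" buckets, or "at-risk", from the first line of `java -version`, the OS X release reported by `sw_vers`, and the state of Safari's Java plug-in switch. Two assumptions are labelled in the code: that Safari stores its "Enable Java" checkbox under the `WebKitJavaEnabled` preference key, and that a Mac without Java answers `java -version` with a "No Java runtime present" message rather than a version banner. The sample banners used for testing are constructed.

```shell
#!/bin/sh
# Added example (not Intego's code): map a Mac onto the "not at risk" list
# for CVE-2012-4681 from three observable facts.

# classify_exposure BANNER OSX_VERSION SAFARI_JAVA
#   BANNER       first line of `java -version 2>&1`, e.g. 'java version "1.7.0_06"'
#   OSX_VERSION  output of `sw_vers -productVersion`, e.g. 10.8.1
#   SAFARI_JAVA  Safari's WebKitJavaEnabled default (1 or 0), or "" if unset
# Prints exactly one word:
#   osx-too-old | no-java | java6-or-older | java-disabled | at-risk
classify_exposure() {
    banner=$1; osx=$2; safari_java=$3

    # OS X 10.6 and earlier cannot run Oracle's Java 7 at all.
    minor=$(printf '%s' "$osx" | cut -d. -f2)
    if [ "${minor:-0}" -lt 7 ]; then
        echo osx-too-old; return
    fi

    case $banner in
        *'java version "1.7.'*) ;;                             # Java 7: the vulnerable line
        *'java version "'*)     echo java6-or-older; return ;; # Apple's Java 6 (or older)
        *)                      echo no-java; return ;;        # assumption: no banner means
    esac                                                       # "No Java runtime present"

    # Java 7 is present. Safari's plug-in switch is the only thing between the
    # user and a drive-by applet; an unset key means the default, which is enabled.
    if [ "$safari_java" = 0 ]; then
        echo java-disabled; return
    fi
    echo at-risk
}

# Gather the real values only when run on a Mac; elsewhere just define the function.
if [ "$(uname)" = Darwin ]; then
    banner=$(java -version 2>&1 | head -n 1)
    osx=$(sw_vers -productVersion)
    # Assumption: Safari keeps its "Enable Java" checkbox under this key (1 = enabled).
    safari_java=$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null)
    echo "Java banner : $banner"
    echo "OS X version: $osx"
    echo "Safari Java : ${safari_java:-unset (defaults to enabled)}"
    echo "Exposure    : $(classify_exposure "$banner" "$osx" "$safari_java")"
fi
```

Note that `java-disabled` only covers Safari; if you use another browser with a Java plug-in, check its own Java setting as well. A result of `at-risk` means Java 7 is installed and reachable from the browser, which is exactly the configuration the exploit targets.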

That means most OS X users will not be at risk. Intego VirusBarrier detects and blocks the IRC bot as OSX/Tsunami. So there’s very little to worry about right now if you’ve been following our previous recommendations to disable Java, and you have your VirusBarrier definitions up to date. This blog post has instructions for how to disable Java in Safari. Note that Java is not the same as JavaScript; you do not need to disable JavaScript.

Oracle has yet to comment publicly on the vulnerabilities that have been discovered in Java 7, and it appears that this problem was separately reported to them in April of this year. Reports are that a fix is due to be included in the scheduled October patch release. As this has become a very large problem for Windows users and could be a problem for some OS X and Linux users as well, we hope they will issue an out-of-band patch before the scheduled October date.