Watch out for Tsunami: A Trojan malware infecting Mac devices
What is Tsunami?
Also known as Kaiten and “Kaiten wa goraku”, Tsunami is a form of malware known as a Trojan. What this means is it can take control of your operating system, which is something you definitely don't want. Unlike other threats out there, this is known as an IRC bot, which means it connects to Internet Relay Chat (IRC) network servers and channels.
However, similar to other trojan viruses, macOS users first need to download it manually, albeit often unwittingly. Tsunami can also come bundled in with other seemingly legitimate software packages and executables. Hiding in plain sight, or simply hiding, a trojan can only work when a Mac owner inputs the login password for the computer.
At that point, Tsunami can download files to an infected system and run shell commands (terminal commands) through your macOS. One malware detection group ESET has found more than one version of this trojan, with some claiming the ones that were detected originally weren't working, indicating they may have been early OS X test versions of the virus.
When Tsunami is downloaded, it takes control the following ways:
- Hiding itself within the /usr/sbin/ directory
It is cleverly disguised as a command-line tool known as “logind”. MacOS has several background programs known as daemons, several of which end with “d”, therefore disguising itself. MacOS does have a program that operates in the background known as “logind”, although in older versions of the operating system that lives in /System/Library/CoreServices/ directory instead of the /usr/sbin/ directory.
2. It replaces the “logind” program
In place of the real “logind” within /System/Library/CoreServices/, which is operated by a launch daemon called “com.apple.logind.plist”, the trojan malware replaces and overrides the contents, thereby taking control of core operating functions.
Security experts know that this trojan will make contact with the following IRC server: pingu.anonops.li, or x.lisp.su. It is also known for using port 6667, which is commonly used for contacting IRC servers.
What threat does Tsunami pose to Macs?
Once Tsunami is downloaded and executed, it is capable of causing a series of problems, including:
- Performing a series of distributed denial of service (DDoS) attack on targets selected by the command-and-control server;
- Run shell commands, including the theft of personal data;
- Run remote files and execute commands;
- Change the servers the Mac is pointed at;
- Spoof and fake IP addresses;
- Disable security and other programs;
- Display a fake a HELP menu, which can cause other malicious programs to be downloaded.
The worst threat Tsunami poses is using operating power to run DDoS attacks and various shell commands. Taking control of an infected machine and making a Mac vulnerable to other threats and viruses could cause more serious problems down the road. One way or another, this virus needs to be removed.
How to remove Tsunami manually
It is possible to remove Tsunami manually.
Search for it using Finder, typing usr/sbin in the text field. Next, search for logind - if this is present in that folder then removing it should solve part of the problem. However, you also need to replace the real “logind” within /System/Library/CoreServices/, which requires some technical skill. It may be necessary to download a program known as TextWrangler to authenticate and edit the file.
After that is done, search for any other related files and programs and remove them. And anything else that looks suspicious; and the risk of more viruses being on your Mac increases the longer a trojan is present.
Be careful when doing this. It can take time and removing anything accidentally that your Mac needs could cause operating system problems.
How to remove Tsunami easily with CleanMyMac X
CleanMyMac X is an invaluable tool for improving the overall performance of your Mac. In just a click, you can remove gigabytes of junk, neutralize malware, and speed up the system.
Its Malware Removal tool identifies and deletes thousands of threats, including Tsunami. To remove a trojan virus this way, all you need to do is:
- Download CleanMyMac X.
- Open the app.
- Choose the Malware Removal tab on the left.
- Click Scan to search for infections.
- Click Remove to approve the deletion.
That's it! Just a few clicks and your Mac is as safe as new!
Tsunami is not unique. Other malware viruses come unexpectedly through legitimate software and apps, often without the company realising. Unfortunately, this is one of those cases where software that some people find useful has been hijacked for illegal purposes. Removing it straight away is the only way to safeguard your Mac.