According to Intego (, a new backdoor and hacker tool, Tsunami, has been discovered. This hacker tool seems to be a port of a Linux malware, which has been around for some time, and provides remote access to hackers by listening in on an IRC (Internet relay chat) channel for instructions.

Tools like this are often used for distributed denial of service (DDoS) attacks (more on that below). These attacks flood computers with standard network requests, with a goal of overloading them. If a server receives more requests than it can handle, it can slow down, or even crash.

The Tsunami backdoor accepts a number of commands, and can change servers, download files, such as updates, and send packets to a specified IP address.Source code for this backdoor has been publicly available since at least September 2009, and it is trivial to compile this code, using Apple’s XCode, and create a Mac executable.

This tool requires installation, and may actually be installed manually by people who choose to participate in DDoS attacks, such as those in the Anonymous group.
Individual users generally have little to fear from these tools. However, servers connected to the Internet can be vulnerable to remote installation.

Hackers can take advantage of weaknesses in server tools, or especially PHP vulnerabilities, to gain access to a server and install a tool like this. In addition, once such a tool has been installed, the remote hacker can install other software onto the infected Mac.

A denial of service attack, or a distributed denial of service attack (DDoS), occurs when one or many computers “gang up” on a web site or server by sending a flood of traffic to that server. Intego has updated the threat filters for VirusBarrier X6 to protect against this backdoor; threat filters dated Oct. 25 or later, will spot and block this malware as OSX/Tsunami.A.