No virus

robably some software companies that produce anti-virus or Anti-malware attempt to re-launch the news of a dangerous virus found, finally, also for Mac.
When a research center, that some newspaper claims to have contacted, declares has found a virus just for those operating systems, Mac OSX or Linux, which by their nature are immune to these virulent sophisticated software that exploit the inherent insecurity of Characteristics in the design of some operating systems.
We know that Steve Jobs had asked all of its engineers to project an operating system (OSX) based on Unix / Linux which has a deep management permits model  for read / write and execute each component of the software available on the memory .

In these days in newspapers around the world, as the web pages of several antivirus vendors, the news is published on the discovery of a malicious Virus named OSX.Tsunami designed to infect Linux systems would be the Apple world.

I am writing this article especially in respect of the Apple engineers who have worked very hard just to provide an operating system that is not unlike other infected systems spread across the many Pc.

In fact, the so-called OSX.Tsunami cannot  be considered a virus, but is classified as a Trojan Risk Level: Very Low 1 (low risk)

See below this article how eliminate it without spending a penny, with a simple step as this “Trojan Horse” takes advantage of the now known dangerousness of IRC channels and a no many Mac users who use them.

Although the network is turning to read self-styled journalists and experts who advise to “stay tuned” and suggest to buy this or quell’antivirus, I think an antivirus install on a Mac is almost useless, except for the sole fact of insstalling being able to check if some viruses that would have no effect on  Apple system but may infect any PC connected at the same network.

So let’s see how Symantec, the most famous antivirus company, Tsunami ranking this threat:
OSX.Tsunami
Risk Level 1: Very Low

Discovered: October 26, 2011
Updated: October 27, 2011 4:20:38 AM
Type: Trojan
Infection Length: 42.348 bytes

OSX.Tsunami  Is A Trojan horse , opens a backdoor on the compromised computer.
Note: This threat is based on Linux.Backdoor.Kaiten.
Threat Assessment

 Wild Level: Low
Number of Infections: 0 – 49
Number of Sites: 0 – 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy

Damage

Damage Level: Medium
Payload: Opens a back door.

From the above card is easy to see that this Trojan or Malware is not ‘a virus, like many would have you understand.
But for the respect for the Apple engineers I mentioned a few lines up more public i3Factory the simple steps to follow to
Remove yourself OSX.Tsunami

Technical Details
Threat level: 3 – Average
Distribution: Low
Damage: Low
Dispersibility: Low

Full name of the virus: Trojan.MAC / Tsunami @ Other
Code Type: Trojan Horse Trojan: a program that appears to be beneficial or useful, but turns out to be harmful at some point. Does not spread by itself.
The affected platforms: Macintosh, Mac, and can affect systems running Mac OS X family
Capacity of permanent residence: If run automatically each time the system restarts
alias:
OSX / Tsunami-A (Sophos)
Backdoor: OSX / Tsunami.A (F-Secure)
Capacity for self-propagation: No

It lacks its own spreading routine.
Can ‘infect your system in the following ways: It must be installed manually by the user

Infection / Effects

Tsunami When executed, it performs the following:

Edit the file
“/ System / Library / LaunchDaemons / com.apple.logind.plist”
Create the following file as a copy of itself
“/ Usr / sbin / logind”

Its main function is to cause the Distributed Denial of Service (DDoS). It also allows downloading files on the infected computer and execute commands.

Communicates with the server command and control through the IRC protocol. On the next screen you can see a collection of commands that can be received by the Trojan:

 

Some IRC server to which you connect the Trojan are as follows:
pingu.anonops.li: 6667  | Channel #tarapia.
x.lisp.su: 6667 | Channel #harbou
The source code of this Trojan is an adaptation of an existing Mac OS X, since 2002, on the Linux platform.

Note: If your Mac is installed with a program such as network controller as Little Snitch or Hands Off ,  the risk may not be able to block malicious connections is very limited.

 

Disinfection and removal of OSX.Tsunami

If you believe you are infected, because you have found connections to port 6667 server through a firewall or a program like Little Snice Hand or Off, you can perform the following steps to uninstall the malware:

Open the file:

/ Macintosh HD / System / Library / LaunchDaemons / com.apple.logind.plist

if the system is Italian:

/ Macintosh HD / System / Library / LaunchDaemons /

Open the file:

“com.apple.logind.plist”

and if this file is actually infected by this trojan, you will have the following content:


Note: Since this file is located in a system directory, you may need a tool like “TextWrangler” ,  “TextEdit” or “Dashcode”, to be able to successfully authenticate and modify the file.

If the file “com.apple.logind.plist”  is  modified by the Trojans will need to edit the file with the following:

Delete the file / usr / sbin / logind
Then see if the job rogue logind was installed on your system. In the Finder, choose “Go to Folder” to go from the menu and then type  /usr/sbin  in the text field. Finder should open the hidden system directory (if enabled dale system preferences “displays files and folders hidden and system”), in which you can find and remove the file called “logind” if it is present. When removed, the system will ask for an administrator password, then provide and then delete the file.

The “Game is done” , and without spending a cent on expensive anti-virus procedures reported without a real depth about it.

Personal considerations:
I am thrilled every time I read articles and interviews in national newspapers that say phrases such as:
Even Mac users targeted“, which aim, often involuntary, alarms of a community of users is in no in danger.
This threat to Mac users, like all users of any system, it is only their unscrupulous behavior on the Internet.

Although Mac OSX user is much more protected than other users of consumer systems owners, since they have a system based on architecture similar to that of Unix and for which no real risk of the virus.

But all of us, the more expert at the very least, we must pay attention to the behavior, not to enable or suspicious files follow the rules in the Anti-Phishing  through a computer connected to the internet you may inadvertently enter sensitive information such as passwords, at web sites that are official but in reality  evil clones are artfully prepared by criminals.

In fact, the Trojans tsunami.osx we mentioned it to the user as a pdf document which contains perhaps an article in Chinese. As soon as the unsuspecting user opens the file, it will attempt to start the installation process, this installation will be ‘a real hidden opening pdf document that will distract the user. At this point the trojan / malware, and shall complete the installation will place the “Trojan horse” on your system.

So a Trojan is not ‘a virus but a procedure that we install, because we fooled ..

Take care!