
Israeli Ad Company Behind "Pirrit" OS X Adware: Report

Mac users can be exposed to malware and applications that engage in other types of nefarious behavior just as Windows users are, the latest development in the OSX.Pirrit adware reveals.

Spotted for the first time in April, the malicious program was created to reroute a Mac’s entire Internet traffic to a local proxy, to create a hidden user on the machine, to hide its installation and to prevent users from blocking the ads it could inject into their web traffic. The malware, an OS X port of a Windows adware program, has since seen an update that removed the Windows binary in the original version.

Amit Serper, Lead Linux and Mac OS X Security Researcher, Cybereason, revealed (PDF) back in April that the threat was spreading via drive-by downloads masquerading as fake updates. Once executed, it would prompt the user to enter their password, thus gaining root privileges. Unlike its Windows counterpart, however, OSX.Pirrit was drawing closer to leaving the adware category and becoming malware.

On a compromised machine, the adware changes the browser search engine, creates a hidden user on the machine, and installs an ad-injecting proxy and a clickjacker. By redirecting all of the user’s web traffic through an HTTP proxy, the adware could inject ads into webpages. The adware would appear in the list of running processes and the large number of ads would signal to the user that there’s something wrong with the machine, the researcher said.

Serper also released a remediation script to help users infected with the adware, but the recent update the malicious app received renders the script useless, the researcher says. In a new report (PDF) on this threat, he also explains that the adware was created by an Israel-based ad company and that, although OSX.Pirrit is only used to serve ads for the time being, it can easily turn malicious and completely take over the victim’s machine.

In his report, the Cybereason researcher reveals that the latest version of OSX.Pirrit was created by an executive of TargetingEdge, which claims to be an “online marketing” company. A look at the company’s LinkedIn page revealed that it offers a “mac-approved installer,” and that it can provide “the unique opportunity to monetize extensive remnant mac traffic and gain additional revenue from an already existing user pool.”

Evidence of OSX.Pirrit being created by this company is overwhelming, the researcher says: the malware’s ad-injection proxy was dropped as a tar.gz archive that saves all of the file attributes inside it, including owners and permissions. Basically, the archive revealed the owner of the computer that it was created on, which allowed the researcher to link it to TargetingEdge.
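The attribution step described above works because tar headers record each member's owner name, UID and mode. The following added example (not taken from the Cybereason report or the original article) reads those fields from a constructed in-memory archive without extracting anything; the account name `builder_example`, the file paths and the UID cut-off of 500 are assumptions made for illustration.

```python
import io
import tarfile
from collections import Counter

def build_sample_archive() -> bytes:
    """Constructed sample: a tar.gz whose members keep the packager's ownership."""
    members = [  # (path, mode, uid, uname) -- all values are constructed
        ("proxy/", 0o755, 0, "root"),
        ("proxy/run.sh", 0o755, 501, "builder_example"),
        ("proxy/conf.json", 0o644, 501, "builder_example"),
        ("proxy/cache.db", 0o600, 502, ""),  # packed with numeric owner only
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, mode, uid, uname in members:
            info = tarfile.TarInfo(path)
            info.mode, info.uid, info.uname = mode, uid, uname
            if path.endswith("/"):
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                data = b"sample\n"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def owner_metadata(archive: bytes):
    """Read tar headers only and return (owner counts, per-member rows)."""
    owners, rows = Counter(), []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:
            # Fall back to the numeric UID when no account name was stored.
            owner = m.uname or f"uid:{m.uid}"
            owners[(owner, m.uid)] += 1
            rows.append((m.name, oct(m.mode), owner, m.uid))
    return owners, rows

def interactive_owners(owners, min_uid=500):
    """Owners that look like a person's login account rather than a system
    account. Assumption: macOS assigns regular users UIDs from 501 upwards."""
    return sorted(name for (name, uid) in owners if uid > min_uid)

if __name__ == "__main__":
    owners, rows = owner_metadata(build_sample_archive())
    for row in rows:
        print(*row, sep="\t")
    print("candidate build accounts:", interactive_owners(owners))
```

An account name recovered this way is a lead to corroborate against other evidence, since the packager controls the header fields.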

Serper also discovered that the new variant includes additional code that allows it to check for competing programs on the compromised machine and remove them. Moreover, the new version has 14 new hidden users. Other than that, the program appears to work the same as before, and even to employ the same distribution scheme: it comes packed within legitimate software, such as MPlayerX, NicePlayer and VLC.

The main issue here, the researcher says, is that the user is never informed that adware is being installed alongside the legitimate app, although this is the case with most adware on Windows. He also notes that not only are users not made aware of what they install, but they aren’t given the possibility to opt out either. Not to mention that OSX.Pirrit's uninstall instructions aren’t easy to access at all.

“OSX.Pirrit allows attackers to take full control of a computer. Instead of flooding a person’s browser with ads, attackers could have installed a keylogger to capture log-in information to your bank account or made off with your company’s intellectual property. Companies need to know what’s happening on their machines, including Macs, because the instant an enterprise doesn’t, they’re compromised,” the researcher concludes.

In December, Symantec said that the number of OS X malware infections in the first nine months of 2015 was seven times higher than in all of 2014, although the number of newly detected threats dropped. Some of the most recent threats to OS X users include the OceanLotus Trojan and the KeRanger ransomware.
