Cybereason Blog | Cybersecurity News and Analysis

OSX Pirrit: What adware that 'just' displays ads means for Mac OS X security

Written by Amit Serper | Apr 6, 2016 6:13:59 PM

While the lack of malware targeting Mac OS X means there isn’t much Mac malware research available, this doesn’t mean Apple computers are somehow immune to threats.

In fact, I spent a few days last week dissecting an OS X port of the Pirrit adware that shows attackers are going after Mac machines. This adware has been targeting Windows machines for awhile but it is new to Macs: antivirus software just started to pick up this threat a few days ago and I didn’t find any Mac removal instructions, prompting me to write a remediation script and post it to GitHub.

To be clear, I’m not going to drop details on an incredibly malicious zero-day exploit in this post. OSX.Pirrit was extremely benign as far as malware goes. If it wasn’t for the tons of pop-up ads being injected to Web pages, most users wouldn’t even know the adware was installed. OSX.Pirrit has no configuration screen or entry in the /Applications directory. The only way to see that it’s running (other than wondering where all the ads are coming from) is to look at the running process list and examine it closely.

And that leads to the greater point I want to convey: OS X requires proper security measures like any other platform. While OSX.Pirrit isn’t a groundbreaking threat, it gives attackers persistence over your machine and is extremely hard for the average user to remove. Instead of spamming you with ads, they could have just as easily stolen personal data or taken your company’s secret sauce. Or they could have installed a keylogger to capture the log-in credentials for your bank account.

Here are some interesting components that I discovered in OSX.Pirrit:

-- The Mac variant is much more malicious than its Windows counterpart. OSX.Pirrit takes total control of your machine while the Windows version just serves ads. Also, OSX.Pirrit is much more difficult to remove. The Windows variant can be removed relatively easily. The removal instructions for OSX.Pirrit, on the other hand, are buried inside the installation directory, which is hidden to the user, rendering them pretty much unreachable.

-- With OSX.Pirrit, attackers didn’t exploit a vulnerability. They used basic social engineering and a simple (but very long) script to carry out this attack.

-- The script was probably written by someone with a Linux background who has little knowledge about OS X development. The shell script is 330 lines long.

-- OSX.Pirrit didn’t use any exploits to compromise a Mac. It infiltrated machines by using a simple social engineering trick to deceive people into providing their log-in credentials for a fake update, possibly for Flash.

Conclusion: Know your IT environment

Administrators should configure the Macs in their organizations to only run files that are code signed. While code signing won’t stop every malicious program from executing (attackers can purchase a digital certificate to make malware appear legitimate), it would have in the case of OSX.Pirrit since those files were unsigned.

Perhaps most importantly, security and IT staff need to know what’s happening on their machines, even Macs. The moment you don’t pay attention, you end up getting compromised. Threats can get by antivirus software and the security features built-in into OS X. Only behavioral analysis and context can help detect threats that are designed to evade traditional security measures.

To learn more about OSX.Pirrit, read Cybereason Lab's latest analysis.

Amit Serper is the lead Mac OS X and Linux security researcher at Cybereason.