Since September 2014, Windows has been plagued by an adware family called Pirrit, and it has now made its way to the Mac for the first time. Mac users are reporting that their web browsing sessions are polluted by all kinds of ads. Amit Serper, a security researcher at Cybereason, analyzed OSX/Pirrit and said that the malware was written by a sloppy coder but is nevertheless dangerous.
The original point of entry of the Pirrit adware on a Mac is still not known. However, the researcher did manage to obtain a binary that revealed how the adware works. Pirrit's Mac version is built with the Qt framework, which lets the coder write apps for Linux, Windows, and Mac from the same codebase. Serper's analysis says that the malware goes through several steps once a Pirrit-laced binary is launched by the user.
Pirrit's first step is to generate a random app name, username, and company name from a list of dictionary words. The adware then uses the random username to create a hidden user on the Mac, one that is hidden both from the login screen and from the Users & Groups section of System Preferences. It does this by assigning the hidden user the numeric ID 401 and then configuring the Mac to hide all users whose ID is below 500.
After that, the adware uses the Mac's built-in packet filter utility to hijack the Mac's port 80 web traffic and redirect it to a local proxy listening on port 9882. All web traffic from the Mac is thus rerouted through this proxy, except for traffic that originates from the hidden user (the proxy runs as that user, so exempting it avoids a redirection loop). Pirrit then inspects the user's connections and injects ads into web pages. It also sends analytics data to the malware's owner, and the home page of the local browsers is changed to sites like search-quick.com or trovi.com.
Pirrit's last step is to install a LaunchDaemon on the infected Mac, which makes sure that none of the adware's tasks need root privileges to run. Mr. Serper said:
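The three host-level artifacts described in the steps above (a hidden account with a low UID, a packet filter rule bouncing port 80 to a loopback proxy, and a LaunchDaemon for persistence) are all things a defender can check for. The script below is an added example written for this article; it is not Mr. Serper's removal script and not Cybereason's code. Each check reads text on standard input so it can be fed either live macOS tool output (`dscl . -list /Users UniqueID`, `defaults read /Library/Preferences/com.apple.loginwindow Hide500Users`, `pfctl -s nat` and `pfctl -s rules`) or the constructed sample data at the bottom. The user name `msarcher`, the daemon paths, and the rule that Apple's sub-500 service accounts are `_`-prefixed are assumptions made for the example; the UID 401 and the port numbers 80 and 9882 come from the analysis above.

```shell
#!/bin/sh
# Added example (not Cybereason's script): hypothetical indicator checks for the
# OSX/Pirrit behaviours described in the article. Every check reads text on
# stdin, so it can be fed live macOS tool output or the constructed samples at
# the bottom, and prints the lines it considers suspicious (grep/awk semantics:
# exit status 0 means at least one hit).

# Check 1: a hidden account with a low UID. Pirrit creates its user with UID 401.
# Input lines: "<name> <uid>", the format produced by `dscl . -list /Users UniqueID`.
# Assumption: Apple's own service accounts below UID 500 are prefixed with "_"
# (plus root, daemon and nobody), so any other sub-500 user is worth a look.
find_suspicious_users() {
    awk '$2 > 0 && $2 < 500 && $1 !~ /^_/ && $1 != "daemon" && $1 != "nobody" { print $1, $2 }'
}

# Check 2: the loginwindow preference that hides every user with UID < 500.
# Input: output of `defaults read /Library/Preferences/com.apple.loginwindow Hide500Users`.
# Returns 0 when the preference is set to 1.
hide500_set() {
    grep -qx '1'
}

# Check 3: pf rules that bounce port 80 to a loopback proxy (Pirrit uses 9882) or
# that special-case a numeric user (the hidden user's loop-avoidance exemption).
# Input: rule text from `pfctl -s nat` and `pfctl -s rules` (both need root).
find_pf_redirects() {
    grep -E '^rdr .*port (= )?80 -> 127\.0\.0\.1 port [0-9]+|user (=|!=) [0-9]+'
}

# Check 4: LaunchDaemons whose program lives somewhere a normal user can write.
# Input lines: "<plist path> <program path>" (assumption: no spaces in paths),
# built by the caller, e.g. from `defaults read <plist> ProgramArguments`.
find_daemons_in_writable_paths() {
    awk '$2 ~ /^\/(Users|tmp|private\/tmp|var\/tmp|private\/var\/tmp)\// { print $1, $2 }'
}

# Constructed sample data (not captured from a real infection).
SAMPLE_USERS='root 0
_spotlight 89
msarcher 401
alice 501'
SAMPLE_PF='rdr pass on en0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 9882
pass in all flags S/SA keep state
pass out proto tcp from any to any port = 80 user = 401 flags S/SA keep state'
SAMPLE_DAEMONS='/Library/LaunchDaemons/com.apple.example.plist /usr/libexec/example
/Library/LaunchDaemons/com.msarcher.plist /Users/msarcher/.msarcher/daemon'

# Demo run over the samples; on a real Mac pipe the tool outputs named above instead.
run_demo() {
    echo "Sub-500 users not owned by Apple:"
    printf '%s\n' "$SAMPLE_USERS" | find_suspicious_users
    echo "Port-80 redirects / per-user pf rules:"
    printf '%s\n' "$SAMPLE_PF" | find_pf_redirects
    echo "Daemons launched from writable locations:"
    printf '%s\n' "$SAMPLE_DAEMONS" | find_daemons_in_writable_paths
}

run_demo
```

On a real machine the interesting outputs are a non-Apple account below UID 500 together with `Hide500Users` set to 1, and an `rdr` rule sending port 80 to a loopback port paired with a `user =` exemption: each on its own has legitimate uses, but together they match the behaviour described above.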
While this program only delivers ads to a browser, it does use social engineering to get privilege escalation and eventually take total control of your machine. And with control of your machine, attackers could have done more than bombard you with ads.
The attackers could use Pirrit to steal personal files, install keyloggers or banking trojans, and much more. Thankfully, Mr. Serper has released a shell script for removing Pirrit from infected Macs. Note that the script must be run as root.