Pirrit for OS X can do more harm if it wanted to

Apr 6, 2016 12:30 GMT

An old adware variant that has been plaguing Windows computers since September 2014 was seen for the first time infecting Mac users and polluting their Web traffic with all sorts of ads, even though it has the technical capabilities to do more damage if it wished.

Cybereason security researcher Amit Serper analyzed OSX/Pirrit, and while he wasn't impressed at first and considered the malware the work of a sloppy coder, he later found that Pirrit was more dangerous than previously thought.

While the original point of entry on a Mac user's computer is currently unknown, the researcher managed to get his hands on a binary to analyze how the threat worked.

Pirrit was coded in Qt by a "Linux guy"

The Mac version of Pirrit has been written using the Qt Framework, which allows a coder to write applications that work on Mac, Linux, and Windows from the same codebase.

According to Serper's analysis, as soon as the user launches a Pirrit-laced binary, the malware will go through a series of steps. The first one is to generate a random app name, company name, and username based on a list of dictionary words.

Pirrit then uses this random username string to set up a hidden user on the infected Mac, which it hides using a clever trick, both from the login screen and the Mac's Users & Groups settings section. This is done by giving the hidden user the numeric ID 401, and then configuring the user's Mac to hide all the users with an ID below 500.

Pirrit uses Mac's packet filter to redirect traffic to a local proxy

Once this has been done, Pirrit uses Mac's built-in "pf" (packet filter) utility to hijack the user's port 80 Web traffic and redirect it to a local proxy running on port 9882.

All the Mac's Web traffic is rerouted to this proxy, except for the traffic originating from the hidden user, in order to avoid redirection loops.

The adware will then analyze the user's data connections, injecting ads inside Web pages, sending analytics data to the malware's owner, and even changing the homepage of some of the local browsers to sites like trovi.com or search-quick.com.

Here is also where those random app names and company names come into effect, since the proxy is installed under the random app name, in a folder that uses the random company name, to make it look like a more legitimate app.

Pirrit runs with root privileges every time you start your Mac

Once the hidden user has been set up, the proxy installed, and the traffic redirected, the last step is for the malware to add a LaunchDaemon to the infected Mac, to make sure all these services run on the device, with root privileges.
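The three traits described above (a user hidden below UID 500, a pf redirect of port 80 to a local proxy, and the login-window setting that hides low UIDs) can be checked for on a Mac. The script below is an added example, not code from the article or from Cybereason; it assumes the hiding is done through the `Hide500Users` login-window key and that a Pirrit user does not carry the leading underscore Apple gives its own service accounts. The sample command outputs are constructed.

```shell
#!/bin/sh
# Added example (not the article's or Cybereason's code): host checks for the
# three Pirrit traits described above. Each check parses command output given
# on stdin, so it can be exercised offline against constructed samples and
# run live on a Mac by piping in the real command.

# Check 1: accounts hidden below UID 500 that are not macOS service accounts.
# Expected input format is that of:  dscl . -list /Users UniqueID
# Apple's own service accounts are named with a leading "_" (plus root, daemon
# and nobody); anything else with 0 < UID < 500 is worth a look.
suspicious_low_uid_users() {
  awk '$2 > 0 && $2 < 500 && $1 !~ /^_/ && $1 != "root" \
       && $1 != "daemon" && $1 != "nobody" { print $1 }'
}

# Check 2: pf redirect rules sending port-80 traffic to a local proxy.
# Expected input: output of  pfctl -s nat
proxy_rdr_rules() {
  grep -E '^rdr .*port (= )?80 -> 127\.0\.0\.1' || true
}

# Check 3: the loginwindow preference that hides UIDs below 500 (assumed here
# to be the Hide500Users key). Expected input: output of
#   defaults read /Library/Preferences/com.apple.loginwindow
hide500_enabled() {
  grep -qE 'Hide500Users *= *(1|YES|true)'
}

# Constructed samples standing in for real command output on an infected host.
SAMPLE_USERS='root 0
nobody -2
_www 70
harvest 401
alice 501'
SAMPLE_PF='rdr pass on en0 inet proto tcp from any to any port = 80 -> 127.0.0.1 port 9882'
SAMPLE_LOGINWINDOW='{
    Hide500Users = 1;
}'

printf '%s\n' "$SAMPLE_USERS" | suspicious_low_uid_users   # prints "harvest"
printf '%s\n' "$SAMPLE_PF" | proxy_rdr_rules               # prints the rdr rule
if printf '%s\n' "$SAMPLE_LOGINWINDOW" | hide500_enabled; then
  echo "Hide500Users is set"
fi

# On a real Mac (run as root), feed the live commands instead:
#   dscl . -list /Users UniqueID | suspicious_low_uid_users
#   pfctl -s nat | proxy_rdr_rules
#   defaults read /Library/Preferences/com.apple.loginwindow | hide500_enabled
```

A hit on any one check is a lead, not proof; the hidden user and the redirect together are the combination the article describes.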

"While this program only delivers ads to a browser, it does use social engineering to get privilege escalation and eventually take total control of your machine," Mr. Serper explains. "And with control of your machine, attackers could have done more than bombard you with ads."

This includes installing keyloggers and banking trojans, stealing personal files, and just about anything else they wanted. The good news is that the researcher created a shell script that can remove Pirrit from infected Macs. The script needs to run as root.