OSX-Pirrit Adware: Notes from the Underground

April 20, 2016  |  Patrick Bedwell


“Adware” is a portmanteau (one of my favorite words) of ‘advertising’ and ‘software’. It is advertising-supported software that can be both annoying and malicious. Some adware is legitimate, such as when it’s used by developers to generate revenue for free or open source applications or tools. Adware has been around since time began (or so it seems) and many users accept it as a necessary evil to get access to free apps, games, and utilities.

However, it can also be malicious. Malicious activity in adware can range from applications that monitor your users’ behavior and collect marketing-related information unbeknownst to you (also known as spyware), to applications that install malicious apps and harvest confidential or regulated data.

OSX-Pirrit is an invasive application that targets Macs, one of a small but growing number of Mac threats. It is more malicious than the Windows version of Pirrit because it hijacks your web traffic by routing all of it through its proxy, thereby exposing your sensitive or regulated information to exfiltration (as well as giving the attacker the ability to install other software on your system). It appears to reach the system when users install it themselves, believing they are downloading an update to a popular app such as Flash.

Impact on You

Once installed, OSX-Pirrit does two things:

  • It intercepts web traffic via a proxy and injects ads into that traffic
  • It launches a daemon (which allows it to control apps and services), enabling it to maintain persistence
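
The Launch Daemon persistence described above can be triaged by listing launchd jobs that start automatically from hidden or unexpected locations. This is an added example, not code from AlienVault or the original post; the allow-listed path prefixes, the hidden-directory heuristic and the sample plists are assumptions constructed for illustration and are not Pirrit indicators.

```python
import plistlib
import tempfile
from pathlib import Path

LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents"]  # system-wide job dirs
# Assumption: programs under these prefixes are expected; tune the list per fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/")


def audit_launch_items(directories=LAUNCH_DIRS, trusted=TRUSTED_PREFIXES):
    """Flag launchd jobs that auto-start from hidden or unexpected paths."""
    findings = []
    for directory in directories:
        for path in sorted(Path(directory).glob("*.plist")):
            try:
                job = plistlib.loads(path.read_bytes())  # XML or binary plist
                args = job.get("ProgramArguments") or []
            except Exception:  # unreadable, malformed, or non-dictionary plist
                findings.append({"plist": str(path), "reason": "unparseable"})
                continue
            program = job.get("Program") or (args[0] if args else "")
            # RunAtLoad / KeepAlive are the keys that make a job persistent.
            persistent = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
            hidden = any(p.startswith(".") for p in Path(program).parts)
            if persistent and (hidden or not program.startswith(trusted)):
                findings.append({"plist": str(path), "label": job.get("Label"),
                                 "program": program,
                                 "reason": "hidden path" if hidden else "unexpected path"})
    return findings


def demo():
    """Audit three constructed sample plists written to a temp directory."""
    samples = {
        "com.example.updater.plist": {"Label": "com.example.updater", "RunAtLoad": True,
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
        "com.example.net.plist": {"Label": "com.example.net", "KeepAlive": True,
            "ProgramArguments": ["/var/.hidden/netd"]},
        "com.example.ondemand.plist": {"Label": "com.example.ondemand", "Program": "/tmp/tool"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_bytes(plistlib.dumps(body))
        return audit_launch_items([tmp])


if __name__ == "__main__":
    print(demo())
```

Calling `audit_launch_items()` with no arguments inspects the local machine's system-wide launchd directories. A finding is a prompt for review, not a verdict, since legitimate third-party software also installs persistent jobs.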

How AlienVault Helps

Adware like OSX-Pirrit is difficult to prevent and remove. Preventive technologies like antimalware or sandboxing can help block the downloading and installation of the malware, but preventive tools never detect all versions of malware. And, since at least one version of the malware includes a signed Apple certificate, it appears benign to Mac OS X once installed.

AlienVault USM gives you the ability to detect the presence of new variants of malware like OSX-Pirrit that have evaded those preventive technologies and reside on your systems. The AlienVault Labs threat research team saves you a tremendous amount of time and effort by continuing to research and update the ability of the USM platform to detect new types of malware like OSX.Pirrit, as well as new variations on existing malware.

The Labs team recently updated the USM platform’s ability to detect this new threat on your network by adding an IDS signature to detect the malicious traffic and a correlation directive to link events from across your network that indicate that Pirrit has compromised one or more Macs.

These updates are included in the latest AlienVault Threat Intelligence update available now:

  • New Detection Technique - OSX/Pirrit

OSX/Pirrit is an invasive piece of OSX adware that is derived from the Windows version of the adware. The adware intercepts all HTTP traffic, injects ads into the proxied traffic, and maintains persistence by installing a Launch Daemon.

Related content in Open Threat Exchange: https://otx.alienvault.com/pulse/5707d68267db8c4b471bdacf/

We've added IDS signatures and created the following correlation rule to detect OSX/Pirrit activity:

  • System Compromise, Adware infection, OSX/Pirrit

Notes from the Underground is a blog series that provides some background and context on just one aspect of the Threat Intelligence Subscription updates delivered by the AlienVault Labs team. The regular Threat Intelligence updates keep the USM platform’s threat detection and response capabilities current against the latest threats. See the list of weekly updates at https://success.alienvault.com/s/topic/0TO0Z000000oRS2WAM/att-alien-labs. We’ll be posting the Notes here in the Forums as well, in case you have not been reading the blog.
