Author of potentially malicious OS X Pirrit adware discovered
An unnamed web developer working for Israeli marketing and advertising company TargetingEdge is the creator of the Pirrit adware targeting Mac machines, Cybereason security researcher Amit Serper has discovered.
Pirrit is not a typical piece of adware. Its main goal is to deliver specific ads, but it also shows some capabilities typical of malware: it creates hidden user accounts and can obtain root access to the infected machine. It could be used to steal valuable information, even though it currently does nothing besides flooding users' browsers with ads.
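The article says Pirrit creates hidden user accounts but does not describe them. The following is an added example, not code from the article or from Cybereason, showing the check a responder would run on a Mac for that behaviour: list local accounts with `dscl . -list /Users UniqueID`, flag any whose UID is below 500 (macOS hides those from the login window by default; Apple's own service accounts live there but are underscore-prefixed), and also flag any account whose `IsHidden` attribute is set. The heuristic, the stock-account list and the sample `dscl` listing are my assumptions and constructed data, not observations from a Pirrit infection.

```python
"""Added example: spot candidate hidden local accounts on macOS.

`dscl . -list /Users UniqueID` prints one "name uid" line per local account.
The login window hides accounts with UID < 500 by default, and an account can
also be hidden explicitly with the IsHidden attribute. The heuristic below is
the author's of this example (an assumption), not Cybereason's detection logic.
"""
from __future__ import annotations

import shutil
import subprocess

# Standard low-UID accounts that are not underscore-prefixed (assumption: stock macOS only).
STOCK_ACCOUNTS = {"root", "daemon", "nobody"}


def parse_dscl_list(text: str) -> dict[str, int]:
    """Turn `dscl . -list /Users UniqueID` output into {name: uid}."""
    users: dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        name, uid = parts
        users[name] = int(uid)
    return users


def suspicious_accounts(users: dict[str, int],
                        hidden_flags: dict[str, str] | None = None) -> list[str]:
    """Names hidden by the UID<500 convention (excluding Apple's) or by IsHidden=1, lowest UID first."""
    hidden_flags = hidden_flags or {}
    out = []
    for name, uid in sorted(users.items(), key=lambda kv: kv[1]):
        low_uid = uid < 500 and not name.startswith("_") and name not in STOCK_ACCOUNTS
        flagged = hidden_flags.get(name) == "1"
        if low_uid or flagged:
            out.append(name)
    return out


def live_scan() -> list[str]:
    """Run the real dscl commands; only meaningful on a Mac where dscl exists."""
    if shutil.which("dscl") is None:
        raise RuntimeError("dscl not found; this check only runs on macOS")
    listing = subprocess.run(["dscl", ".", "-list", "/Users", "UniqueID"],
                             capture_output=True, text=True, check=True).stdout
    users = parse_dscl_list(listing)
    flags: dict[str, str] = {}
    for name in users:
        # `dscl . -read /Users/<name> IsHidden` prints "IsHidden: 1" when the attribute is set
        r = subprocess.run(["dscl", ".", "-read", f"/Users/{name}", "IsHidden"],
                           capture_output=True, text=True)
        if r.returncode == 0 and "IsHidden:" in r.stdout:
            flags[name] = r.stdout.split("IsHidden:", 1)[1].strip()
    return suspicious_accounts(users, flags)


# Constructed sample listing and IsHidden values (not captured from an infected machine).
SAMPLE_LISTING = """\
_spotlight 89
_www 70
daemon 1
nobody -2
root 0
alice 501
bob 502
svc_update 499
helper 233
"""
SAMPLE_FLAGS = {"alice": "0", "bob": "1"}  # bob has a normal UID but is explicitly hidden


def scan_sample() -> list[str]:
    """Apply the heuristic to the constructed sample."""
    return suspicious_accounts(parse_dscl_list(SAMPLE_LISTING), SAMPLE_FLAGS)


if __name__ == "__main__":
    print("suspicious accounts in sample:", scan_sample())
```

On a real machine, follow up on each hit with `dscl . -read /Users/<name>` to see the home directory and shell, since the article notes the newer Pirrit variant keeps its uninstall instructions in the hidden user's home directory.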
First analyzed by Serper in April, the adware didn't offer much information that could reveal its author – just a first name. But a newer version that he analyzed did.
One of the files it dropped was a tar.gz archive. The tar format stores, for every file it contains, attributes such as the owner's user name and group and the modification time as they were on the computer where the archive was created, and those attributes can reveal information about that computer and its user.
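To make the attribution step concrete, here is an added example (not the article's or Cybereason's code, and not the Pirrit dropper) that builds a small tar.gz with chosen owner fields and then reads them back the way an analyst would. The user name, UID, group and timestamp in the sample are invented; the point is that none of these header fields are needed to extract the files, so packagers rarely scrub them.

```python
"""Added example: pull creator metadata out of a tar.gz archive.

ustar/pax/GNU tar headers record each member's owner user name, group name,
numeric uid/gid and mtime as seen on the machine that built the archive.
The archive built here is constructed for demonstration only.
"""
from __future__ import annotations

import io
import tarfile
from datetime import datetime, timezone


def build_sample_archive(uname: str, uid: int, mtime: int) -> bytes:
    """Construct a small .tar.gz whose member headers carry a chosen owner.

    A real `tar` run fills these fields from the filesystem; here they are set
    explicitly so the example is reproducible. The gid 20 / "staff" pair is the
    default primary group of a macOS user (assumption about the sample, not the article).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        members = (("installer/run.sh", b"#!/bin/sh\necho hi\n"),
                   ("installer/README", b"built on my laptop\n"))
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.uname = uname
            info.gname = "staff"
            info.uid = uid
            info.gid = 20
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def archive_provenance(blob: bytes) -> list[dict]:
    """Return the owner-related header fields for every member of a tar.gz blob."""
    rows = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            rows.append({
                "name": m.name,
                "uname": m.uname,
                "gname": m.gname,
                "uid": m.uid,
                "gid": m.gid,
                "mtime_utc": datetime.fromtimestamp(m.mtime, tz=timezone.utc).isoformat(),
            })
    return rows


def distinct_owners(blob: bytes) -> set[tuple[str, int]]:
    """Distinct (uname, uid) pairs in the archive; a single pair points at one builder account."""
    return {(r["uname"], r["uid"]) for r in archive_provenance(blob)}


if __name__ == "__main__":
    # Constructed values: "buildbot" and UID 501 (the first user account on a stock Mac).
    sample = build_sample_archive("buildbot", 501, 1466000000)
    for row in archive_provenance(sample):
        print(row)
    print("owners:", distinct_owners(sample))
```

The same fields are visible without Python via `tar -tvzf file.tar.gz`, which prints owner/group and mtime per member; Python's `tarfile` additionally honours pax extended headers, where modern bsdtar and GNU tar store long names and non-ASCII user names.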
This is how the researcher identified the creator of the latest version, and LinkedIn then let him tie that person to TargetingEdge. The firm's own LinkedIn page made it very likely that the information was accurate.
Once the firm was identified, the first name found in the initial version of the adware pointed to the web developer whom Serper believes to be the original author, but whose identity he didn't reveal publicly.
“Unlike the older version of OSX.Pirrit, the new variant includes a component that checks for competing programs on a computer, removes any competitors that are discovered and rewrites autoruns when removed. The new version also has 14 new hidden users and no longer includes the Windows binary found in the original version,” noted Serper. “I assume they read my earlier research on OSX.Pirrit and made the changes.”
Pirrit is distributed through installers that bundle it with legitimate media players (VLC, MPlayerX, etc.). When users download the players and run the installers, the adware is installed without the user being any the wiser, and starts injecting ads into the victims' web traffic.
Pirrit is difficult to uninstall. Serper created a removal script, but it only works for earlier versions of the adware. Users who suspect that they have been hit with the latest one will have to search for uninstall instructions, which are “buried in either the temp directories or in the hidden user's home directory.”