Slashdot Mirror


Maker of Sneaky Mac Adware Sends Security Researcher Cease-and-Desist Letters (zdnet.com)

Zack Whittaker, writing for ZDNet: The maker of a sneaky adware that hijacks a user's browser to serve ads is back with a new, more advanced version -- one that can gain root privileges and spy on the user's activities. News of the updated adware dropped Tuesday in a lengthy write-up by Amit Serper, principal security researcher at Cybereason. The adware, dubbed OSX.Pirrit, is still highly active, infecting tens of thousands of Macs, according to Serper, who has tracked the malware and its different versions for over a year. Serper's detailed write-up is well worth the read. [...] TargetingEdge sent cease-and-desist letters to try to prevent Serper from publishing his research. "We've received several letters over the past two weeks," Serper told ZDNet. "We decided to publish anyway because we're sick of shady 'adware' companies and their threats."

87 comments

  1. Details? by DontBeAMoran · · Score: 2

    It would be nice to know how this crap gets on a system. Since we're talking about macOS, I'm going to guess this is a trojan and simply carry on...

    --
    #DeleteFacebook
    1. Re:Details? by tattood · · Score: 5, Informative
      from TFA:

      In this report, the term installer refers to TargetingEdge’s main product - an installer that installs software like a video player or a PDF reader that’s downloaded from a site. These installers will install the downloaded software and the additional malware.

      --
      WTB [sig], PST!!!
    2. Re:Details? by DontBeAMoran · · Score: 1

      Exactly what I thought. Thank you.

      As usual, don't install random crap on your computer, whatever OS you might be using.
      Basic computer security 101.

      --
      #DeleteFacebook
    3. Re:Details? by Anonymous Coward · · Score: 0

      https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Labs-Research-OSX.Pirrit-Minds-Behind-Malicious-Mac-Adware.pdf

    4. Re:Details? by Anonymous Coward · · Score: 0

      Shady pdf link, no thanks! Open it and post the relevant info or fuck off.

    5. Re:Details? by Travelsonic · · Score: 2

      As usual, don't install random crap on your computer, whatever OS you might be using. Basic computer security 101.

      Computer security 102, however, is "only people who click bad links, or download unknown attachments get a virus" is a myth.

      --
      If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
    6. Re:Details? by Anonymous Coward · · Score: 0

      Just because you don't like a link, doesn't mean you should be a complete ass..

    7. Re:Details? by Anonymous Coward · · Score: 0

      Not really. Most people who have malware on their system got it by downloading and running shit from untrustworthy sources.

    8. Re: Details? by aliquis · · Score: 1

      The problem with that is of course that we may want the functionality of the software we've found. And at least Windows hasn't before offered a central repository. And for the sake of competition we may not want one.

    9. Re:Details? by Anonymous Coward · · Score: 2, Funny

      It would be nice to know how this crap gets on a system.

      The Apple App Store.

    10. Re:Details? by Anonymous Coward · · Score: 0

      or leaving your computer unattended and someone logging in as root

    11. Re:Details? by bloodhawk · · Score: 2

      Same way crap gets on 99% of systems, be it Windows, Linux or OS X: poor user practices and education. Malware rarely targets vulnerabilities nowadays, as it is much easier to find a way in through the exploit sitting at the keyboard; this has been the case for quite a few years now.

    12. Re:Details? by Anonymous Coward · · Score: 0

      Yep, it is more that 99% of infections are those that click on bad links and unknown attachments. You are highly unlikely to get a virus if you practice good computer hygiene, but not quite immune. Luckily the 99% which make up easy targets shield you from most other avenues; malware and virus writers look for the easiest avenues for infection.

    13. Re:Details? by Anonymous Coward · · Score: 0

      Just because you don't like a response, does mean you should FUCK OFF.

    14. Re: Details? by Anonymous Coward · · Score: 0

      Computer security 103: keep stuff up to date and you minimise that risk.

    15. Re:Details? by Anonymous Coward · · Score: 0

      "Practices and education"

    16. Re: Details? by Anonymous Coward · · Score: 1

      Is that the same vendor that SourceForge used to provide their extras a few years ago?

    17. Re: Details? by Anonymous Coward · · Score: 0

      Of course computer Security 104 "Running antivirus minimises that risk" is a myth...

    18. Re:Details? by Anonymous Coward · · Score: 0

      So you've never downloaded and installed other programs to actually do anything useful on your computer ?
      I can't believe you're retouching photos with MS Paint and editing files with Notepad.

      Even getting software from trusted/respectable companies won't help; how many times this year have we seen companies hosting infected software after their build servers got compromised?

    19. Re: Details? by Anonymous Coward · · Score: 0

      I thought AppleOS was unix that protected you.

    20. Re:Details? by HiThere · · Score: 1

      Well, actually I use the Gimp, Inkscape, and Geany.

      But you're right in the assumption that I don't compile them from source. I use the official repository.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    21. Re: Details? by Anonymous Coward · · Score: 0

      Every time you update something, you run the risk of shit breaking or getting infected. Fewer, better quality updates is preferable to lots of shit updates "programmed" by non-developers.

    22. Re:Details? by Paradise+Pete · · Score: 1

      I'm guessing that's why he included the qualifier "only" in what he wrote.

    23. Re: Details? by Anonymous Coward · · Score: 0

      Yeah, because Adobe PDF Reader has never been compromised.

      Extra irony points for posting a PDF link in a thread about not clicking random links that could infest your computer with malware.

    24. Re:Details? by barbariccow · · Score: 1

      I'm guessing you missed the ending "is a myth."

    25. Re:Details? by barbariccow · · Score: 1

      www.notavirus.com/really_this_is_safe.jpg.exe

    26. Re:Details? by Anonymous Coward · · Score: 0

      Sometimes malware is embedded inside legal products, or those are contaminated, like the JAVA bundle installer, the Adobe Flash player 10 installer, Handbrake.
      I remember installing a Google Chrome with a mild case of PUP embedded inside the web installer.

      The problem I see in this case is this company making malware in a deliberate way and suing the researchers that found out... So, making and spreading malware is legal now :/.

    27. Re: Details? by Anonymous Coward · · Score: 0

      Don't forget Computer Security 200 "All your base belong to us".

    28. Re:Details? by DontBeAMoran · · Score: 1

      There's no "MS Paint" or "Notepad" on Macs.

      --
      #DeleteFacebook
    29. Re:Details? by DontBeAMoran · · Score: 1

      To be honest, I already see Java and Flash as being malware so I'll never install these anyway.

      The Handbrake malware incident, however, was the closest I ever came to having a tiny chance of maybe installing infected software on a computer.

      --
      #DeleteFacebook
    30. Re:Details? by Travelsonic · · Score: 2

      There are people who act like that is the only way it happens, though, which is a dangerously false assertion - malvertising, for instance, and other web based attacks can do this with little to no interaction on the part of the user who gets infected besides going to a website that should be trustworthy.

      --
      If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddammed idiot
    31. Re:Details? by Dog-Cow · · Score: 1

      I'm guessing you're an illiterate moron. No wait. I'm positive.

    32. Re: Details? by Anonymous Coward · · Score: 0

      I recall almost getting malware from sourceforge.

      That wrecks a lot of the "trusted source" idea, from my standpoint.

    33. Re:Details? by Anonymous Coward · · Score: 1

      They get email on their Mac that is spoofed to look like a mail from Apple, and the mail contains an executable that is labelled "system upgrade"?

      I bet a lot of Mac users would click on something like that :-)

    34. Re:Details? by Paradise+Pete · · Score: 1

      You should read the thread again.

    35. Re:Details? by pnutjam · · Score: 1

      I couldn't get that picture to open on my mac, can you make a png instead of a jpg.

  2. Turnabout by hackertourist · · Score: 1

    Maybe we should send the malware maker some cease-and-desist letters.

    1. Re:Turnabout by dwillden · · Score: 2

      Or since they are producing malware, perhaps the authorities might be interested in talking to the Lawyer who sent the C&D letters regarding their criminal employers.

      --
      I'm too lazy to compose a creative sig.
  3. If they sent a CnD by Anonymous Coward · · Score: 0

    You have their real identity. Find a nasty prosecutor willing to file charges for criminally accessing systems without permission.

    1. Re: If they sent a CnD by Anonymous Coward · · Score: 0

      idiot!!!!! they send it through an attorney!!!!!moron!!!!

    2. Re: If they sent a CnD by Anonymous Coward · · Score: 0

      Yeah. Take that to a court and get a subpoena. The name of the client is not covered under attorney-client privilege. You have to know both parties' names to even determine where it does apply in specific cases.

    3. Re:If they sent a CnD by 91degrees · · Score: 1

      They know the identity. It's a listed company based in Tel Aviv.

      No idea why they can't use a legal solution, but it's not because they don't have a company to sue.

  4. Unwise. by Anonymous Coward · · Score: 0

    In America, doing the right thing gets you punished.

    1. Re:Unwise. by Anonymous Coward · · Score: 0

      No kidding, just ask Edward Snowden.

    2. Re:Unwise. by jfdavis668 · · Score: 1

      I think he is just fictional. http://www.dailymail.co.uk/new...

    3. Re:Unwise. by Anonymous Coward · · Score: 0

      I didn't know selling secrets to the highest bidder was the "right thing" these days.

    4. Re:Unwise. by Anonymous Coward · · Score: 0

      Shut up, NSA shill.

  5. Here I thought by Anonymous Coward · · Score: 0

    they don't get malware or viruses.

    1. Re:Here I thought by ctilsie242 · · Score: 1

      Mac security improved greatly when OS X took the field. Before that, especially with system 6/7, you could actually have a code segment sitting on a SCSI drive that would load and execute with all permissions. This was used for security software (FileGuard, A. M. E., Empower) to have a driver for on the fly encryption, and thankfully it was never used for ill (AFAIK), but the early Mac operating systems had a lot of infection vectors (WDEF... insert a floppy, bam infected, for example.)

      OS X (i.e. NeXTStep with a Mac UI) was pretty good in the security department, and got a lot better, especially with the MAC/DAC stuff added in. However, nothing is 100% secure, and no desktop OS can protect against a Dancing Bunnies attack.

      What does help would be more macOS developers using Apple's store instead of offering downloads on their websites. This way, users are trained that if they are asked to go outside the established mechanism, they should be extremely wary... or just say "no". The exception are programs that Apple doesn't allow, such as low level utilities (Little Snitch, VMWare Fusion, etc.)

      In any case, Apple should be proactive and revoke the signing key of any proven adware maker.

    2. Re:Here I thought by Wrath0fb0b · · Score: 1

      I don't know why you think that VM host software cannot be hosted on the App Store.

      If VMWare doesn't distribute it that way, it's probably because most of their revenue/licenses are corporate rather than individual, and app stores tend to be a poor fit for those arrangements.

    3. Re:Here I thought by ctilsie242 · · Score: 1

      That is a good thing, and I am glad I am wrong here. Previously, I remember Apple disallowing programs that affected kernel level functionality. If Parallels can put their virtualization setup on the App Store, then I don't see why all Mac developers should not use the store. I would assert that stores or repositories are very beneficial in combatting Trojans, assuming they are well curated and bad software is removed quickly with the developer getting tossed.

      In the Linux world, I've found it very rare that I download a program outside a repository. The only exceptions are some very specific utilities that address a narrow market, and Borg Backup, whose latest version doesn't seem to wind up in EPEL or the latest Ubuntu updates.

      As for Windows, Microsoft needs to consider a push to have their store be similar. The days of downloading some program from Cnet or a BBS are long gone when it comes to security, for the most part.

      Of course, there is a downside... I fear that doing this might get OS makers to block sideloading of programs. Ideally, sideloading should be allowed, but in very rare circumstances.

  6. Cease-and-Desist what, exactly? by nitehawk214 · · Score: 1

    Cease-and-desist talking about the malware? Yeah, I am sure filing a lawsuit will do a great job of that, Barbara.

    Also, why isn't what the malware maker doing illegal?

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
    1. Re:Cease-and-Desist what, exactly? by bloodhawk · · Score: 3, Informative

      Also, why isn't what the malware maker doing illegal?

      Not sure on this particular case as I can't be bothered reading the whole story. BUT most malware/adware is perfectly legal as it relies on user ignorance and stupidity: simply put in some terms and conditions that you accept the adware in the install of product X; 99% of people don't read the terms, so you have an easy install path that is perfectly legal.

    2. Re:Cease-and-Desist what, exactly? by Anonymous Coward · · Score: 1, Interesting

      Totally. Even if it trashes your data. Or damages your hardware. Or spies on your kids.

      Like when you sign a piece of paper that says I get to punch you. You don't have any recourse after that. Nope. I'm just allowed to punch you whenever I want for the rest of your life.

    3. Re:Cease-and-Desist what, exactly? by HiThere · · Score: 2

      No, there are limits. They can't enforce an agreement that's against the policy of the enforcing agency. They can't demand that you do something illegal. But the limits are quite broad. Broad enough that I stopped using both MS and Apple over EULAs. (Read it sometime, and try to understand it.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:Cease-and-Desist what, exactly? by VeryFluffyBunny · · Score: 2

      Like when you sign a piece of paper that says I get to punch you. You don't have any recourse after that. Nope. I'm just allowed to punch you whenever I want for the rest of your life.

      So you think a contract can nullify criminal law? Regardless of what anybody writes in an agreement, punching someone is criminal assault, with very few exceptions and they have very specific conditions, e.g. boxing and martial arts.

      If an advertiser or software developer breaks the law, they can be prosecuted like everyone else.

      --
      Debate is a form of harassment. Do not question my truth.
    5. Re: Cease-and-Desist what, exactly? by bestweasel · · Score: 1

      Wise words. Never sign one of those bits of paper which say someone gets to punch you Ow! whenever they like. Ow!

    6. Re:Cease-and-Desist what, exactly? by Anonymous Coward · · Score: 0

      you can't sign contracts that allow them to break the law or take away your rights. But you certainly have no recourse when they take your data after they asked, can we take your data and you click FUCK YES!.

    7. Re: Cease-and-Desist what, exactly? by Anonymous Coward · · Score: 0

      "In many jurisdictions assault is defined as the threat of bodily harm that reasonably causes fear of harm in the victim while battery is the actual physical impact on another person. If the victim has not actually been touched, but only threatened (or someone attempted to touch them), then the crime is assault."

    8. Re:Cease-and-Desist what, exactly? by Anonymous Coward · · Score: 0

      BUT most malware/adware is perfectly legal as it relies on user ignorance and stupidity, simply put in some terms and conditions that you accept the adware in the install of product X, 99% of people don't read the terms so you have an easy install path that is perfectly legal.

      Not in the USA. For any law (including contract law) or precedent to be created to that effect would imply that law is superior to the highest law in the land, and hence for any legal professional to enforce the law or even treat it as valid on behalf of a client is unethical practice of law.

      The US Bill of Rights is open ended. Any reasonable individual rights people want to assert automatically come into play under the authority of the 9th Amendment - including the right to not be subject to unethical practice of law, or unethical business practice. Malware is always invalid - and adware is generally going to be a violation of fundamental rights.

      These people who do this stuff are hoping nobody with the resources needed to get a case through the legal system pushes the issue. They're scum.

  7. Re:first by Anonymous Coward · · Score: 0

    Nope you are a failure. And the fact that you even tried shows that you care about what you just failed at and still failed.

    Looser.

  8. No. by Anonymous Coward · · Score: 0

    Not only did you fail to get first post, you aren't even the first poster who tried and failed, as there are other failures above you.

    You have also failed to pick meaningful goals for yourself. Your life is just brimming with failure.

  9. Re:first by Anonymous Coward · · Score: 0

    HAH! Someone has some self esteem issues. A guy says 'first', and this guy starts saying 'looser'.

    You probably had a rough time growing up. If it makes you feel better, I guess.

  10. Macs don't get viruses so you're safe. by Anonymous Coward · · Score: 0

    Happy browsing dude.

  11. free to be an idiot by Anonymous Coward · · Score: 0

    >Not sure on this particular case as can't be bothered reading the whole story.

    but for sure your opinion means something to someone, right?

    WRONG, loser

    1. Re:free to be an idiot by Anonymous Coward · · Score: 0

      and yet his response was 100% correct and 1000 times more useful than your fucking retarded response.

  12. Apple Execs should send in a goon squad by FudRucker · · Score: 0

    Find this scumbag making this malware advertising and smash his computers and break his knees and elbows with baseball bats.

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re: Apple Execs should send in a goon squad by Anonymous Coward · · Score: 0

      Tim Cook would look mighty fine in an expensive wheelchair.

    2. Re:Apple Execs should send in a goon squad by VeryFluffyBunny · · Score: 1

      You mean Apple Inc., the corporation that spends over $1 billion a year on advertising?

      --
      Debate is a form of harassment. Do not question my truth.
  13. Security researcher sends... by mapkinase · · Score: 1

    ... Maker of Sneaky Adware to his maker.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  14. Ignore the C & D by Anonymous Coward · · Score: 0

    (Posting AC to preserve moderation)

    This is a fake C & D from someone who distributes fake software. Like they are actually going to reach out from Russia or Nigeria to file suit in the US court system...

    1. Re:Ignore the C & D by HiThere · · Score: 1

      An earlier poster said the company was headquartered in Israel. So they *could* file suit in the US court system. I consider it unlikely, and I consider it unlikely that a jury would find in their favor. But a judge might...or might not.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:Ignore the C & D by Anonymous Coward · · Score: 0

      Their legal counsel seems fairly half-assed... Claiming that they never sent a C&D when the journalist was *obviously* tipped off by the receiver.

    3. Re:Ignore the C & D by Anonymous Coward · · Score: 0

      This is not a fake company or fake software; it is a legitimate advertising company based in Israel with a legitimate fleet of lawyers. They just happen to use very scumbag-like activities that exist in a grey area of law, as what they do isn't actually illegal.

    4. Re:Ignore the C & D by gravewax · · Score: 1

      Why is that half-assed? Yes, they are clearly scumbags, but you are under no obligation to tell journalists anything, and they can happily lie their asses off to them.

    5. Re:Ignore the C & D by Anonymous Coward · · Score: 0

      Having had to deal with the press myself previously, we would make it a point for everyone to give them different responses in many cases. It keeps them confused and makes them work hard for their money, and they think the people they are dealing with obviously aren't coordinated. It can be amusing to watch as they then chase up whichever answer they think will give them the best story. The press can be as big a pack of arseholes as the people that write malware.

  15. First Step - Get Permission to do anything by Anonymous Coward · · Score: 0

    "All the installers that are downloading and executing these scripts are running as root since the first thing that do after execution is to ask for the user’s password. This is a key point since it explains how everything in the process described in this report is running with root permission."

  16. Re:first by Anonymous Coward · · Score: 0

    Did you just reply to your own post?

    Because you sound exactly like the poster you are responding to.

  17. No news is ... ummm. by Anonymous Coward · · Score: 0

    ... prevent Serper from publishing his research ...

    TargetingEdge should be pleased someone is talking about the quality of their products. They're not pleased, why is that? Enough said.

  18. Re:first by Anonymous Coward · · Score: 0

    "Looser" than what? Your mother? Dipshit.

  19. Wahahahahaha by Anonymous Coward · · Score: 0

    said in Kevin Hart's voice "NOOOOOOOOO it isn't us spouting out all that malware to Mac computers"...

  20. Servers to block in hosts to help cripple it by Anonymous Coward · · Score: 0

    0.0.0.0 t.46sdzf3zdg1dxg2.us
    0.0.0.0 46sdzf3zdg1dxg2.us
    0.0.0.0 3fzf1fseg1xzgd1e5.us
    0.0.0.0 tika-search.com
    0.0.0.0 delta-search.com

    * Per source article research https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active/

    APK

    P.S.=> For protection vs. FAR MORE threats online other than this one too & more speed, reliability + anonymity too? Accept NO SUBSTITUTE for APK Hosts File Engine 10++ 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ as it does far more for far less vs. any other "so-called 'solution'" bar-none, natively vs. illogically "Bolting on 'MoAr'" that's full of security issues or inefficient (browser addons, dns, antivirus etc.)... apk
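    As an added illustration (not code from the post or from the Cybereason research), the Python below parses a hosts file to report which of the domains listed above are actually sinkholed, and flags lookups of them in constructed DNS query log lines. It also makes the caveat concrete: a hosts entry for a bare domain does not cover its subdomains, whereas a resolver-log check can match them.

```python
# Added example, not part of the original post. Domains are the ones listed
# in the post; the hosts text and DNS log lines are constructed samples.
from typing import Dict, Iterable, List, Tuple

PIRRIT_DOMAINS = {
    "t.46sdzf3zdg1dxg2.us",
    "46sdzf3zdg1dxg2.us",
    "3fzf1fseg1xzgd1e5.us",
    "tika-search.com",
    "delta-search.com",
}

# Addresses that count as a sinkhole when a hosts entry points at them.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a hosts file to its address.

    '#' comments and blank lines are skipped; the first entry for a name
    wins, which is how most resolvers treat duplicate hosts entries.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def unblocked_domains(hosts_text: str,
                      domains: Iterable[str] = PIRRIT_DOMAINS) -> List[str]:
    """Return the listed domains that the hosts file does NOT sinkhole."""
    mapping = parse_hosts(hosts_text)
    return sorted(d for d in domains
                  if mapping.get(d.lower()) not in SINKHOLE_ADDRS)


def is_listed(name: str, domains: Iterable[str] = PIRRIT_DOMAINS) -> bool:
    """True if name is a listed domain or a subdomain of one (label boundary
    enforced, so 'notdelta-search.com' does not match 'delta-search.com')."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in domains)


def flag_dns_queries(log_lines: Iterable[str],
                     domains: Iterable[str] = PIRRIT_DOMAINS) -> List[Tuple[str, str]]:
    """Return (client, queried_name) for each query of a listed domain.

    Constructed log format: '<timestamp> <client_ip> query <name> <rrtype>'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query" and is_listed(parts[3], domains):
            hits.append((parts[1], parts[3]))
    return hits


# Constructed samples: only two of the five domains are in this hosts file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 tika-search.com   # sinkholed
0.0.0.0 delta-search.com
"""
SAMPLE_DNS_LOG = [
    "2018-03-28T10:00:01 10.0.0.5 query www.example.com A",
    "2018-03-28T10:00:02 10.0.0.5 query t.46sdzf3zdg1dxg2.us A",
    "2018-03-28T10:00:03 10.0.0.9 query cdn.delta-search.com A",
    "2018-03-28T10:00:04 10.0.0.9 query notdelta-search.com A",
]

if __name__ == "__main__":
    print("not sinkholed:", unblocked_domains(SAMPLE_HOSTS))
    print("suspicious queries:", flag_dns_queries(SAMPLE_DNS_LOG))
```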

  21. Re: first by Brockmire · · Score: 1

    Fuck face, it's "loser". "Looser" is when I'm done with your mom. Why can't people get this right when insulting people?

  22. Send Report to the FBI by herbierobinson · · Score: 1

    They should send the report and the lawyer's address straight to the FBI. If it's accurate, the software is violating the Computer Fraud and Abuse Act. And Israel will honor the extradition...

    --
    An engineer who ran for Congress. http://herbrobinson.us