
OSX.Pirrit Mac Adware Part III: The DaVinci Code - EliadEliad
https://www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active
======
tgragnato
This "legitimate adware" is abusing an installation process to gain
persistence.

I have a feeling BlockBlock (Objective-See) would be able to intercept and
block the installation of the plist.

> [https://www.objective-see.com/products/blockblock.html](https://www.objective-see.com/products/blockblock.html)

If a third party app is installing a com.apple.<whatever>.plist, be aware of
it.

~~~
dmix
That's a very useful security program. Thanks for the heads up!

Reminds me of the security monitoring software that Google released for MacOS.

------
sitharus
The most disappointing thing I saw is the résumé. It makes me very sad for the
software development profession that actively subverting the privacy of users
and the controls of their operating system is something seen as a positive.

~~~
userbinator
I suppose you could say the same about those who worked on Intel ME,
Computrace[1], and maybe other DRM technologies too?

Personally, I can refuse an offer from Google or Microsoft because I do not
agree at all with their vision, regardless of how much they want to compensate
me, but it really is a difficult situation to be in --- people get asked to do
things which are against their personal beliefs all the time, and there may
well be other reasons why someone would work for such companies, so I don't
find it unusual that he would try to make the best of it.

[1]
[https://news.ycombinator.com/item?id=2500472](https://news.ycombinator.com/item?id=2500472)

------
dmix
TIL you can use AppleScript to inject JavaScript into every browser page you
visit, regardless of browser, as an alternative to using a browser plugin to
(for example) monitor every website you visit.

~~~
yjftsjthsd-h
As with many power tools, that's actually really cool and there are some neat
ways to use such a thing. It's just that in this case it's getting horribly
abused to subvert the user's control of their own system.

(Examples: You could use such a thing to block ads, or archive sites as you
browse them)

------
saagarjha
The images were broken for me, so I found the PDF a lot better of a read:
[https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%2...](https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf)

------
adware_ta_1122
I worked for another adware maker in IL (I left after a couple of months, when
I realized how the company actually makes money). It's a pretty big industry
here, since we have a lot of adtech and an endless appetite for easy money. AMA.

------
herodotus
OK, so how do I see if I am infected?

~~~
woadwarrior01
Look for com.<dictionary_word>.plist in ~/Library/LaunchAgents/, where
<dictionary_word> is a random word from /usr/share/dict/words (the Unix word
file).
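
The two checks suggested in this thread (tgragnato's "a third-party app
installing a com.apple.<whatever>.plist" and woadwarrior01's
"com.<dictionary_word>.plist in ~/Library/LaunchAgents/") can be run over a
directory with a few lines of POSIX shell. The script below is an added
example, not code from the Cybereason write-up or from any of the commenters.
The function names scan_launch_agents and demo_scan, the directory and
word-list arguments, and the sample plist names it creates are all
assumptions for the example; it builds its own fixtures under mktemp so it
runs offline on Linux or macOS. Both rules are heuristics to prioritise
manual review, not a verdict: Apple's own agents normally live under
/System/Library/LaunchAgents and /Library/LaunchAgents, so a com.apple.* file
in a user's LaunchAgents is worth a look, and a single-word label that is a
dictionary word matches the naming the thread describes but can also be a
legitimate vendor name.

```shell
#!/bin/sh
# Added example (not from the article): flag suspicious launch agents.
# $1 = directory of agent plists (normally ~/Library/LaunchAgents)
# $2 = word list (normally /usr/share/dict/words)
# Heuristic 1: com.apple.*.plist in a per-user LaunchAgents directory.
# Heuristic 2: com.<label>.plist where <label> has no further dot and is a
#              whole-line, case-insensitive match in the word list.
scan_launch_agents() {
    dir=$1
    words=$2
    [ -r "$words" ] || { echo "word list not readable: $words" >&2; return 2; }
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=$(basename "$f" .plist)
        case "$name" in
            com.apple.*)
                echo "SUSPECT apple-impersonation: $f"
                ;;
            com.*)
                label=${name#com.}
                case "$label" in
                    *.*) ;;                 # com.vendor.product style: skip
                    *)
                        # -F literal, -x whole line, -i ignore case, -q quiet
                        if grep -qixF -- "$label" "$words"; then
                            echo "SUSPECT dictionary-word label: $f"
                        fi
                        ;;
                esac
                ;;
        esac
    done
}

# Constructed fixtures (assumed names, not real samples): a tiny word list
# and four agent plists, two of which should trip the heuristics.
demo_scan() {
    tmp=$(mktemp -d)
    printf '%s\n' apple banana cherry > "$tmp/words"
    mkdir "$tmp/agents"
    for n in com.apple.update com.banana com.google.keystone org.example.tool; do
        printf '<plist version="1.0"><dict/></plist>\n' > "$tmp/agents/$n.plist"
    done
    scan_launch_agents "$tmp/agents" "$tmp/words"
    rm -rf "$tmp"
}
```

On a real machine the call is `scan_launch_agents ~/Library/LaunchAgents
/usr/share/dict/words`; running demo_scan on the constructed fixtures reports
com.apple.update.plist and com.banana.plist and stays silent on
com.google.keystone.plist and org.example.tool.plist. Anything flagged should
then be inspected for a ProgramArguments path outside /Applications or
/System, the usual tell in the samples the write-up describes.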

~~~
danieldk
KnockKnock [1] is also a very nice tool that scans your system for stray
launch agents, kexts, and browser extensions. It also passes what it finds
through VirusTotal.

[1] [https://objective-see.com/products/knockknock.html](https://objective-see.com/products/knockknock.html)

------
chisleu
Gross. If you want your adware/pup to act like malware, expect to be treated
like malware.

------
therein
Wait, osascript can inject HTML and JavaScript into the DOM? How is that okay?

~~~
Sidnicious
I agree with my sibling comments that in current OSs, desktop apps —
especially ones with root — are generally as privileged as the user, and
that's (supposed to be!) a good thing.

However, Chrome's AppleScript support was used almost exclusively by malware,
so it's disabled by default now:
[https://crbug.com/661810](https://crbug.com/661810).

~~~
sitharus
If Apple had invested as much in AppleScript as in other parts of the OS, I'm
sure we'd see a "Can automate other applications" setting in the Privacy
controls. Not sure that'd help much here, as the app is a Trojan, but it'd be
helpful to limit the activity while removing it.

~~~
CGamesPlay
We have one, to an extent. AppleScript is supposed to be IPC, so the published
interfaces for AppleScript are governed by the applications responding to the
requests. However, the generic "simulate human input" response is restricted
using the "Allow these apps to control your computer" setting in System
Preferences -> Security & Privacy -> Privacy -> Accessibility.

------
nallerooth
This was a nice write up which I enjoyed a lot. Thank you!

