Adware is just Malware with a Legal Department

Presented at LayerOne 2018, May 26, 2018, 1 p.m. (60 minutes).

Adware isn't a new or an exciting threat. It is often ignored by security professionals because "they just display ads." Security companies often classify adware as "PUPs," or "potentially unwanted programs," downplaying its actual risks and dangers. In this talk I demonstrate just how serious adware can be and how the only difference between adware and malware is the fact that adware companies have legal departments. This is the talk that adware makers don't want you to attend.

Back in 2016 I discovered a new OSX strain of the Pirrit adware/malware, which at the time only targeted Windows machines. I completely reverse engineered the malware: it runs with root privileges, hijacks all HTTP traffic on the infected machine, and employs several other nefarious tricks. Due to some stunning opsec mistakes I found the malware authors' full names and the company that they work for.

Fast forward to the present: OSX/Pirrit was back with a vengeance, employing new techniques and having learned its lessons from everything I wrote about in my previous reports and talks. Nevertheless, after lots of binary reverse engineering and going through thousands of lines of JavaScript, bash, and AppleScript code, I managed to reveal just how sinister the new version of OSX/Pirrit is; it is virtually impossible to remove without deep OSX knowledge. Due to more opsec mistakes by the authors I managed to tie this new wave of infections back to On top of that, TargetingEdge, the company that makes this adware/malware, bombarded us with cease and desist letters, threatening my employer and myself personally in order to prevent us from publishing our report. This talk will highlight all of the methods used by the malware authors to abuse systems. I will guide attendees through the process of reverse engineering such malware and share with everyone the amazing and hilarious story behind this whole incident.

There will be IDA screenshots, there will be stunning opsec mistakes by the authors, and there will be lolz galore.

Presenters:

  • Amit Serper
    Amit leads the security research at Cybereason's Boston HQ. He specializes in low-level, vulnerability, and kernel research, malware analysis, and reverse engineering. He also has extensive experience researching attacks on large-scale networks and investigating undocumented OS resources and APIs. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for an Israeli intelligence agency, specifically in embedded system security. He has presented at RSA, BSides, CircleCityCon, Derbycon, LayerOne, and other conferences.
