Security firm threatened with legal action for report highlighting adware

An internet security company claims that it has been threatened with legal action for writing research identifying, and warning of, what it describes as a strain of MacOS adware.

In a series of reports starting in April 2016, Cybereason examined the OSX.Pirrit adware and named an Israeli company called TargetingEdge as responsible for it. A third report was published this week. The reports were authored by Cybereason lead researcher Amit Serper.

In the latest report, Serper describes OSX.Pirrit as "a very nasty piece of adware" targeting OSX "with components such as persistence and the ability to obtain root access [-] characteristics usually seen in malware. While OSX.Pirrit's main goal was to display ads, the way it did this contains many practices borrowed from traditional malware".

Following the publication of the reports, a number of the company's servers and distribution websites were taken down.

However, the adware still persists, according to Serper. "Unlike old versions of OSX.Pirrit that used rogue browser plug-ins or even installed a proxy server on the victim's machine to hijack the browser, this incarnation uses… AppleScript, Apple's scripting/automation language.

"And, like its predecessors, this variant is nasty. In addition to bombarding people with ads, it spies on them and runs under root privileges," claimed Serper in his latest report.

But, he added, his research hadn't gone unnoticed by the company behind the adware.

"For the past two weeks they've tried to prevent me from publishing this research. Cybereason has received a few cease and desist letters from a firm claiming to be TargetingEdge's legal counsel. The letters demand that we stop referring to TargetingEdge's software as malware and refrain from publishing this report."

In the letters, the company claims that it develops and operates "a legitimate and legal installer product for Mac users" and asserts that "our product is not malware, it does not include any features of malware and it does not harm or damage or [is] intended to cause any damages to the product user's device".

It adds that it doesn't 'hack', 'spy' or 'takeover' the browser via any malicious or "non-transparent" means.

But Cybereason isn't the only company that identifies the adware as a threat to Mac users - 28 other anti-virus engines on VirusTotal also identify OSX.Pirrit as malware. Curiously, though, TargetingEdge also denied any link with OSX.Pirrit, despite evidence to the contrary.

The researcher claims that he is not the only security specialist to have been threatened with legal action by the subjects of their research. Back in 2013, for example, another adware company called Genieo threatened legal action over the mere suggestion that its software might be "malicious" and that its uninstallation procedure didn't, in fact, work.

Indeed, the tactics deployed are reminiscent of a number of legal threats and action taken against security researchers since the advent of the internet age.

In the late 1990s and early 2000s, for example, anti-spam groups were routinely threatened with legal action by spammers, mostly based in the US, for publishing lists of IP addresses known to be associated with pushing out unsolicited commercial email, to give spam its formal name. These lists could be deployed by systems administrators to filter out spam.

Anti-spam groups responded by organising their groups over the internet anonymously and extending the range of blocked IP addresses, forcing legitimate businesses to complain to internet service providers (ISPs) that were too 'spam friendly'. This was a favoured tactic of the Spam Prevention Early Warning System (SPEWS), which had some success in forcing ISPs to clean up their act.

More recently, anti-malware software vendor Malwarebytes was sued by a US security software vendor for categorising its relatively expensive and poorly performing product as a "potentially unwanted program". Enigma Software had claimed that the categorisation amounted to a "tortious interference" in its business - a claim rejected by the court.