New OS X Trojan Adware Injects Ads Into Chrome, Firefox, Safari

An anonymous reader writes "A new trojan specifically for Macs has been discovered that installs an adware plugin. The malware attempts to monetize its attack by injecting ads into Chrome, Firefox, and Safari (the most popular browsers on Apple's desktop platform) in the hopes that users will generate money for its creators by viewing (and maybe even clicking) them. The threat, detected as "Trojan.Yontoo.1" by Russian security firm Doctor Web, is part of a wider scheme of adware for OS X that has "been increasing in number since the beginning of 2013," according to the company."

Clarification

[schneidafunk]

Can someone explain to me why advertisers would want to pay for bogus clicks? How does this money get laundered to hide the trojan creator and also defraud the advertiser?

Re:

[schneidafunk]

That's not 100% true. I've done adword campaigns through Google (and other sites) and was able to track the return on investment from different ads & clicks.

Re:

[Darinbob]

It's their own fault. They do automatic signup and usage of advertising, without ever meeting their customers or getting a contract. Imagine an ad agency doing this with radio and television stations; you could just mail in a letter saying you are manager of WAFK 101.1 FM, and their spot played 27 times, so please pay up.

Better Question

[Deathlizard]

Can Someone explain to me why Yontoo is detected on the Mac Platform but on Windows it's totally ok.

While we're at it, why are any of these still not detected by any malware scanner. Even as a Potentially Unwanted Program? I'm sure just about anything listed here does a lot more malicious stuff than anything spyware like Gator ever did.

Anything from Conduitt
Anything from Mindspark Interactive
myfuncards
arcadecandy
arcadeweb
funweb
freeze.com
pricegong
getsavin
coupon wonderland
fantistigames
big fish games
quiklinkx
defaulttab
mywebsearch
we care ASCPA Reminder (my personal favorite. When you uninstall it, it basically accuses you of wanting to kill puppies.)
shop to win
inbox toolbar
anything from Crawler
24x7 help
blekko
dealply
ETC

Most of the above either popup ads, install, or trick users into installing more junk like registry scanners, fake flash players and the like. Yet almost no scanner I've found short of JRT or ADWcleaner gets rid of these things.

It's about time these AV companies wake the heck up and realize that Spyware is back disguising itself as adware and is more prevalent than ever,

Re:

[Aryeh Goretsky]

Hello,

Not sure which anti-malware software you are using, but a quick check of my employer's gave me half-a-dozen hits:

• Win32/Adware.Yontoo [virusradar.com] - added Apr 15 2011
• Win32/Adware.Coupons [virusradar.com] added - Apr 05 2005
• Win32/Adware.Toolbar.MyWebSearch [virusradar.com] - added Apr 29 2005
• Win32/TrojanDropper.FunWeb [virusradar.com] - added Jun 08 2004
• Win32/Freeze [virusradar.com] - added Feb 02 2006
• Win32/Candy [virusradar.com] -added Nov 10 2006

Not sure about the others, but would not be surprised if they are detected, just with a different name than you wrote. Maybe you just need to ch

Re:

[Deathlizard]

My guess is that you work for ESET.

I recently had a job change a few months ago, and at my current job we have been using ESET NOD32 Antivirus Business Edition 4 (I'd like to move to the latest version, but Labtech is keeping us on 4)

From my Experience, ESET does do a pretty good job detecting PUPS, but in our console, when we look at the threat log, it constantly says "unable to clean" I'm sure it's just a setting wrong in the policy but i'm still learning the console since my previous employer used Sophos

Re:

[Aryeh Goretsky]

Hello,

A lucky guess.

I'm not as familiar with the remote management side of things as I used to be, but I suspect that with potentially unwanted applications (PUA), the option to use would be "delete" instead of "disinfect." The latter is really only applicable to parasitic infecting viruses which actually modify host code. In the case of a PUA, there is no clean host program inside the PUA, it's a PUA all the way down.

I would suggest checking with the LabTech or ESET support folks to verify the settings,

Re:

[chrish]

Did I miss a memo about Big Fish Games, or are they evil on Windows? I thought the were a legit game vendor... at least, their Mac client doesn't seem to do anything too stupid/nefarious.

Re:

[Anonymous Coward]

Meanwhile the communists using Linux are not a target since they all have ad blockers and get their content via torrents anyway.

Great Strategy

[Anonymous Coward]

>hopes that users will generate money for its creators by viewing (and maybe even clicking) them

Nothing makes me want to support a company more than when in injects advertising onto my computer.

Re:

[progician]

Wait, are you saying that there's no such an urban myth among the prime Apple consumers that Apple products can't be infected by malicious software? Or you're saying that it is indeed the case that there are no worms, viruses or ad-ware on on OS-X devices.

If any of these two, I would call you ignorant fool my self.

I'll worry when it can spread without an installer

[Kenja]

Basically, this requires you to download and execute an installer, then click through it (including entering the administrator password). At that point, you could have installed something far worse then adware.

Re:

[RedHackTea]

Hmmm, so the only useful thing from this /. post: I like the adorable, red robot with the shiny key!

Re:I'll worry when it can spread without an instal

[h4rr4r]

THIS!

The user is a flaw every OS has.

Re:

[the_Bionic_lemming]

Only now, it's "Blame the user" instead of the way it used to be - "Blame that Buggy OS" ..

Re:I'll worry when it can spread without an instal

[h4rr4r]

Not at all.

Blame the buggy OS is when you get a nice drive by install or virus. Adware that requires a user to install is always the users fault.

Re:

[AmiMoJo]

Maybe they are complaining that MacOS runs any software you like, unlike iOS where everything is curated by Apple. This "criticism" (I view it as a complement) is often levelled at Android, for example.

Re:

[h4rr4r]

Then you tell the user to do a jailbreak. Sure it might not always work, but conning users is conning users.

I would rather take the risk, than have my ability to own my computers stolen from me.

Re:

[BasilBrush]

Then you tell the user to do a jailbreak.

Get real.

Re:

[h4rr4r]

Things like this have happened and users have done it.

They get an email telling them about free applications if they visit this website with their iphone. This was back when a webpage could do a jailbreak.

Re:

[BasilBrush]

This was back when a webpage could do a jailbreak.

Oh, sure. Back then it was possible. It's certainly possible to trick a proportion of people to click on a link, and if that does a jailbreak then it's done.

Mind you, to actually be worth the criminal's effort, they'd then have to get the user to also install the app. And it's going to be hard when the last link you gave them took them through a worrisome jailbreak procedure.

However, even that faint possibility is in the past. Drive-by jailbreaking has been dead since July 2011.

Re:

[h4rr4r]

Until another such flaw is found.

Nothing is perfect, this sort of DRM being the least likely to be perfect. You are trying to secure a device against its owner.

Re:

[BasilBrush]

Until another such flaw is found.

Maybe, but that would be a flaw in the OS. Again, the system removes the user as being the flaw that allows trojans to be installed.

You are trying to secure a device against its owner.

No, we are talking about security against malware here. Contrary to your claim, the user is not a flaw in this regard with iOS and the games consoles.

Re:

[h4rr4r]

You might want to think so, but it is a flaw with both of those devices.

If the user wants to install malware that is no different than any other application. The user having control is more important that protecting the system from him.

Re:

[BasilBrush]

The user having control is more important that protecting the system from him.

(Using your definition of control)

It might be to you. For plenty of people, having no worries about software that's downloaded, and having a one stop shop to get apps are both advantages. For them there aren't any downsides.

Re:

[h4rr4r]

There will be when they find out something they wanted is not in the app store. Let someone else pick what you can do and you will soon find they don't like the same things you do.

Re:

[BasilBrush]

There will be when they find out something they wanted is not in the app store.

If.

As I pointed out before, this isn't something unique to Apple, console manufacturers have had the same power of selection for decades. And funnily enough, people don't have a problem, because they don't come across types of games that they want, but aren't allowed. But they do get the advantage that selection keeps most of the shit out.

Pretty much the only people that are complaining about Apple's curated store are Android users who don't even have an iOS device. And they face the uncomfortable truth tha

Re:

[h4rr4r]

When not if. A recent case was some games were removed, before that is was tethering applications, and before that other bullshit.

In consoles what happens is a person buys all the consoles to get the games that are exclusive to each.

I will not respond to you last statement since it is a lie. Those stores are just as curated.

Re:

[BasilBrush]

I will not respond to you last statement since it is a lie. Those stores are just as curated.

If they're just as curated, how come there's so much Android malware?

Re:

[h4rr4r]

Find me some in the google play store. I will wait.

Actual Malware is generally found in pirated apps.
Also there is not much of it, I have never seen it live.

Stop trolling, and educate yourself. Either way user control is more important than safety.

Re:

[BasilBrush]

Find me some in the google play store.

It doesn't seem hard to find.

http://arstechnica.com/security/2012/07/more-malware-found-hosted-in-google-android-market/ [arstechnica.com]

http://wmpoweruser.com/trend-micro-one-in-ten-google-play-store-apps-is-malware/ [wmpoweruser.com]

http://thenextweb.com/insider/2013/02/03/android-malware-emerges-on-google-play-which-installs-a-trojan-on-your-pc-uses-your-microphone-to-record-you/ [thenextweb.com]

Oh, and of course not all app types are available from Google Play Store are they? Where are the ad-blockers for example?

Stop trolling, and educate yourself.

It's you that headed down this path. I m

Re:

[h4rr4r]

Removing the user flaw, has costs that are not acceptable.

No, this is a truth. I say that because one day you will find it out yourself. Once you trade freedom for security you will have and get neither.

Re:

[BasilBrush]

Sorry, but I won't be drinking the OSS Koolaid. It looks every bit as stupid as the Moonies or the Scientologists to me.

Choosing to buy a product of any description is not trading freedom for anything. It's exercising freedom. That's where your religion goes wrong.

Re:

[h4rr4r]

Practicality is not a religion.
Nor do I have any interest in OSS. Free software, yes.

This is not about that though, this is about having a useful device.

Re:

[dgatwood]

No it's not always the user's fault. Try doing this on an un-jailbroken iOS device.

Only the approach is different. There's nothing preventing you from convincing users to install a web browser that provides some customization features and displays extra ads in exchange. And if you can convince them to install it and use it, you now have adware that isn't really substantially different from adware that installs itself as a Safari browser extension on the desktop.

So yes, adware that requires a user to expli

Re:

[BasilBrush]

There's nothing preventing you from convincing users to install a web browser that provides some customization features and displays extra ads in exchange.

Unless the app is up front about this in it's description, then the app will be rejected. If it *is* upfront, and the user chooses to install it anyway, then it's not a problem. The user decided the tradeoff was worth it for the features they are getting.

Re:

[smash]

Try doing this with gatekeeper enabled. If it works at all, it will be for a limited time only until apple revoke the cert, and go after the developer who the cert was issued to.

Re:

[BasilBrush]

Well not quite. This is where the curated app store of iOS comes in. The user can only install apps from a store that requires the apps to be prevetted. And the store will remove any malware that manages to sneak past the vetting process, as soon as it becomes known.

This is removing user stupidity as a vector for trojans.

Re:

[h4rr4r]

This is removing the ability to use your own devices as you see fit.

They don't only remove malware, they also remove useful tools. This is why iOS has no good wifi scanning tools for example.

Re:

[BasilBrush]

Well that's the other side of the trade off. And one that lots of people are happy to make. Being safe from malware being more important to them than wardriving tools, and the other things that aren't on the store.

But for sure iOS, and the games consoles, and every other platform that don't allow the user to download from random sites are exceptions that prove "The user is a flaw every OS has" to be wrong.

Re:

[h4rr4r]

What you call war driving tools I call site survey tools I use for my job.

Append on a computer the user is allowed to own and the statement is true again.

Re:

[hawk]

Yes.

This isn't "malware;" it's "stupidware."

hawk

Re:I'll worry when it can spread without an instal

[j00r0m4nc3r]

At that point, you could have installed something far worse then adware

Like RealPlayer

Re:

[Anonymous Coward]

At that point, you could have installed something far worse then adware

Like RealPlayer

Or QuickTime. Wait.... OH GOD IT'S A MAC IT ALREADY HAS QUICKTIME.

Re:

[BLToday]

QuickTime on Mac is pretty useful. It's shit on WIndows. On the Mac, QuickTime can be used for screen recording and is generally pretty fast. Never knew how useful a screen recorder was until my friend needed to record a training session. Windows version is like me trying to run a marathon in a business suit, isn't very functional and pretty slow.

Re:

[BasilBrush]

Jeez, you just reminded me of one of the things that pushed me to switch to OSX. The Realplayer menace - shudder.

Re:

[thetoadwarrior]

Exactly. It doesn't really target OS X, it targets complete morons.

Re:

[smash]

Most of the network engineers, storage engineers I know run Mac Laptops. Linus himself owns apple machines. Try again.

Re:

[marsu_k]

Linus himself owns apple machines.

...and he runs Linux on them, your point is?

Re:

[Anonymous Coward]

You and the summary left out the best part: the installer's name is "Free Twit Tube." Almost as bad as a girl on a dating site agreeing to go out with someone with the username "DonkeyPunchLover."

Re:

[Anubis IV]

Exactly. And given past trends, it's entirely likely that there will be a malware definition update pushed out to all Macs running the last few iterations of OS X within the next 24-48 hours, rendering this threat moot.

Moreover, even in the case of idiotic users, the default behavior on all new Macs is to not allow installs from unregistered developers. I.e. This malware will only work against folks who ignore all warnings and are using something other than the latest release, which had an extremely fast ad

Re:

[Anonymous Coward]

And then, after downloading, and authenticating the install, OS-X also reminds you that it is from the Internet and you might want to pause and consider before actually launching the program.

It really does target people who *want* to run it.

Re:

[smash]

You also forgot - bypass gatekeeper or click through the "are you sure, this is unsigned code?" warning.

Re:I'll worry when it can spread without an instal

[amicusNYCL]

Unlike in Windows, where you simply have to view an advert in Internet Explorer and your system is infected...

IE itself is exploited no more than 10% of the time to infect a Windows computer. Windows gets drive-by infections these days from exploits in Java, Acrobat, and Flash, which are not unique to Windows. There's no reason for attackers to focus on a single browser any more when they can instead target a plugin like Java that works across all browsers.

Re:

[McFly777]

There's no reason for attackers to focus on a single browser any more when they can instead target a plugin like Java that works across all browsers.

Java... Write once, Infect everywhere!

Re:

[smash]

You mean like the huge number of users still running Firefox 3.5, despite there being many security updates it doesn't have?

Yontoo

[BradleyAndersen]

Yontoo has been around already, and not just @ Macs. I recently removed it from a Windows 7 PC. The uninstaller does not uninstall (shock!) ... one needs to remove registry keys to prevent this thing from sticking itself into Chrome, IE, etc. Spybot will find it well before Norton and others.

Re:

[MachineShedFred]

Luckily for Mac users though, that if it installs from a standard PKG or MPKG (which another comment above basically states) you can go to /var/db/receipts and get the entire bill of materials for that package with the lsbom command.

Pipe that into a delete routine, and you're all set.

(this works as a fairly effective uninstall for most PKG installs)

Re:

[BasilBrush]

Interesting. Is that how apps like AppZapper know what to delete when uninstalling some random app?

I'm not sure how useful it would be for malware though, because when it's run for the first time, it can of course create new copies of files with different names and/or locations.

Re:

[MachineShedFred]

I haven't looked at AppZapper, but I did write a perl script that would uninstall just about any PKG by reversing the order of the lsbom output, and then deleting files, and deleting the directory if it was empty.

Worked like a champ for getting rid of an application that liked to scribble all over the disk, rather than be a good Mac app and self-contain...

As for the malware thing, it's got to run from somewhere. As they can't even be bothered to find themselves a proper exploit to get installed, I doubt th

Here it comes

[Sparticus789]

In this corner, wearing the green trunks, the Apple FanBoys. In the opposing corner, wearing the blue trunks, the Windows FanBoys. Standing outside the ring, holding the steel folding chair and molotov cocktail, the Linux FanBoys. LET THE GAMES BEGIN!

Re:

[fermion]

No, just the Camino FanBois.

uh oh

[slashmydots]

Yontoo Layers is a "legitimate" advertising program that just barely complies with US laws. I find it on at least 1 in 3 customer computers at my shop. It has a legit uninstaller and asks for permission to install by piggybacking on freeware and installer framers like download.com's new atrocity. So to call it a trojan is just asking for another Symantec style lawsuit for defamation, etc. You have to call it "possibly unpopular software" now. And if this is coincidentally another Yontoo unrelated to the actual company, that's a whole new depth of deep shit they're in for naming it that. That'd be right up there with naming it Pepsi.

Re:

[slashmydots]

Don't virus writers rarely name their viruses? It's usually "security researchers" they name them. They should stop giving them such cool-sounding names half the time! Seriously@ Yontoo is crap but I've heard stuff like overlord and mega-justaboutanything and things sounding like a japanese robot. Seriously. Call it jackass1, asshole2, and my favorite, srslywtfwhatajackass32

Lies.....

[Anonymous Coward]

Lies.. All Lies.. Mac's can't be infected.

Best thing about adware on OS X?

[boudie2]

It just works!

So, use Opera...

[ivi]

ibid.

Scrolling Trolling

[istartedi]

Scrolling Trolling is about as much fun as Strolling Bowling [youtube.com]. I can't believe the Slashdot devs can't fix this.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[black3d]

He's trying to do a parody of Time Cube. www.timecube.com It's a relatively good impression in places, but it'd be better in a more appropriate article.

Is that you, Ron Paul?

[raymorris]

Anyone else think that sounds like Ron Paul?

Inb4 apple h8rz

[noh8rz10]

Inb4 cries of "but apple always said they were virus free!" NB this is a Trojan which the user installs himself. These have always been an issue with macs, although not very prevalent. Now OSx has built in blacklisting which is pushed out to all computers every update. I'm sure this will be blocked in the near future if not blocked already. Not too shabby, eh?

Re:

[Wookact]

You do realize that in the minds of 99.9% of the population that trojans are a type of virus. Therefore if you say you are immune to viruses, and you KNOW that people think trojans are viruses, and you DO NOT clarify. Then you have INTENTIONALLY misled people.

Re:

[noh8rz10]

what do you want me to say? regardless of people's perceptions, words have definitions, and those definitions are what defines them. truth and accuracy are the twin torches by which I light my path in life.

Re:

[Wookact]

Actually in the world of communications, misunderstandings are the speakers fault, and not the listeners fault.

Apple intentionally mislead people. It does not matter if they are technically correct, they left out key information that would have assisted the listener in understanding the issue better. That makes it AOK in my book at least to gripe about the fact that Apple mislead the pleebs.

Food for thought::
Bill Clinton said he did not have sex with Monica, and he didn't, and people still got piss

Re:

[noh8rz10]

I dont think you know much about communications. Perhaps you misunderstood what I said earlier?

Re:

[Wookact]

I have obviously failed to explain my position adequately.

I understood you correctly if you were saying that apple never made the overt claim that they are safe from trojans. Therefore people should not make any disparaging comments concerning their previous statments.

My supposition is because they made an overt claim that it was safe from viruses, that they implied that they were protected from malware. Due to the implication that Apple was safe and others were not, that they mislead consumers.

T

Re:

[noh8rz10]

to be fair, if you go back to the marketing material, you'll see that apple claimed to be immune to PC viruses. A very true statement!

Re:

[Wookact]

Yet you STILL miss the point. Its not about them being technically correct, it is about them being misleading. The fact that you cannot see this, means you do not WANT to see if at this point.

Re:

[noh8rz10]

I think my mods on this thread and your mods show that the majority of slashdotters are in agreement, correctness matters. virus != all teh evilz! Virus = virus, trojan = trojan. Don't want a trojan? don't install one! btw apple has already blocked this in their malware file, so it's no longer a problem (mountain lion, and lion too I think).

Re:

[Wookact]

Check them mods again. You received +1 insightful and +1 Underrated. I received +2 Insightful +1 Interesting and -1 Overrated. But since this has turned into a pissing contest ( You cannot even defend your own point, so you resort to mods?!?) The conversation is now done as far as I am concerned.

Re:

[noh8rz10]

i take it that you're one of those people who took a very specific statement and used it as a license to do whatever you wanted? Now you have trojans? Sux, but at least it was a lesson learned.

Re:

[kermidge]

Given the percentage of people who watch television and the number of some of the advertisements I've seen, I'd venture that most people consider Trojans to be a brand of raincoat to be worn by Mr. Willie "Pud" Johnson for, among other things, preventing the spread of viruses and such.

Re:

[Lisias]

One should not be responsible for the ignorance of others.

If I'm going to drive in U.K., it's my responsibility to keep the car on the "wrong side" of the way. No british should be liable if he says to me "keep you car on the right side of the street", and I take it literally.

The same should happen with computers. There's a clear, well known, accepted definition for Virii and Trojans. For decades now. They invented this "malware" concept for a good reason.

Re: Inb4 apple h8rz

[mjwx]

Very shabby. Blacklists suck as a defence. Look at how many different versions of Windows Trojans like Zeus and Conficker there are. Blacklisting one only means that a malware author has to make minor revisions to get around it. A malware author with half a brain would have prepared several in advance. Blacklist all you like. It wont help against an unpatched vulnerability or an 0day. The problem with Apple security is that Apple have trained their users to believe they are automagically protected.

Re:

[smash]

Which is where gatekeeper comes in. If gatekeeper is enabled this will either warn that this is unsigned code, or outright prevent it from running unless the user bypasses it manually. I.e., if you run a current OS (even back to 10.7.4) - you are, by default, protected from this.

Re:

[smash]

Furthermore, even if you don't use the blacklisting, both Lion (Pretty sure, since 10.7.4) and Mountain Lion both have gatekeeper. Which if enabled or left enabled will warn that this software is not signed.

Sure, if you have this option turned off then you can run and install it like any other software. But if you've turned that option off, it is expected that you know what you are doing.

Re:

[Nerdfest]

But Windows is protected. I smell a conspiracy.

Re:

[CanHasDIY]

shred -fuz /*

Re:

[AliasMarlowe]

shred -fuz /*

If you're not logged in as root (and many linuxes strongly discourage it), you'd need a sudo in front of that. Anyway,
sudo srm -rz /*
would work better, as it will wipe many jounaled file systems. Both would leave fragments around on NFS volumes, however.

While you're at it, don't forget to leave the shred or srm command until last, after you've cleaned "empty" space and the swap file. To clean empty space, first fill it with:
sudo scrub -X -s 1G /
Some versions of scrub will also remove the file

Re:

[CanHasDIY]

... aaaaand this is why I continue to visit Slashdot! Great post, man. Just spiffy. /nosarc

Re:

[0111 1110]

How can you use sudo without the account password? Also, what if sudo is not installed?

Re:

[progician]

Obvious answer is a good configure script :)

Re:

[flyingfsck]

Yeah well, rm -rf is so 01d 5k001. You can do much better on bleeding edge Linux distros with: cat /dev/zero /tmp/crashme

Re:

[Anonymous Coward]

Everyone here knows that when a user installs something malicious on Windows it is Microsoft's fault, but when a user installs something malicious on OS X it is the user's fault. Come on that is Slashdot 101.