Slashdot Mirror


New OS X Trojan Adware Injects Ads Into Chrome, Firefox, Safari

An anonymous reader writes "A new trojan specifically for Macs has been discovered that installs an adware plugin. The malware attempts to monetize its attack by injecting ads into Chrome, Firefox, and Safari (the most popular browsers on Apple's desktop platform) in the hopes that users will generate money for its creators by viewing (and maybe even clicking) them. The threat, detected as "Trojan.Yontoo.1" by Russian security firm Doctor Web, is part of a wider scheme of adware for OS X that has "been increasing in number since the beginning of 2013," according to the company."

24 of 129 comments

  1. Clarification by schneidafunk · · Score: 3, Insightful

    Can someone explain to me why advertisers would want to pay for bogus clicks? How does this money get laundered to hide the trojan creator and also defraud the advertiser?

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:Clarification by Darinbob · · Score: 2

      It's their own fault. They do automatic signup and usage of advertising, without ever meeting their customers or getting a contract. Imagine an ad agency doing this with radio and television stations; you could just mail in a letter saying you are manager of WAFK 101.1 FM, and their spot played 27 times, so please pay up.

  2. Re:Makes sense by Anonymous Coward · · Score: 2, Funny

    Meanwhile the communists using Linux are not a target since they all have ad blockers and get their content via torrents anyway.

  3. I'll worry when it can spread without an installer by Kenja · · Score: 5, Insightful

    Basically, this requires you to download and execute an installer, then click through it (including entering the administrator password). At that point, you could have installed something far worse than adware.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  4. Yontoo by BradleyAndersen · · Score: 2

    Yontoo has been around already, and not just @ Macs. I recently removed it from a Windows 7 PC. The uninstaller does not uninstall (shock!) ... one needs to remove registry keys to prevent this thing from sticking itself into Chrome, IE, etc. Spybot will find it well before Norton and others.

    1. Re:Yontoo by MachineShedFred · · Score: 2

      Luckily for Mac users, though, if it installs from a standard PKG or MPKG (which another comment above basically states), you can go to /var/db/receipts and get the entire bill of materials for that package with the lsbom command.

      Pipe that into a delete routine, and you're all set.

      (this works as a fairly effective uninstall for most PKG installs)

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
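The lsbom-driven uninstall described above, as an added shell example that is not part of the original comment: it reads an `lsbom -s -f` listing of a receipt, rejects entries that would escape the install root, and removes files deepest-first, dry-run by default. Since lsbom only exists on macOS, a constructed listing with hypothetical package paths stands in for the real receipt.

```shell
#!/bin/sh
# Added example (not from the original post): turn a package receipt's
# bill of materials into a reviewable, depth-ordered removal list.
# On a Mac the listing comes from:  lsbom -s -f /var/db/receipts/<pkgid>.bom
# (paths only, files only). A constructed listing stands in for it here so
# the script runs anywhere; the package paths are hypothetical.
SAMPLE_BOM_LISTING='./Library/Internet Plug-Ins/ExampleAds.plugin/Contents/Info.plist
./Library/Internet Plug-Ins/ExampleAds.plugin/Contents/MacOS/ExampleAds
./Library/LaunchAgents/com.example.ads.plist
./Library/Application Support/ExampleAds/config.json'

# bom_removal_list ROOT   (stdin: lsbom -s -f output)
# Prints absolute paths, deepest first, so files go before their parents.
# Entries not starting with "./", or containing "..", are dropped: a
# receipt must never point outside the install volume.
bom_removal_list() {
    root=${1%/}
    while IFS= read -r p; do
        case $p in
            ./*) ;;
            *) continue ;;
        esac
        case $p in
            *../*|*/..) continue ;;
        esac
        abs="$root/${p#./}"
        depth=$(printf '%s' "$abs" | tr -cd '/' | wc -c | tr -d ' ')
        printf '%d\t%s\n' "$depth" "$abs"
    done | sort -rn -k1,1 | cut -f2-
}

# uninstall_from_bom ROOT   (stdin: lsbom -s -f output)
# Dry run unless DRY_RUN=0; even then only regular files and symlinks
# are removed, and emptied directories are left for manual review.
uninstall_from_bom() {
    bom_removal_list "$1" | while IFS= read -r f; do
        if [ "${DRY_RUN:-1}" != 0 ]; then
            printf 'would remove: %s\n' "$f"
        elif [ -f "$f" ] || [ -L "$f" ]; then
            rm -f -- "$f"
        fi
    done
}

# Dry run over the constructed listing:
printf '%s\n' "$SAMPLE_BOM_LISTING" | uninstall_from_bom /
```

Review the dry-run output against the receipt before setting DRY_RUN=0, and feed a real receipt with `lsbom -s -f /var/db/receipts/<pkgid>.bom | uninstall_from_bom /`.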
  5. Re:I'll worry when it can spread without an instal by h4rr4r · · Score: 4, Insightful

    THIS!

    The user is a flaw every OS has.

  6. uh oh by slashmydots · · Score: 4, Interesting

    Yontoo Layers is a "legitimate" advertising program that just barely complies with US laws. I find it on at least 1 in 3 customer computers at my shop. It has a legit uninstaller and asks for permission to install by piggybacking on freeware and installer framers like download.com's new atrocity. So to call it a trojan is just asking for another Symantec style lawsuit for defamation, etc. You have to call it "possibly unpopular software" now. And if this is coincidentally another Yontoo unrelated to the actual company, that's a whole new depth of deep shit they're in for naming it that. That'd be right up there with naming it Pepsi.

  7. Re:I'll worry when it can spread without an instal by j00r0m4nc3r · · Score: 4, Funny

    At that point, you could have installed something far worse than adware

    Like RealPlayer

  8. Re:I'll worry when it can spread without an instal by Anonymous Coward · · Score: 3, Funny

    You and the summary left out the best part: the installer's name is "Free Twit Tube." Almost as bad as a girl on a dating site agreeing to go out with someone with the username "DonkeyPunchLover."

  9. Re:I'll worry when it can spread without an instal by h4rr4r · · Score: 4, Insightful

    Not at all.

    Blaming the buggy OS is for when you get a nice drive-by install or virus. Adware that requires a user to install it is always the user's fault.

  10. Better Question by Deathlizard · · Score: 4, Interesting

    Can someone explain to me why Yontoo is detected on the Mac platform but on Windows it's totally OK?

    While we're at it, why are none of these still detected by any malware scanner, even as a Potentially Unwanted Program? I'm sure just about anything listed here does a lot more malicious stuff than anything spyware like Gator ever did.

    Anything from Conduitt
    Anything from Mindspark Interactive
    myfuncards
    arcadecandy
    arcadeweb
    funweb
    freeze.com
    pricegong
    getsavin
    coupon wonderland
    fantistigames
    big fish games
    quiklinkx
    defaulttab
    mywebsearch
    we care ASCPA Reminder (my personal favorite. When you uninstall it, it basically accuses you of wanting to kill puppies.)
    shop to win
    inbox toolbar
    anything from Crawler
    24x7 help
    blekko
    dealply
    ETC

    Most of the above either pop up ads, install, or trick users into installing more junk like registry scanners, fake Flash players and the like. Yet almost no scanner I've found, short of JRT or ADWcleaner, gets rid of these things.

    It's about time these AV companies wake the heck up and realize that spyware is back, disguising itself as adware, and is more prevalent than ever.

  11. Re:I'll worry when it can spread without an instal by Anubis+IV · · Score: 2

    Exactly. And given past trends, it's entirely likely that there will be a malware definition update pushed out to all Macs running the last few iterations of OS X within the next 24-48 hours, rendering this threat moot.

    Moreover, even in the case of idiotic users, the default behavior on all new Macs is to not allow installs from unregistered developers. I.e., this malware will only work against folks who ignore all warnings and are using something other than the latest release, which had an extremely fast adoption rate, or for users who have explicitly chosen to override the default behavior, in which case they'll still need to ignore all of the warnings.

  12. Inb4 apple h8rz by noh8rz10 · · Score: 2

    Inb4 cries of "but Apple always said they were virus free!" NB this is a Trojan which the user installs himself. These have always been an issue with Macs, although not very prevalent. Now OS X has built-in blacklisting which is pushed out to all computers every update. I'm sure this will be blocked in the near future if not blocked already. Not too shabby, eh?

    1. Re:Inb4 apple h8rz by Wookact · · Score: 2

      You do realize that in the minds of 99.9% of the population, trojans are a type of virus? Therefore if you say you are immune to viruses, and you KNOW that people think trojans are viruses, and you DO NOT clarify, then you have INTENTIONALLY misled people.

    2. Re:Inb4 apple h8rz by noh8rz10 · · Score: 2

      What do you want me to say? Regardless of people's perceptions, words have definitions, and those definitions are what defines them. Truth and accuracy are the twin torches by which I light my path in life.

    3. Re:Inb4 apple h8rz by Wookact · · Score: 2, Interesting

      Actually, in the world of communications, misunderstandings are the speaker's fault, and not the listener's fault.

      Apple intentionally misled people. It does not matter if they are technically correct; they left out key information that would have assisted the listener in understanding the issue better. That makes it AOK in my book, at least, to gripe about the fact that Apple misled the plebs.

      Food for thought:
      Bill Clinton said he did not have sex with Monica, and he didn't, and people still got pissed at him for "lying". Why is that?

    4. Re: Inb4 apple h8rz by mjwx · · Score: 2

      Very shabby. Blacklists suck as a defence. Look at how many different versions of Windows Trojans like Zeus and Conficker there are. Blacklisting one only means that a malware author has to make minor revisions to get around it. A malware author with half a brain would have prepared several in advance. Blacklist all you like. It won't help against an unpatched vulnerability or a 0day. The problem with Apple security is that Apple have trained their users to believe they are automagically protected.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    5. Re: Inb4 apple h8rz by smash · · Score: 2

      Which is where Gatekeeper comes in. If Gatekeeper is enabled, this will either warn that this is unsigned code, or outright prevent it from running unless the user bypasses it manually. I.e., if you run a current OS (even back to 10.7.4), you are, by default, protected from this.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  13. Re:The only defence is a good HOST file by black3d · · Score: 2

    He's trying to do a parody of Time Cube. www.timecube.com It's a relatively good impression in places, but it'd be better in a more appropriate article.

    --
    "The true measure of a person is how they act when they know they won't get caught." - DSRilk
  14. Re:I'll worry when it can spread without an instal by Anonymous Coward · · Score: 2, Insightful

    And then, after downloading and authenticating the install, OS X also reminds you that it is from the Internet and you might want to pause and consider before actually launching the program.

    It really does target people who *want* to run it.

  15. Re:I'll worry when it can spread without an instal by BLToday · · Score: 2

    QuickTime on Mac is pretty useful. It's shit on Windows. On the Mac, QuickTime can be used for screen recording and is generally pretty fast. Never knew how useful a screen recorder was until my friend needed to record a training session. The Windows version is like me trying to run a marathon in a business suit: it isn't very functional and is pretty slow.

  16. Re:I'll worry when it can spread without an instal by amicusNYCL · · Score: 3, Insightful

    Unlike in Windows, where you simply have to view an advert in Internet Explorer and your system is infected...

    IE itself is exploited no more than 10% of the time to infect a Windows computer. Windows gets drive-by infections these days from exploits in Java, Acrobat, and Flash, which are not unique to Windows. There's no reason for attackers to focus on a single browser any more when they can instead target a plugin like Java that works across all browsers.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  17. Re:I'll worry when it can spread without an instal by smash · · Score: 2

    Most of the network engineers and storage engineers I know run Mac laptops. Linus himself owns Apple machines. Try again.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.