Macs Don’t Get Viruses? Lies!

Mac OS X users suddenly seeing ads popping up on various Websites may be infected by an ad-injecting Trojan.

“Trojan.Yontoo,” a malware variant targeting Mac OS X first identified by Russian antivirus outfit Dr. Web, tricks users into downloading it by posing as some other plugin or application. Once on the computer, the malware injects ads into Safari, Chrome, and Firefox. As reported earlier, users are prompted to install Yontoo as a browser plugin on sites claiming to host movie trailers. Yontoo can also present itself as a media player, download accelerator, or even a “video quality enhancement program.”

When the user agrees to install the application, called “Free Twit Tube,” the Trojan installs a plugin for the browsers already on the system, including Safari, Firefox, and Chrome. Yontoo then monitors the user’s Web browsing activity and transmits that information back to a remote server. The malware then receives instructions on which pages to inject ads into. This way, the group behind the malware collects ad impressions on nearly any Website they want.

“Some users may be infected without even knowing, as pop-up messages and ads are so widely spread that they won’t raise suspicions to the untrained eye,” Bogdan Botezatu, senior e-threat analyst at BitDefender, told SecurityWatch.

Actual infection numbers are currently not available. Since only a small fraction of Mac OS X users run an antivirus solution, it is hard to know how many people were infected in the first place, Botezatu said.

For Now, Just an Affiliate Ad Program
The ads themselves aren’t malicious in the sense that they aren’t downloading malware or exploiting any software holes. Yontoo also doesn’t appear to take advantage of any security holes in OS X but relies on social engineering to get itself installed on the target system.

Yontoo’s primary goal is taking advantage of affiliate advertising on a wide range of Websites, Botezatu said. The Trojan injects affiliate banners into the Web pages the user is browsing, even if that page doesn’t carry any ads of its own. Banners may show up on e-commerce sites and catch the user’s attention. The user may click on the banner thinking it is a legitimate ad and be redirected to a different site, and the group behind the malware gets paid as part of the affiliate program.

Dr. Web found an instance of Apple-related ads being injected on Apple’s Website. Botezatu wasn’t sure whether that was just a coincidence, but it appears that attackers are actually targeting ads using the site’s context and user’s geographic location.

It’s not a particularly sophisticated piece of malware, but the fact that there is code sitting in the browser and monitoring every single piece of information is scary and dangerous, Botezatu said. Criminals can change their approach at any time: while they may be injecting ads today, tomorrow they could switch to injecting exploit code or directing users to phishing sites and drive-by-download attack sites. The malware’s structure can also be modified to display malvertisements or steal browser cookies, Botezatu said.

It’s also not limited to just Mac OS X, as Symantec has previously identified a Windows version of Yontoo. Adware for Mac OS X has been increasing for some time, and Mac users need to be vigilant about what applications they download and install so that they don’t inadvertently infect themselves.
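Because Yontoo lives as a browser plugin, one practical check is simply to inventory what is installed in each browser and compare it against what the user knowingly added. The script below is an added example for this article, not code from Dr. Web, BitDefender, or Symantec. The directory locations are the standard per-user extension folders used by Safari, Chrome, and Firefox on OS X; the allowlist and the sample home directory it scans are constructed for illustration, and the extension names in them are hypothetical.

```python
"""Inventory per-user browser extensions and plug-ins on a Mac OS X home
directory and flag anything not on an allowlist of known-good items.

Added example for this article. Directory layout follows the standard OS X
locations; ALLOWLIST and build_sample_home() are constructed test data.
"""
import sys
import tempfile
from pathlib import Path

# Where each browser keeps user-installed extensions, relative to $HOME.
# Firefox has one sub-directory per profile, each with its own extensions/.
EXTENSION_DIRS = {
    "Safari": "Library/Safari/Extensions",
    "Chrome": "Library/Application Support/Google/Chrome/Default/Extensions",
    "Firefox": "Library/Application Support/Firefox/Profiles",
    "Internet Plug-Ins": "Library/Internet Plug-Ins",
}

# Constructed allowlist: items the user deliberately installed (hypothetical names).
# Chrome extension directories are named by a 32-letter extension ID.
ALLOWLIST = {
    "Safari": {"MyCompanyToolbar.safariextz"},
    "Chrome": {"abcdefghijklmnopabcdefghijklmnop"},
    "Firefox": set(),
    "Internet Plug-Ins": {"SampleMediaPlugin.plugin"},
}


def inventory(home):
    """Return sorted (browser, item name) pairs for everything installed under `home`."""
    home = Path(home)
    found = []
    for browser, rel in EXTENSION_DIRS.items():
        base = home / rel
        if not base.is_dir():
            continue
        if browser == "Firefox":
            # Profiles/<id>.<name>/extensions/<addon-id>.xpi
            dirs = [p / "extensions" for p in base.iterdir() if (p / "extensions").is_dir()]
        else:
            dirs = [base]
        for d in dirs:
            found.extend((browser, entry.name) for entry in d.iterdir())
    return sorted(found)


def flag_unknown(entries, allowlist):
    """Return the entries whose name is not allow-listed for that browser."""
    return [(b, n) for b, n in entries if n not in allowlist.get(b, set())]


def build_sample_home():
    """Constructed home directory: one expected item per browser plus three unexpected ones."""
    home = Path(tempfile.mkdtemp())
    # (relative path, is_directory) -- names are made up for the example
    items = [
        ("Library/Safari/Extensions/MyCompanyToolbar.safariextz", False),
        ("Library/Safari/Extensions/UnknownPlayer.safariextz", False),
        ("Library/Application Support/Google/Chrome/Default/Extensions/"
         "abcdefghijklmnopabcdefghijklmnop", True),
        ("Library/Application Support/Google/Chrome/Default/Extensions/"
         "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz", True),
        ("Library/Application Support/Firefox/Profiles/abc123.default/extensions/"
         "unknown@example.invalid.xpi", False),
        ("Library/Internet Plug-Ins/SampleMediaPlugin.plugin", True),
    ]
    for rel, is_dir in items:
        p = home / rel
        if is_dir:
            p.mkdir(parents=True)
        else:
            p.parent.mkdir(parents=True, exist_ok=True)
            p.touch()
    return home


if __name__ == "__main__":
    # Scan a real home directory if one is given, otherwise the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_home()
    for browser, name in flag_unknown(inventory(target), ALLOWLIST):
        print(f"unexpected {browser} item: {name}")
```

Run it with no arguments to see it flag the three unexpected items in the sample layout, or pass a home directory path to scan a real account. Anything it reports should be checked against what the user remembers installing; a media player or “video enhancer” that nobody asked for is exactly the kind of entry worth removing.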