Friday, March 22, 2013

Modular Mac OS X malware serves up ads for hacker revenue

New OS X malware -- written specifically for Macs -- was discovered and reported on Wednesday. It seems that the trojan, dubbed “Trojan.Yontoo.1” by Russian security firm Dr. Web, is seeking revenue, but in a possibly less damaging way than most. It installs an adware plugin that injects ads into Chrome, Firefox, and Safari.

While less damaging than trying to steal passwords or other financial information, Dr. Web warned that Yontoo appears to be part of a wider scheme of adware for OS X that has “been increasing in number since the beginning of 2013.”
Yontoo, in particular, was spotlighted because it downloads and installs an adware browser plugin, meaning that attackers could -- if they wanted -- swap out the adware module for a different, perhaps more harmful one.

Dr. Web is the same company that was first to discover the infamous Flashback OS X malware in 2012.

The miscreants leveraged the weakest part of security: human beings. The malware infects Mac owners by putting up a faux "missing plugin" dialog that prompts users to install a media player or browser enhancement to play a video.

In one example given, the user is asked whether they want to install Free Twit Tube. Hilariously, the EULA even mentions the name of the malware, Yontoo.

If a user falls for the gambit, the Yontoo plugin is installed for Safari, Chrome and Firefox. Information about pages being loaded into the browsers is processed by a server, which then sends back a file that embeds third-party code into the webpages being visited by the user.

As Dr. Web points out, a similar method is being used to insert adware on Windows PCs, but this new malware emphasizes, once again, that Mac OS X is now a valid target for malware.
