OFFICIAL SECURITY BLOG


Yontoo: adware or malware?

Published March 22nd, 2013 at 12:18 PM EDT , modified March 22nd, 2013 at 12:18 PM EDT

There has been a lot of talk in the last week about a new bit of adware for the Mac, called Yontoo. Adware is never popular, whether it is legitimate or not, and it is a frequent source of disagreement in the security community; it is very rare for anti-virus companies to agree on where adware ends and malware begins. Even a program like FkCodec (aka Codec-M), which is without a doubt designed to trick users into installing it in order to earn ad revenue, is not detected by many anti-virus programs. (One of my FkCodec samples earned the lowest detection rate in my recent testing, being identified by only 7 of 20 anti-virus engines.) So why has Yontoo gotten so much attention?

First of all, we need to look at what Yontoo actually is. Yontoo is software that includes a browser plug-in, and claims to allow users to “create virtual layers that can be edited to create the appearance of having made changes to the underlying website.” That sounds a bit dodgy, and prone to misuse at the very least. Interestingly, though, the Yontoo web site appears to provide no way to actually download this software, only PR material and contact information. In this respect, it doesn’t seem much like malware: even the poorly-detected FkCodec had no known entity behind it. A public web site like this is exceptionally unusual for malware, but is to be expected of adware of questionable utility but no actual malicious intent.

However, at least three major anti-virus companies that I know of (Sophos, Intego and Dr. Web) have thrown their weight behind calling Yontoo malware. More interesting is the fact that Apple has updated its XProtect definitions to recognize Yontoo as malware. (There appear to be multiple versions, though, and not all are detected. The one I tested with was not caught by today’s XProtect definitions, though I did have to purposely bypass Gatekeeper in order to get it to run.)

Apparently, this is because of the very deceptive techniques it has been spotted using to get itself installed. According to Dr. Web, it has been posing as a variety of different programs, including video plugins and download accelerators. That is definitely a malware technique, not the hallmark of a misunderstood, ad-driven piece of software. Once installed, the plugin injects ads into web pages that do not normally contain them. The obvious intent is to generate revenue through click-throughs: in pay-per-click advertising, the advertiser pays whoever is hosting the ad for every click, and these injected ads would show up as being hosted by Yontoo.

Yontoo installer

I managed to obtain a copy of Yontoo from VirusTotal. Because of the source, I have no idea how it was originally presented to the user, but the installer was an extremely generic-looking app, having an Apple installer icon (despite being an application and not an installer package file) and blandly named “Custom Installer”.

When launched, the app presents the familiar interface of the Apple installer:

Yontoo installer 2

This installer, however, claims to install something called Torrent Handler. On proceeding, the installer eventually contacts a server in the yontoo.com domain and then finishes. The result is that two extensions, named Torrenthandler and Yontoo, have been added to Safari:

Yontoo extensions

In the end, it’s unclear exactly what’s going on here. Is Yontoo disguising itself as some torrent plugin? Is it being invisibly bundled with this Torrent Handler software? More information would be needed to know for sure.

Given the discoveries made by Dr. Web, it’s at a minimum certain that this Yontoo software is being misused by someone. Whether that someone is the maker of Yontoo or whether it’s a hacker who is simply using Yontoo for an unintended purpose is unclear. In any case, though, I’m inclined to call Yontoo malware. Worst case scenario, I’m wrong and have incorrectly labeled a bit of useless junk software as being malicious. I think I can live with that!

If you find yourself “infected” with this kind of adware, closely examining and disabling browser extensions is an important thing to try. In Safari, that means the Extensions pane of Safari’s preferences; note that disabling an extension there leaves its .safariextz file in place in ~/Library/Safari/Extensions, so use the Uninstall button (or delete the file) if you want it gone entirely. There are other possibilities as well, of course. For more information about this kind of thing, see Eliminating browser redirects and advertisements.
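As an added example (not code from the original post, and not Yontoo’s or Apple’s), the following script does the “examine and disable browser extensions” triage step programmatically for Safari: it parses a Safari Extensions.plist inventory, lists each installed extension with its enabled state, flags names matching a watch-list (the two extension names seen above), and writes back a copy with the flagged ones disabled. The plist layout it assumes (an “Installed Extensions” array of dicts with “Archive File Name” and “Enabled” keys) is reconstructed from the Safari 5/6-era format and is an assumption; the sample plist embedded at the bottom is constructed for this example.

```python
"""Safari extension triage for Yontoo-style adware (added example, not the post's code).

Assumed Extensions.plist layout (Safari 5/6 era, ~/Library/Safari/Extensions/Extensions.plist):
  {"Installed Extensions": [{"Archive File Name": "Foo.safariextz", "Enabled": True}, ...]}
"""
import plistlib
import re
import sys

# Names reported in the post; matched case-insensitively against the archive file name.
ADWARE_PATTERNS = [r"yontoo", r"torrent\s*handler"]


def _compile(patterns):
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def load_extensions(plist_bytes):
    """Return [(archive_name, enabled), ...] from Extensions.plist bytes (XML or binary)."""
    data = plistlib.loads(plist_bytes)
    entries = data.get("Installed Extensions", [])
    return [(e.get("Archive File Name", "?"), bool(e.get("Enabled", False))) for e in entries]


def flag_suspicious(extensions, patterns=ADWARE_PATTERNS):
    """Return the archive names whose name matches any watch-list pattern."""
    regexes = _compile(patterns)
    return [name for name, _enabled in extensions if any(r.search(name) for r in regexes)]


def disable_flagged(plist_bytes, patterns=ADWARE_PATTERNS):
    """Return (new_plist_bytes, names_disabled): flagged entries get Enabled=False, others untouched.

    Disabling only stops Safari loading the extension; the .safariextz file stays on disk.
    """
    regexes = _compile(patterns)
    data = plistlib.loads(plist_bytes)
    changed = []
    for entry in data.get("Installed Extensions", []):
        name = entry.get("Archive File Name", "")
        if entry.get("Enabled") and any(r.search(name) for r in regexes):
            entry["Enabled"] = False
            changed.append(name)
    return plistlib.dumps(data), changed


# Constructed sample inventory: one benign extension plus the two names seen in the post.
SAMPLE_PLIST = plistlib.dumps({
    "Installed Extensions": [
        {"Archive File Name": "ClickToFlash.safariextz", "Enabled": True},
        {"Archive File Name": "Torrenthandler.safariextz", "Enabled": True},
        {"Archive File Name": "Yontoo.safariextz", "Enabled": True},
    ],
    "Version": 1,
})


def main(argv):
    # Usage: python triage.py [path/to/Extensions.plist]; without a path, uses the sample.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_PLIST
    exts = load_extensions(raw)
    for name, enabled in exts:
        print("%-32s %s" % (name, "enabled" if enabled else "disabled"))
    flagged = flag_suspicious(exts)
    print("flagged:", ", ".join(flagged) if flagged else "none")
    if flagged and len(argv) > 1:
        new_raw, changed = disable_flagged(raw)
        with open(argv[1] + ".disabled", "wb") as fh:   # write a copy, never overwrite in place
            fh.write(new_raw)
        print("wrote copy with %d extension(s) disabled to %s.disabled" % (len(changed), argv[1]))


if __name__ == "__main__":
    main(sys.argv)
```

The script never rewrites the live plist; it writes a sibling copy so you can diff it before swapping it in with Safari closed. Treat the watch-list as a starting point only: the post shows Yontoo shipping under a different name (Torrent Handler), so an unfamiliar extension that you did not knowingly install deserves the same suspicion whether or not it matches a pattern.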


6 Comments

  • Darren Kehrer says:

    With the recent Security Update 2013-001 for SL, for one, Safari 5.1.8 was bundled with this update (mentioned on other websites). But I just noticed that in System Preferences, Security, General... there has been a replacement: there used to be a toggle for the XProtect system, now it states:
    “Automatically install important security updates.”

    I wonder how this differs from Software Update and if this new thing still has the ability to toggle and force an Xprotect update.

    • Al Varnell says:

      Very little is known about this and since it’s security related, Apple probably won’t be saying much more. “About file quarantine in OS X” has been updated and if you go all the way to the bottom and click on “Advanced users only” you will find where the XProtect toggle went for Lion/ML users. It seems to be among the missing for Snow Leopard users.

      As far as the “Automatically install important security updates” toggle, that causes a new daemon process called crsud to check with an Apple site, presumably for “important security updates” that it needs to download, authenticate and install automatically.

    • Al Varnell says:

      Sorry, I forgot that corner brackets cause entries to disappear here.

      “About file quarantine in OS X” is at http://support.apple.com/kb/ht3662.

  • aalien says:

    “Sounds a bit dodgy” —-> YES!

    “Once installed, the plugin begins to display ads on web pages that do not normally contain those ads.”

    The fu**ing ads!!!!!! (sorry the language)

    It’s always about the ads. I really hate ads, really hate them in all senses and perspectives. Ads should be a crime!

    • Brittany D says:

      aalien I fully agree with you about ads needing to be criminal. BUT how else are sites going to generate revenue? They have to rely on some income to keep their servers and domain registrations up and running. I do hate ads and I use Adblock Plus in FF but unless tons of people around the world are going to start donating to all the sites they visit, I don’t see a way around it. I can see, though, that sites might start opting for monthly memberships which raise money for the site maintenance. But for those who don’t have credit cards AND the ability to pay a monthly fee (budget doesn’t allow for it) they would be left out of using that site which would drive down the hits for that site. I don’t know, I don’t know what we can do other than use an ad blocker in our browsers.

      Onto the Yontoo issue, I haven’t read enough about it to know whether or not it’s really malware but it sure seems that way by this article’s description of it. Anything that pushes ads onto the browser through a downloaded and installed application seems like malware to me. I think browser maintainers should find a way to block that sort of issue from occurring. But I’m not sure it’s possible. I don’t know enough about how web browsers work nor do I know enough about how an app could do such a thing. I do know that I prefer to have an antivirus/antimalware app running but it causes my system to be unstable so I forgo it for the time being. I just freshly reinstalled OS X 10.8 and have a good stable system now. I don’t want to screw with it.

      Thanks Mr. Reed for trying to help us figure this yontoo issue out and for alerting us.

      • Someone says:

        I think that “criminal” is a bit extreme. However, what really annoys me is stuff like trackers, those little things on websites that help advertisers. Ghostery and Adblock together are pretty helpful for stuff like this.
