Yontoo: adware or malware?
Published March 22nd, 2013 at 12:18 PM EDT , modified March 22nd, 2013 at 12:18 PM EDT
There has been a lot of talk in the last week about a new bit of adware for the Mac, called Yontoo. Adware is never popular, whether it is legit or not, and is a frequent source of disagreement in the security community. It is very rare that anti-virus companies manage to come to agreement on this topic. Even a program like FkCodec (aka Codec-M), which is without a doubt designed to trick users into installing it to earn ad revenue, is not detected by many anti-virus programs. (One of my FkCodec samples earned the lowest detection rate in my recent testing, being identified by only 7 of 20 anti-virus engines.) So why has Yontoo gotten so much attention?
First of all, we need to look at what Yontoo actually is. Yontoo is software that includes a browser plug-in, and claims to allow users to “create virtual layers that can be edited to create the appearance of having made changes to the underlying website.” Sounds a bit dodgy, and prone to misuse at the very least. Interestingly, though, the Yontoo web site appears to provide no way to actually download this software, only PR material and contact information. In this respect, it doesn’t seem much like malware. Even the poorly-detected FkCodec didn’t have any known entity behind it. To have a web site like this is exceptionally unusual for malware, but is to be expected of adware of questionable utility but no actual malicious intent.
However, at least three major anti-virus companies that I know of (Sophos, Intego and Dr. Web) have all thrown their weight behind calling Yontoo malware. More interesting is the fact that Apple has updated its XProtect definitions to include recognition of Yontoo as malware. (Although there appear to be multiple versions, and not all are detected. The one I tested with was not caught by today’s XProtect definitions, though I did have to purposefully bypass Gatekeeper in order to get it to run.)
Apparently, this is because of some very deceptive techniques it has been spotted using to get itself installed. According to Dr. Web, it has been posing as a variety of different programs, including video plugins and download accelerators. This is definitely a malware technique, and not the hallmark of a misunderstood, ad-driven piece of software. Once installed, the plugin begins to display ads on web pages that do not normally contain those ads. The obvious intent is to generate revenue through click-throughs. (Web-based advertising works through the advertiser paying whoever is hosting the ad for every click… and these ads would show up as being hosted by Yontoo.)
I managed to obtain a copy of Yontoo from VirusTotal. Because of the source, I have no idea how it was originally presented to the user, but the installer was an extremely generic-looking app, having an Apple installer icon (despite being an application and not an installer package file) and blandly named “Custom Installer”.
When launched, the app presents the familiar interface of the Apple installer:
This installer, however, claims to install something called Torrent Handler. On proceeding, the installer will eventually contact a server in the yontoo.com domain and will finish. The result is that two extensions, named Torrenthandler and Yontoo, have been added to Safari:
In the end, it’s unclear exactly what’s going on here. Is Yontoo disguising itself as some torrent plugin? Is it being invisibly bundled with this Torrent Handler software? More information would be needed to know for sure.
Given the discoveries made by Dr. Web, it’s at a minimum certain that this Yontoo software is being misused by someone. Whether that someone is the maker of Yontoo or whether it’s a hacker who is simply using Yontoo for an unintended purpose is unclear. In any case, though, I’m inclined to call Yontoo malware. Worst case scenario, I’m wrong and have incorrectly labeled a bit of useless junk software as being malicious. I think I can live with that!
If you find yourself “infected” with this kind of adware, closely examining and disabling browser extensions is an important thing to try. There are other possibilities as well, of course. For more information about this kind of thing, see Eliminating browser redirects and advertisements.
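As an added illustration of the "examine your browser extensions" step (not part of the original post), the script below lists the Safari extension bundles in a folder and flags the two names that turned up in this Yontoo sample. It assumes the Safari layout of that era, where each installed extension is a .safariextz file under ~/Library/Safari/Extensions; the watchlist contents are taken from this post and can be extended.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the legacy
# Safari layout: one <Name>.safariextz file per installed extension
# under ~/Library/Safari/Extensions/.

# Extension names observed in the Yontoo installer described above.
WATCHLIST="Yontoo Torrenthandler"

# Print one line per extension in the given directory:
#   "SUSPECT <name>" when the name is on the watchlist (case-insensitive),
#   "ok <name>"      otherwise.
# Returns 1 if at least one suspect extension was found, else 0.
list_safari_extensions() {
    dir="$1"
    found=0
    for f in "$dir"/*.safariextz; do
        [ -e "$f" ] || continue          # glob did not match: nothing installed
        name=$(basename "$f" .safariextz)
        lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        status=ok
        for w in $WATCHLIST; do
            lw=$(printf '%s' "$w" | tr '[:upper:]' '[:lower:]')
            if [ "$lname" = "$lw" ]; then
                status=SUSPECT
                found=1
            fi
        done
        printf '%s %s\n' "$status" "$name"
    done
    return $found
}

# When run directly, default to the current user's Safari extension folder
# (or a folder passed as the first argument) and skip quietly if it is absent.
EXT_DIR="${1:-$HOME/Library/Safari/Extensions}"
if [ -d "$EXT_DIR" ]; then
    list_safari_extensions "$EXT_DIR" ||
        echo "Suspect extensions found; disable them under Safari > Preferences > Extensions."
fi
```

A match only means the name is one seen in this case; an unfamiliar extension you did not knowingly install deserves the same scrutiny whatever it is called.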