In a blog posting on Wednesday, a Webroot threat research analyst revealed how the use of ad-blocking software by Mac users could not only be leaving them with a false sense of security but actually putting them at risk. Devin Byrd explained how Mac users are often told that their chosen platform is safe from threats and malware, and a 'vast majority' still believe this despite plenty of proof to the contrary. "The magic myth of Mac immunity has long been disproven and really exploited in the past years with such concepts as Thunderstrike and root privilege exploits" Byrd says, adding "most of the malware that we come across for Mac has been adware."
Although I wouldn't necessarily label adware as malware myself, I appreciate that it does try to get you to spend money, can point you towards malicious software downloads and is almost always unwanted by the person whose machine has it installed. It is therefore understandable that for many the answer to adware is a large dose of ad-blocking software, and Adblock Plus is amongst the most popular. I will put my hands up and admit I have been a happy user for many years myself, although on a Microsoft rather than Mac platform.
Byrd, however, warns that adware companies know only too well that software is being used to block their wares, and have figured out a way of getting around the roadblocks. They have, he says, "added code to their program to allow their ads even with your blocker running." While researching the Genieo adware variant, Byrd says he found that it included code to search for ad blocking software and then download an exception text file that is inserted into the ad blocker configuration files. Here is the sample Byrd gave for Adblock Plus 2.0:
    @@||search.yahoo.com^$document
    @@||bing.com^$document
    @@||genieo.com^$document
    @@||strtpoint.com^$document
The threat here, which has the potential to move beyond the adware industry, is that the technique works by writing its own rules into your plugin's configuration. In this case the plugin is Adblock Plus, but what is to stop someone doing the same thing for, say, exfiltrating personal data?
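Each of the lines in the sample is an Adblock Plus exception rule: the leading @@ marks an exception, ||domain^ anchors it to that domain and its subdomains, and the $document option switches the blocker off for every page served from that domain. A user who wants to know whether something has quietly added such rules can audit the filter list for document-level exceptions that they did not approve themselves. The following script does that; it is an added example, not code from the article, Webroot or Adblock Plus, and the filter list it reads is constructed here (the four exception lines are the ones quoted above, the rest are ordinary filters added for illustration, and the approved set is a hypothetical user choice).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of an Adblock Plus custom filter list. The four
# "@@||...^$document" lines are the exception rules quoted in the article;
# the other rules are ordinary filters added here for illustration.
SAMPLE_FILTERS = """\
! Custom filters
||ads.example.net^
||tracker.example.org^$third-party
@@||search.yahoo.com^$document
@@||bing.com^$document
@@||genieo.com^$document
@@||strtpoint.com^$document
@@||cdn.example.com/fonts/*$font
example.com##.sidebar-ad
"""

# Exceptions the user knowingly added (hypothetical, constructed for the example).
USER_APPROVED = {"bing.com"}


@dataclass
class Rule:
    raw: str
    exception: bool            # True for "@@" rules
    domain: Optional[str]      # host from a "||host^" anchor, if present
    options: set = field(default_factory=set)  # everything after "$"


# "||host^" : domain anchor followed by the separator marker
_DOMAIN_ANCHOR = re.compile(r"^\|\|([a-z0-9.-]+)\^")


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ABP filter line. Comments, blank lines and element-hiding
    rules (##) return None; they cannot whitelist a whole document."""
    line = line.strip()
    if not line or line.startswith("!") or "##" in line:
        return None
    exception = line.startswith("@@")
    body = line[2:] if exception else line
    pattern, _, opts = body.partition("$")
    options = {o.strip().lower() for o in opts.split(",") if o.strip()} if opts else set()
    m = _DOMAIN_ANCHOR.match(pattern)
    return Rule(raw=line, exception=exception,
                domain=m.group(1) if m else None, options=options)


def whitelisted_documents(filter_text: str) -> list:
    """Domains for which an @@ rule carrying $document disables blocking
    on every page of that domain, in the order they appear."""
    found = []
    for line in filter_text.splitlines():
        rule = parse_rule(line)
        if rule and rule.exception and "document" in rule.options and rule.domain:
            found.append(rule.domain)
    return found


def suspicious_exceptions(filter_text: str, approved=frozenset(USER_APPROVED)) -> list:
    """Document-level whitelists the user did not approve: the ones an
    adware dropper would have inserted."""
    return [d for d in whitelisted_documents(filter_text) if d not in approved]


if __name__ == "__main__":
    for domain in suspicious_exceptions(SAMPLE_FILTERS):
        print(f"unexpected $document whitelist: {domain}")
```

Run against the sample it reports search.yahoo.com, genieo.com and strtpoint.com and stays quiet about the approved bing.com entry and the $font exception, which only affects one resource type. Pointing the same check at the blocker's real custom-filter storage turns it into a periodic integrity check: any $document exception that was not entered by hand is worth investigating.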
"This is just the beginning of what could be a crucial change in the malware found on Macs" Byrd insists, adding "putting your security in the hands of a software that only protects you from one type of malware simply isn't enough anymore."
Ben Williams, head of operations at Adblock Plus, speaking exclusively to SCMagazineUK.com says: "This is adware that seeks to disrupt ad-blocking software, not ad-blocking software that is infected with adware. Users who want to download Adblock Plus have nothing to worry about. This could be an app posing as something legitimate or it could be a toolbar app. Whatever it is, it's just like all other malware: it tries to sneak onto your machine by posing as something else, then it gets high-level priorities to in turn do all sorts of things you don't want it to do, like install search engines, install toolbars, download files, or infect legitimate software (like in this case). The best thing to do is surf with ABP so you avoid 'malvertising', know the vendors you're downloading from, and if you think you've been compromised by a third party, run a malware sweep with a reputable anti-malware company."
Gavin Reid, VP of threat intelligence at Lancope, sees it as OS X being welcomed into the well-worn supply chain of exploits delivered via browser plugin vulnerabilities. "It should be fixed by Adblock Plus" Reid told us "as it defeats the purpose of their software." Meanwhile Catalin Cosoi, chief security strategist at Bitdefender, warns that "the exception file simply creates a rule that overrides the normal behaviour of Ad blockers and allows adware to be delivered. From a security perspective, this is a behaviour that puts users at risk: they know that they should be protected but in fact have the shields down."
Cosoi, speaking to SCMagazineUK.com, says that users can completely block these ads by modifying the Hosts file of the Mac and blacklisting the domains they don't want to interact with. "It is an extremely straightforward approach that is limited to adding just one line in the '/private/etc/hosts' file" he comments, concluding "but it requires the use of the Terminal application, which some users find difficult."
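The hosts-file approach Cosoi describes works because the resolver consults /private/etc/hosts before DNS, so a domain pinned to an unroutable address never gets contacted at all, whatever the ad blocker's configuration says. The one line he mentions can carry several hostnames. The helper below builds that line and appends it only for domains that are not already pinned, so repeated runs do not pile up duplicate entries; it is an added example, not code from the article or from Bitdefender, the hosts content it works on is constructed here, and the choice of 0.0.0.0 as the sink address is an assumption (any loopback or null address serves the purpose).

```python
# Constructed sample of an existing /private/etc/hosts, not a real file.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
0.0.0.0 ads.example.net   # already blocked by hand
"""

# Addresses that keep a name from reaching the network (assumption: 0.0.0.0
# is used as the sink when new entries are written).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
SINK = "0.0.0.0"


def pinned_hosts(hosts_text: str) -> set:
    """Hostnames already mapped to a loopback or null address.
    Comments after '#' and blank lines are ignored; a line may name
    several hosts after the address."""
    pinned = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in SINK_ADDRESSES:
            pinned.update(h.lower() for h in fields[1:])
    return pinned


def hosts_block_line(domains) -> str:
    """The single line Cosoi refers to: one sink address, many hostnames."""
    return SINK + " " + " ".join(sorted(domains))


def add_blocks(hosts_text: str, domains) -> str:
    """Return the hosts content with any domain not yet pinned appended on
    one line. Already-pinned domains are left alone, so the function is
    idempotent."""
    wanted = {d.lower().strip() for d in domains if d.strip()}
    missing = wanted - pinned_hosts(hosts_text)
    if not missing:
        return hosts_text
    if not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + hosts_block_line(missing) + "\n"


if __name__ == "__main__":
    # Domains taken from the exception rules quoted in the article.
    updated = add_blocks(SAMPLE_HOSTS, ["genieo.com", "strtpoint.com", "ads.example.net"])
    print(updated, end="")
```

Writing the result back to /private/etc/hosts still needs root, which is the Terminal step Cosoi mentions, so the script only produces the new content. Two limits apply: a hosts entry blocks a whole hostname, so it cannot separate ads from content served by the same host, and it does nothing about the injected exception rules themselves, which stay in the blocker's configuration until removed.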