Is the new Mac 'trojan' hitting OS X browsers really a trojan?

Summary:Security companies can't agree on whether one piece of adware is a trojan or not. But one thing they're certain of - it's going on their blacklists.

The debate over how susceptible Apple systems are to malware has been raging for years. With the rise of various forms of PUPs (potentially unwanted programs), the line between annoying adware and full-blown malware is becoming increasingly blurred. So blurred, in fact, that even the antivirus companies can't agree on whether one piece of malware is a trojan or not.

Antivirus firms are warning of a "potentially unwanted" adware programme which is using deceptive techniques to attach itself to Chrome, Firefox and Safari on Mac OS X.

The Yontoo browser plugin is published by Yontoo LLC, which describes itself as a US-based software company that "creates virtual layers that can be edited to create the appearance of having made changes to the underlying website".

The ambiguously addressed support page says that Yontoo works across IE, Chrome and Firefox on Windows and Safari, Chrome and Firefox on Mac OS X, stating that: "All your changes and edits will show up on any computer with Yontoo installed."

However, Russian antivirus company Dr Web classifies it as a trojan because of the deceptive methods its installation process uses.

Yontoo spoofs an Apple dialogue box used to seek permission to install a program. "After clicking on 'Install the plug-in, the user is redirected to another site from which Trojan.Yontoo.1 is downloaded," Dr Web says.

Fraudsters have rigged movie trailer pages that contain a prompt encouraging users to install a plugin needed to view the content. However, granting permission merely installs the Yontoo plugin.

"Yontoo has also been deceptively packaged as a media player, video enhancement software and a download accelerator, including an offer to install "Free Twit Tube", which again installs Yontoo. Once installed, it displays ads that would not otherwise appear," Dr Web says.

2013-03-21 11.23.27 am
Image: Dr Web.

Not all antivirus companies are classifying Yontoo as a trojan, however.

Symantec assessed the Windows version of Yontoo as "potentially unwanted software". On Windows, the plugin installs a browser extension displaying advertisements that appeared to come from Facebook, Symantec said. 

French OS X antivirus firm Intego also added a signature for the adware program because of the deceptive installation.

"If you also have a situation where these adware programs are being installed surreptitiously (without the user being aware or approving the installation), that's where it falls far enough into the darker side of grey to qualify for detection," said Intego's Lisa Myers.

Topics: Security, Apple, Malware

About

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.