Must Read: Little Printer: Meet the palm-sized, werewolf-spotting, cheeky face of the internet of things

Topic: Security

Is the new Mac 'trojan' hitting OS X browsers really a trojan?

Summary: Security companies can't agree on whether one piece of adware is a trojan or not. But one thing they're certain of - it's going on their blacklists.

Liam Tung

By Liam Tung |

The debate over how susceptible Apple systems are to malware has been raging for years. With the rise of various forms of PUPs (potentially unwanted programs), the line between annoying adware and full-blown malware is becoming increasingly blurred. So blurred, in fact, that even the antivirus companies can't agree on whether one piece of malware is a trojan or not.

Antivirus firms are warning of a "potentially unwanted" adware programme which is using deceptive techniques to attach itself to Chrome, Firefox and Safari on Mac OS X.

The Yontoo browser plugin is published by Yontoo LLC, which describes itself as a US-based software company that "creates virtual layers that can be edited to create the appearance of having made changes to the underlying website".

The ambiguously addressed support page says that Yontoo works across IE, Chrome and Firefox on Windows and Safari, Chrome and Firefox on Mac OS X, stating that: "All your changes and edits will show up on any computer with Yontoo installed."

However, Russian antivirus company Dr Web classifies it as a trojan because of the deceptive methods its installation process uses.

Yontoo spoofs an Apple dialogue box used to seek permission to install a program. "After clicking on 'Install the plug-in, the user is redirected to another site from which Trojan.Yontoo.1 is downloaded," Dr Web says.

Fraudsters have rigged movie trailer pages that contain a prompt encouraging users to install a plugin needed to view the content. However, granting permission merely installs the Yontoo plugin.

"Yontoo has also been deceptively packaged as a media player, video enhancement software and a download accelerator, including an offer to install "Free Twit Tube", which again installs Yontoo. Once installed, it displays ads that would not otherwise appear," Dr Web says.

2013-03-21 11.23.27 am
Image: Dr Web.

Not all antivirus companies are classifying Yontoo as a trojan, however.

Symantec assessed the Windows version of Yontoo as "potentially unwanted software". On Windows, the plugin installs a browser extension displaying advertisements that appeared to come from Facebook, Symantec said. 

French OS X antivirus firm Intego also added a signature for the adware program because of the deceptive installation.

"If you also have a situation where these adware programs are being installed surreptitiously (without the user being aware or approving the installation), that's where it falls far enough into the darker side of grey to qualify for detection," said Intego's Lisa Myers.

Topics: Security, Apple, Malware

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several Australian publications, including the Sydney Morning Herald online. He's interested primarily in how information technology impacts the way business and people communicate, trade, and consume.

Contact

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

18 comments
Log in or register to join the discussion

  • Gatekeeper

    Will OS X Gatekeeper stop this from being installed. If so I think Apple will blacklist the developer ID and the situation will be resolved.
    Brendon Jarrett
    Reply Vote

    • No.

      As you've said, unless Apple sets up a blacklist, there's nothing to stop something like this from installing.

      Yontoo is a form of adware, which Macs are susceptible to.
      ForeverCookie
      Reply Vote

      • Correction:

        I think you mean, "…which some Mac *users* are susceptible to."
        deasys
        Reply 2 Votes

  • It's a really good thing this approach never works

    Thank goodness all os x users who switched from Windows are safe from applications that ask for permission to install and the user goes ahead and installs it because they really want to watch that movie trailer. This approach never worked once on Windows and certainly isn't the reason that anyone might have switched after having been hit by malware they installed themselves on Windows. /s

    Security is a process, not a product. People who follow bad security processes and switch products are going to run into the exact same issues on their new platform, even if the manufacturer runs a series of ads suggesting that it isn't true.
    toddbottom3
    Reply 10 Votes

    • Yep

      True dat.
      daves@...
      Reply 1 Vote

    • Agreed

      I fully agree
      Brendon Jarrett
      Reply 1 Vote

      • I guess

        This will be a battle that will gos on forever. There is no real way to stop it. We the user can keep educating ourselves, but next week there will be a different method that the adware developers will use.
        Brendon Jarrett
        Reply Vote

        • Hasn't really changed

          They are still trying to get you to install something. It's simple don't install crap from suspect websites. For example, if you are wanting to watch a video clip and it unexpectedly wants you to install a plug-in DON'T. Even if it's not malware it's going to impact the performance of your machine. The only video player plugin I have installed is flash player and would love to get rid of it as well (but at least I know it's legit even if it is crap). The same applies to just about any plug-in. So unless you really need it don't install it. In which case you should be expecting the install request and it wouldn't be a surprise.
          bvirga0218@...
          Reply Vote

    • Even when I made the switch

      To Linux back in 2008 I understood that I was not invincible to these types of attacks and made sure I understood the procedure when it came to installing programs and running scripts. I didn't become paranoid just aware. Same gos with my Mac.
      Brendon Jarrett
      Reply 4 Votes

    • Good post Todd.

      I like the little jabs but I will agree.
      Arm A. Geddon
      Reply 1 Vote

    • toddbottom3: "Security is a process, not a product"

      Security, while a noble goal, is an illusion. Just because developers are unable to break their own software, doesn't mean that someone else out there cannot. See 'Schneier's Law':

      "Schneier on Security
      https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
      Rabid Howler Monkey
      Reply 1 Vote

    • new mac trojan

      The manufacturer you are presumably referring to merely said that their OS didn't have windows viruses. Which is totally true. And nor is a virus a trojan. Installing something you never asked for, are unsure about or flat out don't need, is down to users exercising common sense and awareness. It has nothing whatsoever to do with operating platforms or apparently misleading ads.
      Craig Coulson
      Reply Vote

  • Behavior....

    is the most important defense against Adware, Malware, Viruses, etc.

    Bottom line is no antivirus program is going to catch everything, no matter what platform you are one, behavior is the key.

    If you do things securely on your system, chances are you won't ever need the Antivirus software. The software should be considered a backup for when you fail to do things correctly, nothing more.
    cmwade1977
    Reply 1 Vote

  • P. U. P.

    Possibly Unheard of Software?
    trm1945
    Reply Vote

    • Re: P.U.P....

      "Possibly Unheard of Software?"

      Then that would be P.U.S., or maybe P.U.o.S. lol.

      TW
      T-Wrench
      Reply Vote

  • Another thing about yontoo...

    I don't know if it is the same way on OS X, but on Windows, it is not easy to figure out how to remove it.

    My son complained that his internet searches weren't working right. I found yontoo on my kids' computer. It wasn't listed on the plug-ins page of the browser, or in "add/remove programs".

    I didn't feel like wasting my time with it, so I rolled the PC back to a restore point made a few days earlier and educated him about the dangers of add-ons and plug-ins.
    WozNotWoz
    Reply 1 Vote

    • Who gives admin rights to their kids?!!

      Kids and most adults have no business being able to install stuff. This is my only gripe with android and the play store.
      LarsDennert
      Reply 1 Vote

  • copyright?

    why isn't the unauthorized use of the image of a mac dialog box a violation of copyright? Why can't this rendition of an 'official' mac dialog be copyrighted and further why can't all 'official' modes of interaction with the OS be copyrighted and in fact supported by say steganography and certificates? Could this be used to block an entire branch of social engineering scams? Why is tricking and misleading someone with 'official' looking interactions not a breach of copyright that Apple should be required to stamp out...
    walkerjian@...
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close