Is the new Mac 'trojan' hitting OS X browsers really a trojan?

Summary: Security companies can't agree on whether one piece of adware is a trojan or not. But one thing they're certain of - it's going on their blacklists.

TOPICS: Security, Apple, Malware

The debate over how susceptible Apple systems are to malware has been raging for years. With the rise of various forms of PUPs (potentially unwanted programs), the line between annoying adware and full-blown malware is becoming increasingly blurred. So blurred, in fact, that even the antivirus companies can't agree on whether one piece of software is a trojan or not.

Antivirus firms are warning of a "potentially unwanted" adware programme which is using deceptive techniques to attach itself to Chrome, Firefox and Safari on Mac OS X.

The Yontoo browser plugin is published by Yontoo LLC, which describes itself as a US-based software company that "creates virtual layers that can be edited to create the appearance of having made changes to the underlying website".

The ambiguously addressed support page says that Yontoo works across IE, Chrome and Firefox on Windows and Safari, Chrome and Firefox on Mac OS X, stating that: "All your changes and edits will show up on any computer with Yontoo installed."

However, Russian antivirus company Dr Web classifies it as a trojan because of the deceptive methods its installation process uses.

Yontoo spoofs an Apple dialogue box used to seek permission to install a program. "After clicking on 'Install the plug-in', the user is redirected to another site from which Trojan.Yontoo.1 is downloaded," Dr Web says.

Fraudsters have rigged movie trailer pages that contain a prompt encouraging users to install a plugin needed to view the content. However, granting permission merely installs the Yontoo plugin.

"Yontoo has also been deceptively packaged as a media player, video enhancement software and a download accelerator, including an offer to install 'Free Twit Tube', which again installs Yontoo. Once installed, it displays ads that would not otherwise appear," Dr Web says.

Screenshot (2013-03-21). Image: Dr Web.

Not all antivirus companies are classifying Yontoo as a trojan, however.

Symantec assessed the Windows version of Yontoo as "potentially unwanted software". On Windows, the plugin installs a browser extension displaying advertisements that appeared to come from Facebook, Symantec said. 

French OS X antivirus firm Intego also added a signature for the adware program because of the deceptive installation.

"If you also have a situation where these adware programs are being installed surreptitiously (without the user being aware or approving the installation), that's where it falls far enough into the darker side of grey to qualify for detection," said Intego's Lisa Myers.
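For a reader who wants to check which extensions are actually present on a Mac, the following shell script, added here as an example and not taken from the article or from Dr Web, Symantec or Intego, walks the standard per-user extension locations for Safari, Chrome and Firefox on OS X and prints one line per extension. It assumes those default paths; the article gives no file names or identifiers for Yontoo itself, so the script matches nothing by name and the reader compares the list against what they knowingly installed.

```shell
#!/bin/sh
# Enumerate browser extensions installed for one user account on OS X, so that
# an unexpected entry (an adware plugin accepted via a spoofed install prompt)
# stands out. The paths are the standard per-user locations for Safari, Chrome
# and Firefox; nothing Yontoo-specific is assumed, since the article gives no
# file names or identifiers for it.

list_browser_extensions() {
    home="${1:-$HOME}"

    # Safari: each installed extension is a .safariextz archive.
    for f in "$home/Library/Safari/Extensions"/*.safariextz; do
        [ -e "$f" ] || continue
        printf 'safari\t%s\n' "$(basename "$f")"
    done

    # Chrome: <profile>/Extensions/<32-char id>/<version>/manifest.json.
    # The manifest "name" may be an __MSG_..__ localisation key; the id is
    # what to look up if the name is unhelpful.
    for m in "$home/Library/Application Support/Google/Chrome"/*/Extensions/*/*/manifest.json; do
        [ -e "$m" ] || continue
        id=$(basename "$(dirname "$(dirname "$m")")")
        name=$(sed -n 's/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$m" | head -n 1)
        printf 'chrome\t%s\t%s\n' "$id" "${name:-?}"
    done

    # Firefox: <profile>/extensions/<addon id>.xpi, or an unpacked directory.
    for x in "$home/Library/Application Support/Firefox/Profiles"/*/extensions/*; do
        [ -e "$x" ] || continue
        printf 'firefox\t%s\n' "$(basename "$x")"
    done
    return 0
}

# Run against the current user's home directory when executed directly.
list_browser_extensions
```

Anything in the output that the user did not deliberately install is a candidate for removal; an entry that was not expected after a "plugin needed to view this content" prompt is exactly the case the article describes.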


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.



  • Gatekeeper

    Will OS X Gatekeeper stop this from being installed. If so I think Apple will blacklist the developer ID and the situation will be resolved.
    Brendon Jarrett
    • No.

      As you've said, unless Apple sets up a blacklist, there's nothing to stop something like this from installing.

      Yontoo is a form of adware, which Macs are susceptible to.
      • Correction:

        I think you mean, "…which some Mac *users* are susceptible to."
  • It's a really good thing this approach never works

    Thank goodness all os x users who switched from Windows are safe from applications that ask for permission to install and the user goes ahead and installs it because they really want to watch that movie trailer. This approach never worked once on Windows and certainly isn't the reason that anyone might have switched after having been hit by malware they installed themselves on Windows. /s

    Security is a process, not a product. People who follow bad security processes and switch products are going to run into the exact same issues on their new platform, even if the manufacturer runs a series of ads suggesting that it isn't true.
    • Yep

      True dat.
    • Agreed

      I fully agree
      Brendon Jarrett
      • I guess

        This will be a battle that goes on forever. There is no real way to stop it. We the users can keep educating ourselves, but next week there will be a different method that the adware developers will use.
        Brendon Jarrett
        • Hasn't really changed

          They are still trying to get you to install something. It's simple: don't install crap from suspect websites. For example, if you want to watch a video clip and it unexpectedly wants you to install a plug-in, DON'T. Even if it's not malware, it's going to impact the performance of your machine. The only video player plugin I have installed is Flash Player, and I would love to get rid of it as well (but at least I know it's legit, even if it is crap). The same applies to just about any plug-in. So unless you really need it, don't install it, in which case you should be expecting the install request and it wouldn't be a surprise.
    • Even when I made the switch

      To Linux back in 2008, I understood that I was not invincible to these types of attacks and made sure I understood the procedure when it came to installing programs and running scripts. I didn't become paranoid, just aware. Same goes with my Mac.
      Brendon Jarrett
    • Good post Todd.

      I like the little jabs but I will agree.
      Arm A. Geddon
    • toddbottom3: "Security is a process, not a product"

      Security, while a noble goal, is an illusion. Just because developers are unable to break their own software, doesn't mean that someone else out there cannot. See 'Schneier's Law':

      "Schneier on Security
      Rabid Howler Monkey
    • new mac trojan

      The manufacturer you are presumably referring to merely said that their OS didn't have Windows viruses. Which is totally true. Nor is a virus a trojan. Installing something you never asked for, are unsure about or flat out don't need is down to users exercising common sense and awareness. It has nothing whatsoever to do with operating platforms or apparently misleading ads.
      Craig Coulson
  • Behavior....

    is the most important defense against Adware, Malware, Viruses, etc.

    Bottom line is no antivirus program is going to catch everything, no matter what platform you are on; behavior is the key.

    If you do things securely on your system, chances are you won't ever need the Antivirus software. The software should be considered a backup for when you fail to do things correctly, nothing more.
    • Gimme a break

      It's still misleading, and purposely so.

      Do you actually think the average joe who buys a Mac computer will go "Oh, good, I won't get Windows viruses, but I sure gotta watch out for OS X ones!"? Really? Of course not; people are misled that they are actually free from viruses.

      And on your semantics BS. Again, average joe doesn't give a piss if you call it virus, trojan, malware, adware, or bieberware. For them it's just "stuff I don't want on my computer cuz it's bad", and it's actually that: stuff that shouldn't get in there.

      On your comment about needing antivirus software, I agree. Unfortunately people are naive and/or lazy and are bound to just click "yes" because, like someone else said, they really want to see that video.
  • P. U. P.

    Possibly Unheard of Software?
    • Re: P.U.P....

      "Possibly Unheard of Software?"

      Then that would be P.U.S., or maybe P.U.o.S. lol.

  • Another thing about yontoo...

    I don't know if it is the same way on OS X, but on Windows, it is not easy to figure out how to remove it.

    My son complained that his internet searches weren't working right. I found yontoo on my kids' computer. It wasn't listed on the plug-ins page of the browser, or in "add/remove programs".

    I didn't feel like wasting my time with it, so I rolled the PC back to a restore point made a few days earlier and educated him about the dangers of add-ons and plug-ins.
    • Who gives admin rights to their kids?!!

      Kids and most adults have no business being able to install stuff. This is my only gripe with android and the play store.
  • copyright?

    why isn't the unauthorized use of the image of a mac dialog box a violation of copyright? Why can't this rendition of an 'official' mac dialog be copyrighted and further why can't all 'official' modes of interaction with the OS be copyrighted and in fact supported by say steganography and certificates? Could this be used to block an entire branch of social engineering scams? Why is tricking and misleading someone with 'official' looking interactions not a breach of copyright that Apple should be required to stamp out...