New 'Yontoo' Adware Trojan Targets Major Browsers on OS X

Russian security firm Doctor Web this week highlighted a new trojan (via The Next Web) affecting OS X systems and which installs an adware plug-in capable of injecting ads into users' browsing experience.

As with other trojans, this new Yontoo malware relies on tricking users into installing the package, which in this case masquerades as a movie trailer video plug-in, download accelerator, or other software a user might believe they want or need on their system.

When launched, Trojan.Yontoo.1 displays a dialogue window that asks the user if they want to install Free Twit Tube.

However, after the user presses ‘Continue’, instead of the promised program, the Trojan downloads (from the Internet) and installs the plugin Yontoo for Safari, Chrome and Firefox. These browsers are most popular among Mac OS X users. While a user surfs the web, the plugin transmits information about the loaded pages to a remote server.

In return, it gets a file that enables the Trojan to embed third-party code into pages visited by the user.

As an example of Yontoo's capabilities, Doctor Web shows how ads can be injected into apple.com once the plug-in has been unwittingly installed by the user.

Compared to Windows, OS X has long been a relatively unpopular target for malware authors, but attacks targeting Apple customers have been on the rise. Many of the most highly publicized attacks come via trojans that rely on tricking users into granting installation privileges, while third-party platforms such as Java have also frequently been used to inject code into Mac systems.

Apple has been increasing its efforts to fight malware, introducing a rudimentary anti-malware functionality in OS X Snow Leopard and an enhanced Gatekeeper system in OS X Mountain Lion. Apple has also increasingly been blocking vulnerable versions of Java until Oracle is able to release patched versions of its plug-ins.