Trojan.Yontoo.1 leads among new adware Trojans for Mac
March 19, 2013
According to Doctor Web's analysts, the trend towards a growing number of adware for various platforms has persisted from early 2013. Criminals profit from affiliate ad network programs, and their interest in users of Apple-compatible computers grows day by day. Recently discovered, Trojan.Yontoo.1 can serve as a striking example of such software.
There are several ways for the Trojan to get onto a computer. To spread the Trojan, criminals crafted movie trailer pages that prompt users to install a browser plugin. In fact, the prompt only imitates a common dialogue displayed when a plugin needs to be installed or additional configuration is necessary. After clicking on ‘Install the plug-in’, the user is redirected to another site from which Trojan.Yontoo.1 is downloaded.
Criminals have also provided for a number of alternative ways to spread this threat. The Trojan can also be downloaded as a media player, a video quality enhancement program or a download accelerator.
When launched, Trojan.Yontoo.1 displays a dialogue window that asks the user if they want to install Free Twit Tube.
However, after the user presses ‘Continue’, instead of the promised program, the Trojan downloads (from the Internet) and installs the plugin Yontoo for Safari, Chrome and Firefox. These browsers are most popular among Mac OS X users. While a user surfs the web, the plugin transmits information about the loaded pages to a remote server.
In return, it gets a file that enables the Trojan to embed third-party code into pages visited by the user. This is how an apple.com page is displayed on an infected machine.
Such browser extensions are detected by Dr.Web as Adware.Plugin. It should be noted that a similar scheme for spreading the Trojan is used to target Windows PCs.