Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to the news list

Trojan.Yontoo.1 leads among new adware Trojans for Mac

March 19, 2013

Russian anti-virus company Doctor Web reports that adware for Mac OS X has been increasing in number since the beginning of 2013. Trojan.Yontoo.1 is the most prominent of them: It can download and install an adware browser plugin in an infected system.

According to Doctor Web's analysts, the trend towards a growing number of adware for various platforms has persisted from early 2013. Criminals profit from affiliate ad network programs, and their interest in users of Apple-compatible computers grows day by day. Recently discovered, Trojan.Yontoo.1 can serve as a striking example of such software.

There are several ways for the Trojan to get onto a computer. To spread the Trojan, criminals crafted movie trailer pages that prompt users to install a browser plugin. In fact, the prompt only imitates a common dialogue displayed when a plugin needs to be installed or additional configuration is necessary. After clicking on ‘Install the plug-in’, the user is redirected to another site from which Trojan.Yontoo.1 is downloaded.

screen

Criminals have also provided for a number of alternative ways to spread this threat. The Trojan can also be downloaded as a media player, a video quality enhancement program or a download accelerator.

When launched, Trojan.Yontoo.1 displays a dialogue window that asks the user if they want to install Free Twit Tube.

screen

However, after the user presses ‘Continue’, instead of the promised program, the Trojan downloads (from the Internet) and installs the plugin Yontoo for Safari, Chrome and Firefox. These browsers are most popular among Mac OS X users. While a user surfs the web, the plugin transmits information about the loaded pages to a remote server.

screen

In return, it gets a file that enables the Trojan to embed third-party code into pages visited by the user. This is how an apple.com page is displayed on an infected machine.

screen

Such browser extensions are detected by Dr.Web as Adware.Plugin. It should be noted that a similar scheme for spreading the Trojan is used to target Windows PCs.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments