Apple fights Yontoo Trojan with XProtect update
New XProtect definitions identify Yontoo as "OSX.AdPlugin.i" and block all but the latest versions of Java.
Following news of the new adware Web plug-in Trojan found to be affecting OS X systems, Apple has released an XProtect malware definitions update to protect anyone who stumbles across it.
The Trojan,, is initially disguised as a media player or download manager plug-in and distributed on underground file-sharing and movie trailer Web sites. When installed it pretends to be a player called Twit Tube but installs the Yontoo plug-in. This plug-in will work in all Web browsers to track your browsing behaviors and then present ads on legitimate Web sites.
Unlike other malware that can hide itself in a number of areas in the system, this malware is ultimately a basic Web plug-in that canfrom the system's plug-in directory. However, to help protect its users Apple has issued an update for its XProtect system so it will now identify the malware before it is installed.
XProtect is athat will check for malware in newly downloaded files as well as limit the use of out-of-date and potentially insecure Web plug-ins like Java and Flash.
In the latest definitions, Apple identifies the Yontoo malware as "OSX.AdPlugin.i," so if anyone stumbles across it the system should issue a warning message that mentions this name.
In addition to the definitions for the Yontoo malware, Apple's latest update changes the minimum Java version allowed to reflect the latest versions of the plug-in (version 1.7.17.06 and 1.6.0_43-b01-447), so some Java users may experience a blocked plug-in message until they update.