
New adware Trojan circulating that targets Mac OS X systems

Trojan.Yontoo.1 is the most prominent of adware Trojans making the rounds that install a plug-in that renders fraudulent ads on Web pages.

Steven Musil Night Editor / News
A movie trailer installation ruse. Dr. Web

A new Mac OS X Trojan is making the rounds, installing an adware plug-in that renders ads on Web pages to generate revenue for its author.

Dubbed Trojan.Yontoo.1, it is the most prominent of an increasing number of adware Trojans making the rounds, according to Russian antivirus company Dr. Web, the same company that discovered the Flashback virus last year.

"Criminals profit from affiliate ad network programs, and their interest in users of Apple-compatible computers grows day by day," Dr. Web said yesterday in a statement. "Recently discovered, Trojan.Yontoo.1 can serve as a striking example of such software."

The Trojan has a number of avenues for installation, perhaps the most interesting of which is a series of specially crafted movie trailers that include a dialog box that imitates a common prompt for plug-in installation. Once the "install plug-in" button is clicked, victims are redirected to a site where the Trojan is downloaded.

Trojan.Yontoo.1 can also be downloaded as a media player, a video quality enhancement program, or a download accelerator, Dr. Web said.

Once launched, the Trojan generates a dialog box that offers to install Free Twit Tube. After users press "continue," the Trojan downloads the Yontoo adware plug-in for Safari, Chrome, and Firefox.

The plug-in transmits information about the pages users visit and embeds third-party code into those pages.

The example below shows how an infected system renders Apple.com with a DropDownDeals ad:

Apple.com on an infected system includes DropDownDeals. Dr. Web

While this Trojan targets Mac OS X users, Dr. Web notes that a similar Trojan is also spreading that targets Windows systems.

Clarification at 6:10 a.m. PT March 21: The attribution in the caption has been removed. The image of the plug-in ruse is an example provided by anti-virus company Dr. Web.