The Yontoo Trojan: New Mac OS X Malware Infects Google Chrome, Firefox And Safari Browsers Via Adware

By Dave Smith | March 21 2013 12:18 PM

There’s a new piece of Mac malware on the block, which affects OS X systems by installing itself directly into the user’s browser as a plug-in and embedding third-party code onto any webpages viewed by the user.

Courtesy / Wikimedia

In the wake of last year's Flashback Trojan, a new Trojan virus called "Yontoo" is affecting Apple's OS X systems by installing itself directly into the Mac's popular browsers, including Chrome, Safari and Firefox.

Sponsorship Link

The new adware called “Trojan.Yontoo.1” was first detected earlier this week by Russian security firm Doctor Web, which explained how the Yontoo virus infects Mac computers by prompting common dialogue users might experience with installing plug-ins to view specific kinds of content -- in particular, the cybercriminals behind Yontoo had carefully crafted movie trailer pages that couldn't be viewed without installing an “HD Video Player” plug-in.

“Criminals have also provided for a number of alternative ways to spread this threat,” Doctor Web said in its report. “The Trojan can also be downloaded as a media player, a video quality enhancement program or a download accelerator.”

Once Yontoo is downloaded to the Mac, a binary Trojan called “Custom Installer” displays a dialogue window asking the user to continue, which involves installing an application called “Free Twit Tube.” Once the user presses Continue, the Trojan automatically installs itself to the Mac’s most popular browsers, including Mozilla's Firefox, Google Chrome, and Apple’s Safari.

Malware is almost always exploited for financial gain, and the Yontoo Trojan is no different. As the virus leeches onto the Mac user’s Web browsers, it transmits information about the webpages viewed by the user onto a remote server, which then returns files that are automatically and seamlessly embedded into those same pages. Doctor Web released a photo of the Yontoo trojan implanted in Apple’s own website.

Yontoo Malware Photo: Courtesy / DrWeb.com This screenshot taken by Russian antivirus company Doctor Web shows how the Yontoo Trojan seamlessly embeds third-party advertisements into webpages viewed by the user -- even Apple's website.

The Yontoo Trojan has been associated with nearly 20 different ad partner programs, including:

- www.bottombarbrain2.com

- vpntease.com

- trafficvance.com

- amit.com

- lgit.com

- www.superfish.com

- www.dropdowndeals.com

- www.ireview.com

- noproblemppc.com

- www.toprelatedtopics.com

- chango.com

- lotame.com

- easyinline.com

- msfsob.com

- mythingsmedia.net

- www.yontoo.com

- getsuperweb.com

Even though Microsoft's Windows is a much more popular platform for malware, Mac OS X malware and adware attacks are on the rise, particularly in the past 12 months. Last April, more than 600,000 Mac computers were affected by the Flashback Trojan virus, which exploited several vulnerabilities in Java to similarly install itself onto user’s browsers, but without any intervention or action on the user’s part.

In an effort to enlighten more users on how and why computers and sites are hacked, Google introduced a new initiative last Wednesday to help webmasters identify and reverse the damaging effects of malware.