New Trojan Malware Targeting Mac Computers
March 21, 2013

New Trojan Malware Targeting Mac Computers

Michael Harper for — Your Universe Online

Russian antivirus company Dr. Web has discovered a new Trojan in the wild which is actively targeting Macs. The most prominent example of this Trojan is called “Trojan.Yontoo.1” and has been found to install an adware plugin on infected machines.

Once installed, this adware embeds advertisements on Websites in hopes that infected users will earn them some money by clicking the ads. Yontoo has been found to mainly target the Chrome, Firefox and Safari browsers on Macs, but has been found on Windows machines as well.

The Dr. Web researchers say they began to notice an increase in adware on Macs since the beginning of the year. This is an indicator of a growing trend as criminals have begun to take an interest in the growing Mac user base.

According to the Dr. Web report, Yontoo can find its way onto a machine in one of several ways.

In one example, the attackers created a movie trailer page and asked visitors to install the plug-in before watching the videos. According to Dr. Web, the prompt uses a common dialogue box to install the browser plug-in, which would seem like a normal routine to the user.

After the user gives permission for the plug-in to be installed, they´re taken to another page where Yontoo is downloaded. Dr. Web says attackers have also hidden Yontoo in media players, video enhancement software and download accelerators.

Once Yontoo is installed and launched on the machine, the user is asked to download something called “Free Twit Tube.” Once the user agrees to download Free Twit Tube, the adware plug-in is downloaded from the Internet and installed in the browser. Dr. Web says Chrome, Firefox and Safari are targeted because they´re the most popular among Mac users.

Once installed, the adware plug-in watches the web pages and sends this information back to a remote server. This server then returns a file to the infected machine which the plug-in turns into ads. Dr. Web has posted a screenshot of what looks like on an infected machine.

Though the plug-in is adware and an extension of a trojan, the ads seem to match up well with the content on the page. Ads for what look like iPads show up just above the links to Apple commercials on The ads in the Dr. Web screenshot promise iPads at the $29.99 and $39.99 level, possibly luring in someone wondering if the deal is too good to be true.

Dr. Web does point out that while they tracked Yontoo on a Mac, they also found a similar Trojan running on Windows PCs.

Symantec has confirmed this information, and lists the risk impact of a PC-driven Yontoo virus as “Low.”

Yontoo may be targeting Macs, but it´s not difficult to protect yourself and your machine from these attacks. The basic rules of browsing the Internet still apply: never click on anything suspicious and stay away from shifty-looking sites. Many of these viruses try to trick users by asking them to click a link before seeing a picture or a video. Therefore, unless it´s something you´ve explicitly navigated to see, it´s best not to click it.

Furthermore, the only software or plug-in you´ll ever need to watch content online is probably installed on your computer already. Flash doesn´t come pre-loaded on Macs anymore, but it´s likely many users install it pretty quickly. Netflix users must install Microsoft Silverlight to watch movies on their Macs, but even this plugin comes from a trusted source.

Bottom line: if a popup window asks you to download something, it´s probably best that you not.