Follow Slashdot stories on Twitter


Forgot your password?
Botnet OS X Security Apple

New OS X Trojan Adware Injects Ads Into Chrome, Firefox, Safari 129

An anonymous reader writes "A new trojan specifically for Macs has been discovered that installs an adware plugin. The malware attempts to monetize its attack by injecting ads into Chrome, Firefox, and Safari (the most popular browsers on Apple's desktop platform) in the hopes that users will generate money for its creators by viewing (and maybe even clicking) them. The threat, detected as "Trojan.Yontoo.1" by Russian security firm Doctor Web, is part of a wider scheme of adware for OS X that has "been increasing in number since the beginning of 2013," according to the company."
This discussion has been archived. No new comments can be posted.

New OS X Trojan Adware Injects Ads Into Chrome, Firefox, Safari

Comments Filter:
  • Clarification (Score:4, Insightful)

    by schneidafunk ( 795759 ) on Thursday March 21, 2013 @02:10PM (#43237043)
    Can someone explain to me why advertisers would want to pay for bogus clicks? How does this money get laundered to hide the trojan creator and also defraud the advertiser?
    • Better Question (Score:5, Interesting)

      by Deathlizard ( 115856 ) on Thursday March 21, 2013 @02:33PM (#43237335) Homepage Journal

      Can Someone explain to me why Yontoo is detected on the Mac Platform but on Windows it's totally ok.

      While we're at it, why are any of these still not detected by any malware scanner. Even as a Potentially Unwanted Program? I'm sure just about anything listed here does a lot more malicious stuff than anything spyware like Gator ever did.

      Anything from Conduitt
      Anything from Mindspark Interactive
      coupon wonderland
      big fish games
      we care ASCPA Reminder (my personal favorite. When you uninstall it, it basically accuses you of wanting to kill puppies.)
      shop to win
      inbox toolbar
      anything from Crawler
      24x7 help

      Most of the above either popup ads, install, or trick users into installing more junk like registry scanners, fake flash players and the like. Yet almost no scanner I've found short of JRT or ADWcleaner gets rid of these things.

      It's about time these AV companies wake the heck up and realize that Spyware is back disguising itself as adware and is more prevalent than ever,

      • Hello,

        Not sure which anti-malware software you are using, but a quick check of my employer's gave me half-a-dozen hits:

        Not sure about the others, but would not be surprised if they are detected, just with a different name than you wrote. Maybe you just need to ch

        • My guess is that you work for ESET.

          I recently had a job change a few months ago, and at my current job we have been using ESET NOD32 Antivirus Business Edition 4 (I'd like to move to the latest version, but Labtech is keeping us on 4)

          From my Experience, ESET does do a pretty good job detecting PUPS, but in our console, when we look at the threat log, it constantly says "unable to clean" I'm sure it's just a setting wrong in the policy but i'm still learning the console since my previous employer used Sophos

          • Hello,

            A lucky guess.

            I'm not as familiar with the remote management side of things as I used to be, but I suspect that with potentially unwanted applications (PUA), the option to use would be "delete" instead of "disinfect." The latter is really only applicable to parasitic infecting viruses which actually modify host code. In the case of a PUA, there is no clean host program inside the PUA, it's a PUA all the way down.

            I would suggest checking with the LabTech or ESET support folks to verify the settings,

      • by chrish ( 4714 )

        Did I miss a memo about Big Fish Games, or are they evil on Windows? I thought the were a legit game vendor... at least, their Mac client doesn't seem to do anything too stupid/nefarious.

  • by Anonymous Coward

    >hopes that users will generate money for its creators by viewing (and maybe even clicking) them

    Nothing makes me want to support a company more than when in injects advertising onto my computer.

  • by Kenja ( 541830 ) on Thursday March 21, 2013 @02:17PM (#43237137)
    Basically, this requires you to download and execute an installer, then click through it (including entering the administrator password). At that point, you could have installed something far worse then adware.
    • Re: (Score:2, Funny)

      by RedHackTea ( 2779623 )
      Hmmm, so the only useful thing from this /. post: I like the adorable, red robot with the shiny key!
    • by h4rr4r ( 612664 ) on Thursday March 21, 2013 @02:22PM (#43237201)


      The user is a flaw every OS has.

      • Only now, it's "Blame the user" instead of the way it used to be - "Blame that Buggy OS" ..

        • by h4rr4r ( 612664 ) on Thursday March 21, 2013 @02:33PM (#43237329)

          Not at all.

          Blame the buggy OS is when you get a nice drive by install or virus. Adware that requires a user to install is always the users fault.

          • by AmiMoJo ( 196126 ) *

            Maybe they are complaining that MacOS runs any software you like, unlike iOS where everything is curated by Apple. This "criticism" (I view it as a complement) is often levelled at Android, for example.

      • Well not quite. This is where the curated app store of iOS comes in. The user can only install apps from a store that requires the apps to be prevetted. And the store will remove any malware that manages to sneak past the vetting process, as soon as it becomes known.

        This is removing user stupidity as a vector for trojans.

        • by h4rr4r ( 612664 )

          This is removing the ability to use your own devices as you see fit.

          They don't only remove malware, they also remove useful tools. This is why iOS has no good wifi scanning tools for example.

          • Well that's the other side of the trade off. And one that lots of people are happy to make. Being safe from malware being more important to them than wardriving tools, and the other things that aren't on the store.

            But for sure iOS, and the games consoles, and every other platform that don't allow the user to download from random sites are exceptions that prove "The user is a flaw every OS has" to be wrong.

            • by h4rr4r ( 612664 )

              What you call war driving tools I call site survey tools I use for my job.

              Append on a computer the user is allowed to own and the statement is true again.

      • by hawk ( 1151 )


        This isn't "malware;" it's "stupidware."


    • by j00r0m4nc3r ( 959816 ) on Thursday March 21, 2013 @02:24PM (#43237227)
      At that point, you could have installed something far worse then adware

      Like RealPlayer
      • by Anonymous Coward

        At that point, you could have installed something far worse then adware

        Like RealPlayer

        Or QuickTime. Wait.... OH GOD IT'S A MAC IT ALREADY HAS QUICKTIME.

        • QuickTime on Mac is pretty useful. It's shit on WIndows. On the Mac, QuickTime can be used for screen recording and is generally pretty fast. Never knew how useful a screen recorder was until my friend needed to record a training session. Windows version is like me trying to run a marathon in a business suit, isn't very functional and pretty slow.

      • Jeez, you just reminded me of one of the things that pushed me to switch to OSX. The Realplayer menace - shudder.

    • Exactly. It doesn't really target OS X, it targets complete morons.
    • Re: (Score:3, Funny)

      by Anonymous Coward

      You and the summary left out the best part: the installer's name is "Free Twit Tube." Almost as bad as a girl on a dating site agreeing to go out with someone with the username "DonkeyPunchLover."

    • Exactly. And given past trends, it's entirely likely that there will be a malware definition update pushed out to all Macs running the last few iterations of OS X within the next 24-48 hours, rendering this threat moot.

      Moreover, even in the case of idiotic users, the default behavior on all new Macs is to not allow installs from unregistered developers. I.e. This malware will only work against folks who ignore all warnings and are using something other than the latest release, which had an extremely fast ad

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        And then, after downloading, and authenticating the install, OS-X also reminds you that it is from the Internet and you might want to pause and consider before actually launching the program.

        It really does target people who *want* to run it.

    • by smash ( 1351 )
      You also forgot - bypass gatekeeper or click through the "are you sure, this is unsigned code?" warning.
  • Yontoo has been around already, and not just @ Macs. I recently removed it from a Windows 7 PC. The uninstaller does not uninstall (shock!) ... one needs to remove registry keys to prevent this thing from sticking itself into Chrome, IE, etc. Spybot will find it well before Norton and others.
    • Luckily for Mac users though, that if it installs from a standard PKG or MPKG (which another comment above basically states) you can go to /var/db/receipts and get the entire bill of materials for that package with the lsbom command.

      Pipe that into a delete routine, and you're all set.

      (this works as a fairly effective uninstall for most PKG installs)

      • Interesting. Is that how apps like AppZapper know what to delete when uninstalling some random app?

        I'm not sure how useful it would be for malware though, because when it's run for the first time, it can of course create new copies of files with different names and/or locations.

        • I haven't looked at AppZapper, but I did write a perl script that would uninstall just about any PKG by reversing the order of the lsbom output, and then deleting files, and deleting the directory if it was empty.

          Worked like a champ for getting rid of an application that liked to scribble all over the disk, rather than be a good Mac app and self-contain...

          As for the malware thing, it's got to run from somewhere. As they can't even be bothered to find themselves a proper exploit to get installed, I doubt th

  • In this corner, wearing the green trunks, the Apple FanBoys. In the opposing corner, wearing the blue trunks, the Windows FanBoys. Standing outside the ring, holding the steel folding chair and molotov cocktail, the Linux FanBoys. LET THE GAMES BEGIN!

  • uh oh (Score:5, Interesting)

    by slashmydots ( 2189826 ) on Thursday March 21, 2013 @02:24PM (#43237225)
    Yontoo Layers is a "legitimate" advertising program that just barely complies with US laws. I find it on at least 1 in 3 customer computers at my shop. It has a legit uninstaller and asks for permission to install by piggybacking on freeware and installer framers like's new atrocity. So to call it a trojan is just asking for another Symantec style lawsuit for defamation, etc. You have to call it "possibly unpopular software" now. And if this is coincidentally another Yontoo unrelated to the actual company, that's a whole new depth of deep shit they're in for naming it that. That'd be right up there with naming it Pepsi.
  • by Anonymous Coward

    Lies.. All Lies.. Mac's can't be infected.

  • ibid.

"Hey Ivan, check your six." -- Sidewinder missile jacket patch, showing a Sidewinder driving up the tail of a Russian Su-27