This article was published on March 22, 2013

In under 24 hours, Apple updates malware definitions to detect Yontoo adware for Chrome, Firefox, and Safari

On Wednesday night we broke the news that a new trojan for OS X had been discovered, which downloaded and installed adware that in turn injected ads into pages browsed by Chrome, Firefox, and Safari (the most popular browsers on Apple’s desktop platform). As always, Apple has moved quickly to add definitions for the malware to its “Xprotect.plist” blacklist, as first spotted by security firm Intego.

A day is a very quick turnaround and Apple should be applauded for taking initiative to mitigate the issue. The definitions are part of the company’s basic anti-malware tools launched with OS X Snow Leopard in August 2009.

It’s worth noting that the Russian security firm Doctor Web, which found the threat, first posted about it on Monday night. Apple did not become aware of the threat until the story got picked up by multiple publications during the day on Thursday, however, so we’re still impressed to see the speedy update, which according to our own checks went out on Friday at 2:42AM PST.

The threat, detected as “Trojan.Yontoo.1” by Russian security firm Doctor Web, is part of a wider scheme of adware for OS X that has “been increasing in number since the beginning of 2013,” according to the company. The malware attempts to monetize its attack by injecting ads in the hopes that users will generate money for its creators by viewing (and maybe even clicking) them.

To spread Yontoo onto Macs, Doctor Web says criminals have used movie trailer pages that prompt users to install a browser plugin, a media player, a video quality enhancement program, or a download accelerator. When users browse the web on an infected machine, the threat sends information about each loaded page to a remote server, which responds with a file that lets the trojan embed third-party code into the pages the user visits.

Hopefully Apple’s fix will be able to stop Yontoo in its tracks, although variants are bound to show up.

See also – First OS X fake installer malware spotted, as SMS scams are ported from Windows and Android to Mac and Sophos declares 2012 the year of Android and Mac malware, as cybercriminals look beyond Windows

Top Image credit: David Tipton
