Reply
Trusted Contributor
Rusli
Posts: 647
Registered: ‎06-06-2011

Trojan Adware for Mac OS X "Yontoo.1"

Hi

 

Please take note of this Adware Trojan Yontoo.1 for Mac OS X.

 

currently Drweb and Eset Nod Cybersecurity detects this adware.

 

http://news.drweb.com/show/?i=3389&lng=en&c=9

 

 

Other news on Mac OS X Security from F-Secure Weblog website.

 

http://www.f-secure.com/weblog/archives/00002526.html

 

http://www.f-secure.com/weblog/archives/00002525.html

 

For FinFisher trojan

 

please check here for details. (Affected SymbianOS, iOS iphone, Android, Windows, Macs etc)

 

http://www.f-secure.com/v-descs/trojan-spy_w32_finspy_a.shtml

 

http://www.f-secure.com/weblog/archives/00002523.html

 

http://www.theregister.co.uk/2013/03/19/finfisher_spyware_apac_countries/

Trusted Contributor
Rusli
Posts: 647
Registered: ‎06-06-2011

Re: Trojan Adware for Mac OS X "Yontoo.1" Removal.

Currently Dr Web, Eset Nod Cyber Security and Sophos detected this virus.

 

For instance Dr Web for Light for Mac Antivirus, Eset Nod Cyber Security Antivirus for Mac (Paid) and Sophos Antivirus for Mac Free.

 

Sophos ... check this link.

 

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Yontoo-B.aspx

 

Below is a detail instruction of removing the adware Yontoo trojan.

 

Ref:- http://reviews.cnet.com/8301-13727_7-57575543-263/how-to-remove-yontoo-adware-trojan-from-your-os-x-...

 

How to remove 'Yontoo' adware Trojan from your OS X system

A new Trojan lures users to install a Web plug-in that tracks browsing and presents ads. Here's how to remove it.

 

by Topher Kessler   March 21, 2013 10:02 AM PDT

 

Security company Dr. Web is reporting on a new adware Trojan attack that is targeting Mac users, where malicious Web sites will trick users into installing a plugin that will track your browsing and display ads to you.

The malware, called "Yontoo," will be first encountered as a media player, download manager, or other plug-in requirement for viewing contents on some maliciously crafted Web sites disguised as sources for file sharing and movie trailers. When the plug-in prompt is clicked, you're redirected to a site that downloads the Trojan installer and requires you to run it. The installer is for a fake program called "Twit Tube," that when installed will place a Web plug-in or extension called "Yontoo" that will run in popular browsers like Safari, Chrome, and Firefox.

When the malware is running, affected systems will be actively tracked for browsing behaviors, and legitimate Web sites will be hijacked with ad banners and other content that attempts to lure you into clicking it.

Safari plug-ins menu

This menu option in Safari will show you the installed plug-ins, which you can review for the presence of Yontoo or any other unwanted plug-ins.

(Credit: Screenshot by Topher Kessler/CNET)

The malware appears to be an ad-revenue attempt by the criminals behind it, but if you have recently installed a suspicious plug-in on your system and are seeing bizarre deal links appearing on frequented Web sites, then check your installed plug-ins for any trace of this malware. You can do this in Safari and Chrome by going to the "Extensions" preferences to see if one called Yontoo is present there, but you can also select the "Installed Plug-Ins" option in Safari's Help menu to view information on your plug-ins. For Chrome, copy and paste the URL "chrome://plugins/" into your browser's address field to get to its plug-in settings. In Firefox you can choose "Add-Ons" from the Tools menu to check for extensions and plug-ins.

If you find a trace of the Yontoo plug-in on your system, then although you can disable it in each Web browser, a more-thorough option is to go to the Macintosh HD > Library > Internet Plug-Ins folder and remove the plug-in manually. Additionally, you should check the plug-in folder for your home directory, which can be accessed by choosing Library from the Go menu in the Finder (hold the Option key to reveal the library in this menu if it is missing), and then locate the Internet Plug-Ins folder in here. When the plug-in is removed, quit and relaunch your browsers.

Since Web plug-ins are one method for malware developers to target a system, one thing you can do to help ward off attacks is to get an inventory of your Web plug-ins folders so you know exactly what is in them, and then be able to better investigate any new items placed there. Another similar approach is to set up a monitoring service in OS X that will inform you whenever new items are placed in the Internet Plugins folders on your system. I recently outlined a method for doing this to monitor Launch Agent folders on a Mac, and you can similarly apply this method to the following two directory paths in addition to the Launch Agent paths outlined in the article:

Macintosh HD > Library > Internet Plug-Ins Macintosh HD > Users > username > Library > Internet Plug-Ins

 

And another site...

 

http://www.maclife.com/article/news/yontoo_adware_trojan_infecting_macs_heres_how_stop_it

 

Yontoo Adware Trojan is Infecting Macs, Here's How to Stop It 

Trusted Contributor
Rusli
Posts: 647
Registered: ‎06-06-2011

Re: Trojan Adware for Mac OS X "Yontoo.1" Removal.

[ Edited ]

Hope that will help you guys solve the problems.

 

All thanks to Cnet and Maclife.

 

 

Download Dr Web for Light for Mac Antivirus here.(Free)

 

http://www.freedrweb.com/drweb+mac+light/

Trusted Contributor
Rusli
Posts: 647
Registered: ‎06-06-2011

Re: Trojan Adware for Mac OS X "Yontoo.1" Removal.

Macs do have malware and trojans!

 

There are many spywares which antivirus company cannot detect any.

 

For Mac Spyware

 

use macscan.securemac.com

Trusted Contributor
Rusli
Posts: 647
Registered: ‎06-06-2011

Re: Apple Xprotect Detections!

Apple include the Yontoo.1 Xprotect detection.

 

Please refer this link for details.

 

http://reviews.cnet.com/8301-13727_7-57575792-263/apple-fights-yontoo-trojan-with-xprotect-update/

 

Apple fights Yontoo Trojan with XProtect update

New XProtect definitions identify Yontoo as "OSX.AdPlugin.i" and block all but the latest versions of Java.

 March 22, 2013 10:37 AM PDT

Following news of the new adware Web plug-in Trojan found to be affecting OS X systems, Apple has released an XProtect malware definitions update to protect anyone who stumbles across it.

The Trojan, called Yontoo, is initially disguised as a media player or download manager plug-in and distributed on underground file-sharing and movie trailer Web sites. When installed it pretends to be a player called Twit Tube but installs the Yontoo plug-in. This plug-in will work in all Web browsers to track your browsing behaviors and then present ads on legitimate Web sites.

Unlike other malware that can hide itself in a number of areas in the system, this malware is ultimately a basic Web plug-in that can easily be removed manually from the system's plug-in directory. However, to help protect its users Apple has issued an update for its XProtect system so it will now identify the malware before it is installed.

XProtect is a rudimentary background scanner that will check for malware in newly downloaded files as well as limit the use of out-of-date and potentially insecure Web plug-ins like Java and Flash.

In the latest definitions, Apple identifies the Yontoo malware as "OSX.AdPlugin.i," so if anyone stumbles across it the system should issue a warning message that mentions this name.

In addition to the definitions for the Yontoo malware, Apple's latest update changes the minimum Java version allowed to reflect the latest versions of the plug-in (version 1.7.17.06 and 1.6.0_43-b01-447), so some Java users may experience a blocked plug-in message until they update.