
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,555
30,882



Yesterday, word surfaced of new malware targeting major browsers on the Mac platform with adware capable of injecting advertising into users' browsing experiences. The malware, known as "Yontoo", masquerades as a video plug-in or download accelerator in order to trick users into installing the package.

[Image: yontoo_xprotect.jpg]
As noted by security firm Intego, Apple has already updated its "Xprotect" anti-malware system to recognize Yontoo and warn users who attempt to install it on their machines.
Apple has decided the Yontoo Adware has fallen too far on the side of undesirable behavior, as they have released an update to the XProtect.plist definitions file to provide Mac OS X with basic detection for the Yontoo adware as OSX.AdPlugin.i. In testing, it appears this detection is very specific and potentially location-dependent. This extra specificity is likely there so as to catch only the surreptitious installations of this file.
Apple routinely uses its Xprotect anti-malware tools introduced in OS X Snow Leopard to provide rudimentary protection against threats, and has expanded its efforts in OS X Mountain Lion with the introduction of Gatekeeper to allow users to restrict app installation to software from identified developers registered with Apple, or even to only apps installed through the Mac App Store.

Apple has also been using Xprotect to enforce minimum version requirements for plug-ins such as Java and Flash Player, forcing users to upgrade from earlier versions known to have significant security issues.

Article Link: Apple Updates OS X Anti-Malware Definitions to Block 'Yontoo' Adware
 

gotluck

macrumors 603
Dec 8, 2011
5,712
1,204
East Central Florida
This is a very good thing, not trying to be critical.

But isn't this a slippery slope towards 'microsoft security essentials'? For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.
 

Crzyrio

macrumors 68000
Jul 6, 2010
1,587
1,110
This solution Apple has seems overly simple, or am I missing something?

Not complaining, it's awesome that they found such a simple way of doing this.

Anyone know exactly how this works?
 

HenryDJP

Suspended
Nov 25, 2012
5,084
843
United States
This is a very good thing, not trying to be critical.

But isn't this a slippery slope towards 'microsoft security essentials'? For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.

Shouldn't matter much to you since you're running Windows 7...
 

SandboxGeneral

Moderator emeritus
Sep 8, 2010
26,482
10,051
Detroit
This is a very good thing, not trying to be critical.

But isn't this a slippery slope towards 'microsoft security essentials'? For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.

I'm not following you here. What does the slippery slope toward MS Security Essentials mean?
 

epmatsw

macrumors member
Jun 18, 2007
78
1
This solution Apple has seems overly simple, or am I missing something?

Not complaining, it's awesome that they found such a simple way of doing this.

Anyone know exactly how this works?

It is very simple, and that's cause it's all that's necessary. Malware for OSX doesn't exploit vulnerabilities or security flaws that would allow it to get around this. They literally ask the user for permission to install themselves (thus "trojans"). All this measure does is alert the user if they attempt to grant permission to something that Apple has blacklisted.
 

Sayer

macrumors 6502a
Jan 4, 2002
981
0
Austin, TX
This is a very good thing, not trying to be critical.

But isn't this a slippery slope towards 'microsoft security essentials'? For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.

That is why Apple is taking a different track with the "GateKeeper" system that only lets code-signed apps run, the application "sandbox" model that all App Store apps must use, and doing things in the Kernel to prevent attacks from ever succeeding.

Security should not be a feature that is bolted on after the fact. Security is inherent to the system itself and stuff like plain text passwords should never be saved out to disk via system libraries - they should be hashed and salted always as part of the initial design. And you should trust, but verify any user-provided data and do common-sense safe operations to manipulate user-provided data.
 

turtlez

macrumors 6502a
Jun 17, 2012
977
0
one tiny string from Apple and boom, instantly stopped a "half virus". I'd love to see MS pull that off.

----------

You joke now...

... Just wait till OS XI debuts and you'll have to wait for the jailbreak to install third-party apps. ;)

not if we don't upgrade ;)
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,565
This solution Apple has seems overly simple, or am I missing something?

Not complaining, it's awesome that they found such a simple way of doing this.

Anyone know exactly how this works?

Some poor guy at Apple had to download the software, then Apple examined it, and found how to identify it. Any software that you download is checked against a growing list of software that Apple recommends _very_ urgently to not install, and this software is on the list.

These guys will probably modify their software so it won't be recognized, try to spread it again, Apple will block it again, and that will be repeated a few times. By that time this will become too costly and they give up. That's probably the intention behind a simple check that they can get around: To add cost to the malware creators. Since nowadays the purpose of creating malware is making money, making it costly deters them.
 

zed1291

macrumors regular
Jun 4, 2010
200
238
NYC
Great news. Though I've said it before, all software must pass through my built-in antivirus called "common sense." It's updated frequently.

So I'm not too worried.

I have plenty of common sense and have no clue when I installed it. I only saw ads in Google Chrome (which I rarely use), which is why I'm not sure when. I was actually able to browse the package contents of Chrome and delete it off my Mac before Apple recognized it as adware.
 

turtlez

macrumors 6502a
Jun 17, 2012
977
0
I get the MacKeeper pop-up when visiting certain sites a couple of times a week recently, but when it was bigger news I never ever got the pop-up haha. I would have thought Apple would implement a MacKeeper blocker in Safari or OS X by now.
 

Silvereel

macrumors 6502
Jan 19, 2010
349
1
I get the MacKeeper pop-up when visiting certain sites a couple of times a week recently, but when it was bigger news I never ever got the pop-up haha. I would have thought Apple would implement a MacKeeper blocker in Safari or OS X by now.

Unfortunately, MacKeeper isn't malware per se. It's just a really bad app that can wreak havoc on some systems. Heck, Macworld gave it a 3.5 out of 5 review! :eek:
 

Amazing Iceman

macrumors 603
Nov 8, 2008
5,315
4,066
Florida, U.S.A.
I hope that's not true, otherwise this XProtect is useless as botnet owners would have already changed the name of the file by now.

Well, I hope the same, but that .plist file shown above seems to only register the name of the file. I don't see any kind of CRC or any other identifier.

I really hope there are more identifiers! :eek:
 
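The thread above describes XProtect as a definitions list that each download is checked against, and the last two posts wonder whether the entry matches only on file name rather than on a checksum. The following is an added illustration, not code from the page, from Apple or from Intego: it builds a simplified, constructed definitions plist with one file-name rule and one SHA-1 content rule (the key names MatchFileName and MatchSHA1 and the sample bytes are invented for this example and are not Apple's real XProtect.plist schema) and shows why a name-only signature is both easier to dodge and more prone to false positives than a content hash.

```python
import hashlib
import plistlib

# Constructed stand-in for the installer bytes an analyst would have examined.
KNOWN_SAMPLE = b"constructed-yontoo-style-installer-payload"


def build_definitions() -> bytes:
    """Serialize a simplified, constructed XProtect-style definitions plist.

    Two rule styles are shown: a file-name rule (the kind the forum poster
    suspected) and a content-hash rule. The key names are invented for this
    example and are not Apple's real XProtect.plist schema.
    """
    rules = [
        {"Description": "OSX.AdPlugin.i", "MatchFileName": "Yontoo.pkg"},
        {"Description": "OSX.Constructed.Hash",
         "MatchSHA1": hashlib.sha1(KNOWN_SAMPLE).hexdigest()},
    ]
    return plistlib.dumps(rules)


def scan_download(definitions: bytes, filename: str, content: bytes) -> list:
    """Return the Description of every rule the download trips (empty = clean).

    Mirrors the user-facing behaviour described in the thread: the file is
    compared against the definition list and the user is warned on a hit.
    """
    digest = hashlib.sha1(content).hexdigest()
    hits = []
    for rule in plistlib.loads(definitions):
        name_hit = rule.get("MatchFileName") == filename
        hash_hit = rule.get("MatchSHA1") == digest
        if name_hit or hash_hit:
            hits.append(rule["Description"])
    return hits


if __name__ == "__main__":
    defs = build_definitions()
    # Original sample under its original name: both rules fire.
    print(scan_download(defs, "Yontoo.pkg", KNOWN_SAMPLE))
    # Same bytes renamed: only the hash rule still fires, which is why a
    # name-only signature is the weaker of the two.
    print(scan_download(defs, "VideoPlugin.pkg", KNOWN_SAMPLE))
    # Unrelated file that merely shares the name: the name rule misfires.
    print(scan_download(defs, "Yontoo.pkg", b"unrelated benign bytes"))
```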

Mike MA

macrumors 68020
Sep 21, 2012
2,089
1,811
Germany
For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.

Isn't it already there? I mean, why do we need to manage it ourselves - I like this approach. It just works (in the background) :D
 

gotluck

macrumors 603
Dec 8, 2011
5,712
1,204
East Central Florida
I'm not following you here. What does the slippery slope toward MS Security Essentials mean?

MS Security Essentials is a free antivirus/antimalware program maintained by Microsoft. If the user has it installed (and has Windows Update enabled), you really have to screw up to get your machine infected. It is always using system resources. I've always viewed the lack of a need to waste resources running AV as a great advantage of OSX. xProtect seems like a gateway drug to a full AV and a 'waste' of system resources. ...Well, maybe it's a personal problem that I hate to waste power on AV

----------

Shouldn't matter much to you since you're running Windows 7...

Well, I like OSX enough to buy a headless, upgradable Mac if Apple made one..
 