
MacRumors

Yesterday, word surfaced of new malware targeting major browsers on the Mac platform with adware capable of injecting advertising into users' browsing experiences. The malware, known as "Yontoo", masquerades as a video plug-in or download accelerator in order to trick users into installing the package.

As noted by security firm Intego, Apple has already updated its "XProtect" anti-malware system to recognize Yontoo and warn users who attempt to install it on their machines.
Apple has decided the Yontoo Adware has fallen too far on the side of undesirable behavior, as they have released an update to the XProtect.plist definitions file to provide Mac OS X with basic detection for the Yontoo adware as OSX.AdPlugin.i. In testing, it appears this detection is very specific and potentially location-dependent. This extra specificity is likely there so as to catch only the surreptitious installations of this file.
Apple routinely uses its XProtect anti-malware tools, introduced in OS X Snow Leopard, to provide rudimentary protection against threats. It expanded those efforts in OS X Mountain Lion with Gatekeeper, which lets users restrict app installation to software from identified developers registered with Apple, or even to only apps installed through the Mac App Store.

Apple has also been using XProtect to enforce minimum version requirements for plug-ins such as Java and Flash Player, forcing users to upgrade from earlier versions known to have significant security issues.

Article Link: Apple Updates OS X Anti-Malware Definitions to Block 'Yontoo' Adware
 
This is a very good thing, not trying to be critical.

But isn't this a slippery slope towards 'microsoft security essentials'? For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.
 
This solution Apple has seems overly simple, or am I missing something?

Not complaining, it's awesome that they found such a simple way of doing this.

Anyone know exactly how this works?
 
This is a very good thing, not trying to be critical.

But isn't this a slippery slope towards 'microsoft security essentials'? For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.

Shouldn't matter much to you since you're running Windows 7...
 
This is a very good thing, not trying to be critical.

But isn't this a slippery slope towards 'microsoft security essentials'? For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.

I'm not following you here. What is the slippery slope toward MS Security Essentials mean?
 
This solution Apple has seems overly simple, or am I missing something?

Not complaining, it's awesome that they found such a simple way of doing this.

Anyone know exactly how this works?

It is very simple, and that's because it's all that's necessary. Malware for OS X doesn't exploit vulnerabilities or security flaws that would allow it to get around this. They literally ask the user for permission to install themselves (thus "trojans"). All this measure does is alert the user if they attempt to grant permission to something that Apple has blacklisted.
 
This is a very good thing, not trying to be critical.

But isn't this a slippery slope towards 'microsoft security essentials'? For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.

That is why Apple is taking a different track with the "GateKeeper" system that only lets code-signed apps from running, the application "sandbox" model that all App Store apps must use, and doing things in the Kernel to prevent attacks from ever succeeding.

Security should not be a feature that is bolted on after the fact. Security is inherent to the system itself and stuff like plain text passwords should never be saved out to disk via system libraries - they should be hashed and salted always as part of the initial design. And you should trust, but verify any user-provided data and do common-sense safe operations to manipulate user-provided data.
 
One tiny string from Apple and boom, instantly stopped a "half virus". I'd love to see MS pull that off.

----------

You joke now...

... Just wait till OS XI debuts and you'll have to wait for the jailbreak to install third-party apps. ;)

not if we don't upgrade ;)
 
This solution Apple has seems overly simple, or am I missing something?

Not complaining, it's awesome that they found such a simple way of doing this.

Anyone know exactly how this works?

Some poor guy at Apple had to download the software, then Apple examined it, and found how to identify it. Any software that you download is checked against a growing list of software that Apple recommends _very_ urgently to not install, and this software is on the list.

These guys will probably modify their software so it won't be recognized, try to spread it again, Apple will block it again, and that will be repeated a few times. By that time this will become too costly and they give up. That's probably the intention behind a simple check that they can get around: To add cost to the malware creators. Since nowadays the purpose of creating malware is making money, making it costly deters them.
 
Great news. Though I've said it before, all software must pass through my built-in antivirus called "common sense." It's updated frequently.

So I'm not too worried.

I have plenty of common sense and have no clue when I installed it. I only saw ads in Google Chrome (which I rarely use), which is why I'm not sure when. I was actually able to browse the package contents of Chrome and delete it off my Mac before Apple recognized it as adware.
 
I get the MacKeeper pop-up when visiting certain sites a couple of times a week recently, but when it was bigger news I never ever got the pop-up haha. I would have thought Apple would implement a MacKeeper blocker in Safari or OS X by now.
 
I get the MacKeeper pop-up when visiting certain sites a couple of times a week recently, but when it was bigger news I never ever got the pop-up haha. I would have thought Apple would implement a MacKeeper blocker in Safari or OS X by now.

Unfortunately, MacKeeper isn't malware per se. It's just a really bad app that can wreak havoc on some systems. Heck, Macworld gave it a 3.5 out of 5 review! :eek:
 
I hope that's not true, otherwise this XProtect is useless, as botnet owners would have already changed the name of the file by now.

Well, I hope the same, but that .plist file shown above seems to only register the name of the file. I don't see any kind of CRC or any other identifier.

I really hope there are more identifiers! :eek:
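To make the mechanism discussed in the article and in the posts above concrete (a definitions file consulted when a download is opened, name-based versus content-based matching, and the plug-in minimum-version rules), here is an added, constructed Python example. It is not Apple's code and does not reproduce the real XProtect.plist schema: the keys `Signatures`, `FileNamePattern`, `SHA256` and `PlugInMinimumVersions`, the bundle identifier `com.example.flashplayer`, the version threshold and the sample installer bytes are all invented for illustration. Only the detection name `OSX.AdPlugin.i` comes from the page.

```python
"""Toy, definitions-driven download check modelled loosely on what the thread
describes XProtect doing: a list of known-bad installers plus plug-in minimum
versions, consulted when a quarantined download is opened.

Constructed example. The definitions schema (keys 'Signatures',
'PlugInMinimumVersions', and so on) is invented for illustration and is not
Apple's XProtect.plist format; the sample installer bytes are not malware.
"""
import hashlib
import plistlib
import re

# Constructed stand-in for a downloaded installer. Its hash is what the
# definitions below pin, so renaming the file does not change it.
SAMPLE_INSTALLER = b"constructed sample installer, not a real package\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Definitions are built as a dict and serialised with plistlib so the example
# also exercises the property-list parsing a real checker would do.
DEFINITIONS_BLOB = plistlib.dumps({
    "Signatures": [
        {
            "Description": "OSX.AdPlugin.i",          # detection name from the Intego quote
            "FileNamePattern": r"^Yontoo.*\.pkg$",    # hypothetical: name-based rule
            "SHA256": sha256_hex(SAMPLE_INSTALLER),   # hypothetical: content-based rule
        }
    ],
    "PlugInMinimumVersions": {
        # hypothetical bundle id and threshold; Apple's real keys differ
        "com.example.flashplayer": "11.6.602.180",
    },
})


def load_definitions(blob: bytes) -> dict:
    return plistlib.loads(blob)


def match_signatures(defs: dict, filename: str, data: bytes) -> list:
    """Return (description, reason) pairs for every rule the download trips.

    Name rules are cheap but trivially evaded by renaming; hash rules survive a
    rename but not a single changed byte, which is why definitions must be
    re-issued every time the distributor repacks the installer.
    """
    hits = []
    digest = sha256_hex(data)
    for sig in defs.get("Signatures", []):
        pattern = sig.get("FileNamePattern")
        if pattern and re.match(pattern, filename, re.IGNORECASE):
            hits.append((sig["Description"], "name"))
        if sig.get("SHA256") == digest:
            hits.append((sig["Description"], "hash"))
    return hits


def parse_version(version: str) -> tuple:
    """'1.6.0_37' -> (1, 6, 0, 37). Compare numerically, not as strings,
    so that '11.6' correctly exceeds '9.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def plugin_blocked(defs: dict, bundle_id: str, installed: str) -> bool:
    """True when the installed plug-in is older than the definitions' minimum."""
    minimum = defs.get("PlugInMinimumVersions", {}).get(bundle_id)
    if minimum is None:
        return False  # no rule for this plug-in: nothing to enforce
    return parse_version(installed) < parse_version(minimum)


def scan_download(defs: dict, filename: str, data: bytes) -> dict:
    hits = match_signatures(defs, filename, data)
    return {"verdict": "block" if hits else "allow", "matches": hits}


def main() -> None:
    defs = load_definitions(DEFINITIONS_BLOB)
    # 1. As distributed: both the name rule and the hash rule fire.
    print(scan_download(defs, "Yontoo Installer.pkg", SAMPLE_INSTALLER))
    # 2. Renamed by the distributor: only the hash rule still fires.
    print(scan_download(defs, "VideoPlugin.pkg", SAMPLE_INSTALLER))
    # 3. Renamed and repacked (one extra byte): nothing fires until new definitions ship.
    print(scan_download(defs, "VideoPlugin.pkg", SAMPLE_INSTALLER + b"\x00"))
    # 4. Plug-in minimum-version enforcement.
    for installed in ("11.5.502.149", "11.6.602.180", "11.6.602.171"):
        state = "blocked" if plugin_blocked(defs, "com.example.flashplayer", installed) else "allowed"
        print(installed, state)


if __name__ == "__main__":
    main()
```

The three `scan_download` calls in `main()` walk through the argument made in the thread: a rename defeats a name-only rule, a content hash survives the rename, and a repacked installer defeats both until Apple pushes the next definitions update.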
 
For now xprotect surely uses less system resources, but I'd wager that eventually the day will come for antivirus/antimalware on osx.

Isn't it already there? I mean, why do we need to manage it ourselves - I like this approach. It just works (in the background) :D
 
I'm not following you here. What is the slippery slope toward MS Security Essentials mean?

MS Security Essentials is a free antivirus/anti-malware product maintained by Microsoft. If the user has it installed (and has Windows Update enabled), you really have to screw up to get your machine infected. It is always using system resources. I've always viewed the lack of a need to waste resources running AV as a great advantage of OS X. XProtect seems like a gateway drug to a full AV and a 'waste' of system resources. ...Well, maybe it's a personal problem that I hate to waste power on AV.

----------

Shouldn't matter much to you since you're running Windows 7...

Well, I like OSX enough to buy a headless, upgradable Mac if Apple made one..
 