IE 11 is not supported. For an optimal experience visit our site on another browser.

Yontoo Trojan tries to lure Mac users with movie trailers

Dr. Web
Downloading a plug-in to see a movie trailer is one of the ways the Yontoo Trojan gets onto a computer.Dr. Web

Trojan.Yontoo.1 is a nasty bit of software. Already known to security researchers, it has begun sneaking onto computers running OS X by installing an adware plugin via the Chrome, Firefox and Safari Web browsers.

The toxic plugin brings additional ads to the user, part of a money-making scheme if you click on them — but more importantly gives outsiders access to track your Web surfing.

Russian security firm Dr. Web reported the problem, noting that "adware for Mac OS X has been increasing in number since the beginning of 2013. Trojan.Yontoo.1 is the most prominent of them: It can download and install an adware browser plugin in an infected system."

Symantec, too, has taken note of the Trojan for Windows users, where it installs a Web browser extension that displays ads that "appear to be from Facebook."

NBC News asked Apple about Trojan.Yontoo.1, but the company declined to comment.

Dr. Web says there are "several ways" for the Trojan to get onto a computer. Among them are movie trailer pages that ask users to install a browser plugin. In fact, "the prompt only imitates a common dialogue displayed when a plugin needs to be installed or additional configuration is necessary. After clicking on 'Install the plug-in,' the user is redirected to another site from which Trojan.Yontoo.1 is downloaded."

Trojan.Yontoo.1 can also be downloaded as a media player, video quality "enhancement program" or a download accelerator, the firm says.

Dialog window asking users if they want to install Free Twit Tube.Dr. Web

When the Trojan is launched, it shows a dialog window that asks the user if they want to install something called "Free Twit Tube." If the user selects "continue," that's when the Trojan downloads and installs Yontoo in the browser. "While a user surfs the Web, the plugin transmits information about the loaded pages to a remote server," Dr. Web says.

"In return, it gets a file that enables the Trojan to embed third-party code into pages visited by the user," Dr. Web says.

The best thing to do, of course, is make sure your security software is up-to-date. And beware of "free" offerings and "click here" schemes. They generally lead to nothing good, and sometimes, to things that are very bad. Also, if your computer asks your permission to install something called "Free Twit Tube" — just say no!

Check out Technology, GadgetBox, TODAY Tech and In-Game on Facebook, and on Twitter, follow Suzanne Choney.