Intego passed along word about a new variant of a trojan horse, called OSX.RSPlug.D. Like many trojan horses, it relies upon social engineering to catch its victims. Upon visiting a pornographic website (cough), you’re prompted to install a new plugin to handle content.
Naive users will click OK, let the disk image download, and then either continue through the installer when it comes up or launch it themselves. If you’re savvy, you’ll click Cancel, but you’ll then get a second dialog with only an OK button, which sends you back to the original prompt.
Obnoxious. The only way out of the loop is either to download or to quit the browser. The correct choice should be obvious (hint: quit the browser).
While I appreciate Intego’s continued vigilance and their reminder that their own VirusBarrier X5 will protect against this threat, I do find it amusing that I got three emails from them yesterday. The latter two were information about this malware (much appreciated). The first was an announcement about their involvement at Macworld Expo. The first two emails were separated by mere hours.
I wonder how stuff like this is found...
The article just told you: Porn a.k.a. Pron.
Apple has had an enviable security record for Mac OS X so far, but I worry that with the company going from success to success in sales, especially to 'switchers', an enlarged user base will surely result in an increase in bad publicity from Trojan attacks of this kind. Successful in-the-wild remote exploits (no user intervention needed) are unheard of (Inqtana was blocked before it became a danger), virus-infected programs of no concern so long as programs are downloaded only from trusted providers, but it is Trojan horse attacks against thoughtless or careless users that the Mac community has now to guard its reputation against. Education, education, education?
If I were in a position of influence at Apple, I'd be arguing for adding all the prophylactic security measures we could add - without damaging usability or scaring the user - to alert the user to the danger of downloading untrusted programs and plugins.
The problem is - what else can you do, short of preventing users from downloading anything? All I can think of is a mechanism to monitor programs/plugins for 'suspicious' activities, and perhaps not completely to trust newly downloaded items for a short time.
Can anyone tell me how to locate and uninstall this trojan horse?
I have a feeling that I unfortunately and naively have downloaded this on my Mac.
I have looked for the file name OSX.RSPlug.D itself, but have found nothing. Is it hiding in my system somehow? Should I not worry?
Best, Jens