OSX/Dockster Spyware

On November 30th, Intego blogged about OS X spyware it calls OSX/Dockster.A. This relatively simple backdoor trojan, found on VirusTotal, provides a remote shell that gives an attacker access to the system, provides a channel for downloading additional files, and has keylogger functionality. Intego flagged it as low-risk, since at that time it was not known to be in the wild. It was, however, suggested that its upload to VirusTotal might have been intended as a test before pushing it to the public.

Sure enough, F-Secure has blogged today (3rd December 2012) about a Dalai Lama-related website from which the Java-based exploit for CVE-2012-0507 (also used by Sabpab and Flashback) is being used to push the Dockster malware. While neither F-Secure nor Sophos seem sure whether Hxxp://gyalwarinpoche.com is a legitimate site that has been compromised, it is, in fact, the Dalai Lama’s Tibetan-language site, set up in 2010.

However, this isn’t the first time the site has been compromised in order to attack sympathizers of the exiled Dalai Lama. Sophos informs us that it has been blocking the site for users of its software since it noticed a security problem with the site in October 2012, and it calls the malware OSX/Bckdr-RNW.
