
New Apple Mac Trojan Called OSX/Dockster Found in the Wild on Tibetan Website

 

Malware: OSX/Dockster

Risk: Low; the threat is not known to be widespread and the vulnerability targeted by the exploit code is corrected by the latest version of Java.

Description: A sample of a new Mac spyware called OSX/Dockster.A was found on VirusTotal on Friday, possibly as part of a test before pushing it to the public. This trojan has backdoor functionality, including a keylogger component that records an affected user’s typing.

This malware is now known to be in the wild, on a website dedicated to the Dalai Lama that has been compromised to deliver the same exploit code as used by SabPab to push Dockster. (This Java vulnerability was also the same one used by Flashback.)

If it’s executed, the trojan deletes itself from the location where it was run and installs itself in the user’s home directory with the filename .Dockset. The file is not visible through Finder; however, if it’s running, it can be seen within OS X’s Activity Monitor. It creates a launch agent called mac.Dockset.deman so that the trojan will restart each time an affected user logs in. Once the trojan is active, it tries to contact the remote address itsec.eicp.net to await instructions.

The backdoor functionality of this trojan is quite basic. It provides a simple remote shell that gives the trojan’s controller remote access, lets the controller download additional files, and logs keystrokes.
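The indicators described above (the hidden .Dockset file, the mac.Dockset.deman launch agent and the itsec.eicp.net address) can be checked from Terminal. The script below is an added example, not part of the original release or of Intego's tooling; it assumes the launch agent sits in the per-user ~/Library/LaunchAgents directory and that any log passed in is a plain-text DNS, proxy or firewall log.

```shell
#!/bin/sh
# Added example: triage one home directory for the OSX/Dockster.A indicators
# named in the advisory (indicator strings are taken from the advisory text).
DOCKSTER_FILE=".Dockset"            # hidden copy in the user's home directory
DOCKSTER_AGENT="mac.Dockset.deman"  # launch agent name
DOCKSTER_HOST="itsec.eicp.net"      # remote address the trojan contacts

# dockster_check HOME_DIR [LOG_FILE]
# Prints one FOUND line per indicator; exit status is the number of hits.
dockster_check() {
    home_dir=$1
    log_file=${2:-}
    hits=0

    # 1. Payload: Finder hides dotfiles, a direct path test does not.
    if [ -e "$home_dir/$DOCKSTER_FILE" ]; then
        echo "FOUND file: $home_dir/$DOCKSTER_FILE"
        hits=$((hits + 1))
    fi

    # 2. Persistence. Assumption: the agent sits in the per-user
    #    LaunchAgents directory; the glob tolerates a .plist suffix.
    for agent in "$home_dir/Library/LaunchAgents/$DOCKSTER_AGENT"*; do
        [ -e "$agent" ] || continue
        echo "FOUND launch agent: $agent"
        hits=$((hits + 1))
    done

    # 3. Network: optional text log (DNS, proxy, firewall), searched for the
    #    hostname as a fixed string, case-insensitively.
    if [ -n "$log_file" ] && [ -r "$log_file" ]; then
        n=$(grep -ciF "$DOCKSTER_HOST" "$log_file" || true)
        if [ "$n" -gt 0 ]; then
            echo "FOUND $n log line(s) naming $DOCKSTER_HOST in $log_file"
            hits=$((hits + 1))
        fi
    fi

    return "$hits"
}

# Stand-alone use (script name is hypothetical): sh dockster_check.sh --scan [LOG]
if [ "${1:-}" = "--scan" ]; then
    dockster_check "$HOME" "${2:-}"
fi
```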

Means of protection: VirusBarrier X6 (www.intego.com/virusbarrier/) protects users from this malware with malware definitions dated November 30, 2012 or later. VirusBarrier X6’s real-time scanner will detect the exploit code as OSX/SabPab.A and OSX/Dockster.A when it is dropped, and its Anti-Spyware protection will block any connections to remote servers if a user has installed the Trojan horse.

VirusBarrier Express and VirusBarrier Plus, available exclusively from the Mac App Store, detect this malware with malware definitions dated November 30, 2012 or later, but these programs do not have a real-time scanner due to limitations imposed by the Mac App Store; users should scan their Macs after they have updated to the latest malware definitions, or manually scan any installer packages they have downloaded if they seem suspicious.

For additional protection against this threat, update to the latest version of Java, which has fixed this vulnerability.


Len Rapoport
Len Rapoport Administrator
IPA Editor-In-Chief, ID: 1000 • I am an internationally published photographer and the founder of International Press Association. As president and editor-in-chief, my duties at IPA are extensive. For over 50 years I have written articles, had my photos published in millions of publications, record album covers, books, and in the digital media. I was senior marketing and sales executive for major corporations, including my own and as a corporate communications consultant. I have taught photography and formed IPA 20 years ago. I currently work from my home office and continue to actively cover media events in addition to all of my other IPA and IMPress responsibilities.