New Mac Malware Strikes Again

  • 5 December 2012

Hey All,
 
So you may have heard earlier about the discovery of new "Dockster" Mac malware on a site linked to the Dalai Lama. So what is it, exactly?
 
Here's what we know.
 
  • The site, dedicated to the Dalai Lama, is Gyalwarinpoche.com, and the remote address (contacted via the backdoor) is itsec.eipc.net (please do not visit either of these sites at this time).
  • "Dockster" is a Java-based exploit, which uses the same vulnerability as the Flashback malware that hit an estimated 600k Macs earlier this year.
  • At this time, "Dockster" is still considered low-risk and isn't known to be widespread. Also, the exploit code is corrected in the latest version of Java.
  • What happens is that the Trojan deletes itself from the location it was run (the aforementioned site) and installs itself in the user's home directory under the name .Dockset. This file isn't visible through Finder, but it can be seen within OS X's Activity Monitor if it's running.
  • It then creates a launch agent called mac.dockset.daemon so that the Trojan will restart each time the user logs in.
  • The backdoor provides a simple remote shell which allows the Trojan's controller remote access and allows the controller to download additional files. It also logs keystrokes.
So what does this mean from a broader perspective? Between "Dockster", its older "Flashback" cousin, and others, we should all be aware by now that Macs are not immune to malicious attacks. As they continue to increase in popularity, hackers and malware authors will continue to exploit them and develop malware specifically targeting Mac OS. This year saw a big jump in the number of Trojans that target Macs and we expect this trend to increase in 2013.
 
So, just like PC users, Mac users need to be aware of the threats and make sure their machines are armed with some great internet security.
 
Cheers,
 
 

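As an added example (not part of the original post), the script below checks a home directory for the two persistence artifacts the post describes: the hidden `.Dockset` file and a launch agent labelled `mac.dockset.daemon`, plus a running process by that name. The launch agent plist filename is not given in the post, so the check greps every plist in `~/Library/LaunchAgents` for the label rather than assuming a filename.

```shell
#!/bin/sh
# Added defender-side check for the Dockster persistence indicators named in the post.
# Not the original post's code. Assumption: the launch agent lives in the user's
# ~/Library/LaunchAgents and carries the label mac.dockset.daemon somewhere in its plist.
#
# Usage: check_dockster_indicators [home_dir]
#   Prints each finding; returns 0 when nothing is found, 1 when at least one indicator hits.
check_dockster_indicators() {
    home="${1:-$HOME}"
    found=0

    # 1. Hidden binary dropped in the home directory (invisible in Finder, per the post).
    if [ -e "$home/.Dockset" ]; then
        echo "FOUND: hidden file $home/.Dockset"
        found=1
    fi

    # 2. Launch agent that restarts the Trojan at login. Scan all plists for the label,
    #    since the plist filename itself is not known from the post.
    agents="$home/Library/LaunchAgents"
    if [ -d "$agents" ]; then
        for plist in "$agents"/*.plist; do
            [ -f "$plist" ] || continue
            if grep -q "mac.dockset.daemon" "$plist"; then
                echo "FOUND: launch agent referencing mac.dockset.daemon: $plist"
                found=1
            fi
        done
    fi

    # 3. Running process named .Dockset (the post notes it shows up in Activity Monitor).
    #    ps output is ignored if ps is unavailable; the check simply reports nothing.
    if ps -axo comm= 2>/dev/null | grep -q '\.Dockset'; then
        echo "FOUND: running process matching .Dockset"
        found=1
    fi

    return $found
}
```

Run it as `check_dockster_indicators "$HOME"` after sourcing the file; a non-zero exit means at least one indicator was present and the machine deserves a closer look.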