More Mac Malware Found By Intego
December 4, 2012

New Mac Malware Found Which Targets Followers Of The Dalai Lama

Michael Harper for — Your Universe Online

Earlier this spring, a Russian security firm discovered a trojan piece of malware which took advantage of a Java vulnerability on many computers, Macs and PCs alike. This trojan, known as “Flashback,” was used to enlist some 600,000 infected computers into a botnet. Some of these computers were even located at Apple's own 1 Infinite Loop campus in Cupertino, California.

Now, the security experts at Intego have discovered yet another piece of Mac malware that uses the same Java exploit as the previous Flashback trojan. According to F-Secure, a Dalai Lama related Web site is responsible for pushing out this Mac malware, which is known as “Dockster.”

This malware was first discovered by Intego on November 30 and was considered a low risk in the beginning. At the time, no infected users had been reported. Yesterday, Intego issued an update, saying: “This malware is now known to be in the wild, on a website dedicated to the Dalai Lama, and the remote address contacted by the backdoor is now active.”

Apple and Oracle (maker of Java) updated their software soon after Flashback made headlines in April. Given that fix, and the tendency of Apple users to update their software as soon as patches are released, it's likely that very few Macs are vulnerable to this new Dockster malware.

Intego agrees, and is still considering it low-risk.

Dockster has been found to use the same exploit code as the earlier SabPub malware to install a backdoor on the machine.

According to Intego, this malware has a “very basic” backdoor functionality, bringing along with it a keylogger and file download capabilities.

Dockster is also said to install a launch agent called mac.dockset.deman, which is started again each time the user logs in to their Mac, so the backdoor survives reboots.

When Dockster becomes active, it attempts to contact a web address and await instructions, but according to Intego's initial report on November 30, that address had not yet been registered.
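The login-persistence behaviour described above is what a defender would look for on a suspect Mac: a launch agent plist that runs at load and points at an executable outside the usual application directories. The following triage script is an added example, not code from Intego or from this article; the two plists are constructed samples (only the label mac.dockset.deman comes from the report, the file paths are made up), and the trusted-prefix list is an assumption a real deployment would tune.

```python
import plistlib

# Constructed LaunchAgent plists standing in for ~/Library/LaunchAgents/*.plist.
# The first is a benign updater; the second mimics the reported Dockster agent.
SAMPLE_PLISTS = {
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "mac.dockset.deman.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>mac.dockset.deman</string>
  <key>ProgramArguments</key><array>
    <string>/Users/victim/Library/.hidden/deman</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
}

KNOWN_BAD_LABELS = {"mac.dockset.deman"}  # label reported by Intego
# Assumed locations from which a login agent is normally allowed to run.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/")


def triage_launch_agent(name, data):
    """Parse one plist and return the reasons (if any) it looks suspicious."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = args[0] if args else ""
    reasons = []
    if label in KNOWN_BAD_LABELS:
        reasons.append("label matches known Dockster agent")
    if plist.get("RunAtLoad") and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("runs at login from a non-standard path")
    if "/." in program:
        reasons.append("program lives in a hidden directory")
    return {"file": name, "label": label, "program": program, "reasons": reasons}


def suspicious_agents(plists):
    """Return triage records for every plist that raised at least one reason."""
    results = (triage_launch_agent(n, d) for n, d in plists.items())
    return [r for r in results if r["reasons"]]


if __name__ == "__main__":
    for hit in suspicious_agents(SAMPLE_PLISTS):
        print(hit["file"], "->", "; ".join(hit["reasons"]))
```

On a real system the dictionary would be replaced by reading each file under ~/Library/LaunchAgents and /Library/LaunchAgents; the label match alone is brittle, so the path-based checks are what carry over to variants.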

This isn't the first time the Dalai Lama has been used to infect Macs with Trojans, of course. In April, another piece of malware, known as “Backdoor.OSX.SabPub,” or “SabPub,” was found and distributed through Microsoft Office files sent to those who may sympathize with Tibet.

The attackers behind SabPub used a technique known as “Spear-Phishing,” in which a small, chosen group of people is targeted, as opposed to sending out mass emails in the hope that someone will click a link.

Spear-Phishing is used to attack close groups of people, such as college students in the same dorm or co-workers in the same office.

The security team at Securelist found SabPub in a document sent to Tibetan sympathizers with the title “10thMarch Statemnet (sic).”

Every year, the Dalai Lama gives a statement on the anniversary of the Tibetan Uprising of 1959 on March 10.

Dockster and SabPub both target Macs specifically and both use Java exploits to drop backdoors on these machines.

While Intego is still listing this virus as “low-risk,” it is still important to note that they are in the antivirus business and therefore stand to profit from bringing attention to these types of attacks.