New Mac Malware Found on Dalai Lama Related Website
Acting on a tip, a member of our Threat Research team (Brod) has discovered that a Dalai Lama-related website is compromised and is pushing new Mac malware, called Dockster, using a Java-based exploit.
Page source from gyalwarinpoche.com:
Here’s a screenshot of gyalwarinpoche.com from Google’s cache:
Note: Google's November 27th snapshot also includes the link to the malicious exploit, so don't visit the cached copy either.
The gyalwarinpoche site doesn’t seem to be as “official” as dalailama.com:
And the Whois information is similar:
The Java-based exploit uses the same vulnerability as "Flashback", CVE-2012-0507 (the AtomicReferenceArray sandbox bypass that Oracle patched in February 2012 and Apple patched in its April 2012 Java for OS X update). Current versions of Mac OS X, which no longer ship Java by default, and Macs with the browser's Java plugin disabled should be safe from the exploit. The malware dropped, Backdoor:OSX/Dockster.A, is a basic backdoor that can download files and log keystrokes.
The site also serves an exploit for CVE-2012-4681 (the Java 7 sandbox escape patched in Java 7 Update 7) that delivers a Windows payload, Trojan.Agent.AXMO.
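Both exploits are blocked by a patched runtime, so the first thing to check on a Mac (or Windows box) that visited the site is which Java it has. The following triage script is an added example, not F-Secure tooling: it parses the banner printed by `java -version` and compares it with the fix levels for the two CVEs named above. The fix levels (6u31/7u3 for CVE-2012-0507, 7u7 for CVE-2012-4681, Java 6 unaffected by the latter) are taken from the Oracle advisories and are an assumption the reader should verify against them; the banners in `__main__` are constructed, not captured from a real machine.

```python
"""Java runtime triage for the two CVEs named on this page.

Added example, not F-Secure code. Fix levels are taken from the Oracle
advisories for these CVEs (an assumption the reader should verify):
  CVE-2012-0507 (AtomicReferenceArray, used by Flashback): fixed in 6u31 / 7u3
  CVE-2012-4681 (Java 7 sandbox escape): fixed in 7u7; Java 6 is not affected
A patched runtime is only half the story: a disabled browser plugin blocks the
drive-by regardless of version, and this script does not check the plugin.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Per CVE: Java major family -> first update level that contains the fix.
# A family missing from the map is treated as not affected.
FIXED_IN: Dict[str, Dict[int, int]] = {
    "CVE-2012-0507": {6: 31, 7: 3},
    "CVE-2012-4681": {7: 7},
}

# Matches the legacy "1.<major>.<minor>_<update>" scheme used by Java 5-8,
# e.g. 'java version "1.6.0_29"' or 'java version "1.7.0"' (update 0).
_LEGACY_VERSION = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None when the
    banner does not use the legacy 1.x scheme (Java 9+ is outside the scope
    of these CVEs and is reported as unparsed rather than guessed)."""
    m = _LEGACY_VERSION.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def vulnerable_cves(version: Tuple[int, int]) -> Dict[str, bool]:
    """Map each tracked CVE to True if (major, update) predates its fix."""
    major, update = version
    return {
        cve: (major in fixed and update < fixed[major])
        for cve, fixed in FIXED_IN.items()
    }


def assess_banner(banner: str) -> Dict[str, object]:
    """Combine parsing and lookup into one report dict for a banner string."""
    version = parse_java_version(banner)
    if version is None:
        return {"version": None, "vulnerable": {}, "note": "unrecognised version format"}
    vuln = vulnerable_cves(version)
    note = "update Java or disable the browser plugin" if any(vuln.values()) else ""
    return {"version": version, "vulnerable": vuln, "note": note}


def check_local_java() -> Dict[str, object]:
    """Run `java -version` (which prints its banner to stderr) and assess it.
    Returns an 'unrecognised' report if no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return assess_banner("")
    return assess_banner(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed banners, not captured from a real machine.
    for sample in ('java version "1.6.0_29"', 'java version "1.7.0_06"',
                   'java version "1.6.0_37"'):
        print(sample, "->", assess_banner(sample))
    print("local:", check_local_java())
```

Note that a runtime newer than the fix level still leaves the machine exposed to later Java bugs; the version check only tells you whether the two exploits used on this site would have worked.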
Detection names and MD5 hashes of the samples:
Exploit:Java/CVE-2012-0507.A — 5415777DB44C8D808EE3A9AF94D2A4A7
Backdoor:OSX/Dockster.A — c6ca5071907a9b6e34e1c99413dcd142
Exploit:Java/CVE-2012-4681.H — 44a67e980f49e9e2bed97ece130f8592
Trojan.Agent.AXMO — c3432c1bbdf17ebaf1e10392cf630847
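The four hashes above are enough to sweep a machine for the dropped files. The scanner below is an added example, not F-Secure tooling: it walks a directory, streams each file through MD5 (to match the published IOCs) and SHA-256 (so a hit can be reported with a collision-resistant hash), and returns the matches. The IOC table copies the four MD5s from this post; the `demo_scan` directory and file are constructed for illustration and contain no malware.

```python
"""Hash-match files against the MD5 IOCs listed above.

Added example, not F-Secure tooling. DOCKSTER_IOCS copies the four MD5s
from this post (normalised to lowercase); demo_scan builds a harmless
constructed file to exercise the scanner offline.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, NamedTuple, Tuple

# Detection name keyed by lowercase MD5, as published on this page.
DOCKSTER_IOCS: Dict[str, str] = {
    "5415777db44c8d808ee3a9af94d2a4a7": "Exploit:Java/CVE-2012-0507.A",
    "c6ca5071907a9b6e34e1c99413dcd142": "Backdoor:OSX/Dockster.A",
    "44a67e980f49e9e2bed97ece130f8592": "Exploit:Java/CVE-2012-4681.H",
    "c3432c1bbdf17ebaf1e10392cf630847": "Trojan.Agent.AXMO",
}


class Match(NamedTuple):
    path: str
    md5: str
    sha256: str
    detection: str


def hash_file(path: Path) -> Dict[str, str]:
    """Stream a file once through MD5 and SHA-256 in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def iter_files(root: Path) -> Iterator[Path]:
    """Walk root without following symlinks, yielding regular files only."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                yield p


def scan_directory(root, iocs: Dict[str, str] = DOCKSTER_IOCS) -> List[Match]:
    """Return every file under root whose MD5 appears in the IOC table.
    Hash case is normalised so tables copied from reports match either way."""
    wanted = {k.lower(): v for k, v in iocs.items()}
    hits: List[Match] = []
    for p in iter_files(Path(root)):
        try:
            digests = hash_file(p)
        except OSError:
            continue  # permission denied, file vanished mid-walk, etc.
        name = wanted.get(digests["md5"])
        if name:
            hits.append(Match(str(p), digests["md5"], digests["sha256"], name))
    return hits


def demo_scan() -> Tuple[List[Match], List[Match]]:
    """Constructed demo: write a harmless file, then scan its directory once
    against an IOC table that names it and once against the real page IOCs."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "demo.bin"
        sample.write_bytes(b"constructed sample, not malware")
        # Uppercase key to show that case normalisation works.
        demo_iocs = {hash_file(sample)["md5"].upper(): "Demo.Match"}
        return scan_directory(tmp, demo_iocs), scan_directory(tmp)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for hit in scan_directory(sys.argv[1]):
            print(f"{hit.detection}\t{hit.path}\tmd5={hit.md5}\tsha256={hit.sha256}")
    else:
        print(demo_scan())
```

Run it as `python scan.py /` (or a user's home directory) to sweep a suspect Mac; with no argument it runs the constructed demo. A hash sweep only finds these exact samples, so treat a clean result as "these files are absent", not as "the machine is clean".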
On 03/12/12 At 11:08 AM