MAC ATTACK —

New Mac espionage trojan targets Dalai Lama supporters

Drive-by attack exploits same Java vulnerability used by notorious Flashback.

A website related to the Dalai Lama is hosting attack code that attempts to surreptitiously install OS X-based spy software on the Macs of people who visit.

The backdoor trojan, dubbed Dockster by antivirus providers, has the ability to capture the keystrokes of infected machines. It also provides an interface that allows attackers to download and execute additional malware, according to a brief analysis from F-Secure. Dockster was uploaded to the VirusTotal malware detection service on Friday, presumably by attackers who wanted to see if it was detected by AV services, according to a separate post from competing AV provider Intego.

The drive-by attacks exploit a now-patched vulnerability in Oracle's Java software framework. CVE-2012-0507 is the same Java bug used earlier this year to infect more than 500,000 Mac users with malware known as Flashback. Oracle has since released an update that patches the hole, and recent changes introduced by Apple also remove a Java-based plugin from default versions of OS X. But users who are using older installations or have changed default settings could still be susceptible.

Dockster is only the latest Mac-based threat to hit organizations and people sympathetic to Tibet's conflict with the Chinese government. Earlier this year, researchers uncovered another malware-based espionage campaign that also targeted pro-Tibetan users of OS X.

The exploit pushing Dockster on gyalwarinpoche.com has been active since at least November 27, F-Secure said. The site is also pushing Windows-based malware, but those exploits don't appear to work.
