Researchers have discovered a new backdoor Trojan targeting Mac users, which many antivirus vendors are referring to as OSX/Dockster.A.
Dockster is said to be a basic backdoor Trojan that’s capable of capturing keystrokes, downloading arbitrary files and providing an attacker remote access to the system.
According to Intego, upon infection, Dockster will remove itself from the location it was ran and install in the user’s home directory under the filename .Dockset. This file cannot be seen when using Finder, but you will be able to see it using OS X’s Activity Monitor when it’s running.
Once it is all settled in on your Mac, Dockster will phone home to itsec.eicp.net for instructions.
Dockster is actively being served in-the-wild, but is considered a low-risk since it is not widespread and has only been seen on gyalwarinpoche.com, a website dedicated to the Dalai Lama that was compromised to drop the Trojan on visiting computers.
The exploit code used in the attack leverages the same Java vulnerability (CVE-2012-0507) that was used to infect machines with the Flashback & Sabpab Trojans earlier this year. (On a side note, F-Secure warns that this site is rigged with another Java exploit, CVE-2012-4681 to drop Trojan.Agent.AXMO on computers running Windows as well.)
Protecting Your Mac from OSX/Dockster.A
Here are some tips to keep your Mac safe from this threat:
- Keep your operating system fully patched & up-to-date, as Apple has previously released updates to deal with Java-based threats.
- Either toggle Java browser plugins as they’re needed or remove Java from your system if you don’t use it.
- Always run antivirus software on your system. It’s better to be safe than sorry!
Think Your System Has Been Infected?
Thankfully there are a few antivirus programs capable of detecting & removing this threat, so take your pick:
- Intego VirusBarrier X6
- Sophos Anti-Virus for Mac Home Edition (detected as OSX/Bckdr-RNW)
- F-Secure Anti-Virus for Mac