Posted by: David Harley | December 3, 2012

Dockster in the Wild

[4th December: added link to Infosecurity Magazine article. 6th December, added link to ESET article and Kevin Townsend’s article.]

I previously noted Intego’s blog from 30th November about the OS X spyware it calls OSX/Dockster.A. As I said at the time, it was flagged it as low-risk, as at that time it was not known to be in the wild, though Intego blogger Lysa Myers did suggest that its exposure to Virus Total might be intended as a test before pushing it to the public. And in fact, F-Secure, Sophos, and Intego have all blogged today concerning the fact that the Dalai Lama’s Tibetan language web site Hxxp:// has been compromised with a Java exploit (CVE-2012-0507, also used by Sabpab and Flashback) to push the Dockster malware. (Actually, so did I at Infosecurity Magazine: OSX/Dockster Spyware. And subsequently at ESET: Spying on Tibetan sympathisers and activists: Double Dockster*) And here’s Kevin Townsend’s article at Infosecurity Magazine: Dalai Lama website hack spreads new Mac malware.

It seems clear that this malware is specifically meant to attack the followers and sympathisers of the Dalai Lama, while compromising that particular web site (not for the first time) is presumably intended to cause harm to its use as a legitimate channel of communication to Tibetan-speaking sympathisers.

Researchers may be interested in the hashes made available by F-Secure:

Exploit:Java/CVE-2012-0507.A — 5415777DB44C8D808EE3A9AF94D2A4A7
Backdoor:OSX/Dockster.A — c6ca5071907a9b6e34e1c99413dcd142
Exploit:Java/CVE-2012-4681.H — 44a67e980f49e9e2bed97ece130f8592
Trojan.Agent.AXMO — c3432c1bbdf17ebaf1e10392cf630847

David Harley
Small Blue-Green World/Mac Virus


  1. Let’s hope the Dalai Lama runs Software Update 😉

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: