EA to detect Dalai Lama malware infection?

Sounds like patched computers won't be effected, but wanted to FYI everyone.

I saw that same post on CNET earlier today. I clicked the link to set up folder actions to detect if any files get added to the folder that the Dockster.A tries to go in.

http://reviews.cnet.com/8301-13727_7-57415311-263/monitor-os-x-launchagents-folders-to-help-prevent-malware-attacks/

I tried making a Composer package from it, but it only detected the /Users/<username>/LaunchAgents folder, but none of the local or system folders.

I know that two of the plists are com.apple.FolderActions.enabled.plist and com.apple.FolderActions.folders.plist but beyond that, I am not sure how to deploy it to many machines. I have it set up on mine, however. I will keep experimenting.

I've created a simple Extension Attributes to individually check for the file /Users//.Dockset and /Users//Library/LaunchAgents/mac.Dockset.deman.plist and see if they exist, and then create a smart group to delete the files on affected computers. So far 0 computers, and they're all patched, so I don't expect to see any, but better safe than sorry I guess.

http://www.reedcorner.net/new-dockster-malware-discovered/

@Hkim do you mind sharing your Extension Atribute?

It's quite simple really, and to be honest, I'm not sure if it's going to work, I encourage anyone here to please correct or suggest changes. It's bare bones and simply looks for $HOME/.Dockset

https://gist.github.com/4208696

I don't know if Casper EA actually will look in every $HOME or just the $HOME of the user logged in when Recon runs.

I feel the most effective way to stop this is to patch Java via Policy, thus you cover your bases for hopefully anything in the future.

Thanks!