'K, so I'm confused. The wording of this as you posted - "'Dockster' takes advantage of the same vulnerability exploited by the 'Flashback' malware…" How can this be if that was patched? Or is this talking about unpatched Macs only? If this is taking advantage of the same issue that was supposedly plugged, then someone screwed up, royally.
Need to check into this to see what's really going on. Thanks for the heads up… I think.
Sounds like patched computers won't be affected, but wanted to FYI everyone.
I saw that same post on CNET earlier today. I clicked the link to set up folder actions to detect if any files get added to the folder that the Dockster.A tries to go in.
http://reviews.cnet.com/8301-13727_7-57415311-263/monitor-os-x-launchagents-folders-to-help-prevent-malware-attacks/
I tried making a Composer package from it, but it only detected the /Users/<username>/LaunchAgents folder, but none of the local or system folders.
I know that two of the plists are com.apple.FolderActions.enabled.plist and com.apple.FolderActions.folders.plist but beyond that, I am not sure how to deploy it to many machines. I have it set up on mine, however. I will keep experimenting.
I've created a simple Extension Attribute to individually check for the files /Users//.Dockset and /Users//Library/LaunchAgents/mac.Dockset.deman.plist and see if they exist, and then create a smart group to delete the files on affected computers. So far 0 computers, and they're all patched, so I don't expect to see any, but better safe than sorry I guess.
http://www.reedcorner.net/new-dockster-malware-discovered/
@Hkim do you mind sharing your Extension Attribute?
It's quite simple really, and to be honest, I'm not sure if it's going to work, I encourage anyone here to please correct or suggest changes. It's bare bones and simply looks for $HOME/.Dockset
https://gist.github.com/4208696
I don't know if Casper EA actually will look in every $HOME or just the $HOME of the user logged in when Recon runs.
I feel the most effective way to stop this is to patch Java via Policy, thus you cover your bases for hopefully anything in the future.
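As an added example (not the gist linked above, nor any poster's code), here is an Extension Attribute style check that walks every home directory under a users root instead of relying on the `$HOME` of whoever is logged in when Recon runs; the two indicator paths are the ones named in the thread, and the users root argument (default `/Users`) is an assumption added so the function can be pointed at a test tree.

```shell
#!/bin/sh
# Added example: detect the Dockster indicator files in every home directory,
# not only the current user's, and emit the <result> tags an EA expects.

# Print the home directories that contain either Dockster indicator file.
# $1 = users root; defaults to /Users on a real Mac (constructed dirs in tests).
find_dockster_homes() {
    users_root="${1:-/Users}"
    hits=""
    for home in "$users_root"/*/; do
        home="${home%/}"
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$home" ] || continue
        if [ -e "$home/.Dockset" ] || \
           [ -e "$home/Library/LaunchAgents/mac.Dockset.deman.plist" ]; then
            hits="$hits $home"
        fi
    done
    # Strip the leading space so the output is a clean space-separated list.
    printf '%s\n' "${hits# }"
}

# Wrap the finding in <result></result>, which is the format Jamf/Casper
# Extension Attributes read back into inventory for smart-group scoping.
ea_result() {
    hits=$(find_dockster_homes "$1")
    if [ -z "$hits" ]; then
        printf '<result>Clean</result>\n'
    else
        printf '<result>Infected: %s</result>\n' "$hits"
    fi
}

# Stand-alone use on a real machine: sh this_script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    ea_result /Users
fi
```

A smart group scoped on the attribute value beginning with "Infected" then drives the cleanup policy the thread describes.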