Intego is late to report on OSX/Dockster, a new Trojan popping its head out in recent days, but you know what they say – better late than never. The company has issued a detailed advisory encouraging security-wary customers to use VirusBarrier in order to stay out of harm’s way.
Austin, Texas-based Intego acknowledges that a sample of a new Mac spyware was found on VirusTotal on Friday.
The sample is considered a potential test subject for later widespread release. “This trojan has backdoor functionality, including a keylogger component that records an affected user’s typing,” Intego reports.
“This malware is now known to be in the wild, on a website dedicated to the Dalai Lama that has been compromised to deliver the same exploit code as used by SabPab to push Dockster,” the company says.
Intego notes that the same Java flaw was used by Flashback, the most prominent piece of Mac malware ever recorded.
When executed, the trojan deletes itself from the location where it was run and installs itself in the user’s home directory, Intego notes. The file names itself “.Dockset”.
The company elaborates: “The file is not visible through Finder; however, if it’s running, it can be seen within OS X’s Activity Monitor.”
“It creates a launch agent called mac.Dockset.deman so that the trojan will restart each time an affected user logs in. Once the trojan is active, it tries to contact the remote address itsec.eicp.net to await instructions.”
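The three artifacts Intego names (the hidden “.Dockset” file, the mac.Dockset.deman launch agent and the itsec.eicp.net address) can be checked for directly on a host. The script below is an added example, not Intego's tooling. It assumes the agent plist lives in the per-user `~/Library/LaunchAgents` folder; the function names and the log format are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: host triage for the OSX/Dockster artifacts named in the advisory.
DOCKSTER_FILE=".Dockset"            # hidden copy in the user's home directory
DOCKSTER_AGENT="mac.Dockset.deman"  # launch agent name as quoted by Intego
DOCKSTER_HOST="itsec.eicp.net"      # remote address the trojan contacts

# dockster_check HOME_DIR [LOG_FILE]
# Prints one line per finding; returns 1 if anything matched, 0 if clean.
# Assumption: the agent plist sits in the per-user ~/Library/LaunchAgents folder.
dockster_check() {
    local home_dir="$1" log_file="${2:-}" found=0 plist hits
    # Finder hides dotfiles, but a direct path test still sees them.
    if [ -e "$home_dir/$DOCKSTER_FILE" ]; then
        echo "payload: $home_dir/$DOCKSTER_FILE"; found=1
    fi
    # Match the agent name in either the plist file name or its contents.
    for plist in "$home_dir/Library/LaunchAgents"/*; do
        [ -f "$plist" ] || continue
        case "$plist" in
            *"$DOCKSTER_AGENT"*) echo "launch-agent: $plist"; found=1 ;;
            *) if grep -qF "$DOCKSTER_AGENT" "$plist"; then
                   echo "launch-agent: $plist"; found=1
               fi ;;
        esac
    done
    # Optional: count DNS or proxy log lines that mention the remote address.
    if [ -n "$log_file" ] && [ -f "$log_file" ]; then
        hits=$(grep -ciF "$DOCKSTER_HOST" "$log_file" || true)
        if [ "$hits" -gt 0 ]; then
            echo "network: $hits log line(s) mention $DOCKSTER_HOST"; found=1
        fi
    fi
    return "$found"
}

# Demo on a constructed home directory and a constructed DNS log (no real data).
dockster_demo() {
    local tmp; tmp=$(mktemp -d)
    mkdir -p "$tmp/Library/LaunchAgents"
    : > "$tmp/.Dockset"
    echo '<string>mac.Dockset.deman</string>' \
        > "$tmp/Library/LaunchAgents/mac.Dockset.deman.plist"
    echo 'query[A] itsec.eicp.net from 192.0.2.10' > "$tmp/dns.log"
    dockster_check "$tmp" "$tmp/dns.log" || echo "verdict: indicators present"
    rm -rf "$tmp"
}
dockster_demo
```

On a real Mac, call `dockster_check "$HOME"` for each user account, with an exported DNS or proxy log as the optional second argument.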
Intego acknowledges that the malware is low risk. Nonetheless, it offers VirusBarrier X6 as a solution to the threat. Malware definitions dated November 30, 2012 or later recognize OSX/Dockster, the company says.
“VirusBarrier X6’s real-time scanner will detect the exploit code as OSX/SabPab.A and OSX/Dockster.A when it is dropped, and its Anti-Spyware protection will block any connections to remote servers if a user has installed the Trojan horse,” Intego reports.