Spying on Tibetan sympathisers and activists: Double Dockster*

Does the expression 'In the Wild' still mean anything today? Well yes, in the sense of something that is 'out there' threatening real-world systems. But things move a lot faster these days than they did in the 90s and later, fastburning mass-mailers notwithstanding.

Just a few days ago (on the 30th of November, to be precise) Intego - quite rightly - flagged the OS X spyware it calls OSX/Dockster.A as low-risk, because it had been found on Virus Total but wasn't known to be in the wild. As of yesterday, the thing had gone decidedly feral, though in a context that ensures that relatively few readers of this blog will see it. Intego may have been right in thinking that the binary found on Virus Total was some kind of test before letting it out into the wild. Acting on a tip-off, F-Secure found it lurking on a web site associated with the Dalai Lama. In fact, Hxxp://gyalwarinpoche.com (I don't want you accessing it accidentally as I don't know the protection status of your machine!) is the Dalai Lama’s Tibetan language site, set up in 2010. According to Sophos (which calls the malware OSX/Bckdr-RNW), the site was compromised (again) back in October, and right now it's serving the Java-based exploit CVE-2012-0507 (also used by Sabpab and Flashback) to push the Dockster malware.

This relatively simple backdoor trojan, found on Virus Total, provides a remote shell to give a remote attacker access to the system, provides a channel for downloading additional files, and has keylogger functionality. Presumably, it's another attempt to monitor and/or attack people who follow or sympathise with the exiled Dalai Lama. As remarked elsewhere, it's not only an effective way of gaining access to those followers with unprotected machines, but by compromising a system associated with a trusted religious leader, they also do harm to his cause, and it would be naive not to suspect that was part of the motive. 

Fortunately, whatever you may have heard to the contrary, anti-virus is not dead and does not only detect known viruses: AV companies have detected the Java exploits for some time, and the malware sample cited by F-Secure as OSX/Dockster.A has been detected by ESET since October 16th as OSX/Agent.AB.

*Totally irrelevant pun: punster tips hat to Jeff Lindsay

[Tenuously connected Yosemite coyote photo detail by Small Blue-Green World]

David Harley CITP FBCS CISSP
ESET Senior Research Fellow