Spying on Tibetan sympathisers and activists: Double Dockster*


Does the expression 'In the Wild' still mean anything today? Well yes, in the sense of something that is 'out there' threatening real-world systems. But things move a lot faster these days than they did in the 90s and later, fastburning mass-mailers notwithstanding.

Just a few days ago (on the 30th of November, to be precise) Intego – quite rightly – flagged the OS X spyware it calls OSX/Dockster.A as low-risk, because it had been found on Virus Total but wasn't known to be in the wild. As of yesterday, the thing had gone decidedly feral, though in a context that ensures that relatively few readers of this blog will see it. Intego may have been right in thinking that the binary found on Virus Total was some kind of test before letting it out into the wild. Acting on a tip-off, F-Secure found it lurking on a web site associated with the Dalai Lama. In fact, Hxxp://gyalwarinpoche.com (I don't want you accessing it accidentally as I don't know the protection status of your machine!) is the Dalai Lama’s Tibetan language site, set up in 2010. According to Sophos (which calls the malware OSX/Bckdr-RNW), the site was compromised (again) back in October, and right now it's serving the Java-based exploit CVE-2012-0507 (also used by Sabpab and Flashback) to push the Dockster malware.

This relatively simple backdoor trojan, found on Virus Total, provides a remote shell to give a remote attacker access to the system, provides a channel for downloading additional files, and has keylogger functionality. Presumably, it's another attempt to monitor and/or attack people who follow or sympathise with the exiled Dalai Lama. As remarked elsewhere, it's not only an effective way of gaining access to those followers with unprotected machines, but by compromising a system associated with a trusted religious leader, they also do harm to his cause, and it would be naive not to suspect that was part of the motive. 

Fortunately, whatever you may have heard to the contrary, anti-virus is not dead and does not only detect known viruses: AV companies have detected the Java exploits for some time, and the malware sample cited by F-Secure as OSX/Dockster.A has been detected by ESET since October 16th as OSX/Agent.AB.

*Totally irrelevant pun: punster tips hat to Jeff Lindsay

[Tenuously connected Yosemite coyote photo detail by Small Blue-Green World]

ESET Senior Research Fellow

Author David Harley, ESET

  • ThePersonWhoOriginallyUploadedItToVirusTotal

    This thing was in the wild for a while. It is sad that no antivirus vendors found the exploit payload earlier. The JAR exploit was probably up there for at least a month.
    I do not even work for an AV company and I was first to upload it to VirusTotal.
    If you want to hire me, just let me know ;)

    • David Harley

      You did see the bit about our already detecting it generically, didn’t you? We process over 100,000 samples a day, and it wouldn’t be a good idea to submit them all to VirusTotal. AV companies can share samples directly without swamping VT’s servers. There’s a lot more to sample processing than you might think. Because of the sheer volume of samples, much of it is automated, and unless something like the Intego post brings specific malware to our attention and makes a particularly interesting point, we may never mention it in a blog or press release. Thanks for the offer, but I doubt if we’ll be hiring you on the basis of your claiming to have uploaded a sample to VT that we (and other companies) may already have had. ;-)

Follow us

Copyright © 2015 ESET, All Rights Reserved.