New Mac malware uses OS X launch services

Creation date

ID: IRCNE2012121689
Date: 2012-12-04

According to CNET, security company Intego is reporting the discovery of a new malware package for OS X. The package is a Trojan horse called OSX/Dockster.A, which appears to have keylogging features to record what is typed on an infected system, in addition to remote-access features for backdoor access to the system. When installed, the Trojan attempts to contact the server "itsec.eicp.net," likely to receive instructions for allowing remote access to the system.
As with other recent malware for OS X, Dockster is a Java-based threat that will not run unless you have Java installed on your system. It currently exploits CVE-2012-0507, a Java vulnerability that has already been patched.
As with other OS X malware, this new Trojan utilizes launch agents, which are small configuration files that tell the launcher processes in the system (one that runs globally and another that runs for each log-in session) to automatically and conditionally start or stop various background routines.
While the use of these launcher configuration files makes it easy for malware developers to have programs launch automatically, it also makes it easy to detect this malicious behavior. By setting up a folder monitoring service, you can have the system notify you if a file has been added to these folders, so you can check it out and further investigate its origin and function.
AppleScript works largely behind the scenes in OS X, so setting up this service takes a couple of steps, but everything you need is available on the system, making it a relatively painless process.
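
The same folder check can also be scripted instead of using an AppleScript folder action. The following is an added example, not code from the article, CNET or Intego: it keeps a baseline of the launch agent and launch daemon folders and reports every job definition that was added, modified or removed, together with the program it would start. The folder list (the standard launchd locations, which the article does not name) and the baseline file name are assumptions.

```python
import hashlib, json, plistlib
from pathlib import Path

# Standard launchd job folders on OS X; the article does not name them.
WATCHED = [Path.home() / "Library/LaunchAgents",
           Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
BASELINE = Path.home() / ".launchd_baseline.json"  # hypothetical state file

def snapshot(dirs):
    """Map every .plist in the given folders to the SHA-256 of its contents."""
    snap = {}
    for d in map(Path, dirs):
        if d.is_dir():
            for p in sorted(d.glob("*.plist")):
                try:
                    snap[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
                except OSError:
                    snap[str(p)] = "unreadable"
    return snap

def describe(path):
    """Summarise what launchd would start for this job definition."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # malformed files are reported, not skipped
        return {"error": str(exc)}
    argv = job.get("ProgramArguments") or [job.get("Program")]
    return {"label": job.get("Label"), "argv": argv,
            "run_at_load": bool(job.get("RunAtLoad"))}

def diff(baseline, current):
    """Return (change, path, details) tuples for added/modified/removed jobs."""
    out = []
    for path, digest in sorted(current.items()):
        if baseline.get(path) != digest:
            kind = "added" if path not in baseline else "modified"
            out.append((kind, path, describe(path)))
    out += [("removed", p, None) for p in sorted(set(baseline) - set(current))]
    return out

if __name__ == "__main__":
    # The first run has no baseline, so every existing job is listed as added.
    old = json.loads(BASELINE.read_text()) if BASELINE.exists() else {}
    new = snapshot(WATCHED)
    for kind, path, info in diff(old, new):
        print(kind, path, info)
    BASELINE.write_text(json.dumps(new, indent=1))
```

Run it periodically; a new entry whose `argv` points at a program you do not recognise is the cue to investigate its origin and function.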
