Acting on a tip, a member of our Threat Research team (Brod) has discovered that a Dalai Lama-related website is compromised and is pushing new Mac malware, called Dockster, using a Java-based exploit.
Page source from gyalwarinpoche.com:
Here's a screenshot of gyalwarinpoche.com from Google's cache:

Note: Google's November 27th cached snapshot also includes the link to the malicious exploit, so don't visit the cached copy either.
The gyalwarinpoche site doesn't seem to be as "official" as dalailama.com:
The Java-based exploit uses the same vulnerability as "Flashback", CVE-2012-0507, a Java sandbox escape that Oracle fixed in Java SE 6 Update 31 and 7 Update 3 and that Apple shipped fixes for in its Java for OS X 2012-001 update (April 2012). Current, fully patched versions of Mac OS X, and systems with the browser's Java plugin disabled, should be safe from the exploit.

The malware dropped, Backdoor:OSX/Dockster.A, is a basic backdoor with file download and keylogger capabilities.
This is not the first time gyalwarinpoche.com has been compromised, and it certainly isn't the first time Tibetan-related NGOs have been targeted. Read more here and here.
The site also serves a second exploit, for CVE-2012-4681 (the Java 7 vulnerability patched in Java 7 Update 7), with a Windows-based payload: Trojan.Agent.AXMO.
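The post's advice is to be on a current Java; the following is an added example (not code from the original post or from F-Secure) of a quick check that maps the output of `java -version` onto the two CVEs discussed above. The fixed-in versions are taken from Oracle's advisories: CVE-2012-0507 was fixed in Java SE 6 Update 31 and 7 Update 3, and CVE-2012-4681 affects only Java 7 and was fixed in 7 Update 7. The version banners used as input are constructed samples, not captured from the compromised site or from any victim machine; the function and variable names are this example's own.

```python
"""Map a `java -version` banner onto CVE-2012-0507 and CVE-2012-4681.

Added example, not part of the original post. Fix levels are from
Oracle's advisories (assumed correct here):
  CVE-2012-0507: fixed in Java 6u31 and 7u3
  CVE-2012-4681: Java 7 only, fixed in 7u7
"""
import re
import subprocess

# {CVE: {major release line: first fixed update number}}
FIXED_IN = {
    "CVE-2012-0507": {6: 31, 7: 3},
    "CVE-2012-4681": {7: 7},  # Java 6 lacks the affected com.sun.beans classes
}

# Matches both the legacy "1.7.0_06" form and the newer "11.0.2" form;
# the update number is absent from the newer form.
_VERSION_RE = re.compile(r'version "(?:1\.)?(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (major, update) from a `java -version` banner.

    '1.6.0_29' -> (6, 29); '1.7.0_06' -> (7, 6); '11.0.2' -> (11, 0).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised java -version output: {banner!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def vulnerable_cves(banner: str):
    """List the CVEs from FIXED_IN that this Java build is still exposed to.

    A release line that a CVE does not list (e.g. Java 6 for CVE-2012-4681,
    or anything newer than Java 7) is treated as not affected.
    """
    major, update = parse_java_version(banner)
    return [
        cve for cve, fixed in FIXED_IN.items()
        if major in fixed and update < fixed[major]
    ]


def check_installed():
    """Run the local `java -version` (banner goes to stderr) and classify it.

    Returns None when no java binary is on PATH.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return vulnerable_cves(proc.stderr + proc.stdout)


# Constructed sample banners (not real captures) for a stand-alone run.
SAMPLE_BANNERS = [
    'java version "1.6.0_29"',  # Apple Java 6 before the 2012-001 update
    'java version "1.7.0_02"',  # Oracle Java 7 before 7u3
    'java version "1.7.0_06"',  # patched for 0507, still open to 4681
    'java version "1.7.0_09"',  # patched for both
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:28s} -> {vulnerable_cves(banner) or 'not affected'}")
    local = check_installed()
    print("installed java:", "not found" if local is None else (local or "not affected"))
```

The check only reasons about the JRE version; it cannot tell whether a browser still loads the Java plugin, which is the other condition the post names. On a Mac, that has to be confirmed separately in the browser's plugin settings.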