December 5, 2012
Several days ago Doctor Web was informed that the official site of Tibet’s spiritual leader, the Dalai Lama, had been compromised. Doctor Web's analysts discovered that when loading a page from the site in a browser, a .jar file containing an exploit (CVE-2012-0507) is simultaneously downloaded. This vulnerability is automatically exploited to launch a Trojan for Mac OS X. The malicious program has been added to the virus database as BackDoor.Dockster.
The malware is placed into the user's home folder in the Mac OS X system and then launched. The backdoor doesn't require administrative privileges and can run under an ordinary user account. BackDoor.Dockster logs key entries on an infected computer, transmits this data (which can include passwords) to criminals and executes various commands received from those criminals.
It is noteworthy that BackDoor.Dockster.1tries to get to the computers of all Dalai Lama website visitors, regardless of the target system platform. Probably the site attackers were not able to configure the compromised server to determine the client OS. The fact that Doctor Web's analysts found another .jar file containing CVE-2012-4681 on the compromised resource supports this assumption. This file is meant to facilitate the installation of a BackDoor.Gyplit program targeting Windows. The malware is used to collect and transmit information and execute various commands in an infected system. However, the JAR file is not downloaded to computers.
There are at least two other sites that check the client OS, and, depending on the results, an appropriate JAR file is downloaded to the computer. In the first case, a file for Windows contains Exploit.CVE2011-3544.83 to infect the system with Trojan.Inject1.14703. A JAR file for other operating systems exploits the vulnerability CVE-2012-0507 to infect a Mac OS X machine with BackDoor.Lamadai.1. This malicious program is downloaded from an infected website to Linux computers, too, but it won't run in such systems.
In the second case, a famous South Korean news site covering developments in North Korea contains a similar script to determine the visitor’s operating system, but the malicious file, which in this case is Trojan.MulDrop3.47574, is only delivered to Windows systems.
The theme of Tibetan independence and the Dalai Lama has been exploited before to spread malware and send targeted malignant mailings Apparently, criminals tend to use compromised sites to spread malicious software, and, in such cases, attacks target relatively small audiences because compromised sites usually include those related to Tibet or North Korea.
Administrators of the compromised websites were promptly notified about the attacks, and Doctor Web analysts waited for a few days for the malicious code to be removed.
During this period respective URLs were temporarily added to the content-filtering databases of Dr.Web SpIDer Gate to prevent the malware from infecting systems.