New Mac malware uses OS X launch services

Security company Intego is reporting the discovery of a new malware package for OS X. The package is a Trojan horse called OSX/Dockster.A, that appears to have keylogging features to record what is being typed on an infected system in addition to remote-access features for backdoor access into the system. When installed, the Trojan attempts to contact the server "itsec.eicp.net," likely to receive instructions for allowing remote access to the system.

As with other recent malware for OS X, Dockster is a Java-based threat that will not run unless you have Java installed on your system. It also currently uses the patched CVE-2012-0507 vulnerability in Java that was used by the Flashback malware in OS X, and appears to be in a testing phase. As a result, this Trojan is a minimal threat; however, its mode of infection offers a reminder to OS X users that simply monitoring the system launcher configurations on your Mac can be an easy way to determine if malware or other unwanted software is being installed on your computer.

As with other OS X malware, this new Trojan utilizes launch agents, which are small configuration files that tell the launcher processes in the system (one that runs globally and another that runs for each log-in session) to automatically and conditionally start or stop various background routines. To do so, a developer simply has to create a properly formatted configuration file and drop it into one of the folders monitored by the launcher process. After doing this, the next time the system is restarted or if you log out and log back in, the task will load and run.

The default folders the launcher uses are called "LaunchDaemons" and "LaunchAgents," and are located directly inside the Library folders either for the system, for all users, or for individual users. While a Trojan or other malware will need administrative access (e.g., prompt for a password) to install a configuration file in global resources such as the system folder or in the library folder for all users, it can write to the LaunchAgents folder for your personal account without prompting you, resulting in a targeted process or routine running when you log into your account.

In this case, a launch agent file called "mac.Dockset.deman" is created in the user's account; it has the system launch the Trojan at log-in, and when run will load an executable that appears as ".Dockset" in Activity Monitor.

While the use of these launcher configuration files makes it easy for malware developers to have programs launch automatically, it also makes it easy to detect this malicious behavior. By setting up a folder monitoring service, you can have the system notify you if a file has been added to these folders, so you can check it out and further investigate its origin and function.

While you can write custom scripts and programs to do this, Apple does have all the components necessary for monitoring a folder built into OS X. In order to run Applescript routines when a folder's contents are changed, Apple provides a service called Folder Actions that can be set up to monitor folders on the file system. This service can be used to bind some built-in scripts Apple provides as examples of AppleScript functions to a folder in order to monitor the contents of the various launch agent and launch daemon folders in the system, and prompt you with a warning whenever a file is added or removed.

AppleScript is relatively behind the scenes in OS X, so setting this service does take a couple of steps to complete, but everything you need to do it is available on the system, making it a relatively painless process. I recently outlined how to use this service to monitor launch agent folders, which I recommend all Mac users do for their systems to ensure they are aware of what is being configured to run automatically on their systems.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.