Archive for November 19, 2008

Begin 777 withLove by OSX DNSChanger

What’s new? Here’s a static analysis of this new variant. Notice the header: it seems the compression used was changed.

[Image: dmg-header]

The preinstall/preupgrade script now looks like this: 

[Image: preinstall1]

Previous variants, by contrast, contained code or a sequence of strings as follows:

[Image: preinstall_preupgrade01]

Before, the installer names were “MacVideo” and “Porn4Mac”; today it’s “MacAccess”.

Most known IPs and nodes of this threat are currently active and serving this variant.

Stay safe and report dodgy websites!

OSX DNSChanger is Back!

Working in Mac OS X is now my pastime, so I noticed that there’s a new DNSChanger variant.