Home > malware report, OS X > Latest Threat: MacCinema

Latest Threat: MacCinema

maccinemaMacCinema is the latest OS X threat. It’s not really new, it is an update of MacAccess although this time it uses different strings and clever obfuscation but overall the installation and behavior remains the same.

preinstall

So, here’s the fixed one…

fixedThis will output script below…

Notice the IP Address “213.163.64.78″- This is the backdoor IP which executed through cronjob. The backdoor is responsible for executing or installing “DNSChanger” which will change or add malicious DNS entries : 85.255.112.81, es : 85.255.112.114

integostrikesagainNotice “enialbdivad 777 nigeb”, obviously we have to fix again …. davidblaine

To fill up our curiosity, here’s the final deobfuscated script.

final

To remove this threat, just follow MacAccess removal instruction.

  1. dm33
    April 2, 2009 at 2:56 pm | #1

    Whoa. I had NEVER seen any Mac malware out in the wild. I try to be VERY security conscious.

    I downloaded an app that sounded not quite right and I started digging through the innards of the install package and found that it is an installer for this MacCinema malware.

    This is why I intensely dislike installer packages. Apple should discourage, rather than encourage their use. Once code is running the user doesn’t have control over what the installer does. Especially in this case where it looks like it requests root access. No way.

    This has rocked my world. Do you have a suggestion for a malware scanner? Looks like I need something. I was lucky this time.

  2. August 8, 2009 at 4:26 pm | #2

    How to get rid of MacCinema? Clamxav!
    Apple support told me to download Clamxav (by Apple): http://www.clamxav.com/index.php?page=dl
    It worked. And it’s free!

  1. March 18, 2009 at 11:01 am | #1
  2. October 17, 2010 at 8:35 pm | #2

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: