Latest Threat: MacCinema
MacCinema is the latest OS X threat. It is not really new: it is an update of MacAccess that this time uses different strings and clever obfuscation, but overall the installation and behavior remain the same.

So, here’s the fixed one…
This will output the script below…
Notice the IP address “213.163.64.78”. This is the IP of the backdoor, which is executed through a cron job. The backdoor is responsible for executing or installing “DNSChanger”, which will change or add malicious DNS entries: 85.255.112.81 and 85.255.112.114.
Notice “enialbdivad 777 nigeb”: this is the string “begin 777 davidblaine” written backwards, so obviously we have to fix it again…
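
The reversed “begin 777 …” line above is a uuencode header written backwards. As an added example (not code from the original post), this Python snippet undoes that layer for analysis. It assumes either the whole blob or each line was reversed; `make_sample` is a hypothetical helper that builds a constructed blob with a harmless payload.

```python
import binascii


def decode_reversed_uu(text):
    """Undo character reversal of uuencoded text; return (mode, name, payload)."""
    # Assumption: either the whole blob or each line was reversed, so try both.
    candidates = (text[::-1],
                  "\n".join(line[::-1] for line in text.splitlines()))
    for candidate in candidates:
        lines = [line for line in candidate.splitlines() if line]
        for i, line in enumerate(lines):
            parts = line.split(" ", 2)
            if len(parts) == 3 and parts[0] == "begin" and parts[1].isdigit():
                break
        else:
            continue  # no "begin <mode> <name>" header in this candidate
        if "end" not in lines[i + 1:]:
            continue  # header sits after the body: wrong kind of reversal
        payload = bytearray()
        for body in lines[i + 1:]:
            if body == "end":
                return parts[1], parts[2], bytes(payload)
            # Each uuencoded line carries its own length byte; decode it alone.
            payload += binascii.a2b_uu(body.encode("ascii"))
    raise ValueError("no reversed uuencode header found")


def make_sample(payload, mode="777", name="davidblaine"):
    """Build a CONSTRUCTED whole-blob-reversed uuencode sample for testing.

    Only the header values come from the post; the payload is supplied by
    the caller and is not the real script.
    """
    body = "".join(binascii.b2a_uu(payload[i:i + 45]).decode("ascii")
                   for i in range(0, len(payload), 45))
    return f"begin {mode} {name}\n{body}`\nend\n"[::-1]


if __name__ == "__main__":
    sample = make_sample(b"echo constructed payload, not the real script\n")
    print(sample)
    print(decode_reversed_uu(sample))
```
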
To satisfy our curiosity, here’s the final deobfuscated script.

To remove this threat, just follow the MacAccess removal instructions.
Whoa. I had NEVER seen any Mac malware out in the wild. I try to be VERY security conscious.
I downloaded an app that sounded not quite right and I started digging through the innards of the install package and found that it is an installer for this MacCinema malware.
This is why I intensely dislike installer packages. Apple should discourage, rather than encourage their use. Once code is running the user doesn’t have control over what the installer does. Especially in this case where it looks like it requests root access. No way.
This has rocked my world. Do you have a suggestion for a malware scanner? Looks like I need something. I was lucky this time.
How to get rid of MacCinema? Clamxav!
Apple support told me to download Clamxav (by Apple): http://www.clamxav.com/index.php?page=dl
It worked. And it’s free!