
Latest Mac Threat: ‘MacCinema’

Published: March 23 2009, 11:30 PM
by Methusela Cebrian Ferrer

OSX/Jahlav, the malware family that has successfully penetrated the Mac world through social engineering (offering users free software, cracks and keygens), is now calling the installer for its latest variant ‘MacCinema’ [Figure 01].

[Figure 01 – Rogue site: website distributing an OSX/Jahlav variant]

Who would have thought the website shown above is a rogue site? Yes, it looks perfectly fine until you download "HDTVPlayerv3.5.dmg" and see the MacCinema Installer [Figure 02]:

[Figure 02 – MacCinema installer: the OSX/Jahlav installer GUI]

To avoid detection by scanners, the attacker continuously modifies a few strings in the script, then obfuscates and repackages it as shown in Figures 03 and 04.

[Figure 03 – Preinstall: the changing script in the variant's code]

[Figure 04 – Sample DMG installers: the variant's changing installer filenames]

Overall, the behavior and installation sequence of this variant remain the same as in earlier variants.

As described in our encyclopedia, OSX/Jahlav is a family of trojans that install and execute a malicious script. The backdoor component contacts a remote server, which often delivers another script; that script then modifies the user’s DNS settings by adding a new DNS server IP address starting with 85.xx.xx.xx.

We advise OS X users to be on the lookout to avoid falling for this malware’s tricks.
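A quick self-check for the two indicators this post and its comments describe (a root cron job launching a binary out of /Library/Internet Plug-Ins, and resolvers in the 85.x.x.x range). This is an added example, not CA's tool or code; the sample crontab line and IP addresses are constructed from values quoted in the comments below, and the network service name "AirPort" is an assumption that varies per Mac.

```shell
#!/bin/sh
# Added example (not from the CA post): inspect a root crontab dump and a DNS
# resolver list for the OSX/Jahlav indicators described on this page.

# Constructed sample of what `sudo crontab -l` printed for one commenter,
# plus one legitimate entry so the filter has something to ignore.
SAMPLE_CRONTAB='* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1
0 3 * * * /usr/sbin/periodic daily'

# Constructed sample resolver list (two 85.x addresses quoted by a commenter,
# plus a normal home router address).
SAMPLE_DNS='85.255.112.233
85.255.112.91
192.168.1.1'

# Print every cron line that launches something from the Internet Plug-Ins
# folder; that folder holds browser plug-ins, so cron should never run from it.
suspicious_cron_lines() {
    printf '%s\n' "$1" | grep -F '/Library/Internet Plug-Ins/' || true
}

# Print every resolver in the 85.x.x.x range the post calls out.
suspicious_dns_servers() {
    printf '%s\n' "$1" | grep -E '^85\.[0-9]+\.[0-9]+\.[0-9]+$' || true
}

# Summarise both checks; "clean" means neither indicator was present.
jahlav_verdict() {
    cron_hits=$(suspicious_cron_lines "$1" | grep -c .) || true
    dns_hits=$(suspicious_dns_servers "$2" | grep -c .) || true
    if [ "$cron_hits" -gt 0 ] || [ "$dns_hits" -gt 0 ]; then
        echo "suspicious: $cron_hits cron entries, $dns_hits DNS servers"
    else
        echo "clean"
    fi
}

# On a live Mac the inputs would come from the real commands (service name
# "AirPort" is an assumption; use the name shown in System Preferences):
#   jahlav_verdict "$(sudo crontab -l 2>/dev/null)" "$(networksetup -getdnsservers AirPort)"
jahlav_verdict "$SAMPLE_CRONTAB" "$SAMPLE_DNS"   # prints "suspicious: 1 cron entries, 2 DNS servers"
```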


By: Methusela Cebrian Ferrer
Methusela “Meths” Cebrian Ferrer joined CA ISBU in mid 2008 as Senior Researcher leading Internet Security Intelligence initiative. Her focus is proactive research, identifying emerging and prevalent threats to provide strategic security response through product solutions, internal & external awareness...

30 people have left comments:

I downloaded Open Office 3 and this MacCinema Installer came along with it. Luckily I investigated what it is and found this site. Thanks for the warning!!!!!

Posted by: John | March 25, 2009 12:11 PM

This is an update from my earlier posting. I'm not sure if the downloading of Open Office 3 caused the download of the malware (MacCinema). I only noticed it a few hours after downloading OpenOffice. It could have been done after Googling.

Posted by: john | March 25, 2009 2:16 PM

Hey, I unfortunately downloaded this...

How do I get rid of it?

Posted by: Jeff Small | March 25, 2009 4:12 PM

I am in the same shoes as Jeff... how can I remove this malware? Which of the CA packages will take care of this?

Thanks for your help!

Posted by: maria | March 26, 2009 2:41 AM

I also downloaded this (stupidly)... any advice?

Posted by: Marc | March 26, 2009 5:14 PM

I just noticed it on my desktop. I haven't installed the package, am I ok?

It appeared on my desktop after I upgraded Office 08.

Posted by: Marie | March 28, 2009 10:32 AM

HEY I also downloaded this. How do I get rid of it?

Posted by: MICHAEL Elieff | April 16, 2009 6:01 PM

I got to the Install MacCinema window and selected Continue, but I didn't go through the next steps to install. Am I ok?

Posted by: Bob | April 16, 2009 10:22 PM

Help, I downloaded this and Apple support can tell me nothing! Is there any way to remove the malware? Thank you!

Posted by: Markey | April 23, 2009 9:02 PM

OSX/JAHLAV A new variant of OSX/Jahlav was spotted inside an installer named “MacPlay.dmg”. This variant

Posted by: CA Security Advisor Research Blog | May 11, 2009 2:42 AM

Stupid me, I did install it. I deleted the files, am I now safe?

Posted by: Cashmere | May 19, 2009 4:23 PM

Thanks Methusela. I too got MacCinema. I thought it was suspicious when I didn't get a movie and couldn't find the MacCinema app. Luckily, I found your post right away and deleted the files before cron could execute. You've saved us all from a big headache. Thanks again!

Posted by: cindy | June 1, 2009 4:20 AM

I followed the steps in the Terminal, and after entering sudo crontab -r and re-entering sudo crontab -l it said there isn't one... now does this mean that everything is off? And if not, how do you check the DNS settings?

Posted by: jack | June 2, 2009 9:27 PM

Thanks a lot Methusela...

Posted by: Schtouf | June 4, 2009 7:30 PM

How do you find these files? I downloaded it and I don't know how to remove these, please help.

Posted by: AS | June 25, 2009 11:41 PM

Thanks so much for this - much appreciated. I checked the Library and couldn't find that AdobeFlash file or the Mozilla one - BUT when I used the Terminal as per the instructions, they were hiding.

David

Posted by: david | July 3, 2009 10:13 PM

Another one here saved by this post! Thank Goodness I searched before installing it! Thanks a lot!

Posted by: Ellygeh | July 8, 2009 9:38 AM

To erase the DNS address, flush your Ethernet or AirPort network settings at the first level of System Preferences > Network.

Posted by: Marc | July 9, 2009 4:45 PM

Methusela Cebrian Ferrer,

I am a stupid idiot and downloaded this. I followed every direction and got rid of the Adobe file and removed the schedule through cron. I just checked my DNS server IPs and I only have two IP addresses showing (85.255.112.233 and 85.255.112.91); both are unable to be removed. How do I get rid of them? I am connected to the internet via AirPort on a Netgear wireless router.

Posted by: Brad Kaneshiro | July 18, 2009 11:53 PM

I fell for it and installed MacCinema. I went to the Library and dragged the AdobeFlash and Mozillaplug.plugin into the trash.

I'm not a techie. How do I follow your instruction, "To remove, simply execute “sudo crontab -r” and double check by executing “sudo crontab -l” - it should display "no cronjob..."? How do I get to the EXECUTE mode on my MacBook?

Thanks

Posted by: James | July 19, 2009 9:47 AM

I found how to access Terminal (Applications - Utilities - Terminal). I typed in

sudo crontab -l

and got

* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1

then I typed in

sudo crontab -r

then "sudo crontab -l" again

and got

no crontab for root

Do I need to do anything else? I'm using Airport.

Thanks so much for your help!!!

Posted by: james | July 19, 2009 10:44 AM

I deleted those files, the AdobeFlash one and the MozillaPlug one. I couldn't find the other two things.

I think I ran the command right in Terminal; it said "no crontab for root".

I also deleted the IPs in the DNS settings.

Am I now safe?

If not, what do I do?

Posted by: Ollie Kerswell | August 3, 2009 10:00 AM

I inadvertently installed this. I found the AdobeFlash and the MozillaPlug files and deleted them.

How do you execute the sudo crontab -r?? I didn't find the 85.xx.xx.xx DNS. Is it safe now?

Thanks!

Posted by: Rob | August 3, 2009 11:27 AM

Be careful, I clicked on this link,

earthrace.net/.../move.php

and installed this "maccinema" software without meaning to. I hope it won't cause problems for my computer.

Posted by: kneesaa | August 3, 2009 1:22 PM

OMG, Google is my savior, and so is this site.

Good thing I searched instead of continuing the download. Wow, imagine if I actually hadn't deleted it...

THANK YOU!

Posted by: hanz | August 5, 2009 8:02 AM

Methusela Cebrian Ferrer shows how to remove MacCinema at the following:

ithreats.net/.../how-to-remove-macaccess-trojan

Posted by: patrick9 | August 13, 2009 11:09 AM

I was looking for maps of the Station Fire in Los Angeles, and one site that claimed it had a map triggered a download of MacCinema. Beware if you are looking for news.

Posted by: m. | August 31, 2009 12:50 PM

The wild and deadly fires burning in southern California are still out of control, and for many of us

Posted by: CA Security Advisor Research Blog | September 1, 2009 4:01 AM

Whoa, God bless you guys! I was going to download this crap! I'm always watching movies online, and I can't watch... I think it's something like zshare, it has the blue x as the avatar, but anyway, when it said Mac cinema, I thought it was a means to watch the movies, and so sometimes it aggravates me, and so before I accepted, I decided to investigate and bam! You guys saved me! Thank you. Hopefully others will catch this before they make a huge mistake....

Posted by: mc74ny | October 7, 2009 5:32 AM
