Apparently it overwrites a system binary that's launched on boot with another apple-signed binary "jsc" (a console javascript interpreter), which will evaluate some sort of .js that re-exploits everything. Pretty clever to re-use apple-signed binaries for nefarious purposes. (The binary must be apple-signed because when booting the kernel isn't exploited yet and so it enforces code signing, obviously).
