Mac OS X Mac Defender Malware Detection

This script is Copyright (C) 2011-2012 Tenable Network Security, Inc.


Synopsis :

The remote Mac OS X host appears to have been compromised.

Description :

Using the supplied credentials, Nessus has found evidence that a fake
antivirus software named Mac Defender (alternatively, MacDefender,
MacGuard, MacProtector or MacSecurity) is installed on the remote Mac
OS X host.

The software is typically installed by means of a phishing scam that
targets Mac users, redirecting them from legitimate websites to fake
ones that tell them their computer is infected with a virus and then
offer this software as a solution.

Once installed, the malware will perform a 'scan' that falsely
identifies applications such as 'Terminal' or even the shell command
'test' ('[') as infected and will redirect a user's browser to porn
sites in an attempt to trick people into purchasing the software in
order to 'clean up' their system.

See also :

http://www.nessus.org/u?abf43744
http://support.apple.com/kb/HT4650

Solution :

Follow the steps in Apple's advisory to remove the malware.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: MacOS X Local Security Checks

Nessus Plugin ID: 54832

Bugtraq ID:

CVE ID: