Mac OS X Mac Defender Malware Detection

critical Nessus Plugin ID 54832

Synopsis

The remote Mac OS X host appears to have been compromised.

Description

Using the supplied credentials, Nessus has found evidence that a fake antivirus software named Mac Defender (alternatively, MacDefender, MacGuard, MacProtector or MacSecurity) is installed on the remote Mac OS X host.

The software is typically installed by means of a phishing scam targeting Mac users by redirecting them from legitimate websites to fake ones that tell them their computer is infected with a virus and then offers this software as a solution.

Once installed, the malware will perform a 'scan' that falsely identifies applications such as 'Terminal' or even the shell command 'test' ('[') as infected and will redirect a user's browser to porn sites in an attempt to trick people into purchasing the software in order to 'clean up' their system.

Solution

Follow the steps in Apple's advisory to remove the malware.

See Also

http://www.nessus.org/u?abf43744

http://support.apple.com/kb/HT4650

Plugin Details

Severity: Critical

ID: 54832

File Name: macosx_macdefender_detection.nasl

Version: 1.22

Type: local

Agent: macosx

Published: 5/26/2011

Updated: 11/27/2023

Asset Inventory: true

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

Required KB Items: Host/MacOSX/packages