Mac OS X Mac Defender Malware Detection

2011-05-26T00:00:00
ID MACOSX_MACDEFENDER_DETECTION.NASL
Type nessus
Reporter Tenable
Modified 2018-05-25T00:00:00

Description

Using the supplied credentials, Nessus has found evidence that fake antivirus software named Mac Defender (alternatively MacDefender, MacGuard, MacProtector, MacSecurity or MacShield) is installed on the remote Mac OS X host.

The software is typically installed by means of a phishing scam targeting Mac users: they are redirected from legitimate websites to fake ones that tell them their computer is infected with a virus and then offer this software as the solution.

Once installed, the malware will perform a 'scan' that falsely identifies applications such as 'Terminal' or even the shell command 'test' ('[') as infected and will redirect a user's browser to porn sites in an attempt to trick people into purchasing the software in order to 'clean up' their system.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#


# Nothing to do on an engine that lacks the bn_random() function.
if (!defined_func("bn_random"))
  exit(0);


include("compat.inc");


if (description)
{
  script_id(54832);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/05/25");

  script_name(english:"Mac OS X Mac Defender Malware Detection");
  script_summary(english:"Checks for evidence of MacDefender");

  script_set_attribute(attribute:"synopsis", value:"The remote Mac OS X host appears to have been compromised.");
  script_set_attribute(attribute:"description", value:
"Using the supplied credentials, Nessus has found evidence that a fake
antivirus software named Mac Defender (alternatively, MacDefender,
MacGuard, MacProtector or MacSecurity) is installed on the remote Mac
OS X host. 

The software is typically installed by means of a phishing scam
targeting Mac users by redirecting them from legitimate websites to
fake ones that tell them their computer is infected with a virus and
then offers this software as a solution. 

Once installed, the malware will perform a 'scan' that falsely
identifies applications such as 'Terminal' or even the shell command
'test' ('[') as infected and will redirect a user's browser to porn
sites in an attempt to trick people into purchasing the software in
order to 'clean up' their system.");
  # Sophos write-up behind the shortened link:
  # http://nakedsecurity.sophos.com/2011/05/02/mac-users-hit-with-fake-av-when-using-google-image-search/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?abf43744");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT4650");
  script_set_attribute(attribute:"solution", value:"Follow the steps in Apple's advisory to remove the malware.");

  # A hit indicates an already compromised host rather than a specific
  # vulnerability; the vectors below are the maximal ones.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/26");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Credentialed check: runs only once the Mac OS X package inventory
  # (presumably populated by ssh_get_info.nasl) is in the KB.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



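# Use the SSH command wrappers only when the library supports them.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else
  disable_ssh_wrappers();

# Gate on the Mac OS X package inventory having been collected.  Only the
# presence of the key matters (the call exits when it is missing); the
# value itself is never used by this plugin, so it is not kept.
get_kb_item_or_exit("Host/MacOSX/packages");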


# Bundle names the fake AV has been distributed under.  Each entry is
# spliced verbatim into a single-quoted shell argument and into regular
# expressions further down, so keep entries to plain alphanumerics: no
# quotes, slashes or regex metacharacters.  (MacShield is checked here
# although the plugin description does not name it.)
apps = make_list("MacDefender", "MacGuard", "MacSecurity", "MacProtector", "MacShield");

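report = '';

# The process list and the per-user login items do not depend on which
# name is being looked for, so they are collected once instead of once per
# entry in 'apps' (every exec_cmds() call is a round trip to the target).

# - active processes.
#   nb: this just lists all processes.
ps_cmd = 'ps -axwww -o user,pid,command';

# - login items.
#   nb: this just lists all login items, for accounts with a UID above 499
#   (lower UIDs are skipped; those are typically system accounts).
#   NOTE(review): the awk '{print $2}' extractions keep only the second
#   whitespace-separated field, so a home directory path containing a space
#   would be truncated and that user's login items silently skipped.
#   NOTE(review): the parser below expects the line printed from $Record
#   to start with '/Users/' — confirm against the attribute order of
#   current 'dscl . -readall' output.
login_cmd = '(echo ; /usr/bin/dscl  . -readall /Users NFSHomeDirectory UniqueID) |while read sep; do read Home; read Record; read UniqueID; UniqueID=`echo $UniqueID |awk \'{print $2}\'`; test "$UniqueID" -gt 499 && echo $Record:|awk \'{print $2}\' && Home=`echo $Home|awk \'{print $2}\'` && test -f "$Home"/Library/Preferences/com.apple.loginitems.plist  && /usr/bin/defaults read "$Home"/Library/Preferences/com.apple.loginitems; done';

common = exec_cmds(cmds:make_list(ps_cmd, login_cmd), exit_on_fail:FALSE);

# Without a process list the check cannot be trusted; report the failure
# instead of letting the plugin end with a clean "not installed" result.
if (isnull(common) || !strlen(common[ps_cmd]))
  exit(1, "Failed to get a list of active processes.");

ps_out = common[ps_cmd];
login_out = common[login_cmd];

foreach app (apps)
{
  # Indicators found for this name, keyed by the label used in the report.
  info = make_array();

  # - application directory.
  #   'app' comes from the hard-coded list above, which is why splicing it
  #   into a single-quoted shell argument (and into the regexes below) is
  #   safe; never feed this path a value from the target.
  appdir = '/Applications/' + app + '.app';
  cmd1 = 'test -d \'' + appdir + '\' && ls -ld \'' + appdir + '\'';

  results = exec_cmds(cmds:make_list(cmd1), exit_on_fail:FALSE);
  if (!isnull(results) && strlen(results[cmd1]) > 0 && app >< results[cmd1])
    info["Application directory"] = appdir;

  # Match either the bundle path or the executable inside Contents/MacOS.
  matches = egrep(pattern:'('+app+'\\.app/|MacOS\\/'+app+')', string:ps_out);
  if (matches)
    info["Active process"] = join(matches, sep:"");

  if (strlen(login_out))
  {
    # The pipeline output is parsed as a '/Users/<name>:' header followed
    # by that user's plist dump, which ends with a line holding only '}';
    # each matching Path is attributed to the user whose block it is in.
    user = "";
    foreach line (split(login_out, keep:FALSE))
    {
      match = pregmatch(pattern:'^/Users/([^:]+):', string:line);
      if (match) user = match[1];

      match = pregmatch(pattern:'^ +Path = "(.+/'+app+'\\.[^"]*)"', string:line);
      if (match && user) info["Login item"] += user + ' (' + match[1] + ')\n';

      if (preg(pattern:'^} *$', string:line)) user = '';
    }
  }

  if (max_index(keys(info)))
  {
    # Pad the labels so the values line up in one column.
    max_item_len = 0;
    foreach item (keys(info))
    {
      if (strlen(item) > max_item_len) max_item_len = strlen(item);
    }

    report += '\n  - ' + app + ' : ';
    foreach item (sort(keys(info)))
    {
      val = info[item];
      # Continuation lines of a multi-line value are indented under the
      # first one (label width plus the fixed "      o " / " : " decoration).
      val = str_replace(find:'\n', replace:'\n'+crap(data:" ", length:max_item_len+11), string:val);
      val = chomp(val);

      report += '\n      o ' + item + crap(data:" ", length:max_item_len-strlen(item)) + ' : ' + val;
    }
    report += '\n';
  }
}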

if (!report) exit(0, "MacDefender is not installed.");

# The report can contain home-directory paths, which identify people;
# strip them before anything leaves the scanner.
report = data_protection::sanitize_user_paths(report_text:report);

verbosity = get_kb_item("global_settings/report_verbosity");
if (verbosity && verbosity != 'Quiet')
  security_hole(port:0, extra:report);
else
  security_hole(0);