Mac OS X Mac Defender Malware Detection

2011-05-26T00:00:00
ID MACOSX_MACDEFENDER_DETECTION.NASL
Type nessus
Reporter Tenable
Modified 2018-05-16T00:00:00

Description

Using the supplied credentials, Nessus has found evidence that a fake antivirus software named Mac Defender (alternatively, MacDefender, MacGuard, MacProtector, MacSecurity or MacShield) is installed on the remote Mac OS X host.

The software is typically installed by means of a phishing scam targeting Mac users: they are redirected from legitimate websites to fake ones that tell them their computer is infected with a virus and then offer this software as a solution.

Once installed, the malware will perform a 'scan' that falsely identifies applications such as 'Terminal' or even the shell command 'test' ('[') as infected and will redirect a user's browser to porn sites in an attempt to trick people into purchasing the software in order to 'clean up' their system.

                                        
                                            #TRUSTED 3e3ec8ebdcb39104d08175dbf1d98035093fb02c38ab53cac6926c4c25820a52c867ec3d53efb0d1573250ae83090622bc1318fbd2a6bd1fbd993a162ecab40ad0ccd9d928a7676d5c6dbaaefee0d1edcf6efdedccff7de27c06914460bb1644226fd482339b2b5f31839965e094f325a9038bb1d4bd062b7034f8eb647c00830683b6b0bb6cbfcb24d9869763efb4022db9d089ba8bc0dec5e040b09a6cfb73970d81927496099f4e77c8c2ba4f4e79c8a11bf4246bafd291a548ac443c0ef2189a03af4f96d7304899b5cf4d57930f465d4a40826bbacb341d97f28625a8c638f2774a31f80bd42f3e874a9708991247aee119116934d06c6772d45932afc8cc2b154689b0cd4d746114f1abfc6d8a85aba94294f05a129412adb0256703635ecba28b9f053f52dda8bd9579c728af44822c951020813d514b537c9fe9adbbb71d6fe9b90d7edf92742af1fb1f680c449b5d030cdce2efb4493653e22bfbe6b5683367bcc875a84f6ad6a3f0e77f60e4e249aeecb76d50e3fd196d5b89e47f80a2b9ba6e13b7a2e1d15cf3684809c35110e8d22db5a76381770b3f5147683acd86b2cea5a5d7e4e3692daacebcc0d4bcc8e67832531551bab9d24946dd287fc5e2255c635f6be118086027305ab8c80096dc373cc9603c5a0ad31ed71d616d384124acf20576281ca9063a8405e6a2f81f9e7d4ae569aeab6ff8d9802c7c7a
#
# (C) Tenable Network Security, Inc.
#


# Engine gate: exit quietly if bn_random is not a defined function
# (presumably a proxy for a minimum engine feature level this plugin needs).
if (!defined_func("bn_random")) exit(0);


include("compat.inc");


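if (description)
{
  script_id(54832);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/05/16");

  script_name(english:"Mac OS X Mac Defender Malware Detection");
  script_summary(english:"Checks for evidence of MacDefender");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mac OS X host appears to have been compromised."
  );
  # The alias list here must mirror the `apps` list probed in the body;
  # MacShield is checked by the code and was missing from the description.
  script_set_attribute(
    attribute:"description",
    value:
"Using the supplied credentials, Nessus has found evidence that a fake
antivirus software named Mac Defender (alternatively, MacDefender,
MacGuard, MacProtector, MacSecurity or MacShield) is installed on the
remote Mac OS X host. 

The software is typically installed by means of a phishing scam
targeting Mac users by redirecting them from legitimate websites to
fake ones that tell them their computer is infected with a virus and
then offer this software as a solution. 

Once installed, the malware will perform a 'scan' that falsely
identifies applications such as 'Terminal' or even the shell command
'test' ('[') as infected and will redirect a user's browser to porn
sites in an attempt to trick people into purchasing the software in
order to 'clean up' their system."
  );
  # http://nakedsecurity.sophos.com/2011/05/02/mac-users-hit-with-fake-av-when-using-google-image-search/
  script_set_attribute(
    attribute:"see_also", 
    value:"http://www.nessus.org/u?abf43744"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"http://support.apple.com/kb/HT4650"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Follow the steps in Apple's advisory to remove the malware."
  );
  # Scored as a full compromise of the host, consistent with the synopsis.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/26");

  # Local (credentialed) check; the body only runs read-only commands
  # (test/ls/ps/dscl/defaults read) over SSH.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Requires a prior credentialed macOS inventory; without the packages
  # KB key the plugin never runs its body.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages");

  exit(0);
}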


include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



# Toggle the sshlib command wrappers according to the engine's support level.
if (sshlib::get_support_level() < sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  disable_ssh_wrappers();
else
  enable_ssh_wrappers();

# Indicator names this plugin probes for. Detection further down is purely
# name-based (bundle directory, process command line, login-item path), so a
# variant shipped under any other name will not be reported.
apps = make_list(
  "MacDefender",
  "MacGuard",
  "MacSecurity",
  "MacProtector",
  "MacShield"
);

# The package inventory key is only used as a gate proving a credentialed
# macOS scan populated the KB; its contents are not inspected here.
packages = get_kb_item_or_exit("Host/MacOSX/packages");

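# Each indicator name is checked three ways:
#   - an app bundle under /Applications,
#   - a running process whose command line references the bundle,
#   - a per-user login item pointing at the bundle.
# The process list and the login-item dump are host-wide (they do not depend
# on the name), so they are collected once instead of once per name, and all
# probes go out in a single exec_cmds() batch.

# - active process.
#   nb: this just lists all processes.
cmd_ps = 'ps -axwww -o user,pid,command';

# - login items.
#   nb: this just lists all login items of non-system accounts (UID > 499).
#   NOTE(review): the user-tracking regex in the loop below expects the second
#   field of the echoed record line to be a /Users/<name> path; confirm this
#   against the actual attribute ordering of `dscl -readall` on supported
#   OS versions, otherwise login items are never attributed to a user.
cmd_login = '(echo ; /usr/bin/dscl  . -readall /Users NFSHomeDirectory UniqueID) |while read sep; do read Home; read Record; read UniqueID; UniqueID=`echo $UniqueID |awk \'{print $2}\'`; test "$UniqueID" -gt 499 && echo $Record:|awk \'{print $2}\' && Home=`echo $Home|awk \'{print $2}\'` && test -f "$Home"/Library/Preferences/com.apple.loginitems.plist  && /usr/bin/defaults read "$Home"/Library/Preferences/com.apple.loginitems; done';

# - application directory, one probe per name. The `test -d` gate means the
#   command only produces output when the bundle actually exists.
dir_cmds = make_array();
cmds = make_list(cmd_ps, cmd_login);
foreach app (apps)
{
  appdir = '/Applications/' + app + '.app';
  dir_cmds[app] = 'test -d \'' + appdir + '\' && ls -ld \'' + appdir + '\'';
  cmds = make_list(cmds, dir_cmds[app]);
}

results = exec_cmds(cmds:cmds, exit_on_fail:FALSE);

# Fail closed: if the checks could not be run at all, say so instead of
# reporting the host as clean. (Previously a NULL result silently skipped
# every indicator and the plugin exited 0 with "not installed".)
if (isnull(results)) exit(1, "Failed to execute commands on the remote Mac OS X host.");
if (!strlen(results[cmd_ps])) exit(1, "Failed to get a list of active processes.");

report = '';
foreach app (apps)
{
  info = make_array();
  appdir = '/Applications/' + app + '.app';

  # Bundle present? Output is empty unless `test -d` succeeded.
  if (strlen(results[dir_cmds[app]]) >= strlen(app))
  {
    info["Application directory"] = appdir;
  }

  # Running process referencing the bundle or its MacOS/ binary. The names
  # are fixed literals without regex metacharacters, so interpolating them
  # into the pattern is safe.
  matches = egrep(pattern:'('+app+'\\.app/|MacOS\\/'+app+')', string:results[cmd_ps]);
  if (matches)
  {
    info["Active process"] = join(matches, sep:"");
  }

  # Login items: walk the concatenated per-user `defaults read` dumps, keeping
  # track of which user's block we are in; a closing '}' line ends a block.
  if (strlen(results[cmd_login]))
  {
    user = "";
    foreach line (split(results[cmd_login], keep:FALSE))
    {
      match = pregmatch(pattern:'^/Users/([^:]+):', string:line);
      if (match) user = match[1];

      match = pregmatch(pattern:'^ +Path = "(.+/'+app+'\\.[^"]*)"', string:line);
      if (match && user) info["Login item"] += user + ' (' + match[1] + ')\n';

      if (preg(pattern:'^} *$', string:line)) user = '';
    }
  }

  # Render the indicators for this name, aligning the values in a column.
  if (max_index(keys(info)))
  {
    max_item_len = 0;
    foreach item (keys(info))
    {
      if (strlen(item) > max_item_len) max_item_len = strlen(item);
    }

    report += '\n  - ' + app + ' : ';
    foreach item (sort(keys(info)))
    {
      val = info[item];
      # Continuation lines of a multi-line value are indented to the column
      # after "      o <item> : ".
      val = str_replace(find:'\n', replace:'\n'+crap(data:" ", length:max_item_len+11), string:val);
      val = chomp(val);

      report += '\n      o ' + item + crap(data:" ", length:max_item_len-strlen(item)) + ' : ' + val;
    }
    report += '\n';
  }
}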

# Nothing matched: exit cleanly with an informational message.
if (!report) exit(0, "MacDefender is not installed.");

# Run the report text through the data-protection filter (presumably redacts
# user-identifying path components) before it leaves the scanner.
report = data_protection::sanitize_user_paths(report_text:report);

verbosity = get_kb_item("global_settings/report_verbosity");
if (verbosity && verbosity != 'Quiet')
  security_hole(port:0, extra:report);
else
  security_hole(0);