Macs have been relatively free of viruses, worms, trojans, and spyware, but they have been affected by phishing scripts. As Macs have become ever more popular, we’ve seen a slow rise in the amount of malware. Apple has been good at releasing updates that defeat other kinds of malware, so the phishing script is the primary kind of malware we see.

If you notice that your Mac is slower than usual, or you begin receiving lots of email bounce messages saying that messages know you never sent couldn’t be delivered, you should suspect that you might have a phishing script on your computer.

What is a phishing script?

Phishing scripts run in the background, without your knowledge, sending out thousands of legitimate-looking email message that appear to come from banks, auction sites like eBay or Amazon, payment processing companies like PayPal, social web sites, shipping companies, and web or email hosting companies.

The goal of a phishing message is identify theft. The messages tries to fool the recipient into clicking a link in the message, which takes them to a web site where they can “take care of” whatever the message was about. Of course the site requires that they enter personal information (for security purposes, of course…) like account numbers, credit card numbers, pin numbers, names, dates, and social security numbers. It all looks very legitimate, except that the site is a fake…the goal is to get you to enter the information so that they can use it to steal your identity, sell your credit card info, drain your bank account, or make purchases using your info.

We haven’t seen a phishing script that does any damage to a Mac or its files, but an infected Mac may be slower than normal because it’s splitting its attention between the work that you’re doing and sending out the phishing messages.

It used to be that the messages would be sent to everyone in your Address Book or Contacts. More recently, however, the phishing script uses outgoing addresses it gets from a huge list of potential email addresses for victims maintained by whoever created the script. Since the script creator doesn’t really know whether those email addresses actually exist, you’ll end up receiving a bounce message for each message that was sent to a non-existent email address.

Antivirus software will identify and delete phishing scripts. Our favorite is ClamXav, a free virus scanner for Mac OS X. It uses the very popular ClamAV open source antivirus engine as a back end and has the ability to detect both Windows and Mac threats.

Here are instructions for downloading, installing, and running ClamXav.

Download ClamXav

Download ClamXav at

Install and Set Up ClamXav

When the download is done, the following window should appear on your screen.

Drag the ClamXav icon to your Applications folder.

Drag the ClamXav icon from the window to the Applications folder on your hard disk. Then double-click the ClamXav icon in the Applications folder.

The first time you run ClamXav, an alert box tells you that you must first install the Clam Anti-Virus scanning engine. Click the Install button.

Click the Install button to install the ClamXav scanning engine.

The Installer will launch, and you’ll see the following window. Click the Continue button.

Click the Continue button in the Scanning Engine installer window.

Next is the “license” window. Click the Continue button.

Click the Continue button in the license screen.

Next is another window asking you to specifically agree to the license. Click the Agree button.

Click Agree in the License Agreement window.

Next is a window for choosing the standard installation or changing the installation location. Simply click the Install button.

Click the Install button in the Installer window.

Finally you’ll see the window for entering your user name and password. The user name should already be entered for you…just enter your password and click the OK button.
Enter your password and click the OK button.
The installation will take place, after which ClamXav will open and display the following window. You’ll now install the latest virus definitions. Click the Update Now button in the Alert window.
Click the Update Now button in the ClamXav main window.

ClamXav downloads the latest virus definitions from the ClamXav web site. When it’s done, the window looks like this:
ClamXav main window.

Before we actually scan for malware, let’s add a Delete button to the toolbar that will make it easy to delete any malware files we find. To do that, click Customize Toolbar… in the View menu.
Customize Toolbar in the View menu
In the new window that appears right on top of the ClamXav window, drag the Delete File button (look like the OS X Trash icon) to the toolbar of the ClamXav window, then click the Done button. Now the Delete File button is in the toolbar, and you’re back to the original ClamXav window.
Add Delete Button to Toolbar
Now, click on your startup disk icon on the desktop and drag it into the blue Source List at the left side of the ClamXav window. This adds the startup disk to the selections that can be quickly scanned with ClamXav. Installation and setup is done.
Drag your startup disk icon to the blue column at the left of the ClamXav window.

Run a Virus Check

Launch ClamXav (by double-clicking its icon in the Applications folder). The main window appears. Click the Update Definitions button at the top of the window to be sure you have the very latest virus definitions.

Click to highlight your hard disk in the blue column at the left of the window, then click the Start Scan button.

To run a scan of your entire hard disk (recommended, especially if you’ve been having peformance issues), click to highlight your startup disk in the blue Source List at the left side of the ClamXav window, then click the Start Scan button.

You can also click on any of the other folders in the source list to run a virus check that’s limited to that folder. You can also drag additional folders or disks into the Source List to check them.

The virus scan will take a while…the bigger the folder or disk being scanned, and the more files within it, the longer it takes.

Any viruses, worms, trojans, and other malware files that are found will be listed in the upper pane of the ClamXav window. To get rid of them, click on one of them to highlight it, then click Select All in the Edit menu…which highlights the entire list. Finally, click the Delete File button at the top of the ClamXav window. That moves all the malware file to the Trash. Now quit from ClamXav. To permanently eliminate the malware files, click Empty Trash… in the File menu.