
Recurring Mac OS X Mal/Iframe-V

I'm running the free Anti-Virus program, version 7.3.0C (threat detection engine 3.20.2, Threat data 4.66) on a Macbook with Leopard (10.5.8). I have a very stubborn piece of malware (Mal/Iframe-V) on my computer.

According to the program and reference material online, the problem is an .xml file that contains some malicious code.  I have repeatedly "cleaned up" the file, but it kept coming back.  I also tried manually deleting it twice. Nothing is working.  My computer is not hemorrhaging popups, but it is annoying.  Sophos pops up with an alert about it every hour or so.  

Help?  

Thanks in advance.  

By the way, someone should probably tell the documentation folks that Mal/Iframe-Vs come for Mac now.  



  • Hi, first off I thought I'd paste the description of Mal/iFrame-V for all those who don't know what it is:

    Mal/Iframe-V is a small or hidden iframe within a web page that attempts to load further malicious content from a remote website.

    Pages blocked as Mal/Iframe-V will often be within legitimate websites that have been compromised by malicious hackers. This technique is used to funnel web traffic from many compromised sites to the attack sites that are controlled by those attackers. At the time of writing, Mal/Iframe-V is loading malicious scripts that Sophos products block as Troj/ExpJS-BM and Troj/ExpJS-BO.

    It was flagged as Windows in the description because while the script itself is cross platform (it will load in any web browser that supports iFrames), the target pages that it tends to load have traditionally led to Windows-only malware.  However, it appears that the MacDefender FakeAV has been opened up to an affiliate program, so it is possible that we will see Macintosh targets in the future.  As such, I've updated the description :)

    The trick now is to find out what's creating the XML file with an embedded iFrame that redirects to a dodgy-looking domain.  It is possible that this is a false positive, as it's showing up in an XML file when this malware predominantly gets injected into legitimate sites' web pages, but your XML file keeps on coming back, indicating that it is being re-created by some other event.

    If you run the lsof command from the Terminal, is that file shown as being open?  If it is, what process has it open?

  • Since the malware isn't terribly dangerous, I did a bit of prodding at the actual file.  

    It seems it's an RSS for a service I use.  The solution was to remove the RSS from my browser, then delete the file.  At this point, it hasn't come back.  I tried checking the RSS at the website, but it's broken at the moment.  Hopefully that means they're fixing it, but I can't be sure.  

    At any rate, problem solved.  

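To make the first reply's description concrete (a small or hidden iframe that pulls further content from a remote site) and the second reply's finding that it arrived inside an RSS feed, here is an added Python example, not code from this thread or from Sophos, that scans the item bodies of an RSS 2.0 feed for iframes that are styled invisible or sized to a pixel and reports the host each one points at. The feed text, the `feed.example.com` hostname and the `attacker.invalid` target are all constructed for the example.

```python
"""Flag hidden iframes injected into RSS item bodies (added example)."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element local names whose text is an HTML fragment in RSS 2.0 feeds.
BODY_TAGS = {"description", "encoded"}
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")

# Constructed sample feed: one clean item with a visible same-site embed and
# one item whose body carries a 1x1 hidden iframe aimed at a hypothetical host.
SAMPLE_FEED = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<title>Example service updates</title>
<link>https://feed.example.com/</link>
<item>
<title>Release notes</title>
<link>https://feed.example.com/notes/1</link>
<description><![CDATA[<p>Bug fixes.</p><iframe src="https://feed.example.com/embed/1" width="400" height="300"></iframe>]]></description>
</item>
<item>
<title>Maintenance window</title>
<link>https://feed.example.com/notes/2</link>
<content:encoded><![CDATA[<p>Downtime Saturday.</p><iframe src="http://attacker.invalid/x.php" width="1" height="1" style="visibility: hidden"></iframe>]]></content:encoded>
</item>
</channel>
</rss>"""


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _localname(tag):
    """Strip an ElementTree '{namespace}' prefix, e.g. content:encoded."""
    return tag.rsplit("}", 1)[-1]


def _px(value):
    """Parse a width/height attribute; None when absent or non-numeric."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def iframe_is_hidden(attrs):
    """True for the usual tricks that keep an injected iframe invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True
    width, height = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    return any(dim is not None and dim <= 1 for dim in (width, height))


def scan_feed(xml_text):
    """Return one finding per hidden iframe found in the feed's item bodies."""
    root = ET.fromstring(xml_text)
    feed_host = urlparse(root.findtext("channel/link") or "").hostname or ""
    findings = []
    for item in root.iter():
        if _localname(item.tag) != "item":
            continue
        title = item.findtext("title") or "(untitled)"
        for child in item:
            if _localname(child.tag) not in BODY_TAGS or not child.text:
                continue
            collector = _IframeCollector()
            collector.feed(child.text)
            for attrs in collector.iframes:
                if not iframe_is_hidden(attrs):
                    continue  # visible embeds are normal feed content
                src = attrs.get("src", "")
                host = urlparse(src).hostname or ""
                reasons = ["hidden"]
                if host and host != feed_host:
                    reasons.append("off-site:" + host)
                findings.append({"item": title, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_feed(SAMPLE_FEED):
        print(finding)
```

Point `scan_feed` at the cached feed file the scanner keeps flagging (`scan_feed(open(path).read())`) to see which item carries the iframe and where it points; this is a heuristic, so a same-site 1x1 tracking pixel would be reported as well, which is why the off-site host is recorded separately.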
  • Interesting, and novel malware injection method... just inject the redirect into the RSS feed.  Something to remember when this kind of attack starts carrying Mac-targeted payloads.
