Reoccurring Mac OSX Mal/Iframe-V

I'm running the free Anti-Virus program, version 7.3.0C (threat detection engine 3.20.2, Threat data 4.66) on a Macbook with Leopard (10.5.8). I have a very stubborn piece of malware (Mal/Iframe-V) on my computer.

According to the program and reference material online, the problem is an .xml file that contains some malicious code.  I have repeatedly "cleaned up" the file, but it kept coming back.  I also tried manually deleting it twice. Nothing is working.  My computer is not hemorrhaging popups, but it is annoying.  Sophos pops up with an alert about it every hour or so.  

Help?  

Thanks in advance.  

By the way, someone should probably tell the documentation folks that Mal/Iframe-V comes for Mac now.

  • Hi, first off I thought I'd paste the description of Mal/Iframe-V for all those who don't know what it is:

    Mal/Iframe-V is a small or hidden iframe within a web page that attempts to load further malicious content from a remote website.

    Pages blocked as Mal/Iframe-V will often be within legitimate websites that have been compromised by malicious hackers. This technique is used to funnel web traffic from many compromised sites to the attack sites that are controlled by those attackers. At the time of writing, Mal/Iframe-V is loading malicious scripts that Sophos products block as Troj/ExpJS-BM and Troj/ExpJS-BO.

    It was flagged as Windows in the description because while the script itself is cross platform (it will load in any web browser that supports iFrames), the target pages that it tends to load have traditionally led to Windows-only malware.  However, it appears that the MacDefender FakeAV has been opened up to an affiliate program, so it is possible that we will see Macintosh targets in the future.  As such, I've updated the description :)

    The trick now is to find out what's creating the XML file with an embedded iFrame that redirects to a dodgy-looking domain.  It is possible that this is a false positive, as it's showing up in an XML file when this malware predominantly gets injected into legitimate sites' web pages, but your XML file keeps on coming back, indicating that it is being re-created by some other event.

    If you run the lsof command from the Terminal, is that file shown as being open?  If it is, what process has it open?

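The two checks the reply above asks for, written out as an added example that is not part of the original thread and not Sophos's code: a scan of the flagged file for the hidden or tiny remote `<iframe>` pattern that the Mal/Iframe-V description covers, and the `lsof` check for which process has the file open, plus a small poll loop that runs `lsof` the moment the file is re-created. The function names, the sample XML and the placeholder domain `example.invalid` are constructed for the demo; the iframe pattern is a heuristic written here, not the vendor's detection logic.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos.  Three helpers for a
# file that keeps being flagged as Mal/Iframe-V:
#   iframe_hits FILE   print <iframe> tags that load remote content and are
#                      hidden or a few pixels in size; exit 0 if any, 1 if none
#   file_holders FILE  ask lsof which process has FILE open (the reply's check)
#   watch_writer FILE  poll for FILE being re-created/modified, then run lsof
# The sample XML and the domain example.invalid are constructed for the demo;
# the pattern below is a heuristic, not the vendor's detection logic.

iframe_hits() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    # Split the file on "<" so every tag is one awk record, regardless of line
    # breaks or CDATA wrappers; sq carries a single quote into the regexes.
    awk -v sq="'" '
    BEGIN {
        RS = "<"
        q       = "[\"" sq "]?"                 # optional attribute quote
        src_re  = "src *= *" q "https?://"      # src pointing at another host
        size_re = "(width|height) *[:=] *" q "[0-3](px)?[^0-9]"
    }
    {
        t = tolower($0)
        if (t !~ /^iframe[ \t\r\n]/) next       # only <iframe ...> tags
        if (t !~ src_re) next                   # only ones pulling remote content
        hidden = (t ~ /display *: *none/ || t ~ /visibility *: *hidden/)
        tiny   = (t ~ size_re)
        if (hidden || tiny) { n++; print "<" $0 }
    }
    END { if (n == 0) exit 1 }' "$f"
}

file_holders() {
    f=$1
    command -v lsof >/dev/null 2>&1 || { echo "lsof not found" >&2; return 2; }
    # -n/-P skip host and port name lookups; lsof exits 1 when nothing has the
    # file open, which is the usual answer for a file written in a burst.
    out=$(lsof -nP -- "$f" 2>/dev/null) || { echo "no process has $f open right now"; return 1; }
    echo "$out"
}

# Poll for SECS seconds (default 60).  A marker file's mtime is the reference:
# when FILE is newer than it, FILE was just created or rewritten, so ask lsof
# immediately.  A writer that opens, writes and closes within the one-second
# sleep can still slip past; that is the limit of a user-level poll.
watch_writer() {
    f=$1; secs=${2:-60}
    mark=$(mktemp "${TMPDIR:-/tmp}/watch-mark.XXXXXX")
    while [ "$secs" -gt 0 ]; do
        if [ -n "$(find "$f" -newer "$mark" 2>/dev/null)" ]; then
            echo "$(date) $f changed"
            file_holders "$f"
            touch "$mark"
        fi
        sleep 1
        secs=$((secs - 1))
    done
    rm -f "$mark"
}

# Demo: with a path argument, check that file (the one being flagged); with no
# argument, check a constructed sample feed.
if [ -n "$1" ]; then
    target=$1
else
    target=$(mktemp "${TMPDIR:-/tmp}/iframe-demo.XXXXXX")
    cat > "$target" <<'EOF'
<?xml version="1.0"?>
<rss><channel><item>
<description><![CDATA[<p>Latest post</p>
<iframe src="http://example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>]]></description>
</item></channel></rss>
EOF
fi
echo "== hidden/tiny remote iframes in $target"
iframe_hits "$target" || echo "(none matched)"
echo "== processes holding $target open"
file_holders "$target"
[ -n "$1" ] || rm -f "$target"
```

Run it as `sh iframe_triage.sh /path/to/flagged.xml`; if `iframe_hits` prints nothing, the detection is worth querying as a false positive, and if it does print a tag, `watch_writer /path/to/flagged.xml 600` in a second Terminal window is the cheapest way to catch the process that re-creates the file after the next clean-up.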