How can I remove Troj/Iframe-HJ?

I installed Sophos Anti-Virus 8.0.6C for Mac today.  It almost immediately found Troj/Iframe-HJ.  However, when I go to the Quarantine Manager, put in my admin password, and press Clean Up Threat, it says "Cleaning up threats..." but the task never finishes.  Is there another way, or another version, I should be using?  And can anyone tell me anything else about this threat? The Sophos website, http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iframe-HJ/detailed-analysis.aspx  is kind of obscure.

Thanks.

JK

  • When doing online banking, I highly recommend using a web browser you do not use for regular web browsing -- so if you use Safari for regular browsing, you can use Firefox, Chrome, Opera, etc. for your banking.  At the minimum, you should not have other tabs open in your browser at the same time as your banking tab.  This way, you'll be less susceptible to in-browser attacks.

    Other things to check are that you have Java disabled for your web browsers, that your default CSS page hasn't been modified for your browser, and that there are no extensions/plugins loading that you don't trust.

    You may also want to verify the DNS settings on your router and your computer; to be safe, the DNS settings should be set to the ones assigned by your ISP or some other trusted service such as OpenDNS or GoogleDNS.  Along with this, you may want to have a look at your /private/etc/hosts file, as it may have a redirect for your banking site slipped in by some malicious software.

    Other than this, the (highly unlikely) possibility is that you have some drive-by malware running in the background automatically monitoring/injecting code into your web browser.  Due to how much easier it is to attack one of the other mechanisms I've noted however, this is highly unlikely.

    As for the phony UPS notice, these are part of the Bredo attack package, and are indeed aimed at Windows currently -- although there's nothing to stop someone using that package from dropping Mac malware -- it just hasn't been seen to happen yet.  Most likely, this is unrelated to the strange behaviour you witnessed.  The Java part of these exploits is used purely to download and run the actual malware, which is (currently) a Windows executable that will not run natively on OS X.

    The other thing I can suggest if you feel like getting your hands dirty and spending some time on it is to open up console.app and search through your logs for anything suspicious around the time the strange behaviour happened, and around the time you opened the attachment with the hidden iFrame.  The syslog should record anything happening that required administrator privileges to run, and you may also have safari logs or other program-specific logs that could shed some light on the matter.

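As an added example (not part of the original post and not Sophos tooling), here is a POSIX shell script that turns three of the manual checks in the reply above into repeatable functions: the /private/etc/hosts redirect check, the DNS resolver check, and the "what ran with administrator privileges around that time" search of the syslog. The hosts file, the log lines, the bank hostname, the user name and the TRUSTED_DNS allow-list are all constructed for the example; 203.0.113.10 and 198.51.100.53 are documentation addresses, not real infrastructure.

```shell
#!/bin/sh
# Added example: reproducible versions of the hosts-file, DNS and log checks
# suggested in the reply above.  Everything below runs against constructed
# sample files so it works offline; see the note after the block for the
# real paths and commands on a Mac.

SAMPLE_HOSTS=$(mktemp)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS" "$SAMPLE_LOG"' EXIT

# --- 1. hosts file: names mapped to non-local addresses -----------------
# Constructed copy of a stock macOS hosts file plus one hypothetical injected
# line of the kind malware adds to redirect a banking site.
cat > "$SAMPLE_HOSTS" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.10    online.examplebank.com
EOF

# Print every non-comment entry whose address is not the loopback or
# broadcast address; a stock hosts file contains nothing else, so each
# printed line deserves a look.
suspicious_hosts_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    awk '$1 != "127.0.0.1" && $1 != "::1" && $1 != "255.255.255.255" && $1 !~ /^fe80::1/'
}

# --- 2. resolvers: anything not on an allow-list ------------------------
# Example allow-list (OpenDNS and Google public DNS); on a real machine put
# your ISP's resolvers, or whatever you actually configured, here.
TRUSTED_DNS="208.67.222.222 208.67.220.220 8.8.8.8 8.8.4.4"

# Echo each argument that is not in TRUSTED_DNS.  A resolver you never set
# is the classic sign of a hijacked router or network configuration.
untrusted_dns() {
    for ip in "$@"; do
        case " $TRUSTED_DNS " in
            *" $ip "*) ;;            # known resolver: say nothing
            *) echo "$ip" ;;         # unexpected resolver: flag it
        esac
    done
}

# --- 3. syslog: privileged activity in a time window --------------------
# Constructed syslog-style lines; hostname, PIDs, user and paths are invented.
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 21:14:02 mac kernel[0]: AirPort: Link Up on en1
Mar  3 21:15:37 mac sudo[412]:       jk : TTY=ttys001 ; PWD=/Users/jk ; USER=root ; COMMAND=/bin/sh -c /tmp/.u
Mar  3 21:15:40 mac com.apple.launchd[1] (com.example.updater[413]): Exited with exit code: 0
Mar  3 22:05:11 mac Safari[300]: benign message outside the window
EOF

# Print lines whose "Mon DD HH:MM:SS" prefix lies in [from, to] and that
# mention sudo, launchd or authorization.  The comparison is lexical, which
# is correct within one month because syslog pads the day to two characters.
privileged_events() {
    awk -v from="$2" -v to="$3" '
        { ts = substr($0, 1, 15) }
        ts >= from && ts <= to && /sudo|launchd|authorization/ { print }
    ' "$1"
}

# Run the three checks against the constructed samples.
suspicious_hosts_entries "$SAMPLE_HOSTS"
untrusted_dns 8.8.8.8 198.51.100.53
privileged_events "$SAMPLE_LOG" "Mar  3 21:10:00" "Mar  3 21:20:00"
```

On a real Mac, point the functions at the live data instead: `suspicious_hosts_entries /private/etc/hosts`, `untrusted_dns $(networksetup -getdnsservers Wi-Fi)` (substitute the service name shown by `networksetup -listallnetworkservices`), and `privileged_events /var/log/system.log "Mar  3 21:00:00" "Mar  3 22:00:00"` for the OS X releases current when this thread was written; newer macOS versions route most of this into the unified log read with `log show`. The script does not look at the router's DNS settings, which the reply also recommends checking; those live in the router's admin interface.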