How can I remove Troj/Iframe-HJ?

I installed Sophos Anti-Virus 8.0.6C for Mac today.  It almost immediately found Troj/Iframe-HJ.  However, when I go to the Quarantine Manager, put in my admin password, and press Clean Up Threat, it says "Cleaning up threats..." but the task never finishes.  Is there another way, or another version, I should be using?  And can anyone tell me anything else about this threat? The Sophos website, http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iframe-HJ/detailed-analysis.aspx, is kind of obscure.

Thanks.

JK

  • Andrew,


    Thanks very much. That is great information. Let me give you some more history and background for my concerns. While I was attempting to open an online bank account, a screen appeared - it apparently was not meant to appear - which referred to URL shortening and redirection, and gave me some concern. The bank claimed it had nothing to do with it. I then installed Sophos, and it produced a Troj/Iframe-HJ warning about an attachment to an email I had received in March. The email was a phony UPS notice with an attachment, and I thought I was aware of these kinds of things, but it came exactly when I was expecting a UPS shipment, and I have to suspect I clicked on the attachment, though I don't remember doing it.


    I deleted the email after copying it and the attachment to a CD, for future reference, as well as deleting my entire Time Machine backup (at Apple support's recommendation) to remove back-up copies. The Sophos knowledge base, as well as Google, produced little information about Troj/Iframe-HJ that was useful to me. However when I Googled the name of the attachment, invoiceA43E088DB39ED40C.htm, I found more information, suggesting that the attachment pointed to a site which downloaded malware which captured and transmitted back credentials related to financial information. Most of what I saw seemed related to Windows, so I wondered how the subsequent malware could function on a Mac, but it seemed that some of the processing was done in Java, which seemed to be an environment which might make the Mac vulnerable (my guess, anyway). In any case the targeting of financial info, and the questionable screen appearing when opening a bank account, actually at the point when the new account number was displayed, has made me concerned about the possible extent of the intrusion. I also hoped that shutting down Java might eliminate an opportunity for this seemingly Windows-oriented malware to function on a Mac. I should also mention that I run a Windows virtual machine, using VMWare Fusion, but any issues so far have occurred in the OSX environment.


    I have eliminated all other AV software than Sophos, and run two full scans with no other programs running, and with my three external drives disconnected. Is there anything else I can do to look for traces of this software, other than running the scans with the drives reconnected? Thanks very much for your assistance, and for your time.


    John

  • When doing online banking, I highly recommend using a web browser you do not use for regular web browsing -- so if you use Safari for regular browsing, you can use Firefox, Chrome, Opera, etc. for your banking.  At the minimum, you should not have other tabs open in your browser at the same time as your banking tab.  This way, you'll be less susceptible to in-browser attacks.

    Other things to check are that you have Java disabled for your web browsers, that your default CSS page hasn't been modified for your browser, and that there are no extensions/plugins loading that you don't trust.

    You may also want to verify the DNS settings on your router and your computer; to be safe, the DNS settings should be set to the ones assigned by your ISP or some other trusted service such as OpenDNS or GoogleDNS.  Along with this, you may want to have a look at your /private/etc/hosts file, as it may have a redirect for your banking site slipped in by some malicious software.

    Other than this, the (highly unlikely) possibility is that you have some drive-by malware running in the background automatically monitoring/injecting code into your web browser.  Due to how much easier it is to attack one of the other mechanisms I've noted however, this is highly unlikely.

    As for the phony UPS notice, these are part of the Bredo attack package, and are indeed aimed at Windows currently -- although there's nothing to stop someone using that package from dropping Mac malware -- it just hasn't been seen to happen yet.  Most likely, this is unrelated to the strange behaviour you witnessed.  The Java part of these exploits is used purely to download and run the actual malware, which is (currently) a Windows executable that will not run natively on OS X.

    The other thing I can suggest if you feel like getting your hands dirty and spending some time on it is to open up console.app and search through your logs for anything suspicious around the time the strange behaviour happened, and around the time you opened the attachment with the hidden iFrame.  The syslog should record anything happening that required administrator privileges to run, and you may also have Safari logs or other program-specific logs that could shed some light on the matter.

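Two of the checks suggested in the reply above, written out as an added example; this is not code from the thread and not a Sophos tool. The first function audits a hosts(5)-format file for the two kinds of tampering worth looking for: a name mapped to a routable address (a planted redirect of a banking site) and a non-localhost name pointed at loopback or 0.0.0.0 (a sinkholed update server). The second filters a BSD-style syslog for lines in a chosen time window that mention a privilege boundary (sudo, SecurityAgent, authorizationhost, installer), which is the "anything that required administrator privileges" search from the reply, done from a shell instead of console.app. The paths /private/etc/hosts and /var/log/system.log, the host names, the documentation-range IP and every log line are constructed for illustration.

```bash
#!/bin/sh
# Added example, not code from the thread or from Sophos. Sample data below
# is constructed; on a real Mac run the functions against /private/etc/hosts
# and /var/log/system.log.

# audit_hosts FILE
# Prints one line per hosts(5) entry worth a look: REDIRECT when a name maps
# to a routable address, SINKHOLE when a name other than the stock localhost
# entries is pointed at loopback or 0.0.0.0. Comments and blank lines skip.
audit_hosts() {
    file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"          # drop trailing comments
        set -- $entry                # split on whitespace
        [ $# -lt 2 ] && continue     # need an address and at least one name
        addr="$1"; shift
        case "$addr" in
            127.*|::1|0.0.0.0|255.255.255.255|fe80::1*|ff0?::*)
                for name in "$@"; do
                    case "$name" in
                        localhost|broadcasthost|*.localdomain|ip6-*) ;;
                        *) printf 'SINKHOLE %s -> %s\n' "$name" "$addr" ;;
                    esac
                done ;;
            *)
                for name in "$@"; do
                    printf 'REDIRECT %s -> %s\n' "$name" "$addr"
                done ;;
        esac
    done < "$file"
    return 0
}
count_redirects() { audit_hosts "$1" | grep -c '^REDIRECT' || true; }
count_sinkholes() { audit_hosts "$1" | grep -c '^SINKHOLE' || true; }

# privileged_events LOGFILE 'Mon D HH:MM:SS' 'Mon D HH:MM:SS'
# Prints syslog lines inside the window whose message mentions sudo,
# SecurityAgent, authorizationhost or installer. Timestamps are mapped to a
# sortable "MM DD HH:MM:SS" key, which is enough within one calendar year.
privileged_events() {
    awk -v start="$2" -v end="$3" '
        function key(mon, day, tim) {
            return sprintf("%02d %02d %s",
                (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3, day, tim)
        }
        BEGIN { split(start, a, " "); s = key(a[1], a[2], a[3])
                split(end,   b, " "); e = key(b[1], b[2], b[3]) }
        { k = key($1, $2, $3)
          if (k >= s && k <= e && $0 ~ /sudo|SecurityAgent|authorizationhost|installer/) print }
    ' "$1"
}
count_privileged_events() { privileged_events "$1" "$2" "$3" | wc -l | tr -d ' '; }

# Constructed sample data (not real captures): a stock macOS hosts file with
# two planted entries, and a handful of syslog lines around a chosen time.
write_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
198.51.100.23   online.example-bank.test   # planted redirect, documentation IP
127.0.0.1       updates.example-av.test    # planted sinkhole of an update host
EOF
}
write_sample_syslog() {
    cat > "$1" <<'EOF'
Jun  5 13:55:02 Johns-Mac com.apple.launchd[1]: (com.apple.mdworker.1) Exited: Killed
Jun  5 14:02:41 Johns-Mac SecurityAgent[512]: User info context values set for john
Jun  5 14:02:44 Johns-Mac sudo[540]: john : TTY=ttys000 ; PWD=/Users/john ; USER=root ; COMMAND=/bin/sh
Jun  5 14:20:10 Johns-Mac kernel[0]: USBMSC Identifier (non-unique): 000000 0x5ac 0x1227 0x1
Jun  6 09:00:00 Johns-Mac sudo[610]: john : TTY=ttys001 ; PWD=/Users/john ; USER=root ; COMMAND=/usr/bin/less /var/log/system.log
EOF
}

# Demo run on the constructed data.
tmp="${TMPDIR:-/tmp}/audit.$$"
write_sample_hosts "$tmp.hosts"
write_sample_syslog "$tmp.log"
audit_hosts "$tmp.hosts"
privileged_events "$tmp.log" 'Jun 5 14:00:00' 'Jun 5 14:10:00'
rm -f "$tmp.hosts" "$tmp.log"
```

On the sample data the audit reports one REDIRECT and one SINKHOLE, and the ten-minute window around 14:00 returns the SecurityAgent and sudo lines only. For the DNS part of the same reply, the resolver configuration a Mac is actually using can be read with `scutil --dns`, and the per-interface setting with `networksetup -getdnsservers "Wi-Fi"` (substituting the service name); an address there that is neither the ISP's nor a resolver you chose deserves the same scrutiny as a REDIRECT line.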
  • Andrew,

    Your information has been thorough, and quite straightforward.  Thank you very much.

    I have pretty much followed all your steps - except that some of the system logs seem to wrap, so they don't go back far enough - and I am now beginning to suspect/hope that the message that appeared might well have been a part of the bank's process, which I suspected at first.  I then could think that, although Sophos discovered the iFrame intrusion in an attachment in my email, it was not executed, or perhaps could not have even gone past an attempt to download on the Mac, even if it had been executed.  I am greatly hoping that no further sign of intrusion from Sophos indicates that things are safe.

    John
