06-07-2011 05:32 PM
I'm running the free Anti-Virus program, version 7.3.0C (threat detection engine 3.20.2, Threat data 4.66) on a Macbook with Leopard (10.5.8). I have a very stubborn piece of malware (Mal/Iframe-V) on my computer.
06-08-2011 09:09 AM
Hi, first off I thought I'd paste the description of Mal/Iframe-V for all those who don't know what it is:
Mal/Iframe-V is a small or hidden iframe within a web page that attempts to load further malicious content from a remote website.
Pages blocked as Mal/Iframe-V will often be within legitimate websites that have been compromised by malicious hackers. This technique is used to funnel web traffic from many compromised sites to the attack sites that are controlled by those attackers. At the time of writing, Mal/Iframe-V is loading malicious scripts that Sophos products block as Troj/ExpJS-BM and Troj/ExpJS-BO.
It was flagged as Windows in the description because while the script itself is cross platform (it will load in any web browser that supports iFrames), the target pages that it tends to load have traditionally led to Windows-only malware. However, it appears that the MacDefender FakeAV has been opened up to an affiliate program, so it is possible that we will see Macintosh targets in the future. As such, I've updated the description.
The trick now is to find out what's creating the XML file with an embedded iFrame that redirects to a dodgy-looking domain. It is possible that this is a false positive, as it's showing up in an XML file when this malware predominantly gets injected into legitimate sites' web pages, but your XML file keeps on coming back, indicating that it is being re-created by some other event.
If you run the lsof command from the Terminal, is that file shown as being open? If it is, what process has it open?
06-08-2011 12:15 PM
Since the malware isn't terribly dangerous, I did a bit of prodding at the actual file.
It seems it's an RSS for a service I use. The solution was to remove the RSS from my browser, then delete the file. At this point, it hasn't come back. I tried checking the RSS at the website, but it's broken at the moment. Hopefully that means they're fixing it, but I can't be sure.
At any rate, problem solved.
06-08-2011 02:16 PM
Interesting, and a novel malware injection method... just inject the redirect into the RSS feed. Something to remember when this kind of attack starts carrying Mac-targeted payloads.
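A defender's check for the injection pattern this thread describes: a script that scans an RSS feed's item bodies for tiny or hidden iframes whose src points off the feed's own host. This is an added example, not code from the thread or from Sophos; the feed content and the hostnames in it are constructed.

```python
import re
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed: one clean item and one whose description carries a
# 1x1 hidden iframe pointing at an outside host (placeholder, not a real IoC).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Example service feed</title><link>http://feed.example.com/</link>
<item><title>Normal post</title>
<description><![CDATA[<p>Release notes for this week.</p>]]></description></item>
<item><title>Tampered post</title>
<description><![CDATA[<p>Hi.</p><iframe src="http://bad-host.invalid/in.php"
 width="1" height="1" style="visibility:hidden"></iframe>]]></description></item>
</channel></rss>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')

def _attrs(raw):
    """Parse the attribute string of one tag into a lowercase-keyed dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}

def _is_hidden(a):
    """Tiny (<= 2px) or CSS-hidden iframes are the Mal/Iframe-V pattern."""
    def small(v):
        digits = re.sub(r"[^\d]", "", v or "")
        return digits != "" and int(digits) <= 2
    style = (a.get("style") or "").replace(" ", "").lower()
    return (small(a.get("width")) or small(a.get("height"))
            or "display:none" in style or "visibility:hidden" in style)

def find_hidden_iframes(feed_xml):
    """Return (item title, iframe src) for every hidden iframe whose src host
    differs from the feed's own channel link host."""
    root = ET.fromstring(feed_xml)
    feed_host = urlparse(root.findtext("./channel/link") or "").hostname
    hits = []
    for item in root.iter("item"):
        # Feeds may carry HTML as CDATA or entity-escaped; unescape covers both.
        body = html.unescape(item.findtext("description") or "")
        for m in IFRAME_RE.finditer(body):
            a = _attrs(m.group(1))
            src_host = urlparse(a.get("src", "")).hostname
            if _is_hidden(a) and src_host and src_host != feed_host:
                hits.append((item.findtext("title") or "", a.get("src", "")))
    return hits
```

Run it against a cached feed file (such as the XML the scanner kept flagging) to see which item carries the redirect, then remove the subscription and the file as the poster did.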