
I broke Safari trying to get rid of Flashback malware. How do I fix it?

1891 Views 19 Replies Latest reply: Apr 6, 2012 2:13 PM by Linc Davis RSS
DougKW Level 1 (0 points)
Apr 5, 2012 6:29 PM

I foolishly tried following the instructions on the CNET site for finding if I have the Flashback malware and supposedly fixing it:

http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/?tag=mncol;txt

On the page, it says to run this command in Terminal and that if it returns a path result that you have the malware:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

When I ran the above, it gave me the following:

"DYLD_INSERT_LIBRARIES" = "/Applications/safari.app/contents/resources/.PassmarkMonitorTestV.xsl"

Based on the instructions on the CNET site, I believed that this file was infected and I deleted it, even though it was a hidden file. I followed the rest of the instructions on the page as well, which would supposedly "reset" the infected application, but this didn't work.

I now can't run Safari. It would appear that the file I deleted was necessary for it to run.

I tried downloading Safari from the apple.com website so that I could reinstall it, but when I ran the installer, it said I couldn't use it because there was a newer version already on my machine.

I'm running Mac OS X Snow Leopard. I'm not sure what version of Safari I'm running (I can't open Safari), but it must be higher than the version on Apple's site, which is 5.1.4.

 

Here is the Safari error report:

Process:     Safari [516]
Path:        /Applications/Safari.app/Contents/MacOS/Safari
Identifier:  com.apple.Safari
Version:     ??? (???)
Build Info:  WebBrowser-75345503~2
Code Type:   X86-64 (Native)
Parent Process:  launchd [98]

Date/Time:   2012-04-05 21:14:59.436 -0400
OS Version:  Mac OS X 10.6.8 (10K549)
Report Version:  6

Interval Since Last Report:      2686299 sec
Crashes Since Last Report:       13
Per-App Crashes Since Last Report:   7
Anonymous UUID:                  ******

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Crashed Thread:  0

Dyld Error Message:
  could not load inserted library: /Applications/Safari.app/Contents/Resources/.PassmarkMonitorTestV.xsl

Binary Images:
0x7fff5fc00000 - 0x7fff5fc3be0f  dyld 132.1 (???) <29DECB19-0193-2575-D838-CF743F0400B2> /usr/lib/dyld

 

How can I repair my Safari installation?

MacBook (13-inch Aluminum Late 2008), Mac OS X (10.6.8)
  • Linc Davis Level 10 (108,160 points)

    If you’re certain you know when the infection happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.

    How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.

    If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. There are differences of opinion on this site as to the best course of action, so you should do your own research before deciding how to proceed.

    I suggest you take the following steps:

    1. Back up all data to at least two different devices, if you haven't already done so.

    2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup volume. This action will destroy all data on the volume, so you must be sure of your backups.

    3. Install the Mac OS.

    4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.

    5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.

    6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not whole folders with all their contents, and only if (a) they’re visible in the Finder, and (b) you know what they are, and (c) they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.

    7. If you’re running Mac OS X 10.5.8 or earlier, launch Safari and select Safari Preferences… Security from the menu bar. Uncheck the box labeled Enable Java. Because of known bugs, Java in those OS versions is unsafe to use on the Internet. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) If you’re running Mac OS 10.6.8 or later, you should still disable the Java web plugin unless you really need it. Few websites have legitimate Java content nowadays. If you encounter one that does, enable Java temporarily.

    8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.

    9. Reinstall your third-party software from fresh downloads or original media, not from backups, which may be contaminated.

    10. If you use any third-party web browsers, disable Java in their preferences. As with step 7, this step is mandatory if you’re running any version of Mac OS X older than 10.6. Otherwise it’s optional, but recommended.

  • Topher Kessler Level 6 (9,305 points)

    You may not have fully followed the instructions in the CNET article. The way to fix this is to remove the DYLD_INSERT_LIBRARIES reference in the Safari application, by running the following command (this was mentioned further down in the CNET article):

    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment

    Follow this command with this next one, to ensure the Info.plist file within the Safari package is properly readable:

    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist
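An added illustration of the check and the fix discussed in this thread (written for this page, not code from the thread, CNET or Apple): it parses a constructed Info.plist with Python's plistlib, reports the DYLD_INSERT_LIBRARIES value the way `defaults read ... LSEnvironment` does, and removes the LSEnvironment key as `defaults delete` would, rather than deleting the library file, which is what leaves dyld failing with "could not load inserted library". The sample plist and its contents are constructed for the example.

```python
import plistlib

# Constructed sample (not a real Safari Info.plist) carrying the
# launch-time injection entry the original poster saw.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.Safari</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/Applications/safari.app/contents/resources/.PassmarkMonitorTestV.xsl</string>
    </dict>
</dict>
</plist>
"""


def inserted_library(plist_bytes):
    """Return the DYLD_INSERT_LIBRARIES path under LSEnvironment, or None.

    A clean bundle has no LSEnvironment entry at all, so any value here
    is worth investigating.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return None
    return env.get("DYLD_INSERT_LIBRARIES")


def remove_lsenvironment(plist_bytes):
    """Return plist bytes with the LSEnvironment key removed.

    Equivalent of `defaults delete .../Info LSEnvironment`: the injection
    is removed from the bundle metadata, so dyld stops looking for the
    library. Deleting only the library file leaves the key in place and
    the application aborts at launch.
    """
    info = plistlib.loads(plist_bytes)
    info.pop("LSEnvironment", None)
    return plistlib.dumps(info)


if __name__ == "__main__":
    print("inserted library:", inserted_library(SAMPLE_INFO_PLIST))
    cleaned = remove_lsenvironment(SAMPLE_INFO_PLIST)
    print("after cleanup:", inserted_library(cleaned))
```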

  • Linc Davis Level 10 (108,160 points)

    May I ask how you know that those instructions will completely clear the infection, given that the OP executed a trojan with root privileges, and any file on his system might have been altered?

  • Topher Kessler Level 6 (9,305 points)

    The instructions are based on what is known about the trojan so far through analysis of known variants; however, you are right that there may be others that behave differently, and it is not always possible to determine which variant a person has encountered.

    Ultimately a full reinstall of the OS is the only way anyone can be fully confident it is cleared; however, based on the latest findings, the methods for removing it will work for the variants that have been discovered to date.

  • Linc Davis Level 10 (108,160 points)

    Some variants of the trojan have been reported to infect Skype. Apart from that, if I knew that a criminal had root access to a computer that had my data on it, I wouldn't accept F-Secure's assurances or anyone else's as to what he did or didn't do.

  • Topher Kessler Level 6 (9,305 points)

    True with root access, but this malware specifically targets the same mode by altering launch environmental variables, and does so without root access by changing a global environmental variables property list in the user account. Its use of a filtering component that only runs it when certain programs are launched is highly suggestive of its preferred mode of attack, which is confirmed by the analysis that shows it is really doing one thing.

    I trust the analysis of the currently known variants to be complete, so should someone be affected then they can research and remove the variants, or use an anti-malware program to help with this.

    However, despite this I do agree that a full reinstall is for some people the only way to be absolutely certain nothing else was changed.

  • Topher Kessler Level 6 (9,305 points)

    If you still have the non-working Safari application, try running the following command to see if the following defaults pair exists in the program's Info file. I'd be curious to see if it exists using the DYLD_INSERT_LIBRARIES key only, instead of the LSEnvironment key:

    defaults read /Applications/Safari.app/Contents/Info DYLD_INSERT_LIBRARIES

  • Linc Davis Level 10 (108,160 points)

    "...this malware specifically targets the same mode by altering launch environmental variables, and does so without root access by changing a global environmental variables property list in the user account."

    That's what it does when the user doesn't enter a password to give it root privileges. When the password is entered, it has other ways of inserting code into processes. In the OP's case, a file was added to the Safari application bundle, which can only be done by a root process. So the OP did run the trojan payload as root, and his whole system is irrevocably compromised.

  • Linc Davis Level 10 (108,160 points)

    "I'd be curious to see if it exists using the DYLD_INSERT_LIBRARIES key only, instead of the LSEnvironment key..."

    That makes no sense. "DYLD_INSERT_LIBRARIES" is not a key; it's a value. Stop giving advice about things you don't understand.

  • Topher Kessler Level 6 (9,305 points)

    I understand, but I disagree with the blanket notion that the whole system is irrevocably compromised.

  • Linc Davis Level 10 (108,160 points)

    During the time that you're wasting on this pointless discussion, the criminal who has control of your computer could be draining all the funds out of your bank accounts. Instead of futzing around with incorrect shell commands, start fixing the damage.

  • Topher Kessler Level 6 (9,305 points)

    Linc, allow me to discuss with someone without being a nuisance. I'm merely curious about how the alterations may have been done, and wish to see if it may have been implemented in different ways. Do not assume you have a grasp on my understanding of the situation at all, as it is quite clear you are simply trying to put down my approach without just coming out and saying so. To make it clear, I know it is a value that points to a linked file, but it can be added to a file as a key (albeit erroneously) if one so chooses. I disagree with your blanket approach that disregards the research put into this situation and the understanding of it so far.
