Safari can't be opened because of a problem?

Il Principe Del Pasta wrote:

Dyld Error Message:

could not load inserted library: /Applications/Safari.app/Contents/Resources/.BosonHPPractice .xsl

Ouch! This sounds like a strain of Flashback. See

<http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml>

Try step 1 of "Disinfection", ie

Run the following command in Terminal:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

What's the result?

Could also be the new "K" variant, but they are pretty much the same for a full infection. It seems mostly the front end Trojan Downloader method was revised.

Install Firefox pkg onto a USB thumb drive, take it to the sick Mac and install it. (if you don't have another browser)

Follow the "browser" portion of my User TIP here

https://discussions.apple.com/docs/DOC-3046

ds store wrote:

Install Firefox pkg onto a USB thumb drive, take it to the sick Mac and install it.

I'm afraid I have to disagree in the strongest possible terms with this advice.

AFAIK, there is no legitimate reason why Safari should look for a hidden shared code library. The presence, or the instruction to look for, such an item is a strong indication of malware. Installing Firefox (or any other browser) on the affected computer does not deal with this problem, and leaves the malicious code untouched.

At this point, I do not know if the OP's machine is infected with a Trojan Horse, and I don't think anyone can tell. All that is available is a strong indication that this might be the case. Under such circumstances, it is my opinion that the prudent and responsible thing to do is to ascertain whether or not malware is present, and to take the steps appropriate to the situation. Installing a different browser is not one of them.

fane_j wrote:

At this point, I do not know if the OP's machine is infected with a Trojan Horse, and I don't think anyone can tell. All that is available is a strong indication that this might be the case.

Let me put it this way. I have not observed a crash involving a hidden file in this location that was not a Flashback infection, so I would feel very confident pronouncing this machine as infected.

And for those who have been saying the activity this weekend was no big deal, how about over a half a million Macs infected at this time http://news.cnet.com/8301-1009_3-57409619-83/ including 274 just down the street from where I sit.

MadMacs0 wrote:

And for those who have been saying the activity this weekend was no big deal, how about over a half a million Macs infected at this time http://news.cnet.com/8301-1009_3-57409619-83/ including 274 just down the street from where I sit.

Any thoughts on how Dr. Web managed to get those numbers? Supposedly a Sinkhole trap was used, but wouldn't that mean nothing was getting through to the C&C server running the botnet?

The CNET article quoted a response to Mikko Hypponen at F-Secure from Sorokin Ivan at Dr.Web on Twitter. This was Mikko's response to a recent question:

@ProfWoodward We've spoken with Dr. Web. They've sinkholed one of the Flashback domains, and Flashback uses a unique User-Agent. Looks real.

An earlier tweet from Mikko:

Flashback trojan uses MAC address as the User-Agent when connecting to C&C servers. If Dr. Web is counting them, their numbers are accurate.

PlatypusRex wrote:

The CNET article quoted a response to Mikko Hypponen at F-Secure from Sorokin Ivan at Dr.Web on Twitter. This was Mikko's response to a recent question:

@ProfWoodward We've spoken with Dr. Web. They've sinkholed one of the Flashback domains, and Flashback uses a unique User-Agent. Looks real.

What I'm asking is if the domain is "sinkholed" then is it true that nothing going through that domain is going anywhere besides into Dr Web's servers?

Il Principe Del Pasta wrote:

"DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/.BosonHPPractice\\U0090\003.xsl";

I'm not great with terminal so I didn't feel comfortable continuing the steps in your link, but thats what it came up with when I put in the first command.

Yes. Unfortunately, you've been infected by a strain of the Flashback Trojan Horse. (What is curious, and I believe this is the first reported instance, is the control character in the name of the malicious code library, which caused its loading to fail and Safari to crash.)

The instructions to clean it up are given on the site I directed you to, as well as in several threads in this forum. To my mind, however, there is only one way to clean it and be assured it's completely gone. And that is to boot from the Install DVD—or, in your case Recovery Partition—, erase the boot volume, and restore everything from Time Machine to a date prior to the infection. If you don't have a backup, then first back up your stuff, reboot as above, erase the disk, re-install the OS, re-install the apps from the original install media, and restore your docs (but only your docs—no prefs, no configuration files, no hidden files).

R C-R wrote:

Any thoughts on how Dr. Web managed to get those numbers? Supposedly a Sinkhole trap was used, but wouldn't that mean nothing was getting through to the C&C server running the botnet?

Yes, one of the folks helping out this weekend, lytic, apparently works for Dr. Web and posted this partial explanation and I can guess most of the rest. They registered three of the phoney sites with dns, redirecting them to their own server, which allowed them to count the number of unique machine/user identifiers and then extrapolate the total based on the total number of C&C servers (also an estimate, apparently).

Also, it looked like there were actually two sets of dns queries going out. When I first checked the first one never showed up in whois which made me believe it was just some check of whether the firewall was working, but I really don't know enough to know exactly how they could have been used to get to the real servers.

The second group of requests were coming from a series of "rr.nu" addresses which were being rapidly registered and changed which I suspect were the real C&C servers.

I would ask lytic for more details.

Thanks for the info. In another (private) ASC forum someone posted a link a few hours ago to this BBC story about the Dr Web stuff.

An excerpt (emphasis added):

"By introducing the code criminals are potentially able to control the machine," the firm's chief executive Boris Sharov told the BBC.

"We stress the word potential as we have never seen any malicious activity since we hijacked the botnet to take it out of criminals' hands. However, we know people create viruses to get money."

You're welcome. All's well that ends well.