19 Replies Latest reply: Apr 6, 2012 2:13 PM by Linc Davis
DougKW Level 1 (0 points)

I foolishly tried following the instructions on the CNET site for finding if I have the Flashback malware and supposedly fixing it: lware-from-os-x/?tag=mncol;txt


On the page, it says to run this command in Terminal and that if it returns a path result that you have the malware:

defaults read /Applications/ LSEnvironment


When I ran the above, it gave me the following:

"DYLD_INSERT_LIBRARIES" = "/Applications/" 


Based on the instructions on the CNET site, I believed that this file was infected and I deleted it, even though it was a hidden file. I followed the rest of the instructions on the page as well, which would supposedly "reset" the infected application, but this didn't work.


I now can't run Safari. It would appear that the file deleted was necessary for it to run.


I tried downloading Safari from the website so that I can reinstall it, but when I ran the installer, it said I couldn't use it because there was a newer version already on my machine.


I'm running Mac OS X Snow Leopard. I'm not sure what version of Safari I'm running (I can't open Safari) but it must be higher than the version on Apple's site, which is 5.1.4.


Here is the Safari error report:

Process:     Safari [516]
Path:        /Applications/
Version:     ??? (???)
Build Info:  WebBrowser-75345503~2
Code Type:   X86-64 (Native)

Parent Process:  launchd [98]


Date/Time:   2012-04-05 21:14:59.436 -0400
OS Version:  Mac OS X 10.6.8 (10K549)

Report Version:  6


Interval Since Last Report:      2686299 sec
Crashes Since Last Report:       13

Per-App Crashes Since Last Report:   7

Anonymous UUID:                  ******



Exception Codes: 0x0000000000000002, 0x0000000000000000

Crashed Thread:  0


Dyld Error Message:

  could not load inserted library: /Applications/


Binary Images:

0x7fff5fc00000 - 0x7fff5fc3be0f  dyld 132.1 (???) <29DECB19-0193-2575-D838-CF743F0400B2> /usr/lib/dyld


How can I repair my Safari installation?



MacBook (13-inch Aluminum Late 2008), Mac OS X (10.6.8)
  • Linc Davis Level 10 (184,990 points)

    If you’re certain you know when the infection happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.


    How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.


    If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. There are differences of opinion on this site as to the best course of action, so you should do your own research before deciding how to proceed.


    I suggest you take the following steps:


    1. Back up all data to at least two different devices, if you haven't already done so.


    2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup volume. This action will destroy all data on the volume, so you must be sure of your backups.


    3. Install the Mac OS.


    4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.


    5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.


    6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not whole folders with all their contents, and only if (a) they’re visible in the Finder, and (b) you know what they are, and (c) they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.


    7. If you’re running Mac OS X 10.5.8 or earlier, launch Safari and select Safari Preferences… Security from the menu bar. Uncheck the box labeled Enable Java. Because of known bugs, Java in those OS versions is unsafe to use on the Internet. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) If you’re running Mac OS 10.6.8 or later, you should still disable the Java web plugin unless you really need it. Few websites have legitimate Java content nowadays. If you encounter one that does, enable Java temporarily.


    8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.


    9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.


    10. If you use any third-party web browsers, disable Java in their preferences. As with step 7, this step is mandatory if you’re running any version of Mac OS X older than 10.6. Otherwise it’s optional, but recommended.

  • DougKW Level 1 (0 points)

    Argh. I'm running OS X 10.6.8.


    I don't use Time Machine, but I backed up my data a couple of months ago when I downgraded my machine from Lion to Snow Leopard.


    I don't know exactly when I was infected, but I suspect it was in the last couple of weeks. I recall being prompted for my password by a dialog box that supposedly had something to do with System Update, but it appeared in an unusual way, which in hindsight was suspicious.


    Also, a couple of days ago my machine crashed with a kernel panic, which had never happened before.


    I'm pretty sure that my backed-up files pre-date the infection (or at least as sure as I can be).


    I'll give your process a try. Thanks.

  • Topher Kessler Level 6 (9,865 points)

    You may not have fully followed the instructions in the CNET article. The way to fix this is to remove the DYLD_INSERT_LIBRARIES reference in the Safari application, by running the following command (this was mentioned further down in the CNET article):


    sudo defaults delete /Applications/ LSEnvironment


    Follow this command with this next one, to ensure the Info.plist file within the Safari package is properly readable:


    sudo chmod 644 /Applications/
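The check the OP ran (`defaults read ... LSEnvironment`) and the fix Topher describes (`defaults delete ... LSEnvironment`) both operate on the LSEnvironment dictionary in the application bundle's Info.plist. The following script is an added example, not part of this thread and not CNET's or Apple's code: it parses a plist, reports whether a DYLD_INSERT_LIBRARIES entry is present, distinguishes a live injection from a dangling one (key still present but the library file already deleted, which is exactly the "could not load inserted library" failure in the OP's crash report), and produces the plist as `defaults delete` would leave it. The sample plists, bundle name and .dylib path are constructed placeholders, not indicators from the page.

```python
"""Added example (not from the thread): inspect an app bundle's Info.plist for
the LSEnvironment / DYLD_INSERT_LIBRARIES injection the thread discusses.
All sample data and paths are constructed placeholders."""
import os
import plistlib
import sys
from typing import Callable, List, Tuple

# Constructed sample: a bundle Info.plist carrying an injected LSEnvironment
# dictionary. The .dylib path is an invented placeholder, not a real IoC.
INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.browser</string>
  <key>CFBundleExecutable</key>
  <string>Browser</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Browser.app/Contents/Resources/.hidden.dylib</string>
  </dict>
</dict>
</plist>
"""

# Constructed sample: the same bundle with no LSEnvironment key at all.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.browser</string>
  <key>CFBundleExecutable</key>
  <string>Browser</string>
</dict>
</plist>
"""


def inserted_libraries(plist_bytes: bytes) -> List[str]:
    """Return the library paths named by LSEnvironment/DYLD_INSERT_LIBRARIES.

    Mirrors the thread's check: `defaults read <bundle>/Contents/Info
    LSEnvironment` prints the dictionary when it exists, and an ordinary
    bundle has no LSEnvironment key at all. plistlib.loads accepts both the
    XML and binary plist formats, so a real Info.plist can be passed as-is.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    # dyld accepts a colon-separated list of libraries.
    return [p for p in str(value).split(":") if p]


def scan(plist_bytes: bytes,
         exists: Callable[[str], bool] = os.path.exists) -> Tuple[str, List[str]]:
    """Classify a plist as 'clean', 'injected' (library still on disk) or
    'dangling' (key present, library missing). A dangling entry makes dyld
    abort the launch, which is the OP's symptom after deleting the file by
    hand without removing the key."""
    libs = inserted_libraries(plist_bytes)
    if not libs:
        return "clean", []
    if all(exists(p) for p in libs):
        return "injected", libs
    return "dangling", libs


def remove_ls_environment(plist_bytes: bytes) -> bytes:
    """Return the plist with the whole LSEnvironment dictionary removed, the
    same end state as `defaults delete <bundle>/Contents/Info LSEnvironment`.
    Other keys are preserved unchanged."""
    info = plistlib.loads(plist_bytes)
    info.pop("LSEnvironment", None)
    return plistlib.dumps(info)


if __name__ == "__main__":
    # Usage: python3 check_lsenv.py /path/to/Some.app/Contents/Info.plist
    # With no argument the constructed infected sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = INFECTED_PLIST
    verdict, libs = scan(data)
    print(verdict, *libs)
```

Two points worth keeping in mind when applying this to a real bundle: the Info.plist inside /Applications is root-owned, which is why the thread's `defaults delete` and `chmod 644` commands are run with sudo, and the script above only reads and rewrites plist bytes, so writing the cleaned result back is a separate, privileged step. If the scan reports "dangling", the library is already gone and removing the key is what lets the application launch again, but, as Linc Davis notes further down, that restores the application and says nothing about what else a root-level payload may have changed.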

  • Linc Davis Level 10 (184,990 points)

    May I ask how you know that those instructions will completely clear the infection, given that the OP executed a trojan with root privileges, and any file on his system might have been altered?

  • Topher Kessler Level 6 (9,865 points)

    The instructions are based on what is known about the trojan so far through analysis of known variants; however, you are right that there may be others that behave differently and it is not always possible to determine which variant a person has encountered.


    Ultimately a full reinstall of the OS is the only way anyone can be fully confident it is cleared; however, based on the latest findings, the methods for removing it will work for the variants that have been discovered to date.

  • Linc Davis Level 10 (184,990 points)

    Some variants of the trojan have been reported to infect Skype. Apart from that, if I knew that a criminal had root access to a computer that had my data on it, I wouldn't accept F-Secure's assurances or anyone else's as to what he did or didn't do.

  • Topher Kessler Level 6 (9,865 points)

    True with root access, but this malware specifically targets the same mode by altering launch environmental variables, and does so without root access by changing a global environmental variables property list in the user account. Its use of a filtering component that only runs it when certain programs are launched is highly suggestive of its preferred mode of attack, which is confirmed by the analysis that shows it is really doing one thing.


    I trust the analysis of the currently known variants to be complete, so should someone be affected then they can research and remove the variants, or use an anti-malware program to help with this.


    However, despite this I do agree that a full reinstall is for some people the only way to be absolutely certain nothing else was changed.

  • DougKW Level 1 (0 points)



    I followed all of the instructions in your article to the best of my ability.


    When I ran this command:

    sudo defaults delete /Applications/ LSEnvironment


    I got this result:

    There is no (LSEnvironment) default for the (/Applications/ domain.

    Defaults have not been changed.


    I also ran:

    sudo chmod 644 /Applications/


    It just returned the prompt with no messages.

  • Topher Kessler Level 6 (9,865 points)

    If you still have the non-working Safari application, try running the following command to see if the following defaults pair exists in the program's Info file. I'd be curious to see if it exists using the DYLD_INSERT_LIBRARIES key only, instead of the LSEnvironment key:


    defaults read /Applications/ DYLD_INSERT_LIBRARIES

  • Linc Davis Level 10 (184,990 points)

    ...this malware specifically targets the same mode by altering launch environmental variables, and does so without root access by changing a global environmental variables property list in the user account.


    That's what it does when the user doesn't enter a password to give it root privileges. When the password is entered, it has other ways of inserting code into processes. In the OP's case, a file was added to the Safari application bundle, which can only be done by a root process. So the OP did run the trojan payload as root, and his whole system is irrevocably compromised.

  • Linc Davis Level 10 (184,990 points)

    I'd be curious to see if it exists using the DYLD_INSERT_LIBRARIES key only, instead of the LSEnvironment key...


    That makes no sense. "DYLD_INSERT_LIBRARIES" is not a key; it's a value. Stop giving advice about things you don't understand.

  • Topher Kessler Level 6 (9,865 points)

    I understand, but I disagree with the blanket notion that the whole system is irrevocably compromised.

  • Linc Davis Level 10 (184,990 points)

    During the time that you're wasting on this pointless discussion, the criminal who has control of your computer could be draining all the funds out of your bank accounts. Instead of futzing around with incorrect shell commands, start fixing the damage.

  • Topher Kessler Level 6 (9,865 points)

    Linc, allow me to discuss with someone without being a nuisance. I'm merely curious about how the alterations may have been done, and wish to see if it may have been implemented in different ways. Do not assume you have a grasp on my understanding of the situation at all, as it is quite clear you are simply trying to put down my approach without just coming out and saying so. To make it clear, I know it is a value that points to a linked file, but can be added to a file as a key (albeit erroneously) if one so chooses. I disagree with your blanket approach that disregards the research put into this situation and the understanding of it so far.
