
I broke Safari trying to get rid of Flashback malware. How do I fix it?

I foolishly tried following the instructions on the CNET site for finding if I have the Flashback malware and supposedly fixing it:

http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/?tag=mncol;txt


On the page, it says to run this command in Terminal and that if it returns a path result that you have the malware:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment


When I ran the above, it gave me the following:

"DYLD_INSERT_LIBRARIES" = "/Applications/safari.app/contents/resources/.PassmarkMonitorTestV.xsl"


Based on the instructions on the CNET site, I believed that this file was infected and I deleted it, even though it was a hidden file. I followed the rest of the instructions on the page as well, which would supposedly "reset" the infected application, but this didn't work.


I now can't run Safari. It would appear that the file I deleted was necessary for it to run.


I tried downloading Safari from the apple.com website so that I can reinstall it, but when I ran the installer, it said I couldn't use it because there was a newer version already on my machine.


I'm running Mac OS X Snow Leopard. I'm not sure what version of Safari I'm running (I can't open Safari) but it must be higher than the version on Apple's site, which is 5.1.4.


Here is the Safari error report:

Process: Safari [516]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: com.apple.Safari
Version: ??? (???)
Build Info: WebBrowser-75345503~2
Code Type: X86-64 (Native)

Parent Process: launchd [98]


Date/Time: 2012-04-05 21:14:59.436 -0400
OS Version: Mac OS X 10.6.8 (10K549)

Report Version: 6


Interval Since Last Report: 2686299 sec
Crashes Since Last Report: 13

Per-App Crashes Since Last Report: 7

Anonymous UUID: ******


Exception Type: EXC_BREAKPOINT (SIGTRAP)

Exception Codes: 0x0000000000000002, 0x0000000000000000

Crashed Thread: 0


Dyld Error Message:

could not load inserted library: /Applications/Safari.app/Contents/Resources/.PassmarkMonitorTestV.xsl


Binary Images:

0x7fff5fc00000 - 0x7fff5fc3be0f dyld 132.1 (???) <29DECB19-0193-2575-D838-CF743F0400B2> /usr/lib/dyld


How can I repair my Safari installation?



MacBook (13-inch Aluminum Late 2008), Mac OS X (10.6.8)

Posted on Apr 5, 2012 6:23 PM

20 replies
Question marked as Best reply

Apr 5, 2012 6:40 PM in response to DougKW

If you’re certain you know when the infection happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.


How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.


If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. There are differences of opinion on this site as to the best course of action, so you should do your own research before deciding how to proceed.


I suggest you take the following steps:


1. Back up all data to at least two different devices, if you haven't already done so.


2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup volume. This action will destroy all data on the volume, so you must be sure of your backups.


3. Install the Mac OS.


4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.


5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.


6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not whole folders with all their contents, and only if (a) they’re visible in the Finder, and (b) you know what they are, and (c) they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.


7. If you’re running Mac OS X 10.5.8 or earlier, launch Safari and select Safari Preferences… Security from the menu bar. Uncheck the box labeled Enable Java. Because of known bugs, Java in those OS versions is unsafe to use on the Internet. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) If you’re running Mac OS 10.6.8 or later, you should still disable the Java web plugin unless you really need it. Few websites have legitimate Java content nowadays. If you encounter one that does, enable Java temporarily.


8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.


9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.


10. If you use any third-party web browsers, disable Java in their preferences. As with step 7, this step is mandatory if you’re running any version of Mac OS X older than 10.6. Otherwise it’s optional, but recommended.

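Step 6 above draws a line through a backup: visible files under the top-level home subfolders come back, the whole Library folder (LaunchAgents included) and every hidden file or folder stay behind. The script below is an added example for this thread, not code from the page or from Apple; it encodes that rule as a dry-run planner over a backup copy of a home folder so you can review what would and would not be restored before copying anything. The sample tree it builds in a temporary directory is constructed for the demonstration; on a real machine you would point restore_plan at the mounted backup's home folder.

```python
"""Plan a selective restore of a backed-up home folder (step 6 above).

Added example for this thread, not code from the page or from Apple.
Rule encoded: restore visible files under the top-level folders, skip the
whole Library folder (LaunchAgents included) and every hidden file or
folder wherever it sits.
"""
import os
import tempfile


def restore_plan(backup_home):
    """Return (restore, skip): sorted paths relative to backup_home."""
    restore, skip = [], []
    for dirpath, dirnames, filenames in os.walk(backup_home):
        rel_dir = os.path.relpath(dirpath, backup_home)
        at_top = rel_dir == "."
        for name in list(dirnames):
            if name.startswith(".") or (at_top and name == "Library"):
                skip.append(os.path.normpath(os.path.join(rel_dir, name)))
                dirnames.remove(name)  # do not descend: nothing inside is restored
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            (skip if name.startswith(".") else restore).append(rel)
    return sorted(restore), sorted(skip)


def demo():
    """Constructed backup tree in a temp dir; returns the plan for it."""
    with tempfile.TemporaryDirectory() as home:
        files = [
            "Documents/report.txt",
            "Documents/.DS_Store",
            "Pictures/photo.jpg",
            ".bash_profile",
            ".MacOSX/environment.plist",
            "Library/LaunchAgents/com.example.agent.plist",
            "Library/Preferences/com.apple.Safari.plist",
        ]
        for rel in files:
            path = os.path.join(home, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        return restore_plan(home)


if __name__ == "__main__":
    restore, skip = demo()
    print("restore:", *restore, sep="\n  ")
    print("skip:", *skip, sep="\n  ")
```

The planner prunes a skipped directory instead of descending into it, so a LaunchAgents plist or a hidden folder deep inside Library never appears in the restore list even if it is itself visible; that matches the step's instruction to bring back individual known files from Library by hand, if at all, rather than whole folders.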
Apr 5, 2012 6:53 PM in response to Linc Davis

Argh. I'm running OS X 10.6.8.


I don't use Time Machine, but I backed up my data a couple of months ago when I downgraded my machine from Lion to Snow Leopard.


I don't know exactly when I was infected, but I suspect it was in the last couple of weeks. I recall being prompted for my password by a dialog box that supposedly had something to do with System Update, but it appeared in an unusual way, which in hindsight was suspicious.


Also, a couple of days ago my machine crashed with a kernel panic, which had never happened before.


I'm pretty sure that my backed up files pre-date the infection (or at least as sure as I can be).


I'll give your process a try. Thanks.

Apr 5, 2012 7:59 PM in response to DougKW

You may not have fully followed the instructions in the CNET article. The way to fix this is to remove the DYLD_INSERT_LIBRARIES reference in the Safari application, by running the following command (this was mentioned further down in the CNET article):


sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment


Follow this command with this next one, to ensure the Info.plist file within the Safari package is properly readable:


sudo chmod 644 /Applications/Safari.app/Contents/Info.plist

Apr 5, 2012 7:57 PM in response to Linc Davis

The instructions are based on what is known about the trojan so far through analysis of known variants; however, you are right that there may be others that behave differently and it is not always possible to determine which variant a person has encountered.


Ultimately a full reinstall of the OS is the only way anyone can be fully confident it is cleared; however, based on the latest findings, the methods for removing it will work for the variants that have been discovered to date.

Apr 5, 2012 9:00 PM in response to Linc Davis

True with root access, but this malware specifically targets the same mode by altering launch environmental variables, and does so without root access by changing a global environmental variables property list in the user account. Its use of a filtering component that only runs it when certain programs are launched is highly suggestive of its preferred mode of attack, which is confirmed by the analysis that shows it is really doing one thing.


I trust the analysis of the currently known variants to be complete, so should someone be affected then they can research and remove the variants, or use an anti-malware program to help with this.


However, despite this I do agree that a full reinstall is for some people the only way to be absolutely certain nothing else was changed.

Apr 5, 2012 9:02 PM in response to Topher Kessler

Topher,


I followed all of the instructions in your article to the best of my ability.


When I ran this command:

sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment


I got this result:

There is no (LSEnvironment) default for the (/Applications/Safari.app/Contents/Info) domain.

Defaults have not been changed.


I also ran:

sudo chmod 644 /Applications/Safari.app/Contents/Info.plist


It just returned the prompt with no messages.

Apr 5, 2012 9:14 PM in response to DougKW

If you still have the non-working Safari application, try running the following command to see if the following defaults pair exists in the program's Info file. I'd be curious to see if it exists using the DYLD_INSERT_LIBRARIES key only, instead of the LSEnvironment key:


defaults read /Applications/Safari.app/Contents/Info DYLD_INSERT_LIBRARIES

Apr 5, 2012 9:15 PM in response to Topher Kessler

...this malware specifically targets the same mode by altering launch environmental variables, and does so without root access by changing a global environmental variables property list in the user account.


That's what it does when the user doesn't enter a password to give it root privileges. When the password is entered, it has other ways of inserting code into processes. In the OP's case, a file was added to the Safari application bundle, which can only be done by a root process. So the OP did run the trojan payload as root, and his whole system is irrevocably compromised.

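The two mechanisms discussed in the replies above are the same variable in two places: the LSEnvironment dictionary inside an application's Info.plist (what the poster's `defaults read` printed, and what Topher's `sudo defaults delete` removes), and a per-user environment property list that the non-root variant can write without a password. The script below is an added example for this thread, not code from the page, CNET or Apple. It reads either layout with Python's plistlib (which handles both XML and the binary plists that `defaults write` produces), reports whether the injection entry is present and whether the library it names still exists, and removes the entry. It constructs a throwaway Safari-like bundle and a per-user plist in a temporary directory and walks them through the three states the thread describes: injection as found, hidden library deleted but key left behind (the "could not load inserted library" crash), and key removed. The location of a real per-user environment plist is not named here and is left as a parameter; on a real machine you would point classify at /Applications/Safari.app/Contents/Info.plist.

```python
"""Check macOS property lists for DYLD_INSERT_LIBRARIES injection and undo it.

Added example for this thread, not code from the page, CNET or Apple.
plistlib reads XML and the binary plists that `defaults write` produces.
"""
import os
import plistlib
import tempfile

INJECT_KEY = "DYLD_INSERT_LIBRARIES"


def load_env(plist_path, env_key="LSEnvironment"):
    """Return the environment dict held by the plist, or {} if none.

    An application's Info.plist keeps launch environment variables under
    the LSEnvironment dictionary (what `defaults read .../Info LSEnvironment`
    printed for the poster). A per-user environment plist keeps them at
    top level; pass env_key=None for that layout.
    """
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    env = data.get(env_key, {}) if env_key else data
    return env if isinstance(env, dict) else {}


def classify(plist_path, env_key="LSEnvironment"):
    """Return (state, libraries) for the plist.

    'clean'    : no DYLD_INSERT_LIBRARIES entry.
    'infected' : entry present and every listed library exists on disk.
    'broken'   : entry present but a library is missing; dyld then refuses
                 to start the program ("could not load inserted library"),
                 which is the crash shown in the first post.
    """
    value = load_env(plist_path, env_key).get(INJECT_KEY)
    if not value:
        return "clean", []
    libs = [p for p in str(value).split(":") if p]  # dyld uses ':' separators
    missing = [p for p in libs if not os.path.exists(p)]
    return ("broken" if missing else "infected"), libs


def remove_injection(plist_path, env_key="LSEnvironment"):
    """Delete the injection entry and rewrite the plist as XML.

    Does what `sudo defaults delete .../Info LSEnvironment` does, except that
    other LSEnvironment entries, if any, survive. Returns True if a change
    was made.
    """
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    env = data.get(env_key) if env_key else data
    if not isinstance(env, dict) or INJECT_KEY not in env:
        return False
    del env[INJECT_KEY]
    if env_key and not env:
        del data[env_key]
    with open(plist_path, "wb") as fh:
        plistlib.dump(data, fh)
    return True


def demo():
    """Constructed scenario in a temp dir (not the poster's real files)."""
    with tempfile.TemporaryDirectory() as root:
        contents = os.path.join(root, "Safari.app", "Contents")
        os.makedirs(os.path.join(contents, "Resources"))
        lib = os.path.join(contents, "Resources", ".PassmarkMonitorTestV.xsl")
        with open(lib, "wb") as fh:
            fh.write(b"constructed stand-in, not a real Mach-O")
        info = os.path.join(contents, "Info.plist")
        with open(info, "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": "com.apple.Safari",
                           "LSEnvironment": {INJECT_KEY: lib}}, fh)
        # Per-user environment plist: same variable, no LSEnvironment wrapper.
        user_env = os.path.join(root, "environment.plist")
        with open(user_env, "wb") as fh:
            plistlib.dump({INJECT_KEY: lib}, fh)

        states = {
            "as_found": classify(info)[0],                    # 'infected'
            "user_env": classify(user_env, env_key=None)[0],  # 'infected'
        }
        os.remove(lib)  # what deleting only the hidden file did
        states["library_deleted"] = classify(info)[0]         # 'broken'
        removed = remove_injection(info)                      # the defaults delete step
        states["key_removed"] = classify(info)[0]             # 'clean'
        remove_injection(user_env, env_key=None)
        states["user_env_cleaned"] = classify(user_env, env_key=None)[0]  # 'clean'
        return states, removed


if __name__ == "__main__":
    for name, state in demo()[0].items():
        print(f"{name:18} {state}")
```

The 'broken' state is the one to recognise: deleting the inserted library without removing the key does not disinfect anything useful and leaves dyld unable to start the program, which is exactly the sequence in the first post. Remove the key first (or at the same time), then the file, and check the bundle's Info.plist is readable afterwards as the chmod step above does.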
Apr 5, 2012 9:23 PM in response to Linc Davis

Linc, allow me to discuss with someone without being a nuisance. I'm merely curious about how the alterations may have been done, and wish to see if it may have been implemented in different ways. Do not assume you have a grasp on my understanding of the situation at all, as it is quite clear you are simply trying to put down my approach without just coming out and saying so. To make it clear, I know it is a value that points to a linked file, but can be added to a file as a key (albeit erroneously) if one so chooses. I disagree with your blanket approach that disregards the research put into this situation and the understanding of it so far.

Apr 5, 2012 9:31 PM in response to Linc Davis

Linc, this fear mongering is the exact disservice that people do not need. This alteration could have been done by a third-party add-on, and not necessarily by the malware in question. Instead of promoting an understanding of the situation and trying to get to the bottom of it, you're just blindly crying "reinstall" and getting nowhere, especially since your recommendation to restore from backup counters your effort to avoid this file and the infection at all costs. The file is installed in the application itself in some infection instances, and restoring this from backup will just restore the infected application.


Your approach to this as if it's a viral infection that's rampant through the system is a bit over the top.
