Flashback malware on Snow Leopard

malwareSecuritysnow leopard

My Mac OSX Snow Leopard got exploited by the Flashback malware. There's a summary by F-Secure that I'm trying to follow in order to remove it. This link is similar, and provides a little more detail.

The first step is to type the following:

bash-3.2$ defaults read /Applications/Safari.app/Contents/Info LSEnvironment
{
 "DYLD_INSERT_LIBRARIES" = "/Applications/Safari.app/Contents/Resources/.NeroLite \022@.xsl";
}

This shows the malware. The next step is to do the following:

bash-3.2$ grep -a -o '__ldpath__[ -~]*' /Applications/Safari.app/Contents/Resources/.NeroLite \022@.xsl
grep: /Applications/Safari.app/Contents/Resources/.NeroLite: No such file or directory
grep: 022@.xsl: No such file or directory

As you can see the file path includes .NeroLite \022@.xsl and the space backslash combination has got me confused, and the system can't find the file. Anyone how I can locate this file? What is the \022@ trying to do? How to complete the next step?

UPDATE1

I've tried the following:

bash-3.2$ grep -a -o '__ldpath__[ -~]*' /Applications/Safari.app/Contents/Resources/.NeroLite\ \\022@.xsl
grep: /Applications/Safari.app/Contents/Resources/.NeroLite \022@.xsl: No such file or directory

bash-3.2$ grep -a -o '__ldpath__[ -~]*' "/Applications/Safari.app/Contents/Resources/.NeroLite \022@.xsl"
grep: /Applications/Safari.app/Contents/Resources/.NeroLite \022@.xsl: No such file or directory

bash-3.2$ ls /Applications/Safari.app/Contents/Resources/.Nero*
ls: /Applications/Safari.app/Contents/Resources/.Nero*: No such file or directory

bash-3.2$ grep -a -o '__ldpath__[ -~]*' /Applications/Safari.app/Contents/Resources/.NeroLit*
grep: /Applications/Safari.app/Contents/Resources/.NeroLit*: No such file or directory

UPDATE2

I executed the following commands:

# sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment 
# sudo chmod 644 /Applications/Safari.app/Contents/Info.plist 
# defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
2012-04-01 21:42:40.706 defaults[891:903] 
The domain/default pair of (/Users/myuser/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist

Which is good, according to the first link above.

THEN I REBOOTED THE SYSTEM. However, when I then try to start Safari, it won't start, but instead gives me the same old error:

Safari cannot be opened because of a problem.

Process:         Safari [882]
Path:            /Applications/Safari.app/Contents/MacOS/Safari
Identifier:      com.apple.Safari
Version:         ??? (???)
Build Info:      WebBrowser-75345503~2
Code Type:       X86-64 (Native)
Parent Process:  launchd [110]

Date/Time:       2012-04-01 21:41:24.286 -0700
OS Version:      Mac OS X 10.6.8 (10K549)
Report Version:  6

Interval Since Last Report:          501264 sec
Crashes Since Last Report:           11
Per-App Crashes Since Last Report:   11
Anonymous UUID:                      <removed>

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Crashed Thread:  0

Dyld Error Message:
  could not load inserted library: /Applications/Safari.app/Contents/Resources/.NeroLite @.xsl

Binary Images:
0x7fff5fc00000 -     0x7fff5fc3bdef  dyld 132.1 (???) <removed> /usr/lib/dyld

<...lists installed hardware...>

Best Answer

The safest way to ensure removal of live malware is to (re)boot from external media and to then re-install the OS and all your apps and executables.

Related Question