The FBI has solved the final mystery surrounding a strain of Mac malware that was used by an Ohio man to spy on people for 14 years.
The man, 28-year-old Phillip Durachinsky, was arrested in January 2017, and charged a year later, in January 2018.
US authorities say he created the Fruitfly Mac malware (called Quimitchin by some AV vendors) back in 2003 and used it until 2017 to infect victims and take control of their Mac computers to steal files, log keystrokes, watch victims via the webcam, and listen in on conversations via the microphone.
Court documents reveal Durachinsky wasn't particularly interested in financial crime but was primarily focused on watching victims, having collected millions of images on his computer, including many of underage children.
Durachinsky created the malware when he was only 14, and used it for the next 14 years without Mac antivirus programs ever detecting it on victims' computers.
The first known detection, at least according to court documents, was in early 2017, when the FBI Cleveland branch was called in to investigate a malware incident at Case Western Reserve University. FBI investigators found the Fruitfly malware on the university's computer systems, and the trail eventually led back to Durachinsky, resulting in his arrest.
News of Fruitfly's existence leaked online in the same month as Durachinsky's arrest, when US cyber-security firm Malwarebytes published a report detailing Fruitfly's intrusive capabilities, some of the most advanced at the time for a Mac malware strain.
A former NSA analyst, Patrick Wardle, found a more powerful strain in July 2017, which he broke down at the Black Hat USA 2017 security conference the following month.
During all this time, one mystery remained: how was this malware infecting victims, and how was its creator spreading it around?
Most experts speculated that the malware could have only been deployed via individually targeted phishing emails since it infected a very small number of victims and wasn't detected for so many years.
The mystery remained even after Durachinsky's public indictment since the court documents didn't go too deep into Fruitfly's technical details.
But this mystery was solved earlier today by Wardle, who discovered an FBI flash alert sent earlier this year, on March 5. The FBI sends "flash alerts" to businesses detailing ongoing threats and ways to protect against them.
Describing the Fruitfly/Quimitchin malware, the FBI said the following:
The attack vector included the scanning and identification of externally facing services, to include the Apple Filing Protocol (AFP, port 548), RDP or other VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from third party data breaches.
In other words, Durachinsky had used a technique known as port scanning to identify internet- or network-connected Macs that were exposing remote access ports protected by weak or no passwords.
He then logged into these remote systems via the open service ports and installed and hid Fruitfly on users' computers. This tactic served him well for 14 years until one lucky detection at the Case Western Reserve University.
Port scanning isn't something that only a hacker wielding the Fruitfly malware can exploit. Any attacker, regardless of the malware he plans to install, can use this technique.
Mac users are advised to review the service ports their Macs are exposing online, and either shut them down or set up strong passwords to prevent attackers from barging in.
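One way to act on that advice, as an added example that is not from the article or the FBI alert: a small Python audit script (hypothetical; the names are mine) that parses the output of `lsof -nP -iTCP -sTCP:LISTEN` on a Mac and flags the services the FBI alert names when they are bound to all interfaces rather than loopback. The sample output is constructed, and Back to My Mac is not matched because it is an iCloud relay rather than a fixed listening port (an assumption noted in the code).

```python
import re
from dataclasses import dataclass

# Services the FBI flash alert names as Fruitfly's entry points, keyed by the
# TCP port each normally listens on, with where to switch it off on a Mac.
# Assumption: BTMM has no fixed listening port (it is an iCloud relay), so it
# is not matched here and must be reviewed in iCloud preferences instead.
RISKY_PORTS = {
    22:   ("SSH / Remote Login",   "System Preferences > Sharing > Remote Login"),
    548:  ("AFP file sharing",     "System Preferences > Sharing > File Sharing"),
    5900: ("VNC / Screen Sharing", "System Preferences > Sharing > Screen Sharing"),
    3389: ("RDP",                  "third-party RDP server: remove it or firewall it"),
}

# Matches one `lsof -nP -iTCP -sTCP:LISTEN` row: command, pid, ..., TCP addr:port (LISTEN)
LISTEN_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+.*\bTCP\s+(\S+):(\d+)\s+\(LISTEN\)\s*$")


@dataclass
class Finding:
    command: str
    pid: int
    bind_addr: str
    port: int
    service: str
    remediation: str


def is_loopback(addr: str) -> bool:
    return addr in ("127.0.0.1", "[::1]", "localhost")


def audit_listeners(lsof_output: str) -> list:
    """Return risky listeners reachable from the network (bound to a non-loopback address)."""
    findings, seen = [], set()
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a row that is not a TCP listener
        cmd, pid, addr, port = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if port not in RISKY_PORTS or is_loopback(addr) or (pid, port) in seen:
            continue  # IPv4 and IPv6 sockets of one daemon are reported once
        seen.add((pid, port))
        service, fix = RISKY_PORTS[port]
        findings.append(Finding(cmd, pid, addr, port, service, fix))
    return findings


# Constructed sample of lsof output; "*" means bound to every interface.
SAMPLE = """COMMAND           PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
launchd             1 root   12u  IPv6 0xabc123      0t0  TCP *:22 (LISTEN)
launchd             1 root   13u  IPv4 0xabc124      0t0  TCP *:22 (LISTEN)
AppleFileServer   412 root    5u  IPv4 0xabc125      0t0  TCP *:548 (LISTEN)
screensharingd    503 root    7u  IPv4 0xabc126      0t0  TCP *:5900 (LISTEN)
rapportd          611 alice   4u  IPv4 0xabc127      0t0  TCP 127.0.0.1:49181 (LISTEN)
python3           777 alice   3u  IPv4 0xabc128      0t0  TCP 127.0.0.1:5900 (LISTEN)
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE):
        print(f"{f.service} ({f.command} pid {f.pid}) listens on {f.bind_addr}:{f.port} -> {f.remediation}")
```

On a real Mac, pipe `lsof -nP -iTCP -sTCP:LISTEN` into `audit_listeners` in place of `SAMPLE`; anything it reports should be disabled or, if it is genuinely needed, protected with a strong unique password.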