FBI solves mystery surrounding 15-year-old Fruitfly Mac malware

Fruitfly malware author used port scanning with weak or no passwords to identify potential victims.
Written by Catalin Cimpanu, Contributor

The FBI has solved the final mystery surrounding a strain of Mac malware that was used by an Ohio man to spy on people for 14 years.

The man, 28-year-old Phillip Durachinsky, was arrested in January 2017, and charged a year later, in January 2018.

US authorities say he created the Fruitfly Mac malware (Quimitchin by some AV vendors) back in 2003 and used it until 2017 to infect victims and take control off their Mac computers to steal files, keyboard strokes, watch victims via the webcam, and listen in on conversations via the microphone.

Court documents reveal Durachinsky wasn't particularly interested in financial crime but was primarily focused on watching victims, having collected millions of images on his computer, including many of underage children.

Also: Tens of iOS apps caught collecting and selling location data

Durachinsky created the malware when he was only 14, and used it for the next 14 years without Mac antivirus programs ever detecting it on victims' computers.

The first known detection, at least according to court documents, was in early 2017, when the FBI Cleveland branch was called in to investigate a malware incident at the Case Western Reserve University. FBI investigators found the FruitFly malware on the university's computer systems, and the trail eventually led back to Durachinsky, resulting in his arrest.

News of Fruitfly's existence leaked online in the same month as Durachinsky's arrest when US cyber-security firm Malwarebytes published a report detailing the Fruitfly's intrusive capabilities, some of the most advanced at the time for a Mac malware strain.

A former NSA analyst, Patrick Wardle, found a more powerful strain in July 2017, which he broke down at the Black Hat USA 2017 security conference the following month.

Also: Why the NSA's cyber-weapons leak undermines institutional trust TechRepublic

During all this time, one mystery remained. How was this malware infecting victims, and how was its creator spreading it around.

Most experts speculated that the malware could have only been deployed via individually targeted phishing emails since it infected a very small number of victims and wasn't detected for so many years.

The mystery remained even after Durachinsky's public indictment since the court documents didn't go too deep into Fruitfly's technical details.

Also: More Mac apps are stealing and uploading your data CNET

But this mystery was solved earlier today by Wardle, who discovered an FBI flash alert sent earlier this year, on March 5. The FBI sends "flash alerts" to businesses detailing ongoing "threats" and details ways to prevent against them.

Describing the Fruitfly/Quimitchin malware, the FBI said the following:

The attack vector included the scanning and identification of externally facing services, to include the Apple Filing Protocol (AFP, port 548), RDP or other VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from third party data breaches.

In other words, Durachinsky had used a technique know as port scanning to identify internet or network-connected Macs that were exposing remote access ports with weak or no passwords.

He then logged into these remote systems via the open service ports and installed and hid Fruitfly on users' computers. This tactic served him well for 14 years until one lucky detection at the Case Western Reserve University.

Port scanning isn't something that only a hacker wielding the Fruitfly malware can exploit. Any attacker, regardless of the malware he plans to install can use this technique.

Mac users are advised to review the service ports their Macs are exposing online, and either shut them down or set up strong passwords to prevent attackers from barging in.

Free up disk space, remove malware, and speed up your Mac with CleanMyMac X

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

FBI solves mystery surrounding 15-year-old Fruitfly Mac malware

Fruitfly malware author used port scanning with weak or no passwords to identify potential victims.

Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

The evolving IoT botnet is able to compromise an impressive array of architectures.

Teenage Apple hacker avoids jail for 'hacky hack hack' attack

The self-proclaimed Apple fan stole roughly 90GB of confidential data from the iPad and iPhone maker.

Related stories:

Editorial standards