The FBI has solved the Fruitfly Mac malware case after fifteen years. It was created by a man from Ohio who was arrested in January 2017 (via ZDNet).
Fruitfly Mac Malware
A piece of Mac malware called “Fruitfly” was found back in 2003. The creator—Phillip Durachinsky—released the malware to take control of victims’ Macs and steal files, record keystrokes, watch them via webcam, and listen to conversations via microphone.
Court documents reveal Durachinsky wasn’t particularly interested in financial crime but was primarily focused on watching victims, having collected millions of images on his computer, including many of underage children.
Mr. Durachinsky created the Fruitfly Mac malware when he was 14 and used it for 14 years. Mac antivirus programs were never able to detect it; the first known detection was in 2017. The FBI branch in Cleveland, Ohio was called in to investigate an incident at Case Western Reserve University. Agents found Fruitfly on the university’s computers, and the trail eventually led back to Mr. Durachinsky.
Patrick Wardle, a notable security researcher, discovered how Fruitfly spread to Macs:
The attack vector included the scanning and identification of externally facing services, to include the Apple Filing Protocol (AFP, port 548), RDP or other VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from third party data breaches.
Basically, Mr. Durachinsky used port scanning to find Macs exposed via remote access ports. He then logged into them and manually installed and hid the malware on the computer.
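As an added, defender-side example (not from the article or the court filing): a small Python audit that parses `lsof -nP -iTCP -sTCP:LISTEN` output and flags the remote-access services named above only when they are bound to all interfaces rather than to loopback. The AFP (548) and SSH (22) ports come from the filing; the VNC/Screen Sharing (5900) and RDP (3389) port numbers, the `RISKY_PORTS` table and the sample `lsof` lines are my own assumptions and constructed data.

```python
import re
import sys
from collections import namedtuple

# Remote-access services from the Fruitfly filing, keyed by well-known TCP port.
# 548 and 22 are named in the filing; 5900 (VNC/Screen Sharing) and 3389 (RDP)
# are assumed mappings for the "RDP or other VNC" services it mentions.
RISKY_PORTS = {548: "AFP", 22: "SSH", 5900: "VNC/Screen Sharing", 3389: "RDP"}

Listener = namedtuple("Listener", "proc addr port service")

# Constructed sample in the column layout of `lsof -nP -iTCP -sTCP:LISTEN`;
# this is not real output from any machine.
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
AppleFile 412 root    4u  IPv4 0x1      0t0  TCP *:548 (LISTEN)
sshd      311 root    3u  IPv6 0x2      0t0  TCP *:22 (LISTEN)
screensha 530 root    5u  IPv4 0x3      0t0  TCP 127.0.0.1:5900 (LISTEN)
postgres  640 pg      7u  IPv4 0x4      0t0  TCP 127.0.0.1:5432 (LISTEN)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME -> capture command, pid, addr, port
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+(\S+):(\d+)\s+\(LISTEN\)"
)


def parse_listeners(text):
    """Turn lsof LISTEN lines into Listener records; header and odd lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            port = int(m.group(4))
            out.append(Listener(m.group(1), m.group(3), port, RISKY_PORTS.get(port, "other")))
    return out


def is_loopback(addr):
    """Sockets bound only to loopback cannot be reached by an Internet port scan."""
    return addr.startswith("127.") or addr in ("[::1]", "localhost")


def exposed_remote_access(text):
    """Remote-access listeners reachable from outside, in the order lsof listed them."""
    return [l for l in parse_listeners(text) if l.port in RISKY_PORTS and not is_loopback(l.addr)]


if __name__ == "__main__":
    # Pipe real `lsof -nP -iTCP -sTCP:LISTEN` output in, or run with no input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for l in exposed_remote_access(text):
        print(f"{l.service} ({l.proc}) is externally reachable on {l.addr}:{l.port}")
```

On the sample, AFP and SSH are reported because they listen on `*`, while the Screen Sharing listener on 127.0.0.1 is not, which is the distinction that matters against the scanning described above.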