Prosecutors say Mac spyware stole millions of user images over 13 years

Fruitfly creepware turned on cameras and mics, automatically detected porn searches.

Early last year, a piece of Mac malware came to light that left researchers puzzled. They knew that malware dubbed Fruitfly captured screenshots and webcam images, and they knew it had been installed on hundreds of computers in the US and elsewhere, possibly for more than a decade. Still, the researchers didn't know who did it or why.

An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed. Prosecutors also said defendant Phillip R. Durachinsky used the malware to surreptitiously turn on cameras and microphones, take and download screenshots, log keystrokes, and steal tax and medical records, photographs, Internet searches, and bank transactions. In some cases, Fruitfly alerted Durachinsky when victims typed words associated with porn. The suspect, in addition to allegedly targeting individuals, also allegedly infected computers belonging to police departments, schools, companies, and the federal government, including the US Department of Energy.

Creepware

The indictment, filed in US District Court for the Northern District of Ohio's Eastern Division, went on to say that Durachinsky developed a control panel that allowed him to manipulate infected computers and view live images from several machines simultaneously. The indictment also said he produced visual depictions of one or more minors engaging in sexually explicit conduct and that the depiction was transported across state lines. He allegedly developed a version of Fruitfly that was capable of infecting Windows computers as well. Prosecutors are asking the court for an order requiring Durachinsky to forfeit any property he derived from his 13-year campaign, an indication that he may have sold the images and data he acquired to others.

Wednesday's indictment largely confirms suspicions first raised by researchers at antivirus provider Malwarebytes, who in January 2017 said Fruitfly may have been active for more than a decade. They based that assessment on the malware's use of libjpeg—an open-source code library that was last updated in 1998—to open or create JPG-formatted image files. The researchers, meanwhile, identified a comment in the Fruitfly code referring to a change made in the Yosemite version of macOS and a launch agent file with a creation date of January 2015. Use of the old code library combined with mentions of recent macOS versions suggested the malware was updated over a number of years.

More intriguing still at the time, Malwarebytes found Windows-based malware that connected to the same control servers used by Fruitfly. The company also noted that Fruitfly worked just fine on Linux computers, arousing suspicion there may have been a variant for that operating system as well.

Last July, Patrick Wardle, a researcher specializing in Mac malware at security firm Synack, found a new version of Fruitfly. After decrypting the names of several backup domains hardcoded into the malware, he found the addresses remained available. Within two days of registering one of them, almost 400 infected Macs connected to his server, mostly from homes in the US.

While Wardle did nothing more than observe the IP addresses and user names of the infected Macs that connected, he had the same control over them as the malware creator. Wardle reported his findings to law enforcement officials. It's not clear if Wardle's tip provided the evidence that allowed authorities to charge the defendant or if Durachinsky was already a suspect.

According to Forbes, which reported the indictment, Durachinsky was arrested in January of last year and has been in custody ever since. Forbes also reported that Durachinsky was charged in a separate criminal complaint filed in January 2017 that accused him of hacking computers at Case Western Reserve University in Cleveland, Ohio. The suspect has yet to enter a plea in the case brought Wednesday. It's not clear if he has entered a plea in the earlier complaint.

It's also not yet clear how Fruitfly managed to infect computers. There's no indication it exploited vulnerabilities, which means it probably relied on tricking targets into clicking on malicious Web links or attachments in e-mails. Wednesday's indictment provided no details about the Windows version of Fruitfly or whether Linux computers were targeted as well.
