A computer programmer from Ohio was indicted for spying Mac users for 13 years

[captain_to_fire]

Sources: United States Department of Justice via Bitdefender and USA Today

 

Need more proof that Mac aren't immune to malware? How about 13 years of cyberespionage that goes unnoticed until recently?

Quote

 

A computer programmer from Ohio was recently indicted on 16 charges involving developing and using spyware to exfiltrate sensitive user data, and producing child pornography.

 

Developed for MacOS devices, the FruitFly malware is believed to have been infecting thousands of victims for over 13 years. Although security experts estimate that it remained undetected for years, possibly because it relied on unsophisticated code, 28-year-old Phillip R. Durachinsky, who is believed to have developed the spyware, faces charges of Computer Fraud and Abuse Act violations, Wiretap Act violations, and identify theft, amongst others.

 

The malware is believed to also be compatible with Linux-based systems, as it shares similarities with macOS code. If that’s the case, the extent of Fruitfly’s surveillance capabilities could be far greater than authorities first believed.

Serves him right though but it only shows that despite the many people who believes up to this very day that Macs are immune to malware, this is one example that this isn't really the case. Here's what the indictment document said in detail from the DOJ website:

 

Spoiler

More information about the indictment in the link above. Basically, once a Mac computer got infected by "Fruitfly malware", it will collect personal information and transmit it to a remote command and control center (C&C) and do a lot of nefarious things unknown to the user such as:

• take screenshots and upload to a remote C&C
• log user keystrokes
• remotely turn on camera and microphone
• malware uses social engineering to trick users
• Once infected, it collects tax records, medical records, internet searches, banking and other potentially embarrassing information and transmit it to a remote C&C
• The remote C&C was found to be located in a residence in Northern District of Ohio, Eastern Division
• The cyberespionage lasted from around 2003 to January 20, 2017

 

 

Around 2003, the Mac operating systems available that time are Mac OS X Jaguar and Puma until macOS Sierra. I think the earliest versions of Mac OS X doesn't really have security in mind other than it's secure because not so much people bother with it until 2011 when there was a Mac Trojan named "Mac Defender" which infected a lot of Macs but isn't really that malicious other than it's constantly nagging users of virus infections that doesn't exist and unlike Windows malware that can execute without user intervention, most Mac malware requires saying yes to an installation.

 

Then later that year to show that Apple is serious about securing their users, they added an overdue security feature that existed in Windows since Vista which is ASLR in Mac OS X Lion then with OS X Mountain Lion, they extended ASLR to the kernel which isn't meant to make Macs invulnerable but just to make it more difficult to exploit vulnerabilities by constantly changing memory locations of programs and if a hacker guessed the location wrong, the application will crash and the attack has been foiled which I read somewhere is more effective with 64-bit processes because of the larger address space than the 4GB limitation of 32-bit ASLR.

Quote

“This defendant is alleged to have spent more than a decade spying on people across the country and accessing their personal information,” said First Assistant U.S. Attorney Sierleja.

 

“Durachinsky is alleged to have utilized his sophisticated cyber skills with ill intent, compromising numerous systems and individual computers,” said Special Agent in Charge Anthony. “The FBI would like to commend the compromised entities that brought this to the attention of law enforcement authorities.  It is this kind of collaboration that has enabled authorities to bring this cyber hacker to justice.” 

 

The charges in the indictment are merely allegations, and the defendant is presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.

 

The case was investigated by the FBI. This case is being prosecuted by Senior Counsel Brian L. Levine of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorneys Daniel J. Riedl, Michelle M. Baeppler and Om M. Kakani of the Northern District of Ohio.

The method on how they caught Phillip Durachinsky is not yet disclosed but I'm guessing someone tracked changes happening to the Mac or someone with the technical know-how noticed something unusual and reported it to authorities. What's disappointing is how it remained unnoticed for more than a decade especially from the likes of Apple who has more controls in their hardware and software. Granted, by no means Apple ever advertised that Macs are immune to malware, it only shows that Macs will become much more valuable targets for cybercriminals as the years pass by. Maybe it's time for Apple to either lock down macOS just like iOS but that will piss off a lot of people or do Microsoft-style built in anti-virus just like Windows Defender Antivirus which got better in Fall Creators Update. But unlike Microsoft which has been dealing with malware infections for decades already, I don't think Apple has the experience and technical know-how to actually make something just like Windows Defender for macOS other than they quickly patch vulnerabilities once they get reported either in the wild or through their bug bounty program which some have said that it doesn't pay that much. 

 

This hacking and cyberespionage reminds me a lot of that University of Iowa student who was put behind bars for hacking the university's database and changed his grades multiple times and it remained unnoticed as well for a long time thanks to keyloggers.

 

Edited January 12, 2018 by hey_yo_

[Master Disaster]

With what he's done I wouldn't be at all surprised if he ended up working for the NSA.

 

10 years spying on thousands of people unnoticed, the NSA wishes they could do that.

[captain_to_fire]

1 minute ago, Master Disaster said:

With what he's done I wouldn't be at all surprised if he ended up working for the NSA.

 

10 years spying on thousands of people unnoticed, the NSA wishes they could do that.

The US Government could've hired him when the Patriot Act was signed. Well the NSA might need new spying tools nowadays as their previous playbook has been exposed already and surprisingly, some of the NSA's existing espionage tools are fairly simple and cheap.

[mynameisjuan]

Sick bastard but actually quite amazing. Code can even infect linux, that on its own is impressive. But fuck you do for spying on people.

[captain_to_fire]

1 minute ago, mynameisjuan said:

Sick bastard but actually quite amazing. Code can even infect linux, that on its own is impressive. But fuck you do for spying on people.

I'm guessing this year someone can take the source code of the spyware and infect datacenters, virtual machines and servers running openSUSE or CentOS.

[mynameisjuan]

1 minute ago, hey_yo_ said:

I'm guessing this year someone can take the source code of the spyware and infect datacenters, virtual machines and servers running openSUSE or CentOS.

Yeah if this code gets out it could compromise quite a bit of equipment actually, all depending on how it makes its way on the machine of course.

[CryptoMatt]

1 hour ago, Master Disaster said:

Not defending him at all, guy is a scumbag 100% but I seriously doubt his intention or main focus was to create CP, my guess is he caught some things via webcam and the press are focusing on it because it's the worst thing they can think of. Maximum attention and all that.

still its not right, if they can prove he distributed/saved it or even jacked off  to it burn that fucker

[captain_to_fire]

Just now, vorticalbox said:

-snip-

Edited it now. 

[vorticalbox]

1 minute ago, CryptoMatt said:

still its not right, if they can prove he distributed/saved it or even jacked off  to it burn that fucker

Actually, as I said above, just the fact of his malware recording when porn is searched is enough to prove intent. It doesn't matter if he watched it or not he still created it even if not meaning to.

 

Please remember at this point these are still allegations and he has yet to be convicted of anything. 

[mynameisjuan]

11 minutes ago, vorticalbox said:

In this case it was because the malware would trigger when searching for porn related term and would then start recording from a web cam.

This point is pretty big. If you have malware spread on random PCs that turns on the webcam or screen recording its not like he could help what they were doing. This was random, not targeted, thats a huge difference. Young and older people are the ones are the ones most likely to get malware due to lack of how the internet works or that malware is a thing so recording webcam footage of younger people or old pedophiles searching illegal shit would not be surprising. Hell maybe this might help catch pedos and throw them in prison too. 

 

On the other hand, enabling the webcam when someone searches porn is going to lead to some nasty footage...nobody sits and just watches it for the plot. 

[captain_to_fire]

4 minutes ago, mynameisjuan said:

Yeah if this code gets out it could compromise quite a bit of equipment actually, all depending on how it makes its way on the machine of course.

Just like the Shadow Brokers dump on Github which lead to WannaCry and NotPetya/ExPetr. At least people who staunchly believe that Macs and Linux distros are immune to malware can now stop. 

[CryptoMatt]

1 hour ago, vorticalbox said:

Actually, as I said above, just the fact of his malware recording when porn is searched is enough to prove intent. It doesn't matter if he watched it or not he still created it even if not meaning to.

 

Please remember at this point these are still allegations and he has yet to be convicted of anything. 

yes becase they just randomly pick a guy and blame and this stuff on him. seems like you do fishy stuff like this too to defend this person. innocent until proven guilty doesn't matter,  if you have enough money you can be innocent even if your not. or by having a single flaw or if evidence is obtained illegally you can get out of a case even if you are 100% guilty.

 

he had to know he would be seeing minors if you think minors dont watch porn then your just lying. 

[vorticalbox]

4 minutes ago, mynameisjuan said:

This point is pretty big. If you have malware spread on random PCs that turns on the webcam or screen recording its not like he could help what they were doing. This was random, not targeted, thats a huge difference. Young and older people are the ones are the ones most likely to get malware due to lack of how the internet works or that malware is a thing so recording webcam footage of younger people or old pedophiles searching illegal shit would not be surprising. Hell maybe this might help catch pedos and throw them in prison too. 

From what I have read the malware triggered on any porn term and started recording. This implies an intent to record people masturbating.

 

I believe this is also illegal in some places, recording without consent though the child porn is Likely there to help insure a conviction.

 

A jury will likely follow emotion "disgust at the child porn charge" rather than the evidence presented. 

 

Even if he didn't create it my money is on him going down for it anyway. 

[CryptoMatt]

1 hour ago, hey_yo_ said:

Just like the Shadow Brokers dump on Github which lead to WannaCry and NotPetya/ExPetr. At least people who staunchly believe that Macs and Linux distros are immune to malware can now stop. 

nothing is unhackable period. 

[CryptoMatt]

1 hour ago, vorticalbox said:

 

 

I believe this is also illegal in some places, recording without consent though the child porn is Likely there to help insure a conviction.

 

 

in some places. more like anywhere that is not a third world country 

[Phentos]

A waste of good talent for the NSA!

 

/s

 

But on a serious note, this just goes to show that nothing is immune to malware. The ability of this guy's malware to possibly infect Linux isn't surprising since Mac OS and Linux are fairly closely related (both based on Unix).

[Master Disaster]

2 hours ago, vorticalbox said:

From what I have read the malware triggered on any porn term and started recording. This implies an intent to record people masturbating.

 

I believe this is also illegal in some places, recording without consent though the child porn is Likely there to help insure a conviction.

 

A jury will likely follow emotion "disgust at the child porn charge" rather than the evidence presented. 

 

Even if he didn't create it my money is on him going down for it anyway. 

This was the point I was trying to make, I don't think for 1 second his intention was to create child porn, I think it was just a side effect of his methodology.

 

That in no way absolves him of that crime but thinking this guy's intention was to catch children is silly. My guess is the porn flag was an attempt to catch some high up, wealthy and influential people looking at things they shouldn't be or even cheating on partners etc, that stuff is worth a fortune to the right person.

 

Child porn has no real value to him at all so he would be crazy to specifically go after that.

 

Then again who knows, the guys is obviously very clever and very disturbed in equal measure, attempting to apply normal constraints to him might not be the best thing to do.

[mr moose]

3 hours ago, hey_yo_ said:

 

 

Need more proof that Mac aren't immune to malware? How about 13 years of cyberespionage that goes unnoticed until recently?

Serves him right though but it only shows that despite the many people who believes up to this very day that Macs are immune to malware, this is one example that this isn't really the case. Here's what the indictment document said in detail from the DOJ website:

 

 

 

It actually really surprised me after the Intel bug just how many people don't understand the nature of security exploits.  I understand that with macs having a lower market share they are naturally going to have a lower number of threats written for them, however this idea that one system/OS/device is intrinsically more secure than another really shows the lack of depth people have when appraising such issues. 

[captain_to_fire]

6 minutes ago, mr moose said:

It actually really surprised me after the Intel bug just how many people don't understand the nature of security exploits.  I understand that with macs having a lower market share they are naturally going to have a lower number of threats written for them, however this idea that one system/OS/device is intrinsically more secure than another really shows the lack of depth people have when appraising such issues. 

In the end security is about as good as the person sitting in front of a computer. When it comes to which ones are more secure, obviously newer operating systems like Windows 10 or macOS High Sierra are more secure than older ones like Windows XP and OS X Snow Leopard. I don't know if the kernel differences of Windows (proprietary NT) and macOS/Linux (open source UNIX/XNU) factor in to security. Who knows? Maybe one day an independent security researcher will one day publish results that 50% of iPhones and Android phones worldwide are infected with spyware that transmits data to remote C&C operated by a clandestine cybercrime syndicate.

[leadeater]

7 minutes ago, hey_yo_ said:

that transmits data to remote C&C operated by a clandestine cybercrime syndicate.

You mean Apple HQ? Sorry couldn't help it lol.

 

8 minutes ago, hey_yo_ said:

When it comes to which ones are more secure, obviously newer operating systems like Windows 10 or macOS High Sierra are more secure than older ones like Windows XP and OS X Snow Leopard.

That's a hard one because something that is newer and been rewritten could actually be less secure, you just don't know yet. It should be more secure against known threats though.

[mr moose]

4 minutes ago, hey_yo_ said:

In the end security is about as good as the person sitting in front of a computer. When it comes to which ones are more secure, obviously newer operating systems like Windows 10 or macOS High Sierra are more secure than older ones like Windows XP and OS X Snow Leopard. I don't know if the kernel differences of Windows (proprietary NT) and macOS/Linux (open source UNIX/XNU) factor in to security. Who knows? Maybe one day an independent security researcher will one day publish results that 50% of iPhones and Android phones worldwide are infected with spyware that transmits data to remote C&C operated by a clandestine cybercrime syndicate.

 

I was more referring to the concept that an  OS can be more secure due to the nature of that OS,  Just because mac is based on Unix and Linux is open source doesn't mean they have less exploitable bugs.  As this article demonstrates a bug was present in this for 13 years and we don't even know how it was discovered, suffice to say it certainly seems if this bloke had been better at covering his tracks they may not have discovered it for much longer.   How many bugs are there in each OS?  we don't know, we don't even know how many are already compromised including high sierra and win10.  Thus the idea that any specific product is "more secure" is false.

[captain_to_fire]

26 minutes ago, leadeater said:

You mean Apple HQ? Sorry couldn't help it lol.

Well I have given Apple my credit card number, landline number and address so I basically gave away my personal info to Apple's remote C&C in Cupertino, CA. I'm just glad tech companies like Apple, Google or Amazon isn't asking for my credit history, social security number or tax returns because that would be creepy. 

27 minutes ago, leadeater said:

That's a hard one because something that is newer and been rewritten could actually be less secure, you just don't know yet. It should be more secure against known threats though.

I could be wrong with this but I think the NT kernel used by Windows 2000 and beyond is more secure than Windows 98 and below just like how OpenVPN is more secure than decades old PPTP. But I do agree that newer doesn't mean more secure. I don't know if the 64-bit increase in WPA3 would mean less vulnerabilities like KRACK than the current WPA2. 

 

 

[leadeater]

2 minutes ago, hey_yo_ said:

I could be wrong with this but I think the NT kernel used by Windows 2000 and beyond is more secure than Windows 98 and below just like how OpenVPN is more secure than decades old PPTP. But I do agree that newer doesn't mean more secure. I don't know if the 64-bit increase in WPA3 would mean less vulnerabilities like KRACK than the current WPA2. 

Windows NT actually dates back to 1993, first release was called Windows NT 3.1, and it's been dragged through the ages ever improving but it's DNA is still from 1993. A bit shocking when you think about it but the DNA of Linux and Mac OS is even older mind you.

 

Windows 95/98 security, DOS in general, was garbage lol.

[captain_to_fire]

 

2 minutes ago, leadeater said:

Windows 95/98 security, DOS in general, was garbage lol.

no wonder things like this happened to PCs 20 years ago 

 

 

[captain_to_fire]

2 minutes ago, Tedny said:

Oh, Mac was hacked.... interesting news, I would say 

Macs getting owned by hackers isn't new nor malware targeted for Macs  https://www.macrumors.com/2017/03/16/researchers-macos-safari-exploits-pwn2own-2017/ https://www.computerworld.com/article/2531805/security0/researcher-cracks-mac-in-10-seconds-at-pwn2own--wins--5k.html