Malware Discovered That Can Control a Mac's Webcam and Keyboard, But It's Old and Possibly Abandoned

[MacRumors]

Earlier this year, researchers from security firm Malwarebytes discovered a piece of Mac malware called Fruitfly that reportedly spied on computers in medical research centers for years before being detected. Apple has since updated macOS to automatically detect the malware, safeguarding users.

However, a new variant of the Fruitfly malware has recently been discovered by Patrick Wardle, a researcher with security firm Synack. Wardle said the malware has been targeting Macs for at least five years, with the number of infected Macs totaling nearly 400 and possibly much higher, reports Ars Technica.

The malware can supposedly capture screenshots, keystrokes, webcam images, and other info about each infected Mac. The Fruitfly variant also collects information about devices connected to the same network, according to the report.

Wardle said the method of infection remains unknown, but he suspects it involves tricking users into clicking on malicious links, as opposed to exploiting vulnerabilities in apps or in macOS. He added that the primary command-and-control server used by the malware's creators has since been shut down.

Many of the affected Macs have never been disinfected, however, allowing Wardle to create his own custom command-and-control server for the malware and witness the close to 400 infected machines connect to it.

After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.

Wardle will provide a briefing about his custom command-and-control server tactics on Wednesday at the Black Hat security conference in Las Vegas.

Since the method of infection is unknown, there aren't many specific steps users can take to ensure they're protected. But, given all domains known to be associated with the malware are no longer available, and the limited number of Macs infected beforehand, most users shouldn't be too worried about this malware.

One option Mac users have is to install OverSight, a free software tool that monitors a Mac's microphone and webcam, alerting the user when the internal microphone is activated, or whenever a process accesses the webcam.

Wardle has reported all of his findings to law enforcement officials, and the threat is likely neutralized, according to the report.

Article Link: Malware Discovered That Can Control a Mac's Webcam and Keyboard, But It's Old and Possibly Abandoned

 

[OldSchoolMacGuy]

People aren't aware of this? Been around for years.

 

[throAU]

Keep operating systems up to date. Exploitation of un-patched vulnerabilties by non-governments is exceedingly rare.

If you don't do security updates as they become available you almost deserve what you get.

 

[Mr_Brightside_@]

"totaling nearly 400 and possibly much higher" - this is...decidedly vague

 

[throAU]

Yeah, this has been doing the rounds for a while and from the sounds of the articles i read (some months back) it could have just been installed deliberately by a malicious administrator (i.e., someone with full admin control of the machine), or even under the command of someone in the business (i.e., not a "malicious admiin" per se, despite the end result) years ago.

I.e., there is no mechanism for it to spread. They haven't found how it spreads because it doesn't.

However my point regarding security updates above remains...

 

[Altis]

Keep operating systems up to date. Exploitation of un-patched vulnerabilties by non-governments is exceedingly rare.

If you don't do security updates as they become available you almost deserve what you get.

That's why security updates should be separate from feature updates.

A lot of people deliberately don't update because of adverse changes to the user experience, leaving security vulnerabilities.

 

[throAU]

That's why security updates should be separate from feature updates.

A lot of people deliberately don't update because of adverse changes to the user experience, leaving security vulnerabilities.

I get it, but it comes down to this:

Adapt or switch platforms if the user experience changes bother you that much.

No developer is going to support a massive number of platforms with security updates concurrently. They just can't afford to patch old platforms forever. Because every platform means a seperate codebase to maintain and backport/re-develop updates for, beta test, etc.

Apple right now supports 3 (? more?) OS revisions typically (i.e., they do split feature updates and security updates to that degree already), if you haven't dealt with the "user experience" changes after 2-3 new OS revisions, you should be jumping ship to another platform. Just not patching and becoming insecure isn't really a sensible choice.

I'm guessing the big cries from some still go back to the changes made in Lion. It is well beyond time to get over it.

But you'll get the same thing wherever you jump. MS won't support old operating systems forever, and neither will any Linux distribution. No one will.

Adapt, or deal with being insecure.

 

[pat500000]

People aren't aware of this? Been around for years.

You think grandparents would know about it?

 

[Col4bin]

"He added that the primary command-and-control server used by the malware's creators has since been shut down."

Well, that's comforting...

 

[QuantumLo0p]

People aren't aware of this? Been around for years.

I believe the variant is new or at least newly discovered.

 

[JosephAW]

I wonder how many windows pcs are infected right now?

 

[convergent]

I wonder how many windows pcs are infected right now?

I would place my guess at zero Windows PCs infected with malware targeting Mac webcams, but I could be wrong.

 

[Michaelgtrusa]

Well it's been out a while and now a new version to worry about.

 

[weup togo]

People aren't aware of this? Been around for years.

Well it's been out a while and now a new version to worry about.

From TFA:

FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that, even now, is only detected by a handful of security products.​

 

[Michaelgtrusa]

Vid. watch

 

[vicviper789]

Adapt or switch platforms if the user experience changes bother you that much.

But there are really only 3 ships to jump between.

 

[throAU]

But there are really only 3 ships to jump between.

Yup.

This is something you're going to have to deal with.

If you don't like macOS, or any of the others then unfortunately, too bad. Pick the one you dislike the least (that still gets security fixes) and deal with it, like an adult

Whining about lack of options isn't really going to help

We as adults make many unpleasant choices every day, this is merely another one of them.

I mean i don't like paying money for things or going to work, but i do so because there isn't any other acceptable option to me.

 

[charlituna]

That's why security updates should be separate from feature updates.

A lot of people deliberately don't update because of adverse changes to the user experience, leaving security vulnerabilities.

with Mac OS they often are

 

[afd]

Is there any way to check for this malware?

 

[MC6800]

Is there any way to check for this malware?

Supposedly, a

ls -la ~/Library/LaunchAgents

would show it (as a suspicious entry).

Anyone have an update on this? That is, did anyone attend Patrick Wardle's Black Hat briefing Wednesday or today?

 

[JPsDad]

From TFA:

FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that, even now, is only detected by a handful of security products.​

Supposedly, a

ls -la ~/Library/LaunchAgents

would show it (as a suspicious entry).

Anyone have an update on this? That is, did anyone attend Patrick Wardle's Black Hat briefing Wednesday or today?

I tried this and bash returned:
ls: /var/root/Launch/LaunchAgents: No such file or directory
This is an iMac which is running O/S 10.6.8 Snow Leopard, this latest available update. I am exploring Linux distressed to find best hardware support. Any suggestions?
Thx

 

[JosephAW]

I tried this and bash returned:
ls: /var/root/Launch/LaunchAgents: No such file or directory
This is an iMac which is running O/S 10.6.8 Snow Leopard, this latest available update. I am exploring Linux distressed to find best hardware support. Any suggestions?
Thx

sudo ls -la /var/root/Launch/LaunchAgents/

 

[MC6800]

I tried this and bash returned:
ls: /var/root/Launch/LaunchAgents: No such file or directory
This is an iMac which is running O/S 10.6.8 Snow Leopard, this latest available update. I am exploring Linux distressed to find best hardware support. Any suggestions?
Thx

Actually I had meant for that to be done as a normal user, not root, so the tilde would expand to your own home directory, i.e.:

ls -la /Users/yourloginname/Library/LaunchAgents

But this may have been different in 10.6.8.

 

[chrono1081]

Keep operating systems up to date. Exploitation of un-patched vulnerabilties by non-governments is exceedingly rare.

If you don't do security updates as they become available you almost deserve what you get.

We have such terrible IT security where I work that they're still under the impression that "Updates break everything!" so all of our crap is outdated. It blows my mind how these people ever got into these positions.

 

[throAU]

We have such terrible IT security where I work that they're still under the impression that "Updates break everything!" so all of our crap is outdated. It blows my mind how these people ever got into these positions.

the problem is updates do often break stuff. so in corporate land you need to test before roll out and sometimes you can't roll out because it breaks a business critical application that no one will fund to fix. so you need to lock things down in other ways.