
MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,097
13,719



Earlier this year, researchers from security firm Malwarebytes discovered a piece of Mac malware called Fruitfly that reportedly spied on computers in medical research centers for years before being detected. Apple has since updated macOS to automatically detect the malware, safeguarding users.


However, a new variant of the Fruitfly malware has recently been discovered by Patrick Wardle, a researcher with security firm Synack. Wardle said the malware has been targeting Macs for at least five years, with the number of infected Macs totaling nearly 400 and possibly much higher, reports Ars Technica.

The malware can supposedly capture screenshots, keystrokes, webcam images, and other info about each infected Mac. The Fruitfly variant also collects information about devices connected to the same network, according to the report.

Wardle said the method of infection remains unknown, but he suspects it involves tricking users into clicking on malicious links, as opposed to exploiting vulnerabilities in apps or in macOS. He added that the primary command-and-control server used by the malware's creators has since been shut down.

Many of the affected Macs have never been disinfected, however, allowing Wardle to create his own custom command-and-control server for the malware and witness the close to 400 infected machines connect to it.
After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.
Wardle will provide a briefing about his custom command-and-control server tactics on Wednesday at the Black Hat security conference in Las Vegas.

Since the method of infection is unknown, there aren't many specific steps users can take to ensure they're protected. But, given all domains known to be associated with the malware are no longer available, and the limited number of Macs infected beforehand, most users shouldn't be too worried about this malware.

One option Mac users have is to install OverSight, a free software tool that monitors a Mac's microphone and webcam, alerting the user when the internal microphone is activated, or whenever a process accesses the webcam.

Wardle has reported all of his findings to law enforcement officials, and the threat is likely neutralized, according to the report.

Article Link: Malware Discovered That Can Control a Mac's Webcam and Keyboard, But It's Old and Possibly Abandoned
 

throAU

macrumors 604
Feb 13, 2012
6,995
4,756
Perth, Western Australia
Yeah, this has been doing the rounds for a while and from the sounds of the articles I read (some months back) it could have just been installed deliberately by a malicious administrator (i.e., someone with full admin control of the machine), or even under the command of someone in the business (i.e., not a "malicious admin" per se, despite the end result) years ago.

I.e., there is no mechanism for it to spread. They haven't found how it spreads because it doesn't.

However my point regarding security updates above remains...
 
Comment

Altis

macrumors 68030
Sep 10, 2013
2,986
4,481
Keep operating systems up to date. Exploitation of un-patched vulnerabilities by non-governments is exceedingly rare.

If you don't do security updates as they become available you almost deserve what you get.

That's why security updates should be separate from feature updates.

A lot of people deliberately don't update because of adverse changes to the user experience, leaving security vulnerabilities.
 
Comment

throAU

macrumors 604
Feb 13, 2012
6,995
4,756
Perth, Western Australia
That's why security updates should be separate from feature updates.

A lot of people deliberately don't update because of adverse changes to the user experience, leaving security vulnerabilities.


I get it, but it comes down to this:

Adapt or switch platforms if the user experience changes bother you that much.

No developer is going to support a massive number of platforms with security updates concurrently. They just can't afford to patch old platforms forever, because every platform means a separate codebase to maintain and backport/re-develop updates for, beta test, etc.

Apple right now supports 3 (? more?) OS revisions typically (i.e., they do split feature updates and security updates to that degree already), if you haven't dealt with the "user experience" changes after 2-3 new OS revisions, you should be jumping ship to another platform. Just not patching and becoming insecure isn't really a sensible choice.

I'm guessing the big cries from some still go back to the changes made in Lion. It is well beyond time to get over it.

But you'll get the same thing wherever you jump. MS won't support old operating systems forever, and neither will any Linux distribution. No one will.

Adapt, or deal with being insecure.
 
Comment

Col4bin

macrumors 68000
Oct 2, 2011
1,731
1,287
El Segundo
"He added that the primary command-and-control server used by the malware's creators has since been shut down."

Well, that's comforting... o_O
 
Comment

weup togo

macrumors 6502
May 6, 2016
355
1,234
People aren't aware of this? Been around for years.

Well it's been out a while and now a new version to worry about.

From TFA:
FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that, even now, is only detected by a handful of security products.
 
Comment

throAU

macrumors 604
Feb 13, 2012
6,995
4,756
Perth, Western Australia
But there are really only 3 ships to jump between.

Yup.

This is something you're going to have to deal with.

If you don't like macOS, or any of the others then unfortunately, too bad. Pick the one you dislike the least (that still gets security fixes) and deal with it, like an adult :)

Whining about lack of options isn't really going to help :D

We as adults make many unpleasant choices every day, this is merely another one of them.

I mean I don't like paying money for things or going to work, but I do so because there isn't any other acceptable option to me.
 
Comment

JPsDad

macrumors newbie
Sep 7, 2017
1
0
Orange County, CA
From TFA:
FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that, even now, is only detected by a handful of security products.
Supposedly, a
Code:
ls -la ~/Library/LaunchAgents
would show it (as a suspicious entry).

Anyone have an update on this? That is, did anyone attend Patrick Wardle's Black Hat briefing Wednesday or today?
I tried this and bash returned:
ls: /var/root/Launch/LaunchAgents: No such file or directory
This is an iMac which is running O/S 10.6.8 Snow Leopard, the latest available update. I am exploring Linux distros to find the best hardware support. Any suggestions?
Thx
 
Comment

JosephAW

macrumors 68040
May 14, 2012
3,710
4,393
I tried this and bash returned:
ls: /var/root/Launch/LaunchAgents: No such file or directory
This is an iMac which is running O/S 10.6.8 Snow Leopard, the latest available update. I am exploring Linux distros to find the best hardware support. Any suggestions?
Thx
sudo ls -la /var/root/Launch/LaunchAgents/
 
Comment

MC6800

macrumors 6502
Jun 29, 2016
368
126
I tried this and bash returned:
ls: /var/root/Launch/LaunchAgents: No such file or directory
This is an iMac which is running O/S 10.6.8 Snow Leopard, the latest available update. I am exploring Linux distros to find the best hardware support. Any suggestions?
Thx

Actually I had meant for that to be done as a normal user, not root, so the tilde would expand to your own home directory, i.e.:
Code:
ls -la /Users/yourloginname/Library/LaunchAgents

But this may have been different in 10.6.8.
 
Comment
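The two replies above only list the LaunchAgents directory; the reader still has to work out what each plist actually starts. As an added example (my own script, not from the thread, from Patrick Wardle's tooling or from Apple), the script below prints each agent's Label and the program it launches, and marks for review any entry whose program sits under a temp directory or a hidden path component. That flag is a heuristic I chose for illustration, not a detection signature for Fruitfly, and the script assumes XML plists (a binary plist would first need `plutil -convert xml1`); it uses only sh and awk so it also runs on older macOS releases.

```shell
#!/bin/sh
# inspect_launch_agents.sh -- added example, not part of the thread.
# Lists every LaunchAgent plist in a directory with its Label and the program
# it starts, and marks entries whose program lives under a temp directory or a
# hidden path component for manual review. Uses only awk/sh so it also runs on
# older macOS releases; assumes XML plists (binary ones would first need
# `plutil -convert xml1`).

# Print the first <string> value that follows <key>$2</key> in plist $1.
plist_value_after_key() {
    awk -v key="$2" '
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
        index($0, "<key>" key "</key>") { found = 1 }
    ' "$1"
}

# Classify a program path: REVIEW for temp dirs or hidden components, else ok.
# The heuristic is an assumption of this example, not a detection signature.
classify_program() {
    case "$1" in
        "")                      echo REVIEW ;;   # an agent with no program is odd
        /tmp/*|/var/tmp/*|*/.*)  echo REVIEW ;;   # world-writable or hidden location
        *)                       echo ok ;;
    esac
}

# Print "label<TAB>program<TAB>verdict" for each .plist under directory $1.
inspect_launch_agents() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        label=$(plist_value_after_key "$f" Label)
        # ProgramArguments[0] is the executable; fall back to the Program key.
        prog=$(plist_value_after_key "$f" ProgramArguments)
        [ -n "$prog" ] || prog=$(plist_value_after_key "$f" Program)
        printf '%s\t%s\t%s\n' "$label" "$prog" "$(classify_program "$prog")"
    done
}

# Usage: sh inspect_launch_agents.sh ~/Library/LaunchAgents
if [ $# -gt 0 ]; then
    inspect_launch_agents "$1"
fi
```

Run it as your normal user so `~` expands to your own home directory; a `REVIEW` verdict only means the entry deserves a look (where the binary came from, whether you installed that software), since plenty of legitimate agents also live in unusual places.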

chrono1081

macrumors 604
Jan 26, 2008
7,767
2,228
Isla Nublar
Keep operating systems up to date. Exploitation of un-patched vulnerabilities by non-governments is exceedingly rare.

If you don't do security updates as they become available you almost deserve what you get.

We have such terrible IT security where I work that they're still under the impression that "Updates break everything!" so all of our crap is outdated. It blows my mind how these people ever got into these positions.
 
Comment

throAU

macrumors 604
Feb 13, 2012
6,995
4,756
Perth, Western Australia
We have such terrible IT security where I work that they're still under the impression that "Updates break everything!" so all of our crap is outdated. It blows my mind how these people ever got into these positions.

The problem is updates do often break stuff. So in corporate land you need to test before roll out, and sometimes you can't roll out because it breaks a business-critical application that no one will fund to fix. So you need to lock things down in other ways.
 
Comment