The technical description of the “Fruitfly” malware is “spyware.” But given the way it has allegedly been used, a better label would be creepware – creepware that should have easily been detected, but somehow stayed under the radar for more than a decade.
According to a 16-count indictment unsealed on Wednesday in US District Court for the Northern District of Ohio, its creator, Phillip R. Durachinsky, 28, used it to spy on thousands of victims for more than 13 years. Durachinsky spent this time not only collecting personal data but also watching and listening to victims through their webcams and microphones, and using some of what he collected to produce child abuse imagery.
Durachinsky, of North Royalton, Ohio, was charged with Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child abuse imagery, and aggravated identity theft, according to a Department of Justice (DoJ) press release.
The victims ranged from individuals to companies, schools, a police department and government entities including one owned by a subsidiary of the US Department of Energy.
According to the DoJ:
(It) enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio.
(He) used the malware to steal the personal data of victims, including their logon credentials, tax records, medical records, photographs, banking records, internet searches, and potentially embarrassing communications.
The indictment charges that while Durachinsky primarily used Fruitfly to infect Macs, he also wrote variants of Fruitfly that were capable of infecting computers running Windows.
It said he saved millions of images, kept detailed notes on what he observed, and designed it to alert him if a user typed words associated with pornography.
Besides the creep factor, a stunning thing about Fruitfly is that it is both unsophisticated and relatively easy to spot, yet according to the DoJ, Durachinsky was able to use it undetected from 2003 until January 2017, when he was arrested and jailed on another charge. He remains in custody.
Forbes reported that Durachinsky was charged a year ago with hacking into computers at Case Western Reserve University (CWRU), which had reported to the FBI that 100 of its computers were infected. The FBI found that they had been infected for “several years” and that the same malware had infected other universities.
But apparently that arrest was not connected to Fruitfly, even though this was when the spyware was discovered.
Six months later, Forbes reported that Patrick Wardle, a former National Security Agency analyst and now a researcher specializing in Mac malware, found a new version of Fruitfly, decrypted the names of several backup domains hardcoded into the malware and found the addresses remained available.
Within two days of registering one of them, almost 400 infected Macs connected to his server, mostly from homes in the US. He then gave his findings to law enforcement, which may have provided the evidence used to bring this week’s indictment.
So far, it is not clear how Fruitfly infects computers, but since there is no evidence it exploited vulnerabilities, it likely gained access by tricking victims into clicking on malicious Web links or email attachments.
Wardle told Forbes that it was clear that surveillance was the primary purpose of Fruitfly.
This didn’t look like cybercrime type behaviour, there were no ads, no keyloggers, or ransomware. Its features had looked like they were actions that would support interactivity: it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events.
And, he said there were signs it had been around for years, since the code included comments about updates for Mac OS X Yosemite, first released in 2014, indicating that it had been running well before that.
Within this week’s complaint, prosecutors also asked the court to order that Durachinsky forfeit any property he derived from his 13-year campaign, an indication that they allege he sold the images and data he acquired to others.
The DoJ didn’t say whether Durachinsky had entered a plea, but included the standard disclaimer in its press release:
The charges in the indictment are merely allegations, and the defendant is presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.
Sophos detects Fruitfly as OSX/Bckdr-RUA and Troj/Bckdr-RUC.