Patrick Wardle of Synack Digs Into the Mysterious Malware
It has been a fairly slow year for Mac malware. But a former NSA researcher has dug into the first Mac malware sample that was detected earlier this year – dubbed “Fruitfly” – and found at least 400 computers, and possibly more, infected with a variant of the malware.
Apple doesn’t like it when someone attacks its operating system. The company has carefully cultivated an image that its computers are safer than its Windows counterparts. But often that doesn’t hold up to close scrutiny. Attackers have success; it’s just that they usually prefer Windows.
Patrick Wardle, now chief security researcher at the penetration-testing firm Synack, took a deep investigative dive into Fruitfly B, finding that whoever created it could have resumed spying on computers, flicking on the web cam, stealing files and browsing around.
It doesn’t appear Fruitfly is designed to steal financial information. Instead, it’s a surveillance tool. A testament to its invasiveness is its capability to send an alert to the hacker when someone is sitting at a computer, Wardle says.
“My opinion … is this was created by a hacker or some malware author to basically spy on victims for perverse reasons, which kind of sucks,” says Wardle, who will give a presentation on Wednesday about his findings at the Black Hat conference in Las Vegas. “If some creepy hacker guy is perhaps turning on your web cam and watching you, that’s kind of a whole next level of creepy.”
The first analysis of Fruitfly came in January from Thomas Reed, a researcher with Malwarebytes. Fruitfly showed several curious attributes.
Some of its code appears to go back “decades,” Reed wrote. Fruitfly, in part, used Perl, a programming language that stretches back nearly 30 years. Reed also noticed it contained functions that predate Apple’s rewrite of its operating system more than 15 years ago.
Instead of reverse-engineering Fruitfly B, Wardle tried a different approach to figure out how it runs. Fruitfly contained encrypted backup command-and-control domains, which are used to funnel instructions to infected computers. If the malware couldn’t talk to its main command-and-control servers, it would revert to backup domains.
While the primary command-and-control servers had been taken down, surprisingly, some of those backup domains were still available. He registered a few of them and created a custom command-and-control server to send instructions to the malware and passively observe how it behaves.
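The passive-observation step described above amounts to running a sinkhole: a listener on a domain the malware will fall back to, which logs whatever the implant volunteers and never sends a command. The script below is an added example written for this page, not Wardle's tooling or anything the article describes in code. It assumes nothing about Fruitfly's actual wire protocol (which the article does not give), so it records only the peer address, timestamp and a hex preview of the first bytes of each connection, and it can count how many distinct hosts called in, which is how one would arrive at a figure like "at least 400 computers". The `send_test_beacon` helper is a constructed stand-in for an infected client so the listener can be exercised on loopback.

```python
"""Passive sinkhole for a registered fallback C2 domain.

Accepts TCP connections, reads what the client sends first, logs it and
replies with nothing.  No protocol knowledge is assumed (added example,
not the original article's or Wardle's code)."""
import socket
import threading
import time
from collections import Counter


def record_beacon(peer_ip, payload, log):
    """Append one observed connection to the in-memory log and return the record."""
    record = {
        "ts": time.time(),
        "peer": peer_ip,
        "size": len(payload),
        "hexdump": payload[:32].hex(),  # keep only a short preview of the bytes
    }
    log.append(record)
    return record


def summarize(log):
    """Return (number of distinct peers, Counter of beacons per peer)."""
    per_peer = Counter(r["peer"] for r in log)
    return len(per_peer), per_peer


def serve_sinkhole(log, bind_addr="127.0.0.1", port=0, stop_after=1, timeout=2.0):
    """Start a listener in a background thread.

    Each accepted connection is read once (up to 4096 bytes), logged via
    record_beacon, and closed without any reply.  Returns (bound_port, thread);
    port=0 lets the OS pick a free port, which is convenient for testing."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(8)
    srv.settimeout(timeout)
    bound_port = srv.getsockname()[1]

    def loop():
        seen = 0
        while seen < stop_after:
            try:
                conn, (ip, _) = srv.accept()
            except socket.timeout:
                break  # nothing called in; give up quietly
            with conn:
                conn.settimeout(timeout)
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    data = b""  # client connected but stayed silent
                record_beacon(ip, data, log)
            seen += 1
        srv.close()

    worker = threading.Thread(target=loop, daemon=True)
    worker.start()
    return bound_port, worker


def send_test_beacon(port, payload, host="127.0.0.1"):
    """Constructed stand-in for an infected client: connect, send bytes, hang up."""
    with socket.create_connection((host, port), timeout=2.0) as client:
        client.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    observed = []
    bound, thread = serve_sinkhole(observed, stop_after=2)
    send_test_beacon(bound, b"constructed-beacon-1")
    send_test_beacon(bound, b"constructed-beacon-2")
    thread.join(5)
    hosts, per_host = summarize(observed)
    print(f"{len(observed)} beacons from {hosts} host(s): {dict(per_host)}")
```

In real use the listener would bind on the registered domain's public address and run for days, and the log would be written to disk rather than kept in memory; the design choice that matters is that the server never writes to the socket, so the observer learns the implant's check-in behaviour without issuing it any instructions.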