Posted on 01/19/2017 12:01:51 PM PST by Swordmaker
The malware, which Apple calls Fruitfly, can also run on Linux
A Mac malware that's been spying on biomedical research centers may have been circulating undetected for years, according to new research.
Antivirus vendor Malwarebytes uncovered the malicious code, after an IT administrator spotted unusual network traffic coming from an infected Mac.
The malware, which Apple calls Fruitfly, is designed to take screen captures, access the Mac's webcam, and simulate mouse clicks and key presses, allowing for remote control by a hacker, Malwarebytes said in a blog post on Wednesday.
The security firm said that neither it nor Apple has identified how the malware has been spreading. But whoever designed it relied on ancient coding functions, dating back before the Mac OS X operating system launch in 2001, said Malwarebytes researcher Thomas Reed in the blog post.
Surprisingly, Fruitfly is also built with Linux shell commands. Reed said he tried running the malware on a Linux machine and found that everything ran just fine except for Mac-specific code.
The old coding, along with the Linux commands, suggests that the malware's makers maybe didn't "know the Mac very well and were relying on old documentation" to develop it, Reed wrote.
Security researchers have said Mac malware is rare. Hackers generally focus on attacking Windows-based devices, because there are far more of them.
This particular Mac malware is easy to spot, according to Reed. It comes in two files, one of which acts as a launch agent.
Nevertheless, Malwarebytes found evidence suggesting that Fruitfly has been infecting Macs undetected for at least a few years. For instance, a change made to the malicious coding was done to address OS X Yosemite, which was launched in Oct. 2014.
(Excerpt) Read more at computerworld.com ...
From what I've seen of the two exemplar installed command lines, they were installed in standard user partitions and did not require an administrator name and password to be installed, but were therefore not going to affect other users on the same Mac, just the one user on which the lines of code had been installed.
It is important to note that Apple has already closed this vulnerability and exploit on all versions of OS X and MacOS. Swordmaker
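The article says Fruitfly "comes in two files, one of which acts as a launch agent," which is why it is easy to spot once you know to look. The script below is an added example written for this thread, not code from the article, Malwarebytes or Apple: it parses every launchd agent plist in a directory and reports the ones whose program runs from an unusual place (a hidden folder in the home directory, outside /Applications, /System, /Library, /usr and the like) or that are set to start at login and be restarted if killed. The "expected locations" list and the sample agents it builds (labels, paths, the user name "alice") are constructed placeholders, not Fruitfly's real file names. On a real Mac you would point `audit_launch_agents` at `~/Library/LaunchAgents` instead of the sample directory.

```python
"""Triage per-user launchd agents: flag jobs whose program runs from an
unusual location or that persist aggressively. Added example; the heuristics
are assumptions, not rules from the article."""
import plistlib
import tempfile
from pathlib import Path

# Locations from which a benign user launch agent's program normally runs.
# Treating everything else as "needs review" is this example's assumption.
EXPECTED_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/",
                     "/opt/", "/bin/", "/sbin/")


def program_path(job):
    """Executable launchd would start: Program wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def reasons_to_review(job):
    """Human-readable reasons this job deserves a look (empty list = ordinary)."""
    prog = program_path(job)
    if prog is None:
        return ["no Program or ProgramArguments key"]
    reasons = []
    if not prog.startswith(EXPECTED_PREFIXES):
        reasons.append(f"program outside expected locations: {prog}")
    if any(part.startswith(".") for part in Path(prog).parts):
        reasons.append("program lives under a hidden (dot) directory or file")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("starts at login and is restarted if killed")
    return reasons


def audit_launch_agents(agents_dir):
    """Parse every *.plist in agents_dir; return {filename: [reasons]} for jobs to review."""
    flagged = {}
    for plist_file in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(plist_file, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # a malformed plist is itself worth noting
            flagged[plist_file.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = reasons_to_review(job)
        if reasons:
            flagged[plist_file.name] = reasons
    return flagged


def build_sample_agents_dir():
    """Constructed sample data: one ordinary agent and one mimicking the
    'hidden program in the home folder, started at login' pattern. All names
    and paths are invented placeholders, not Fruitfly's real artifacts."""
    tmp = Path(tempfile.mkdtemp(prefix="launchagents-"))
    ordinary = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "StartInterval": 3600,
    }
    suspicious = {
        "Label": "com.placeholder.agent",
        "ProgramArguments": ["/Users/alice/.placeholder/agent"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for name, job in (("com.example.updater.plist", ordinary),
                      ("com.placeholder.agent.plist", suspicious)):
        with open(tmp / name, "wb") as fh:
            plistlib.dump(job, fh)
    return tmp


if __name__ == "__main__":
    for name, reasons in audit_launch_agents(build_sample_agents_dir()).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Running it prints only the placeholder agent with its three reasons; the ordinary updater is silent. A flagged entry is a starting point for a look at the plist and the file it points to, not a verdict, and system-wide agents and daemons under /Library live in separate directories that the same function can be pointed at.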
A virus virus?
Pinging Shadow Ace for Linux interest.
The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me
Industrial espionage!
No way! Mac can’t have viruses. Say it ain’t so.
A gift from the People’s Liberation Army.
How nice of them.
All right.
It ain't so. . . because it isn't a virus. It's two lines of code that someone installed on the Mac by hand. That is not a virus. Sorry. Nice try.
“It’s two lines of code that someone installed on the Mac by hand.”
Actually, it’s two small files.
BTW, take a look at the calls, at first I didn’t recognize them but they are ancient.
You're right, my bad. They are really old and simple code.
I agree. I smell Chinese rats.
The Chinese looking for a cure for Rabies which has caused such a famine.
Theft, the way totalitarian regimes are able to compete with free market economies. Unfortunately, with the closing of the American mind and rigid codes of speech, innovation in the West will decrease. Free markets require freedom of thought and speech.
Oh, ok. It’s malware.
Nevertheless, Malwarebytes found evidence suggesting that Fruitfly has been infecting Macs undetected for at least a few years. For instance, a change made to the malicious coding was done to address OS X Yosemite, which was launched in Oct. 2014.
I would think this would be better described as "espionage ware." It was, however, certainly installed by someone who had free access to the computers on which it was installed, someone with access to the labs. It could be inter-company industrial espionage. It might even have been installed by upper management at the company where it was found to keep an eye on the researchers in their employ. Another possibility is that it was installed by a previous employee who left for other employment and wanted to keep an eye on what developments were being done by his previous colleagues. The lack of sophistication kind of implies the latter possibility. From what I have seen in reports, it has been found at only one site.
From what I gather, the company reported their finding to Apple before they reported it to MalwareBytes as Apple has had the fix released for some time. I would be interested in knowing the age of the Macs on which FruitFly was found and the level of operating systems running on them, but no articles on FruitFly report those data.
Excellent points! Thanks.
You may recall that a couple of weeks ago I mentioned that I had a problem with pop-up tabs appearing on my MacBook Pro telling me to click a link to update Adobe Flash Player or promoting some other software. It happened constantly and was driving me crazy. I installed Malwarebytes and the problem was solved. Whatever you want to call it, I clearly had some kind of malware on my laptop. I learned about the solution because others have had a similar problem. So there must be some kind of vulnerability out there that doesn’t just apply to highly specialized situations like this.
Sounds like industrial espionage - installed by someone with physical access/clearance/permissions to install...