Patrick Wardle of Synack Digs Into the Mysterious Malware (Source: Synack)
Apple doesn’t like it when someone attacks its operating system. The company has carefully cultivated an image that its computers are safer than their Windows counterparts. But that image often doesn’t hold up to close scrutiny. Attackers do succeed against Macs; it’s just that they usually prefer Windows.
It’s been a fairly slow year for Mac malware. But a former researcher at the U.S. National Security Agency has dug into the first Mac malware sample detected this year – dubbed “Fruitfly” – and found at least 400 computers infected with a variant of the malware, with the true number possibly higher.
Patrick Wardle, now director of research at the penetration-testing firm Synack, took a deep investigative dive into Fruitfly B, finding that whoever created it could have resumed spying on computers, flicking on the web cam, stealing files and browsing around.
It doesn’t appear Fruitfly is designed to steal financial information. Instead, it’s a surveillance tool. A testament to its invasiveness is its capability to send an alert to the hacker when someone is sitting at a computer, Wardle says.
“My opinion … is this was created by a hacker or some malware author to basically spy on victims for perverse reasons, which kind of sucks,” says Wardle, who will give a presentation on Wednesday about his findings at the Black Hat conference in Las Vegas. “If some creepy hacker guy is perhaps turning on your web cam and watching you, that’s kind of a whole next level of creepy.”
The first analysis of Fruitfly came in January from Thomas Reed, a researcher with Malwarebytes. Fruitfly showed several curious attributes.
Some of its code appears to go back “decades,” Reed wrote. Fruitfly, in part, used Perl, a programming language that stretches back nearly 30 years. Reed also noticed it contained functions that predate Apple’s rewrite of its operating system more than 15 years ago.
Instead of reverse-engineering Fruitfly B, Wardle tried a different approach to figure out how it runs. Fruitfly contained encrypted backup command-and-control domains, which are used to funnel instructions to infected computers. If the malware couldn’t talk to its main command-and-control servers, it would fall back to the backup domains.
While the primary command-and-control servers had been taken down, surprisingly, some of those backup domains were still available. He registered a few of them and created a custom command-and-control server to send instructions to the malware and passively observe how it behaves.
“This malware was a great candidate for that because it speaks a pretty basic protocol,” Wardle says.
Fruitfly was coded with commands numbered one through 47. Wardle wasn’t sure what each command did until he watched the result on a Fruitfly-infected virtual machine. Command number two, for example, sent a PNG image back to his server, which proved to be a screen capture.
When he registered the domains, within two days about 400 infected Macs checked in. “All these victims – infected Fruitfly hosts – connected to my command-and-control server,” Wardle said.
Fruitfly immediately sends the name of the registered user, the name of the computer and an IP address. Usually the computer name contains the user’s full name. Most of the computers were in the U.S., with some 20 percent in Ohio, Wardle says.
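The sinkhole approach described above – register the orphaned fallback domains, accept the implant’s check-in, and record what arrives – is easy to get wrong in one important way: the operator must observe real victims passively and only ever task machines they own, which is what Wardle did with his lab VM. The following is an added example of that pattern, not Wardle’s code and not Fruitfly’s real protocol. The tab-separated beacon fields, the newline framing and the numeric task “2” are assumptions made for the demo; the page only says that command two returned a PNG that turned out to be a screen capture, so the PNG check is the one detail taken from the article.

```python
"""Passive sinkhole for a beaconing implant (added example; assumed wire format)."""
import socketserver
import struct
from collections import Counter
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
LAB_HOSTS = {"lab-vm.local"}   # hypothetical: the only hosts that will ever be tasked
SCREENSHOT_TASK = b"2\n"       # assumed numbering for the demo; not Fruitfly's real framing


def parse_beacon(line: bytes) -> dict:
    """Assumed first message from the implant: b'<user>\\t<hostname>\\t<ip>\\n'."""
    fields = line.rstrip(b"\r\n").split(b"\t")
    if len(fields) != 3 or not all(fields):
        raise ValueError("malformed beacon")
    user, host, ip = (f.decode("utf-8", "replace") for f in fields)
    return {"user": user, "host": host, "ip": ip}


def task_for(beacon: dict) -> Optional[bytes]:
    """Sinkhole policy: victims are observed, never tasked; only lab machines get work."""
    return SCREENSHOT_TASK if beacon["host"] in LAB_HOSTS else None


def classify_payload(data: bytes) -> dict:
    """Recognize a PNG by its signature and IHDR chunk so a screen capture can be triaged."""
    if data[:8] == PNG_MAGIC and len(data) >= 24 and data[12:16] == b"IHDR":
        width, height = struct.unpack(">II", data[16:24])
        return {"kind": "png", "width": width, "height": height}
    return {"kind": "unknown", "length": len(data)}


def summarize(beacons: list) -> dict:
    """Count victims as unique (host, user) pairs, not raw connections; repeat check-ins are common."""
    unique = {(b["host"], b["user"]) for b in beacons}
    per_ip = Counter(b["ip"] for b in beacons)
    return {"connections": len(beacons), "unique_hosts": len(unique),
            "top_ips": per_ip.most_common(3)}


class SinkholeHandler(socketserver.StreamRequestHandler):
    def handle(self):
        try:
            beacon = parse_beacon(self.rfile.readline())
        except ValueError:
            return                              # not our implant's greeting; drop it
        self.server.beacons.append(beacon)
        task = task_for(beacon)
        if task is None:
            return                              # passive: record the check-in and hang up
        self.wfile.write(task)
        reply = self.rfile.read()               # lab implant sends its result, then closes
        self.server.results.append(classify_payload(reply))


class Sinkhole(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr):
        super().__init__(addr, SinkholeHandler)
        self.beacons, self.results = [], []


# Constructed sample traffic so the logic can be exercised offline (not real victim data).
SAMPLE_BEACONS = [
    b"alice\tAlices-MacBook\t203.0.113.10\n",
    b"bob\tbobs-imac\t198.51.100.7\n",
    b"alice\tAlices-MacBook\t203.0.113.10\n",   # same victim checking in again
    b"analyst\tlab-vm.local\t10.0.0.5\n",       # our own lab machine
]
# Constructed 24-byte PNG prefix: signature, IHDR length/type, 1440x900; enough to classify.
SAMPLE_PNG = PNG_MAGIC + struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 1440, 900)

if __name__ == "__main__":
    parsed = [parse_beacon(b) for b in SAMPLE_BEACONS]
    print(summarize(parsed))
    print([task_for(b) for b in parsed])
    print(classify_payload(SAMPLE_PNG))
    # To listen for real: Sinkhole(("0.0.0.0", 8443)).serve_forever()
```

The point of `task_for` is the legal and ethical line: a sinkhole that answers strangers’ implants with commands is no longer passive observation, and the PNG check shows why an operator still wants to understand what a task returns before ever sending it, even to a lab box.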
“They just appeared to be normal, everyday people,” he says.
Why those backup command-and-control domains had never been taken down or registered remains unclear. Wardle has shared his findings with both law enforcement and Apple.
What’s concerning is that after Wardle obtained a Fruitfly B sample, not many anti-virus products were detecting it, and neither was Apple.
That was despite the fact that the sample was already in VirusTotal’s malware repository. He estimates Fruitfly has been around for at least five years, but it’s unclear how long the 400 computers had been infected.
XProtect, Apple’s built-in anti-malware tool, only checks files the first time they’re run, Wardle says. For his part, Wardle has built a suite of free tools for detecting changes in macOS that might indicate a malware infection.
Wardle thinks Fruitfly doesn’t pose a risk to users now, in part because the backup command-and-control domains have been sinkholed. It’s unclear how users get infected, but Wardle suspects it requires a degree of social engineering, such as getting someone to open a malicious attachment or run pirated software.
But it is a warning to Apple, as well as Apple users, that low-grade malware can still find its way onto machines.
“They [Apple] continually push the story that these Macs are secure,” Wardle says. “So most Mac users are overconfident and aren’t as careful as they should be when they’re clicking on email links.”