Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Malware Writer Allegedly Spied on Computers for 13 Years

Justice Department Accuses Ohio Man of Authoring 'Fruitfly' Malware

Source: Justice Department, Synack

One year ago, a malicious program for Mac surfaced nicknamed Fruitfly. The malware was an oddball in the context of modern malware: It used Perl, a programming language first developed in the late 1980s.

See Also: How to Uplevel Your Defenses with Security Analytics

Fruitfly, experts say, appeared to be designed to spy on Apple Macs. As security experts began analyzing Fruitfly, it turns out that law enforcement was on the heels of its author (see Mac Malware Targets Biomedical Institutions).

The Justice Department on Wednesday announced the indictment of Phillip R. Durachinsky, 28, of North Royalton, Ohio. He was charged with 16 counts in federal court, including violating the Computer Fraud and Abuse Act, plus wire fraud, aggravated identity theft, illegal wiretapping and child pornography.

Prosecutors allege that Durachinsky spied on computers for more than 13 years, from 2003 through early last year. He is accused of developing Fruitfly for both Apple macOS and Microsoft Windows.

The indictment against Durachinsky.

Durachinsky spied on thousands of people, plucking millions of photos and other sensitive data from their computers, while keeping "detailed notes of what he observed," according to the indictment.

"Defendant used his access to Fruitfly victims' computers to collect and save personal data from Fruitfly victims including tax records, medical records, photographs, internet searches performed, banking records and potentially embarrassing communications and data," the indictment says.

Aside from personal computers, Fruitfly was discovered on a computer run by a subsidiary of the U.S. Department of Energy, one police department, as well as schools and businesses. Security firm Malwarebytes last year also found that the malware had infected biomedical research institutions.

Odd Malware Specimen

Fruitfly proved to be such an odd malware specimen that Patrick Wardle, chief security researcher for the vulnerability testing firm Synack, undertook deep research into it.

Def Con 25 presenation: Patrick Wardle talk offensive malware analysis as he dissects OS X Fruitfly.

Wardle reverse-engineered the command-and-control infrastructure for a "B" variant of Fruitfly, finding that at least 400 computers were infected with it and that the malware had been around for at least five years. In a finding that proved prescient, about 20 percent of the infected machines were in Ohio.

In July 2017, Wardle presented his findings at the Def Con security conference in Las Vegas. His presentation focused on creating a custom command-and-control system for someone else's malware in order to better analyze it (see Mac 'Fruitfly' Infections More Numerous Than Believed).

Screenshot from Patrick Wardle's Fruitfly Def Con presentation.

Wardle concluded that Fruitfly "was created by a hacker or some malware author to basically spy on victims for perverse reasons, which kind of sucks."

That's exactly what prosecutors now allege.

"In certain cases, the Fruitfly malware alerted defendant if a user of an infected computer types certain words associated with pornography," the indictment says. "Defendant used the Fruitfly malware to watch and listen to Fruitfly victims without their knowledge or permission."

Durachinsky also been charged with using minors to engage in sexually explicit conduct.

Live Victim Feeds

It's still unclear how Fruitfly ended up on computers. But it was a Swiss Army knife type of malware, capable of logging keystrokes, capturing authentication credentials, taking screenshots and turning on the camera and microphone, according to the indictment.

Fruitfly had a control panel that also allegedly allowed Durachinsky "to view live images and data from several infected computers simultaneously," the indictment says.

To store the information and obscure the activity, Fruitfly needed bandwidth and storage. Once he captured login credentials for Fruitfly-infected machines, Durachinsky is accused of creating virtual machines on those computers.

"Defendant used certain Fruitfly victims' computer networks to access sufficient bandwidth to allow the Fruitfly malware to infected protected computers," not only in Ohio but worldwide, the indictment reads.