A 28-year-old Ohio man has been named by federal prosecutors as the alleged author of a decade-old Mac malware, which he is accused of using to remotely spy on thousands of unsuspecting victims.
Phillip Durachinsky, 28, a resident of North Royalton, Ohio, is accused in an indictment of building Fruitfly, a highly-invasive Perl-based malware that can allow the controller to secretly take complete control of an infected computer — including recording from the webcam and microphone, viewing what’s on the screen, controlling the keyboard and mouse, and remotely downloading files.
Durachinsky, who was 14 years old when he allegedly wrote the malware, used Fruitfly to infect thousands of computers — including one government-owned machine — to steal personal data, like tax and medical records, banking information, and passwords, according to an indictment filed Wednesday.
He’s also accused of remotely watching and listening to victims, and saving and storing “millions of images,” including images of countless children — leading prosecutors to charges of the production of child pornography.
Justice Dept. prosecutors are also charging Durachinsky with wire fraud and wiretapping relating to use of the malware.
Fruitfly was discovered a year ago by security firm Malwarebytes, forcing Apple to issue a malware signature update — which protected users by locking the alleged malware controller out of his victims’ computers for good.
But it was later in the year when Patrick Wardle, who now serves as chief research officer at Digita Security, reverse-engineered the malware’s code and fired up his own command and control server, revealing an insidious network of infected Mac computers.
“Here we have an example of someone who’s created custom malware, targeting users very selectively, and keeping a low profile — for what, 13 years,” Wardle told ZDNet in a phone call Wednesday, after the indictment was filed.
“The fact that this guy was able to do this for over a decade is mind-blowing,” he said.
Through his work, Wardle was able to identify thousands of victims of the malware. He registered the domain names that the malware’s code pointed to as a backup, in case the primary command servers ever went down, and started to see his screen fill up with victim computers ensnared by the malware.
“Once the malware would connect to my server, I would just log that and close the connection — so now I had all the IP addresses and names of the victims,” he said.
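The sinkhole approach Wardle describes, written up here as an added Python example (not his code, and not the malware's real command server): it listens on the address a registered fallback domain points at, records each host that calls in and hangs up without ever speaking the malware's protocol. The port, the registry layout and the loopback demo clients are assumptions constructed for the example.

```python
import socket
import threading
import time

class VictimRegistry:
    """Thread-safe, deduplicated record of hosts that have called in."""
    def __init__(self):
        self._lock = threading.Lock()
        self.seen = {}  # ip -> {"first_seen": epoch seconds, "count": n}

    def record(self, ip):
        """Log one call-in; returns True the first time this IP is seen."""
        with self._lock:
            entry = self.seen.setdefault(ip, {"first_seen": time.time(), "count": 0})
            entry["count"] += 1
            return entry["count"] == 1

def serve(registry, host="0.0.0.0", port=4444, max_conns=None, on_ready=None):
    """Accept, log the peer, close; never speaks the malware's protocol."""
    handled = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(64)
        if on_ready:
            on_ready(srv.getsockname())  # publish the bound address (port 0 = ephemeral)
        while max_conns is None or handled < max_conns:
            conn, (ip, _) = srv.accept()
            conn.close()  # hang up without sending anything back
            print("NEW " if registry.record(ip) else "seen", ip)
            handled += 1
    return handled

def run_local_demo(n=2):
    """Constructed stand-in for victims: n loopback clients call in, then hang up."""
    registry, ready, addr = VictimRegistry(), threading.Event(), {}
    def publish(bound):
        addr["v"] = bound
        ready.set()
    t = threading.Thread(target=serve, args=(registry,), daemon=True, kwargs=dict(
        host="127.0.0.1", port=0, max_conns=n, on_ready=publish))
    t.start()
    ready.wait(5)
    for _ in range(n):
        socket.create_connection(addr["v"], timeout=5).close()
    t.join(5)
    return registry

if __name__ == "__main__":
    print(run_local_demo().seen)
```

In real use the registry is what gets handed to investigators, as Wardle did with his victim list; the sinkhole itself only ever records the source address and closes.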
He thought it was a cyber-espionage campaign in progress but the malware seemed to target everyday people. Most of the victims were located in the US, he said.
Wardle, a former NSA employee who is well known for building free Mac security tools and blogging his malware analysis, informed the FBI and provided a list of known victims, his technical analysis, and access to the command and control servers. The FBI is said to have already opened an investigation into the malware, but the motives of the malware’s author weren’t immediately clear.
Wardle provided the FBI with technical insight into the malware amid the ongoing investigation. The FBI also sought help from Apple.
But Apple, according to Wardle, seemed equally focused on the prospect of negative media attention.
He said that was a “turning point” in his relationship with Apple, describing it as a “striking example of what Apple’s priorities are.”
“I don’t blame Apple for the malware that broke into all these Macs,” he said. “From my point of view, it’s imperative that everyday Mac users should be aware that there are these sick, perverse hackers out there who are targeting their families. And we have Apple continually pushing out this marketing propaganda that Macs are so incredibly secure. But the side effect of that is that Mac users become naive or over-confident.”
“That’s not necessarily Apple’s fault but [the company] should take some responsibility,” he said.
Apple did not respond to a request for comment.
Wardle later presented his first public analysis of Fruitfly at the Black Hat security conference in Las Vegas in July.
The malware is no longer active, the command and control servers are shut down, and a suspect has been indicted, awaiting trial.
Wardle said the malware is a “wake-up call” to the security community.
“Computers can so easily be turned into spying devices, and normally people don’t worry too much — they say, ‘the Russians’ or ‘the NSA,’ and think that they don’t have anything to hide,” he said.
“But it’s really important [to know] that there are other, very perverse people out there who’re trying to accomplish the same goal,” he said.