
FBI solves mystery surrounding 15-year-old Fruitfly Mac malware - curtis
https://www.zdnet.com/article/fbi-solves-mystery-surrounding-15-year-old-fruitfly-mac-malware/
======
ilamont
Very detailed background on Durachinsky here:
[https://www.cleveland.com/court-justice/index.ssf/2018/02/th...](https://www.cleveland.com/court-justice/index.ssf/2018/02/the_road_from_computer_whiz_to.html)

ZDNet has some more background on the case here:
[https://www.zdnet.com/article/fbi-solves-mystery-surrounding...](https://www.zdnet.com/article/fbi-solves-mystery-surrounding-15-year-old-fruitfly-mac-malware/)

------
sverige
Wow, apparently he designed this when he was only 14 years old, and it was
good enough to go undetected for another 14 years. Yet another example of why
locking down open ports should be taken seriously.

~~~
donatj
I’m curious about the arrest. Was he still making use of it? Isn’t there a
statute of limitations? Especially considering he was a minor at the time?

~~~
molecule
> US authorities say he created the Fruitfly Mac malware (Quimitchin by some
> AV vendors) back in 2003 and used it until 2017...

~~~
dsfyu404ed
What does "used it" mean?

The government typically makes grandiose statements that sound impressive and
make the accused sound like the devil himself, but reality is almost always an
order of magnitude more mild.

Unless I hear otherwise I'm gonna assume it was just pinging back to some C&C
infrastructure he owned or something like that.

~~~
jjjjjjjjjjjjjjj
> Court documents[0] reveal Durachinsky wasn't particularly interested in
> financial crime but was primarily focused on watching victims, having
> collected millions of images on his computer, including many of underage
> children.

[0] [https://www.scribd.com/document/389668977/Durachinsky-
Indict...](https://www.scribd.com/document/389668977/Durachinsky-Indictment)

~~~
golergka
> including many of underage children

This makes him sound like a pedophile, but given that he created it at 14, he
could watch "children" older than himself.

~~~
opencl
Except he continued using it until he was 28.

~~~
GranPC
But now we're circling back to - what does "used it" mean?

~~~
Insanity
He could have deleted the pictures though. I find it hard to believe those
pics would still be on a 14 year old drive.

~~~
dsfyu404ed
This is a computer guy. Nobody would be surprised if he had spare hardware
lying around from as far back as the 90s. If he just quick-formatted a bunch
of spare drives and tossed them on a shelf years ago any forensics software
would find what was on them before he formatted them. Considering that he's
been collecting pictures since he was 14 I think it would be hard not to get
him for possession if he's a hardware pack-rat.

Without details all we can do is speculate.

~~~
Insanity
That's a good point. I would probably forget about old drives as well - I
thought they found the pictures on an active drive but realise now that this
was a baseless assumption.

------
simula67
> one mystery remained. How was this malware infecting victims, and how was
> its creator spreading it around.

> The attack vector included the scanning and identification of externally
> facing services, to include the Apple Filing Protocol (AFP, port 548), RDP
> or other VNC, SSH (port 22), and Back to My Mac (BTMM), which would be
> targeted with weak passwords or passwords derived from third party data
> breaches.
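
The alert quoted above names the services that were hunted for, so the first check a defender wants is which of them are listening on an address reachable from off the box. The script below is an added example, not part of the article or the FBI alert: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (the sample lines are constructed, not a real capture), and it assumes the IANA default ports 5900 for VNC/Screen Sharing and 3389 for RDP, which the alert does not state; Back to My Mac is omitted because the alert gives it no port.

```python
"""Added example: flag the remote-access services named in the FBI flash alert
(AFP 548, SSH 22, plus VNC 5900 and RDP 3389 as assumed defaults) when they
listen on a non-loopback address.  Input is `lsof -nP -iTCP -sTCP:LISTEN`
output; SAMPLE_LSOF below is constructed sample output, not a real capture."""

import ipaddress
import re

# Ports from the alert; VNC/RDP numbers are the IANA defaults (assumption).
RISKY_PORTS = {548: "AFP", 5900: "VNC/Screen Sharing", 22: "SSH", 3389: "RDP"}

SAMPLE_LSOF = """\
COMMAND          PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
AppleFileServer  312 root    5u  IPv4 0x1a2b      0t0  TCP *:548 (LISTEN)
screensharingd   410 root    3u  IPv4 0x1a2c      0t0  TCP *:5900 (LISTEN)
sshd             520 root    3u  IPv6 0x1a2d      0t0  TCP *:22 (LISTEN)
cupsd            601 root    7u  IPv4 0x1a2e      0t0  TCP 127.0.0.1:631 (LISTEN)
rapportd         702 alice   4u  IPv6 0x1a2f      0t0  TCP [::1]:49152 (LISTEN)
postgres         803 alice   6u  IPv4 0x1a30      0t0  TCP 192.168.1.20:5432 (LISTEN)
"""

# NAME column: "*:548", "127.0.0.1:631" or "[::1]:49152"
_NAME_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


def parse_listener(line):
    """Return (command, address, port) for one lsof LISTEN line, else None."""
    parts = line.split()
    if len(parts) < 3 or parts[-1] != "(LISTEN)":
        return None  # header line or something that is not a listener
    m = _NAME_RE.match(parts[-2])
    if not m:
        return None
    addr = m.group("v6") or m.group("v4")
    return parts[0], addr, int(m.group("port"))


def is_loopback_only(addr):
    """True when bound to a loopback address; '*' means every interface."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed, not as safe


def exposed_services(lsof_output):
    """Return [(command, address, port, label)] for risky ports reachable off-host."""
    findings = []
    for line in lsof_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        command, addr, port = parsed
        if port in RISKY_PORTS and not is_loopback_only(addr):
            findings.append((command, addr, port, RISKY_PORTS[port]))
    return findings


if __name__ == "__main__":
    # On a Mac, feed it real data with:
    #   lsof -nP -iTCP -sTCP:LISTEN | python3 this_script.py  (adapt as needed)
    for command, addr, port, label in exposed_services(SAMPLE_LSOF):
        print(f"{label:20} {command:16} listening on {addr}:{port}")
```

A listener on `*` or a LAN address is only reachable from the Internet if the router forwards the port or the machine has a public address, which is the point the NAT discussion further down makes; the script reports what is exposed at the host, and the network check comes separately.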

~~~
askmike
Between your two quotes you are missing this one:

> But this mystery was solved earlier today by Wardle

~~~
jacquesm
No, it was solved by the FBI, Wardle merely communicated that it had been
solved.

~~~
Buge
It depends on what "it" refers to. If "it" refers to no one except Durachinsky
knowing how it spread, then yes, "it" was solved by the FBI a long time ago.
If "it" refers to no one outside the FBI and Durachinsky knowing how it
spread, then "it" was solved earlier "today" by Wardle.

------
fouc
> The attack vector included the scanning and identification of externally
> facing services [..] which would be targeted with [..] passwords derived
> from third party data breaches.

This is an interesting notion, that people's home computers can be hacked by
using their passwords from online data breaches.

~~~
appleflaxen
It's not _their_ password, per se, it's just using low-entropy (=common)
passwords to get access where people were lazy.

And the best way to find common passwords is by using frequency analysis from
prior breaches.

It's definitely clever, but it's also not super innovative - kind of a
standard tool in the toolbox.
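
The two comments above describe the same technique from both sides: an attacker ranks passwords by how often they appear in earlier breaches and tries the top of the list against exposed logins, and a defender can use the same ranking to reject those passwords before they are set. The code below is an added example and not from the article or the case; the breach dump it reads is constructed for the example, and the `identifier:password` line format is an assumption about how such dumps are laid out.

```python
"""Added example: rank passwords by frequency in a breach dump (the way a
spraying list is built) and reuse the ranking as a block list.  SAMPLE_DUMP
is constructed for this example; the 'identifier:password' layout is assumed."""

from collections import Counter

SAMPLE_DUMP = """\
alice@example.com:password
bob@example.com:123456
carol@example.com:Password1
dave@example.com:123456
erin@example.com:password
frank@example.com:qwerty
grace@example.com:123456
heidi@example.com:letmein
ivan@example.com:password
judy@example.com:mallory-ridge-quarter
# comment line, skipped
malformed-line-without-separator
"""


def password_frequencies(dump_text):
    """Count passwords in 'identifier:password' lines; skip blanks, comments, malformed lines."""
    counts = Counter()
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        # split once only: a password may itself contain ':'
        _, password = line.split(":", 1)
        counts[password] += 1
    return counts


def spray_list(counts, min_count=2):
    """Passwords seen at least min_count times, most common first, ties alphabetical.

    This is the attacker's view: a short list tried against many accounts,
    which keeps per-account attempts below typical lockout thresholds."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [pw for pw, n in ranked if n >= min_count]


def blocked_by_breach_list(candidate, counts, min_count=2):
    """Defender's view: reject a candidate that ranks as common in the dump.

    Case-insensitive, since 'Password' and 'password' fall to the same guess."""
    common = {pw.lower() for pw in spray_list(counts, min_count)}
    return candidate.lower() in common


if __name__ == "__main__":
    counts = password_frequencies(SAMPLE_DUMP)
    print("spray list:", spray_list(counts))
    for pw in ("PASSWORD", "mallory-ridge-quarter"):
        print(pw, "blocked" if blocked_by_breach_list(pw, counts) else "allowed")
```

With a real corpus the threshold and the case handling matter more than the counting: a password that appears twice in ten lines is noise, one that appears a few thousand times in a large dump is exactly what gets tried first against every exposed SSH or VNC login.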

------
newnewpdro
> But this mystery was solved earlier today by Wardle, who discovered an FBI
> flash alert sent earlier this year, on March 5. The FBI sends "flash alerts"
> to businesses detailing ongoing "threats" and details ways to prevent
> against them.

Just what did Wardle solve here? The FBI solved it.

~~~
ianhawes
Actually, it appears that Case Western solved it:

> The university identified more than 100 computers with active internet
> connections that were infected by malware. Agents learned the computers had
> been compromised for a few years, the affidavit says.

> The university also found an IP address, a number that identifies its
> location on the internet, associated with the malware was also used to
> access Durachinsky's alumni email account, Brian wrote.

------
jacquesm
So, how many more of these would there be in the wild? Given that this went
undetected for as long as it did there have to be more.

------
iopuy
Was there anything particularly special or intrusive about the virus? I'm
struggling to see the significance of the news. Surely viruses of this caliber
are written and deployed all the time, no?

~~~
gammateam
I guess because nobody uses Macs, despite the bubble we live in.

This was just that nobody looked, because it wasn't that popular to look.

~~~
toyg
Wouldn’t that mean the webcam light would be turned on, though? It’s supposed
to be hardware-linked...

~~~
tumetab1
No, it has been software for many years.

But I recall seeing something recent that Apple was trying to make it hardware
linked now.

~~~
saagarjha
It is hardware linked.

~~~
zeckalpha
Not on iOS devices

~~~
saagarjha
…which don't have a light? I don't see what your point is.

------
cm2187
I am surprised he would find any Mac directly connected to the internet post
2003-2004. Unless you are connecting with 3G/4G directly, you are always
behind at least a NAT.

~~~
jfindley
For IPv4, at least, if you connect via 3G/4G you're going to be behind CGNAT.
As far as I'm aware, there are no mobile operators left that don't NAT IPv4
traffic. IPv6 is different, of course, but I'm uncertain how well 14-year-old
malware is going to deal with IPv6.

~~~
cm2187
Plus good luck scanning the ipv6 address space.

~~~
stephengillie
Masscan upgrade needed.

