The FBI has solved the final mystery surrounding a strain of Mac malware that was used by an Ohio man to spy on people for 14 years.
The man, 28-year-old Phillip Durachinsky, was arrested in January 2017, and charged a year later, in January 2018.
US authorities say he created the Fruitfly Mac malware (Quimitchin by some AV vendors) back in 2003 and used it until 2017 to infect victims and take control off their Mac computers to steal files, keyboard strokes, watch victims via the webcam, and listen in on conversations via the microphone.
Court documents reveal Durachinsky wasn't particularly interested in financial crime but was primarily focused on watching victims, having collected millions of images on his computer, including many of underage children.
Durachinsky created the malware when he was only 14, and used it for the next 14 years without Mac antivirus programs ever detecting it on victims' computers.
The first known detection, at least according to court documents, was in early 2017, when the FBI Cleveland branch was called in to investigate a malware incident at the Case Western Reserve University. FBI investigators found the FruitFly malware on the university's computer systems, and the trail eventually led back to Durachinsky, resulting in his arrest.
News of Fruitfly's existence leaked online in the same month as Durachinsky's arrest when US cyber-security firm Malwarebytes published a report detailing the Fruitfly's intrusive capabilities, some of the most advanced at the time for a Mac malware strain.
A former NSA analyst, Patrick Wardle, found a more powerful strain in July 2017, which he broke down at the Black Hat USA 2017 security conference the following month.
TechRepublic: How to access Microsoft Remote Desktop on your Mac
During all this time, one mystery remained. How was this malware infecting victims, and how was its creator spreading it around.
Most experts speculated that the malware could have only been deployed via individually targeted phishing emails since it infected a very small number of victims and wasn't detected for so many years.
The mystery remained even after Durachinsky's public indictment since the court documents didn't go too deep into Fruitfly's technical details.
But this mystery was solved earlier today by Wardle, who discovered an FBI flash alert sent earlier this year, on March 5. The FBI sends "flash alerts" to businesses detailing ongoing "threats" and details ways to prevent against them.
Describing the Fruitfly/Quimitchin malware, the FBI said the following:
The attack vector included the scanning and identification of externally facing services, to include the Apple Filing Protocol (AFP, port 548), RDP or other VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from third party data breaches.
In other words, Durachinsky had used a technique know as port scanning to identify internet or network-connected Macs that were exposing remote access ports with weak or no passwords.
He then logged into these remote systems via the open service ports and installed and hid Fruitfly on users' computers. This tactic served him well for 14 years until one lucky detection at the Case Western Reserve University.
Port scanning isn't something that only a hacker wielding the Fruitfly malware can exploit. Any attacker, regardless of the malware he plans to install can use this technique.
Mac users are advised to review the service ports their Macs are exposing online, and either shut them down or set up strong passwords to prevent attackers from barging in.