On January 4, 2017, Case Western Reserve University (CWRU), located in Cleveland, Ohio, became aware of an infection on more than 100 of its computers. The university was notified by an undisclosed third party, who provided information to help the team find and identify the malware.

CWRU began working with the FBI, who determined that the systems had been infected for several years. Together, CWRU and the FBI were able to identify that an IP address with which the malware was communicating had also been used to access the alumni email account of a man called Phillip Durachinsky.

On January 10, 2017, and unaware of this ongoing investigation, Malwarebytes became aware of the Mac version of the malware that would become known as FruitFly. We shared our investigation with Apple, and learned that it was working with the FBI and calling the malware “FruitFly” internally.

On January 25, 2017, Durachinsky was arrested for involvement with the FruitFly malware. In December, nearly 7 years later, a judge ruled that Durachinsky is incompetent to stand trial.

Who is Phillip Durachinsky?

Durachinsky, a resident of northeast Ohio, was seen by his peers as “awkward and eccentric” throughout grade school and college. Despite this, he was active in extracurricular activities. In high school, he participated in a computer club. As a member of the club, he competed in a local programming competition, helping the team to win in both 20. Interviewed by a local newspaper reporter following one of these wins, Durachinsky said, “It’s about teamwork, knowing your strengths and weaknesses to help the team.”

In college at CWRU, he participated in a philosophy club, where he was “interested in the philosophy behind mathematics.” In 2012, as a senior soon to graduate with a physics degree, he worked on a project with faculty member Robert W. Brown regarding nanoparticle behavior, assisting with software to visualize the behavior in 3D.

However, Durachinsky was frequently in trouble for his other computing activities. He was rumored to have hacked into his high school’s computer system, although those rumors were never confirmed. While at CWRU, he was accused of “cracking passwords” on a CWRU network. In an interview following his 2017 arrest, a local law enforcement representative said that Durachinsky was “not unknown to the authorities.”

The FruitFly malware

Initial investigation of the FruitFly malware showed something very interesting: some of the code in the malware was extremely old. There were many references to functions that dated back to the early days of the Macintosh, and that had been deprecated in macOS for years. (This led to Malwarebytes initially using the name “Quimitchin” for the malware, after the name for ancient Aztec spies that infiltrated enemy tribes. This name did not catch on.)

FruitFly included a number of very powerful capabilities, including file exfiltration, screen capture, execution of arbitrary commands, and remote access to the webcam and microphone. The FBI found more than 20 million files collected from victim machines on hardware confiscated from Durachinsky’s home.

According to an FBI Flash document released to affected organizations on March 27, 2017, machines were infected with FruitFly via brute force attacks, using weak passwords or passwords from breaches of other systems. (The latter is referred to as “credential stuffing.”)

“The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches.”
FBI Flash

In this manner, thousands of computers were infected over more than a decade.

Arrest and arraignment

Apple had been acting as an intermediary, coordinating with both the FBI and Malwarebytes. On January 18, 2017, all three organizations took simultaneous actions.
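The FBI Flash excerpt above describes the infection vector as password guessing and credential stuffing against exposed remote-access services, which is the kind of activity a defender can spot in authentication logs before any malware is dropped. The following Python script is an added example written for this page; it is not code from Malwarebytes, Apple, the FBI or the original post, and it does not analyze FruitFly itself. It parses a handful of constructed log lines in the classic OpenSSH auth-log format (macOS routes sshd messages through unified logging, so a real deployment would need a matching parser) and flags any source address that fails logins for several different usernames in a short window, reporting whether that address later authenticated successfully, which is the point at which a stuffed credential has worked. The IP addresses, hostnames, usernames and the thresholds (four failures across three users in five minutes) are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not real victim data). Source addresses
# come from the RFC 5737 documentation ranges; hostnames and users are made up.
SAMPLE_LOG = """\
Jan 10 03:12:01 mac-lab sshd[4411]: Failed password for invalid user admin from 203.0.113.9 port 50121 ssh2
Jan 10 03:12:03 mac-lab sshd[4413]: Failed password for root from 203.0.113.9 port 50122 ssh2
Jan 10 03:12:04 mac-lab sshd[4415]: Failed password for invalid user test from 203.0.113.9 port 50123 ssh2
Jan 10 03:12:06 mac-lab sshd[4417]: Failed password for alice from 203.0.113.9 port 50124 ssh2
Jan 10 03:12:07 mac-lab sshd[4419]: Failed password for bob from 203.0.113.9 port 50125 ssh2
Jan 10 03:12:09 mac-lab sshd[4421]: Accepted password for bob from 203.0.113.9 port 50126 ssh2
Jan 10 03:20:00 mac-lab sshd[4500]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Jan 10 03:20:30 mac-lab sshd[4502]: Accepted password for alice from 198.51.100.4 port 41001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted password for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Return a list of (timestamp, source_ip, username, succeeded) tuples.

    Syslog timestamps carry no year, so strptime yields year 1900; only the
    differences between timestamps matter here.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other daemons, or unrelated sshd messages
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user"), m.group("result") == "Accepted"))
    return events


def detect_password_spraying(events, window=timedelta(minutes=5), min_failures=4, min_users=3):
    """Flag source IPs with many failed logins across several usernames inside `window`.

    That pattern (one source, many accounts, rapid failures) is what a brute-force
    or credential-stuffing run against an exposed service looks like. The
    thresholds are assumptions for this example; tune them to the environment.
    Returns {ip: {"failures": n, "users": [...], "success_after": [users]}}, where
    success_after lists accounts the same source authenticated to during or shortly
    after the burst, i.e. the cases that need immediate follow-up.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if not e[3]]
        # Slide a window starting at each failure; stop at the first burst that qualifies.
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - start[0] <= window]
            users = {e[2] for e in in_win}
            if len(in_win) >= min_failures and len(users) >= min_users:
                end = in_win[-1][0]
                success_after = [e[2] for e in evs if e[3] and start[0] <= e[0] <= end + window]
                findings[ip] = {
                    "failures": len(in_win),
                    "users": sorted(users),
                    "success_after": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spraying(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures across {len(info['users'])} users; "
              f"successful logins after burst: {info['success_after'] or 'none'}")
```

On the constructed sample the script flags 203.0.113.9 (five failures across five accounts, followed by a successful login as bob) and ignores 198.51.100.4, whose single failed attempt before a success looks like an ordinary typo. The same grouping logic applies to any service named in the FBI Flash excerpt (AFP, VNC, RDP, Back to My Mac) once a parser for that service's log format is substituted for `LINE_RE`.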