Nmedia - Fotolia
Fruitfly Mac malware: How does its decades-old code work?
The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis explains how it works.
A new type of Mac malware, known as Fruitfly, has been found conducting surveillance attacks for possibly over two years, but has code that is decades old. The Fruitfly malware library can also run on Linux systems. If Fruitfly's code is so ancient, why does it still work? And why wasn't it discovered earlier? How can enterprises secure their Mac and Linux devices?
Effective code, algorithms and techniques typically have very long lifespans, and they often get included in more places than was initially anticipated.
One of the key practices of software development is code reuse, which enables developers to reduce the time necessary to develop and test their code. It appears the authors of the Fruitfly Mac malware had this in mind when they wrote the code.
Malwarebytes analysis showed that this cross-platform malware uses APIs that go back decades. Apple and other operating system developers know that APIs have very long lifespans, and if they change how an API works, it could break a legitimate program, so backwards compatibility is maintained for as long as possible. Malwarebytes reported Fruitfly Mac malware could have evaded detection by limiting the targets of attack. Macs do not face as many malware attacks as some Windows systems, and may not be as carefully monitored, which also could have reduced the likelihood of the malware being identified.
Enterprises can secure their Mac and Linux devices the same way they secure their Windows systems, by keeping the systems up to date with patches, managing the systems with the least privileges necessary, using secure configurations and monitoring the systems. The standards and specific configuration settings will differ from Windows systems, but the same general steps can be used. Some system management tools are multi-platform and can manage Windows, Macs and Linux systems. These same steps haven't significantly changed in a long time.
As for the specific case of Fruitfly Mac malware, using a file integrity monitor could alert enterprises when an unknown binary is run on a system, which could then be investigated to determine more details on the attack. The initial indicator of compromise was suspicious network traffic originating from an infected endpoint.
