Mac Fruitfly virus
Found a fascinating article on an insidious virus for Macs on the Malwarebytes site.
Six months after it was discovered, the first Mac malware of the year is still causing a stir.
The recently discovered Fruitfly malware is a stealthy but highly-invasive malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, and keyboard and mouse.
But despite its recent discovery, little is known about the malware.
Given how rare Mac malware is, especially one with all the hallmarks of what could be a nation state attacker, Patrick Wardle, a former NSA hacker who now serves as chief security researcher at Synack, got to work.
Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said. Nevertheless, the malware still works well on modern versions of macOS, including Yosemite. Fruitfly connects and communicates with a command and control server, where an attacker can remotely spy on and control an infected Mac.
But what it does, and why, aren’t widely known.
“It’s not the most sophisticated Mac malware,” said Wardle in a Signal call last week, but he described it as “feature complete.” Like others, he wasn’t sure what the malware did exactly on first glance.
Instead of reverse-engineering the malware’s code to see what it did, he took a novel approach of creating his own command and control server to interact directly with a sample of the malware in his lab.
“I had to figure out how to create a command and control server that could speak the ‘language’ of the malware,” he said. That let him fully deconstruct what the malware did simply by “asking” the malware the right questions, giving him an unprecedented view into its capabilities.
He found that he could take complete control of an infected Mac, including its keyboard and mouse, take screenshots of the display, remotely switch on the webcam, and modify files. The malware can also run commands in the background, and even kill the malware’s process altogether — likely in an effort to avoid detection.
“The most interesting feature is that the malware can send an alert when the user is active,” said Wardle, so that the attacker can then avoid interfering with the computer to remain stealthy. “I haven’t seen that before,” he said. He even found that some commands supported additional parameters. What he called the “second byte” to each command would offer more granular options. He explained that he could take screenshots of the display of varying quality — a useful feature for low-bandwidth connections or trying to evade network detection.
He noticed that the malware was communicating out to primary servers that were offline. But some of the backup servers were available.
Armed with his Python-based command and control scripts, he registered some domains, and fired up his servers. And that’s when his screen began to fill up with victims’ computers connecting to his servers, one after the other.
“I thought — ‘f**k!’ — I have to be responsible here,” he said. When the malware connects, you get the IP address, name of the user, and the computer name (which is typically the full name of the user). “I just logged the connections and parsed the computer names, then closed the connection,” he said.
The early analysis was that as many as 90 percent of the victims were in the US, with no obvious connection between the users, he said. “It was just a general smattering of users.”
But questions remain over where the malware came from, and what purpose it performs.
Wardle said based on the target victims, the malware is less likely run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.
He also wasn’t sure on the exact delivery method of the malware, but suggested it could infect a computer through a malicious email attachment.
Wardle has since informed and is now working with law enforcement on the matter, handing over the list of victims and command and control servers.
“You have to realize that this kind of re-exposes the fact that you can be an ordinary person and still be victim of a really insidious attack,” he said. “This is just another illustration that Macs are just as vulnerable as any other computer.”
In part for that reason, Wardle spends his spare time developing free-to-download Mac tools to protect against this kind of attack, including Oversight, which notifies users when their microphone or webcam becomes active; essentially protecting against some of the features of this malware.
“It’s not surprising that this malware wasn’t detected for five or more years, because current Mac security software is often rather ineffective,” he said. “Most don’t even look for this kind of activity.”
Wardle is set to talk about the malware in more detail at the Black Hat conference in Las Vegas on Wednesday.
Apple did not respond to a request for comment.
Originally posted at
How to shut down Windows!
You wouldn’t believe how many people I run into who still think turning off the computer is just hitting the power button! I recently came across this article, which is one of the best descriptions of how to properly shut down your computer I’ve found. You don’t need to even read any further down than “Shut Down from the Start Menu”, but if you do you’ll find some even more clever tricks!
Contact information does not appear in the address book in Outlook
When you use your address book to select recipients for an e-mail message or a fax message in Microsoft Outlook, information from your Contacts folder does not appear in the list.
This is likely happening because the Outlook Address Book service isn’t running, or it has either been corrupted or deleted from the accounts tab.
Install the Outlook Address Book service
To do this, follow these steps, as appropriate for the version of Outlook that you are running.
Microsoft Outlook 2002 and Microsoft Office Outlook 2003
1. On the Tools menu, click E-mail Accounts.
2. Click to select View or change existing directories or address books, and then click Next.
3. If your Outlook Address Book is listed, click Cancel, and then go to the steps in the “How to Mark Your Contact Folder for Use with Your Address Book” section.
4. If your Outlook Address Book is not listed, click Add.
5. Click to select Additional Address Books, and then click Next.
6. Click to select Outlook Address Book, and then click Next.
7. Click OK when you receive the prompt that the address book you added will not start until you click Exit from the File menu.
8. Click Exit from the File menu, and then restart Outlook.
Microsoft Office Outlook 2007
1. On the Tools menu, click Account Settings.
2. Click the Address Books tab.
3. If your Outlook Address Book is not listed, click New.
4. Select Additional Address Books, and then click Next.
5. Select Outlook Address Book, and then click Next.
6. You receive a message that states that the address book that you added will not start until you click Exit on the File menu. Click OK.
7. Click Close, and then restart Outlook.
Microsoft Office Outlook 2010
1. Click the File tab in the Ribbon, and then select the Info tab in the menu.
2. Click the Account Settings tab, and then click Account Settings again.
3. Click the Address Books tab.
4. If your Outlook Address Book is not listed, click New.
5. Select Additional Address Books, and then click Next.
6. Select Outlook Address Book, and then click Next.
7. You receive a message that states that the address book that you added will not start until you click Exit on the File menu. Click OK.
8. Click Close, and then restart Outlook.
Acronis Backup and Recovery Causing Disk full on C:
Are you getting a “Disk Full” error on your hard drive? The backup program Acronis may be to blame. Check your Temp folder. You’ll find some acr* files in the user temp folder that need to be deleted.
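As an added example (not from the original post or from Acronis), here is a PowerShell function that finds the acr* leftovers in the current user’s temp folder, reports how much space they use, and removes only the ones not currently held open by a running backup task. The acr* pattern and the temp-folder location come from the post; the function name and locked-file check are my own additions, and the -WhatIf run at the end only previews what would be removed.

```powershell
# Added example: clean up Acronis acr* temp files safely.
# Assumptions: files live in $env:TEMP and match acr*; anything locked is skipped.
function Remove-AcronisTempFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TempPath = $env:TEMP
    )

    $files = @(Get-ChildItem -Path $TempPath -Filter 'acr*' -File -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        Write-Host "No acr* files found in $TempPath"
        return
    }

    # Show how much space the leftovers are actually consuming before touching anything.
    $totalMB = [math]::Round(($files | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
    Write-Host ("{0} acr* file(s) using {1} MB in {2}" -f $files.Count, $totalMB, $TempPath)

    foreach ($f in $files) {
        # A file still open by an active Acronis task cannot be deleted;
        # skip it instead of failing the whole cleanup.
        try {
            $stream = [System.IO.File]::Open($f.FullName, 'Open', 'ReadWrite', 'None')
            $stream.Close()
        } catch {
            Write-Warning "Skipping locked file: $($f.Name)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}

# Preview first; drop -WhatIf to actually delete.
Remove-AcronisTempFiles -WhatIf
```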