
Fruitfly Mac malware: How does its decades-old code work?

The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis explains how it works.

A new type of Mac malware, known as Fruitfly, has been found conducting surveillance attacks for possibly over two years, but has code that is decades old. The Fruitfly malware library can also run on Linux systems. If Fruitfly's code is so ancient, why does it still work? And why wasn't it discovered earlier? How can enterprises secure their Mac and Linux devices?

Effective code, algorithms and techniques typically have very long lifespans, and they often get included in more places than was initially anticipated.

One of the key practices of software development is code reuse, which enables developers to reduce the time necessary to develop and test their code. It appears the authors of the Fruitfly Mac malware had this in mind when they wrote the code.

Malwarebytes analysis showed that this cross-platform malware uses APIs that go back decades. Apple and other operating system developers know that APIs have very long lifespans, and changing how an API works could break legitimate programs, so backwards compatibility is maintained for as long as possible. Malwarebytes reported that the Fruitfly Mac malware could have evaded detection by limiting the number of targets it attacked. Macs do not face as many malware attacks as some Windows systems, and may not be as carefully monitored, which also could have reduced the likelihood of the malware being identified.

Enterprises can secure their Mac and Linux devices the same way they secure their Windows systems, by keeping the systems up to date with patches, managing the systems with the least privileges necessary, using secure configurations and monitoring the systems. The standards and specific configuration settings will differ from Windows systems, but the same general steps can be used. Some system management tools are multi-platform and can manage Windows, Macs and Linux systems. These same steps haven't significantly changed in a long time.

As for the specific case of Fruitfly Mac malware, using a file integrity monitor could alert enterprises when an unknown binary is run on a system, which could then be investigated to determine more details on the attack. The initial indicator of compromise was suspicious network traffic originating from an infected endpoint.
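A minimal version of the file-integrity check recommended above, written here as an added example (it is not code from the article or from any monitoring product): it baselines the SHA-256 digest and executable bit of every file under a directory, then reports executables that are new, have changed, or have gained the exec bit. The directory contents, the tampered script and the dropped "unknown_binary" are constructed for the demo and are not Fruitfly artefacts.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Record the SHA-256 and executable bit of every regular file under root."""
    snap = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            rel = str(p.relative_to(root))
            snap[rel] = {"sha256": _sha256(p), "exec": bool(p.stat().st_mode & EXEC_BITS)}
    return snap

def diff_snapshots(baseline: dict, current: dict) -> list:
    """Alert on executables that are new, have changed content, or gained the exec bit."""
    alerts = []
    for rel, info in current.items():
        if not info["exec"]:
            continue  # data files are recorded but only executables raise alerts here
        old = baseline.get(rel)
        if old is None:
            alerts.append(("NEW_EXECUTABLE", rel, info["sha256"]))
        elif old["sha256"] != info["sha256"]:
            alerts.append(("MODIFIED_EXECUTABLE", rel, info["sha256"]))
        elif not old["exec"]:
            alerts.append(("MADE_EXECUTABLE", rel, info["sha256"]))
    return sorted(alerts)

def demo() -> list:
    """Constructed scenario: baseline a directory, then drop an unknown binary and tamper with a known one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        known = root / "bin" / "updater"
        known.write_bytes(b"#!/bin/sh\necho ok\n")
        known.chmod(0o755)
        baseline = snapshot(root)
        dropped = root / "bin" / "unknown_binary"  # constructed name, not a Fruitfly artefact
        dropped.write_bytes(b"constructed sample, not real malware")
        dropped.chmod(0o755)
        known.write_bytes(b"#!/bin/sh\necho tampered\n")  # simulated modification of a trusted file
        return diff_snapshots(baseline, snapshot(root))
```

In practice the baseline would be stored off-host and the comparison run on a schedule against the directories where binaries and launch items live; `demo()` returns the two alerts the constructed scenario produces.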


This was last published in June 2017
