Fruitfly: the first Mac malware of 2017

[kimmer]

Malwarebytes finds the ‘first Mac malware of 2017,’ Apple calls it ‘Fruitfly’

https://blog.malwarebytes.com/threat-analys...ntiquated-code/

https://9to5mac.com/2017/01/18/malware-macos-fruitfly/

According to Malwarebytes, “We still don't know how it gets installed. All samples so far have been observed installed in user space, so running in a standard user account will not protect against this.”

QUOTE

Malwarebytes will detect this malware as OSX.Backdoor.Quimitchin. (Why the name? Because the quimitchin were Aztec spies who would infiltrate other tribes. Given the “ancient” code, we thought the name fitting.) Apple calls this malware Fruitfly and has released an update that will be automatically downloaded behind the scenes to protect against future infections.

[Jack W]

QUOTE(kimmer @ Jan 18 2017, 12:08 PM) <{POST_SNAPBACK}>

Malwarebytes finds the ‘first Mac malware of 2017,’ Apple calls it ‘Fruitfly’

https://blog.malwarebytes.com/threat-analys...ntiquated-code/

https://9to5mac.com/2017/01/18/malware-macos-fruitfly/

According to Malwarebytes, “We still don't know how it gets installed. All samples so far have been observed installed in user space, so running in a standard user account will not protect against this.”

QUOTE

Malwarebytes will detect this malware as OSX.Backdoor.Quimitchin. (Why the name? Because the quimitchin were Aztec spies who would infiltrate other tribes. Given the “ancient” code, we thought the name fitting.) Apple calls this malware Fruitfly and has released an update that will be automatically downloaded behind the scenes to protect against future infections.

I ran FindAnyFile and entered ce07 and came up with a number of files containing that string.
They were all in a folder titled PubSub in my ~/Library folder:

[attachment=3355:PubSub_Folder.jpg]

Any relation to this Malware?

I have MalwareBytes in my Mavs partition, but not in my SL partition where these files appear.

Jack

[kimmer]

QUOTE(Jack W @ Jan 18 2017, 12:55 PM) <{POST_SNAPBACK}>

I ran FindAnyFile and entered ce07 and came up with a number of files containing that string.
They were all in a folder titled PubSub in my ~/Library folder:

[attachment=3355:PubSub_Folder.jpg]

Any relation to this Malware?

I have MalwareBytes in my Mavs partition, but not in my SL partition where these files appear.

Jack

No clue, Jack. I'd use MalwareBytes on your SL partition to be safe.

[Xairbusdriver]

You might have better luck searching for "com.client.client". just searching for a few letters that made up the SHA 'code' will surely turn up dozens of the randomly created names for temporary files. You could simply open your ~/Library/LaunchAgents directory and look for "com.client.client". My bet is you'll not find it, unless you've been installing stuff from sites you shouldn't even visit, much less download from!

[jchuzi]

'Fruitfly' malware patched by Apple relies on 'ancient' Mac system calls

[Xairbusdriver]

Had a Security Update just after I posted above.

[Jack W]

QUOTE(Xairbusdriver @ Jan 18 2017, 03:51 PM) <{POST_SNAPBACK}>

You might have better luck searching for "com.client.client". just searching for a few letters that made up the SHA 'code' will surely turn up dozens of the randomly created names for temporary files. You could simply open your ~/Library/LaunchAgents directory and look for "com.client.client". My bet is you'll not find it, unless you've been installing stuff from sites you shouldn't even visit, much less download from!

Not in there.
Besides, I have SL set to notify m if anything attempts to put something in the LaunchAgents.
Just a simple security measure.

Jack