{"id":23721,"date":"2024-01-16T04:10:47","date_gmt":"2024-01-16T12:10:47","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/01\/16\/news-17451\/"},"modified":"2024-01-16T04:10:47","modified_gmt":"2024-01-16T12:10:47","slug":"news-17451","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/01\/16\/news-17451\/","title":{"rendered":"Alleged FruitFly malware creator ruled incompetent to stand trial"},"content":{"rendered":"\n<p>On January 4, 2017, Case Western Reserve University (CWRU), located in Cleveland, Ohio, became aware of an infection on more than 100 of its computers. The university was notified by an undisclosed third party, who provided information to help the team find and identify the malware.<\/p>\n<p>CWRU began working with the FBI, who determined that the systems had been infected for several years. Together, CWRU and the FBI were able to identify that an IP address with which the malware was communicating had also been used to access the alumni email account of a man called Phillip Durachinsky.<\/p>\n<p>On January 10, 2017, and unaware of this ongoing investigation, <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2017\/01\/new-mac-backdoor-using-antiquated-code%5D\" target=\"_blank\" rel=\"noreferrer noopener\">Malwarebytes became aware of the Mac version of the malware that would become known as FruitFly<\/a>. We shared our investigation with Apple, and learned that it was working with the FBI and calling the malware \u201cFruitFly\u201d internally.<\/p>\n<p>On January 25, 2017, Durachinsky was arrested for involvement with the FruitFly malware. 
On December 7, 2023 &#8211; nearly 7 years later &#8211; a judge ruled that Durachinsky is incompetent to stand trial.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-who-is-phillip-durachinsky\"><strong>Who is Phillip Durachinsky?<\/strong><\/h2>\n<p>Durachinsky, a resident of northeast Ohio, was seen by his peers as \u201cawkward and eccentric\u201d throughout grade school and college. Despite this, he was active in extracurricular activities. In high school, he participated in a computer club. As a member of the club, he competed in a local programming competition, helping the team to win in both 2005 and 2006. Interviewed by a local newspaper reporter following one of these wins, Durachinsky said, \u201cIt&#8217;s about teamwork, knowing your strengths and weaknesses to help the team.\u201d<\/p>\n<p>In college at CWRU, he participated in a philosophy club, where he was \u201cinterested in the philosophy behind mathematics.\u201d In 2012, as a senior soon to graduate with a physics degree, he worked on a project with faculty member Robert W. Brown regarding nanoparticle behavior, assisting with software to visualize the behavior in 3D.<\/p>\n<p>However, Durachinsky was frequently in trouble for his other computing activities. He was rumored to have hacked into his high school\u2019s computer system, although those rumors were never confirmed. While at CWRU, he was accused of \u201ccracking passwords\u201d on a CWRU network. In an interview following his 2017 arrest, a local law enforcement representative said that Durachinsky was \u201cnot unknown to the authorities.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-the-fruitfly-malware\"><strong>The FruitFly malware<\/strong><\/h2>\n<p>Initial investigation of the FruitFly malware showed something very interesting: some of the code in the malware was extremely old. There were many references to functions that dated back to the early days of the Macintosh, and that had been deprecated in macOS for years. 
(This led to Malwarebytes initially using the name \u201cQuimitchin\u201d for the malware, after the name for ancient Aztec spies that infiltrated enemy tribes. This name did not catch on.)<\/p>\n<p>FruitFly included a number of very powerful capabilities, including file exfiltration, screen capture, execution of arbitrary commands, and remote access to the webcam and microphone. The FBI found more than 20 million files collected from victim machines on hardware confiscated from Durachinsky\u2019s home.<\/p>\n<p>According to an FBI Flash document released to affected organizations on March 27, 2017, machines were infected with FruitFly via brute force attacks, using weak passwords or passwords from breaches of other systems. (The latter is referred to as \u201ccredential stuffing.\u201d)<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>\u201cThe attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches.\u201d<\/p>\n<p> <cite>FBI Flash<\/cite><\/p><\/blockquote>\n<p>In this manner, thousands of computers were infected over more than a decade.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-arrest-and-arraignment\"><strong>Arrest and arraignment<\/strong><\/h2>\n<p>Apple had been acting as an intermediary, coordinating with both the FBI and Malwarebytes. On January 18, 2017, all three organizations took simultaneous actions. Apple released a security update to protect users against FruitFly, Malwarebytes published a blog post with technical details about the malware, and the FBI knocked on the door of the house linked to the IP address used by the malware. 
(The IP address was linked to the malware using data collected by CWRU, Malwarebytes, and AT&amp;T.)<\/p>\n<p>The house, as it turned out, was the home of Durachinsky\u2019s parents, who allowed the agents to enter and mentioned that Durachinsky had been in trouble in high school for breaking into his high school\u2019s website and hacking into teachers\u2019 email.<\/p>\n<p>The FBI found a laptop in Durachinsky\u2019s room. When they entered the room, the laptop lid was slightly ajar, and agents were able to see that the cursor was moving &#8211; indicating that it was being remotely accessed &#8211; and that the control panel for the malware was visible on the screen. Agents disconnected the network router to prevent further remote access, which could have resulted in deletion of evidence. Also found were numerous hard drives.<\/p>\n<p>On January 19, a judge signed a warrant allowing the FBI to examine the contents of the laptop and hard drives. As a result of the evidence found, Durachinsky was arrested on January 25. Following numerous requests by the defense and changes in Durachinsky\u2019s legal representation, he was finally arraigned nearly a year later, on January 19, 2018.<\/p>\n<p>Durachinsky was charged with 16 counts, including accessing and damaging computers without authorization, accessing a non-public government computer without authorization, production of child pornography, three counts of wire fraud, four counts of aggravated identity theft, and five counts of illegal wiretapping.<\/p>\n<p>During the lengthy trial, it was the child pornography charge that seemed to be of most concern to the defense. 
Repeated attempts were made to evade it, including an attempt to suppress evidence due to claims of improper seizure, an attempt to suppress a confession made by Durachinsky, and an attempt to separate that charge from all the others and try it separately.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-ruling\"><strong>Ruling<\/strong><\/h2>\n<p>Almost seven years after Durachinsky\u2019s arrest, judge Solomon Oliver ruled that Durachinsky was incompetent to stand trial, by reason of being unable to assist in his own defense due to autism spectrum disorder (ASD). If psychologists determine that his \u201ccondition\u201d can be treated to restore his competency, the trial will continue. Otherwise, he will be civilly committed.<\/p>\n<p>Interestingly, although both prosecuting and defense attorneys agree on the competency ruling, Durachinsky himself does not. He has been cited as saying, \u201cI don\u2019t challenge the autism disorder diagnosis, but I disagree with the way this has been prosecuted.\u201d<\/p>\n<p>This ruling has caused some concerns in the information security community. ASD is not something that can be \u201ccured,\u201d though therapy can help to teach people on the spectrum how to improve social and communication skills. This can take years, however.<\/p>\n<p>Some have expressed skepticism about the ruling, arguing that Durachinsky\u2019s activities and public statements suggest that, like many affected by high-functioning ASD, he appears to be fully capable of understanding his situation and knowing the difference between right and wrong.<\/p>\n<p>Others have expressed concerns about how this case has proceeded. Seven years of jail time without ever having been found guilty in a court of law is concerning. 
Although the evidence seems pretty damning, and it has been fully expected that Durachinsky would be found guilty, the US justice system is supposed to presume a defendant to be innocent until proven guilty.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-what-next\"><strong>What next?<\/strong><\/h2>\n<p>It\u2019s unclear what\u2019s next for Mr. Durachinsky, but it would seem the saga is not yet over. Presumably he will be &#8211; or has been &#8211; released from jail, but there\u2019s still the question of civil commitment. It\u2019s unclear exactly what that will mean &#8211; whether this would require time in an institution and, if so, for how long. It\u2019s also unclear whether there will be any kind of treatment that the court deems successful at restoring his competency, in which case the trial could resume.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/01\/fruitfly-malware-creator-ruled-incompetent-to-stand-trial\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Almost seven years after alleged FruitFly author Phillip Durachinsky\u2019s arrest, judge Solomon Oliver has ruled he&#8217;s incompetent to stand trial. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[15717,3764,32,30717],"class_list":["post-23721","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-fruitfly","tag-malware","tag-news","tag-phillip-durachinsky"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=23721"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/23721\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=23721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=23721"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=23721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}