Artifact Of The Ancients Mac OS


May 30 2021


Thu 31 December 2015 / tagged: firefox, desktop, build system, artifacts, mac os x

Apple has recently patched macOS against possible attacks from a backdoor trojan discovered by Malwarebytes, which Apple engineers call Fruitfly and which Malwarebytes detects as OSX.Backdoor.Quimitchin.

Malwarebytes says the backdoor, discovered this year, contains routines that allow it to run in some limited capacity on Linux systems.

An analysis of the code shows that the malware is easy to detect because of its persistence mechanism: it creates a launch agent for a hidden file, a common technique that most Mac security products look for and should detect without difficulty.
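The persistence pattern described above is easy to check for by hand. The script below is an added example, not Fruitfly's code or Malwarebytes' tooling: it parses launch agent property lists and flags any agent whose program path contains a dot-prefixed (hidden) component, then optionally walks the usual agent directories. The two embedded plists are constructed samples; the label `com.example.client` and the path `/Users/alice/.client` are assumptions for illustration, not real indicators.

```python
"""Added example: flag launch agents whose program path points at a hidden file.

Not Fruitfly's code or Malwarebytes' tooling; a generic check for the persistence
pattern described above (a launch agent that starts a dot-prefixed file).
"""
import os
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample agent (assumed label and path, not a real indicator).
HIDDEN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.client</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/.client</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for comparison (launches a visible app binary).
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_paths(agent):
    """Paths launchd would execute: the Program key and argv[0] of ProgramArguments."""
    paths = []
    if isinstance(agent.get("Program"), str):
        paths.append(agent["Program"])
    args = agent.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def is_hidden_path(path):
    """True if any component of the path is dot-prefixed (excluding '.' and '..')."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in path.split("/") if part)


def assess_agent(plist_bytes):
    """Parse one launch agent plist and report whether it launches a hidden file."""
    agent = plistlib.loads(plist_bytes)
    paths = program_paths(agent)
    hidden = [p for p in paths if is_hidden_path(p)]
    return {
        "label": agent.get("Label"),
        "paths": paths,
        "hidden_paths": hidden,
        "run_at_load": bool(agent.get("RunAtLoad")),
        "keep_alive": bool(agent.get("KeepAlive")),
        "suspicious": bool(hidden),
    }


def scan_launch_agents(directories=None):
    """Assess every .plist in the given directories (defaults to the usual agent locations)."""
    if directories is None:
        directories = [os.path.expanduser("~/Library/LaunchAgents"),
                       "/Library/LaunchAgents", "/Library/LaunchDaemons"]
    findings = []
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            full = os.path.join(directory, name)
            try:
                with open(full, "rb") as fh:
                    result = assess_agent(fh.read())
            except (OSError, ValueError, ExpatError, plistlib.InvalidFileException):
                continue  # unreadable or not a plist: skip it rather than abort the scan
            result["file"] = full
            findings.append(result)
    return findings


if __name__ == "__main__":
    for sample in (HIDDEN_AGENT, BENIGN_AGENT):
        print(assess_agent(sample))
    for finding in scan_launch_agents():
        if finding["suspicious"]:
            print("SUSPICIOUS:", finding["file"], finding["hidden_paths"])
```

Run it as a script on a Mac to list any agent that starts a hidden file; a hit with `RunAtLoad` and `KeepAlive` both set is the shape a launch-agent backdoor usually takes, though a hidden path alone is a lead to investigate, not proof of infection.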

Fruitfly malware built using ancient code

Artifacts in the malware's source code indicate that this threat existed for many years without being detected. Most notably, Fruitfly received updates for Yosemite (Mac OS X 10.10), which was released in October 2014.


Furthermore, the malware uses very old code, such as system calls that developers have not used since before the release of OS X (2001), and a library called libjpeg that was last updated in 1998.

This means either that its creator wrote the code a long time ago and updated it gradually along the way, or that the author reused old, deprecated code, possibly copy-pasted from other malware or from code-sharing sites.

The Malwarebytes team also suspects that the Fruitfly author might have used old code 'to avoid triggering any kind of behavioral detection [systems] that might be expecting more recent code.'

Fruitfly can take screenshots, access the webcam

According to Malwarebytes, Fruitfly can take screenshots of the user's screen, access the webcam, simulate key presses, interact with the mouse cursor, provide remote control access, hide its process from the macOS Dock, and upload stolen data.

Some of these features are mirrored by code that allows Fruitfly to run on Linux machines, although researchers have not spotted a Linux variant in the wild.

Additionally, a mysterious Windows malware sample connected to and used the same C&C servers as Fruitfly, leading researchers to believe that the author of this tool might be operating versions for all three major operating systems.

'The only reason I can think of that this malware hasn’t been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure,' said Thomas Reed, the Malwarebytes analyst who examined Fruitfly after a system administrator contacted him about suspicious traffic on his network.

Reed didn't provide in-depth details or evidence, but he also said that Fruitfly might be used in targeted attacks against biomedical research centers, possibly by actors engaged in economic or state-sponsored espionage.

A technical breakdown of Fruitfly's mode of operation is available on the Malwarebytes blog, along with indicators of compromise.

Mac OS X artifact builds

I’m thrilled to announce support for Mac OS X artifact builds. Artifact builds trade expensive compile times for (variable) download times and some restrictions on what parts of the Firefox codebase can be modified. For Mac OS X, the downloaded binaries are about 100Mb, which might take just a minute to fetch. The hard restriction is that only the non-compiled parts of the browser can be developed, which means that artifact builds are really only useful for front-end developers. The Firefox for Android front-end team has been using artifact builds with great success for almost a year (see Build Fennec frontend fast with mach artifact! and my other posts on this blog).


I intend to update the MDN documentation and the build bootstrapper (see Bug 1221200) as soon as I can, but in the meantime, here’s a quick start guide.

Quick start

You’ll need to have run mach mercurial-setup and installed the mozext extension (see Bug 1234912). In your mozconfig file, add the lines

You’ll want to run mach configure again to make sure the change is recognized. This sets --disable-compile-environment and opts you in to running mach artifact install automatically.

After this, you should find that mach build downloads and installs the required artifact binaries automatically, based off your current Mercurial commit. To test, just try

After the initial build, incremental mach build DIR should also maintain the state of the artifact binaries — even across hg commit and hg pull && hg update.

You should find that mach build faster works as expected, and that the occasional mach build browser/app/repackage is required.

Restrictions

Oh, so many. Here are some of the major ones:

  • Right now, artifact builds are only available to developers working on Mac OS X Desktop builds (Bug 1207890) and Firefox for Android builds. I expect Linux support to follow shortly (tracked in Bug 1236110). Windows support is urgently needed but I don’t yet know how much work it will be (tracked in Bug 1236111).
  • Right now, artifact builds are only available to Mercurial users. There’s no hard technical reason they can’t be made available to git users, and I expect it to happen eventually, but it’s non-trivial and really needs a dedicated git-using engineer to scratch her own itch. This is tracked by Bug 1234913.
  • Artifact builds don’t allow developing the C++ source code. As soon as you need to change a compiled component, you’ll need a regular build. Unfortunately, things like Telemetry are compiled (but see tickets like Bug 1206117).
  • Artifact builds are somewhat heuristic, in that the downloaded binary artifacts may not correspond to your actual source tree perfectly. That is, we’re not hashing the inputs and mapping to a known binary: we’re choosing binaries from likely candidates based on your version control status and pushes to Mozilla automation. Binary mismatches for Fennec builds are rare (but do exist, see, for example, Bug 1222636), but I expect them to be much more common for Desktop builds. Determining if an error is due to an artifact build is a black art. We’ll all have to learn what the symptoms look like (often, binary component UUID mismatches) and how to minimize them.
  • Support for running tests is limited. I don’t work on Desktop builds myself, so I haven’t really explored this. I expect a little work will be needed to get xpcshell tests running, since we’ll need to arrange for a downloaded xpcshell binary to get to the right place at the right time. Please file a bug if some test suite doesn’t work so that we can investigate.
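The fourth restriction above is the one that bites in practice, so here is a small model of it. This is an added example, not mach's own code: it walks the checkout's ancestry newest-first, picks the nearest revision that automation has built (the "likely candidate"), and lists the files that changed between that revision and the checkout, separating out the ones that feed the compiled build, since those are what produce the binary mismatches (such as the component UUID mismatches) the post warns about. The commit log, the revision names and the set of suffixes treated as compiled inputs are all constructed assumptions for illustration.

```python
"""Added example: a model of the heuristic artifact selection described above.

Not mach's own code. Selection is "nearest built ancestor", not a hash of the inputs,
so any commit between that ancestor and the checkout that touches compiled inputs
is a source of binary mismatch.
"""

# Suffixes assumed to feed the compiled build (an assumption for this example).
COMPILED_SUFFIXES = (".cpp", ".cc", ".c", ".h", ".mm", ".idl", ".webidl", ".ipdl")

# Constructed commit log: (revision, files touched), ordered newest first.
# "local2"/"local1" are unpushed local commits; "push_c" is pushed but not yet built.
SAMPLE_ANCESTRY = [
    ("local2", ["browser/base/content/browser.js"]),
    ("local1", ["dom/base/Foo.webidl", "dom/base/Foo.cpp"]),
    ("push_c", ["toolkit/components/telemetry/Telemetry.cpp"]),
    ("push_b", ["browser/themes/shared/toolbar.css"]),
    ("push_a", ["README.md"]),
]
# Revisions automation has finished building artifacts for (constructed).
SAMPLE_BUILT = {"push_b", "push_a"}


def select_artifact_revision(ancestry, built):
    """Return (revision, distance): the nearest ancestor with artifacts and how many
    commits the checkout is ahead of it, or (None, len(ancestry)) if none is built."""
    for distance, (rev, _files) in enumerate(ancestry):
        if rev in built:
            return rev, distance
    return None, len(ancestry)


def changes_since(ancestry, distance):
    """Files touched by the commits between the artifact revision and the checkout."""
    files = []
    for _rev, touched in ancestry[:distance]:
        for path in touched:
            if path not in files:
                files.append(path)
    return files


def mismatch_report(ancestry, built, compiled_suffixes=COMPILED_SUFFIXES):
    """Classify the mismatch risk of using an artifact build for this checkout."""
    rev, distance = select_artifact_revision(ancestry, built)
    changed = changes_since(ancestry, distance)
    compiled = [path for path in changed if path.endswith(compiled_suffixes)]
    if rev is None:
        risk = "no-artifacts"  # nothing to download; a full build is the only option
    elif compiled:
        risk = "high"          # compiled inputs differ: expect mismatches, use a full build
    elif distance:
        risk = "low"           # only non-compiled files differ: artifact build should work
    else:
        risk = "none"          # checkout is exactly a built revision
    return {"artifact_revision": rev, "commits_ahead": distance,
            "changed_files": changed, "compiled_changes": compiled, "risk": risk}


if __name__ == "__main__":
    report = mismatch_report(SAMPLE_ANCESTRY, SAMPLE_BUILT)
    print("artifacts from", report["artifact_revision"],
          "(%d commits behind the checkout)" % report["commits_ahead"])
    print("risk:", report["risk"], "compiled changes:", report["compiled_changes"])
```

With the constructed log the artifacts come from push_b, three commits behind the checkout, and the WebIDL and C++ changes in between put the report at "high": the downloaded binaries were built without them, which is exactly the situation in which the symptoms described above appear. The same walk with only JavaScript or CSS changes in the gap comes out "low", which is the case artifact builds are designed for.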


Troubleshooting

The command that installs binaries is mach artifact install. Start by understanding what happens when you run

See the troubleshooting section of my older blog post for more. As a last resort, the Firefox for Android MDN documentation may be helpful.


Conclusion

Thanks to Gregory Szorc (@indygreg) and Mike Hommey for reviewing this work. Many thanks to Mark Finkle (@mfinkle) for providing paid time for me to pursue this line of work and to the entire Firefox for Android team for being willing guinea pigs.

There’s a huge amount of work to be done here, and I’ve tried to include Bugzilla ticket links so that interested folks can contribute or just follow along. Dan Minor will be picking up some of this artifact build work in the first quarter of 2016.

Mozilla is always making things better for the front-end teams and our valuable contributors! Get involved with code contribution at Mozilla!

Discussion is best conducted on the dev-builds mailing list and I’m nalexander on irc.mozilla.org/#developers and @ncalexander on Twitter.
