- Jan 24, 2011
Malware most likely used in cyber-espionage campaigns
A security researcher who goes online only by the nickname of FireFOX (@hFireF0X) has discovered and analyzed a unique malware family that puts most of its effort into remaining undetected rather than into rich features or efficient data exfiltration.
The researcher named the malware Furtim, the Latin word for "stealthy", and tracked down some of its command & control servers to a Russian domain, which resolves back to a Ukrainian IP.
At the time of his analysis, despite breaking down a large part of Furtim's mode of operation, FireFOX was unable to discover how the crooks are spreading the malware, how it gains an initial foothold on infected devices, or what kind of targets it is seeking.
Furtim, a.k.a. "the paranoid malware"
FireFOX also noted something about Furtim that he had not seen in other malware: it pays a great deal of attention, arguably more than it needs to, to avoiding detection by security products.
During its installation, the malware checks for the presence of virtualized or sandboxed environments, the tools security researchers use for malware debugging.
Additionally, Furtim includes checks for over 400 security products. If it finds at least one of them installed on the PC, it aborts the installation.
After it has installed itself, the malware neutralizes DNS-filtering services by replacing the machine's configured DNS servers with public resolvers operated by Google and Level3 Communications, and it also blocks users from reaching nearly 250 infosec-related websites.
Furtim is really, really, really paranoid
The self-defense mechanism doesn't stop there: Furtim also disables the Windows notification and pop-up mechanisms, along with the user's access to the command line and the Task Manager.
Once Furtim feels comfortable in its infected environment, it collects data from the device and sends it to the server.
The server uses this data to distinguish between its targets and to deliver the final payloads, since Furtim is only a malware downloader, a stepping stone for more dangerous threats.
FireFOX noticed that the server sends the malware payloads only once to each target, a tactic also intended to make reverse engineering by security researchers much harder.
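The DNS swap, the infosec-site blocking and the disabled Task Manager / command prompt described above are all host-level changes a defender can look for. The following Python triage script is an added example written for this post; it is not Furtim's code nor anything from FireFOX's analysis. It assumes the site blocking is done through the hosts file and the tool restrictions through the standard Windows policy registry values (the article only states the effects, not the mechanisms), and all resolver addresses, domain names, registry values and the sample host data are constructed or assumed for illustration.

```python
"""Defender-side triage for the host tampering the article attributes to Furtim:
DNS servers swapped to public resolvers, infosec sites sinkholed in the hosts
file, and Task Manager / cmd.exe disabled via policy. Added example; all inputs
below are constructed samples, not artefacts recovered from the malware."""
import ipaddress

# Public resolvers run by Google and Level3. The article names only the
# operators; these specific addresses are an assumption.
PUBLIC_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",                        # Google Public DNS
    "4.2.2.1", "4.2.2.2", "4.2.2.3", "4.2.2.4",  # Level3 resolvers
}

# Assumed: the DNS-filtering resolvers this hypothetical network expects.
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Stand-in for the ~250 infosec sites the article says are blocked; the real
# list is not on the page, so these names are illustrative only.
INFOSEC_DOMAINS = {"virustotal.com", "malwarebytes.com", "hybrid-analysis.com"}

# Real Windows policy values that disable Task Manager and cmd.exe. That Furtim
# uses these particular values is an assumption; the article states only the effect.
POLICY_CHECKS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr":
        "Task Manager disabled",
    r"HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD":
        "Command prompt disabled",
}


def check_resolvers(configured):
    """Compare configured DNS servers with the expected filtering resolvers."""
    configured = set(configured)
    return {
        "public_resolvers": sorted(configured & PUBLIC_RESOLVERS),
        "expected_missing": sorted(EXPECTED_RESOLVERS - configured),
    }


def _is_infosec_host(host):
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in INFOSEC_DOMAINS)


def check_hosts_file(text):
    """Return hostnames that a hosts file sinkholes to a loopback or
    unspecified address (127.0.0.1, ::1, 0.0.0.0); comments are ignored."""
    flagged = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not a sinkhole entry
        if addr.is_loopback or addr.is_unspecified:
            flagged.update(h for h in parts[1:] if _is_infosec_host(h))
    return flagged


def check_policies(values):
    """Return descriptions of restrictive policy values that are set to 1."""
    return [desc for name, desc in POLICY_CHECKS.items() if values.get(name) == 1]


def triage(dns_servers, hosts_text, policy_values):
    """Run all three checks and decide whether the host looks tampered with."""
    dns = check_resolvers(dns_servers)
    hosts = check_hosts_file(hosts_text)
    policies = check_policies(policy_values)
    dns_swapped = bool(dns["public_resolvers"]) and bool(dns["expected_missing"])
    return {
        "dns": dns,
        "blocked_hosts": sorted(hosts),
        "policies": policies,
        "suspicious": dns_swapped or bool(hosts) or bool(policies),
    }


# Constructed sample input resembling a tampered host.
SAMPLE_DNS = ["8.8.8.8", "4.2.2.2"]
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1 localhost
0.0.0.0 virustotal.com
0.0.0.0 www.virustotal.com
127.0.0.1 hybrid-analysis.com # sinkholed
"""
SAMPLE_POLICIES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": 1,
    r"HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD": 1,
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DNS, SAMPLE_HOSTS, SAMPLE_POLICIES), indent=2))
```

On a live Windows host the three inputs would come from the adapter's DNS settings, `%SystemRoot%\System32\drivers\etc\hosts` and the policy keys listed in `POLICY_CHECKS`; the script keeps them as parameters so the logic can be exercised offline on the constructed sample.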
Read more: Paranoid Furtim Malware Checks for 400 Security Products Before Execution