A new strain of malware checks to see if 400 different security products are installed on a victim’s computer prior to completing installation.
Yotam Gottesman, a senior security researcher at enSilo, observes that the developers of the malware, which has been dubbed “Furtim” (Latin for “stealthy”), were first and foremost concerned about making sure their software evaded detection.
To be sure, the malware comes pre-loaded with a series of checks to prevent it from being discovered.
Gottesman explains in a blog post:
“Prior to installation, Furtim checks whether the target machine includes any security product, virtualized or sandboxed environment and foregoes installation if any is found. In fact, Furtim tests the existence of these security parties against a monstrous-size list of more than 400 items, from the obvious well-known products, to those on the verge of the esoteric. While we have seen cases where downloaders and other malwares do not install if other products are present, the list that Furtim tests against is beyond any typical malware.”
That’s just the beginning of the Furtim malware’s paranoia. The malware also blocks access to 250 security-related websites, such as BleepingComputer; makes some configuration changes to prevent the user from accessing the command line and task manager; and avoids DNS filtering by scanning the network interfaces on an infected machine.
Only when it has carefully ascertained the security of its environment will it install onto the target machine.
But even when it executes, it is careful to not give too much away lest security researchers found a way to bypass all of its other defenses. Gottesman clarifies this point:
“Upon initial communication, Furtim collects unique information from the device it is running on, such as the computer name and installation date and sends that information to a specific server. The server stores the received details about the infected machine to ensure that the payload is sent only once. In fact, even if the infected machine sends the unique information from a different IP, the C&C server will know not to re-send this payload and will return 404 error on any of these subsequent requests. We believe that this is done to prevent security researchers and AV companies trying to collect the samples from the server by repeating previous requests or running the sample multiple times.”
Ultimately, Furtim accepts three payloads from its command and control (C&C) server: a power configuration tool that makes sure the computer never sleeps, the Pony Stealer, and an unknown payload that sends information about any discovered virtualization environments or security products back to the C&C server.
At this time, there is no concrete information as to who might be behind this malware, whom it is infecting, and how it is targeting individuals.
Users should, of course, follow the normal procedures of malware prevention, such as avoiding clicking on suspicious links and email attachments, applying the latest security patches and running an up-to-date anti-virus product. In addition, organisations should always be on the lookout for suspicious behavior on their computer systems, and be ready to terminate any malicious communication they might happen to come across.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.