Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 18, 2016

Best Served From The Ukraine [Aside on Jury Instruction Re FBI Evidence]

Filed under: Cybersecurity, Security — Patrick Durusau @ 4:21 pm

Experts Warn of Super-Stealthy Furtim Malware by Phil Muncaster.

From the post:

Security experts are warning of newly discovered credential-stealing malware which prioritizes stealth, scoring a 0% detection rate in VirusTotal.

Furtim, a Latin word meaning “by stealth,” was first spotted by researcher @hFireF0X and consists of a driver, a downloader and three payloads, according to enSilo researcher Yotam Gottesman.

The payloads are: a power-saving configuration tool which ensures a victim’s machine is always on and communicating with Furtim’s C&C server; Pony Stealer – a powerful commercial credential stealer; and a third file that communicates back to the server but has yet to be fully analyzed.

Interestingly, Furtim goes to great lengths to stay hidden, going well beyond most malware in checking for the presence of over 400 security tools on the targeted PC, Gottesman claimed.

Phil’s post summarizes some of the better ideas used in this particular bit of malware.

The post by enSilo researcher Yotam Gottesman includes this description:


Upon initial communication, Furtim collects unique information from the device it is running on, such as the computer name and installation date and sends that information to a specific server. The server stores the received details about the infected machine to ensure that the payload is sent only once.

That reminds me of the search warrant Ben Cox posted in Here Is the Warrant the FBI Used to Hack Over a Thousand Computers, which reads in part:

From any “activating” computer described in Attachment A:

1. The “activating” computer’s actual IP address, and the date and time that the NIT determines what that IP address is;

2. a unique identifier generated by the NIT (e.g., a series of numbers, letters, and/or special characters) to distinguish data from that of other “activating” computers, that will be sent with and collected by the NIT;

3. the type of operating system running on the computer, including type (e.g., Windows), version (e.g., Windows 7), and architecture (e.g., x86);

4. information about whether the NIT has already been delivered to the “activating” computer;

5. the “activating” computer’s Host name;

6. the “activating” computer’s active operating system username; and

7. the “activating” computer’s media access control (“MAC”) address;

….
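The one-time-delivery logic that Gottesman describes, and that item 4 of the warrant’s list (“whether the NIT has already been delivered”) implies on the FBI’s side, as an added example that is not Furtim’s, enSilo’s or the FBI’s code: a hypothetical drop server that keys its “send the payload only once” decision on a fingerprint of fields the client reports about itself. The field names, the JSON encoding, the choice of computer name plus install date as the key, and every sample report are constructed assumptions for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed placeholder; a real second stage would be an executable.
STAGE2 = b"STAGE2-PLACEHOLDER"


@dataclass
class Report:
    """What the client says about the machine it runs on. Every value is
    self-reported; the server has no independent way to verify any of it."""
    computer_name: str
    install_date: str            # assumed format: YYYY-MM-DD
    os: str = ""                 # e.g. "Windows 7 x86" (warrant item 3)
    username: str = ""           # warrant item 6
    mac: str = ""                # warrant item 7


def fingerprint(r: Report) -> str:
    """Per-machine identifier. Assumption: derived from computer name and
    install date only, following the enSilo description; the other fields
    are stored but do not affect identity."""
    return hashlib.sha256(f"{r.computer_name}|{r.install_date}".encode()).hexdigest()


def encode(r: Report) -> bytes:
    """Client-side wire format (assumed): one JSON object per check-in."""
    return json.dumps(asdict(r)).encode()


@dataclass
class DropServer:
    """Hypothetical server that serves STAGE2 once per fingerprint."""
    served: Dict[str, Report] = field(default_factory=dict)
    log: List[Tuple[str, Report]] = field(default_factory=list)

    def handle(self, raw: bytes) -> Optional[bytes]:
        r = Report(**json.loads(raw))
        fp = fingerprint(r)
        self.log.append((fp, r))          # keep every check-in, repeats included
        if fp in self.served:
            return None                   # already served: silent, no error
        self.served[fp] = r
        return STAGE2


def run_scenario() -> dict:
    """Five constructed check-ins against one server; returns what each got."""
    srv = DropServer()
    victim = Report("DESKTOP-7Q2", "2015-11-03", "Windows 7 x86", "alice", "00:11:22:33:44:55")
    first = srv.handle(encode(victim))
    # A sandbox that re-runs the same sample replays the identical report...
    replay = srv.handle(encode(victim))
    # ...while a different install date re-keys the machine and is served again.
    rekeyed = srv.handle(encode(Report("DESKTOP-7Q2", "2016-05-18")))
    # An unrelated machine that shares name and install date collides with the
    # first fingerprint and is never served.
    collision = srv.handle(encode(Report("DESKTOP-7Q2", "2015-11-03", mac="66:77:88:99:aa:bb")))
    # Nothing stops a client from reporting someone else's username and MAC:
    # the server records whatever it is told.
    srv.handle(encode(Report("LAB-VM", "2014-01-01", username="alice", mac="00:11:22:33:44:55")))
    return {
        "first": first is not None,
        "replay": replay is not None,
        "rekeyed": rekeyed is not None,
        "collision": collision is not None,
        "machines_known": len(srv.served),
        "reports_logged": len(srv.log),
        "mac_seen_from": sorted({r.computer_name for _, r in srv.log
                                 if r.mac == "00:11:22:33:44:55"}),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things the run shows that the quoted descriptions leave implicit. The replayed check-in gets nothing back and no error, so an analyst who re-detonates a captured sample sees no second stage; to reproduce delivery you have to change the inputs to the fingerprint, not just the sample. And the server’s log is a record of what clients claimed, not of what machines exist: the same MAC address and username show up from two different computer names, and the server cannot tell which, if either, is telling the truth.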

I mention that because if the FBI can’t prove its NIT’s capabilities against the user’s computer, who knows where they got the information they now claim originated from a child porn website?

Considering the FBI knowingly gave flawed testimony for twenty years, including in death penalty cases, while prosecutors were aware of those flaws, then absent both the NIT source code and a demonstration of its use against the defendant’s computer as it existed at the time, the NIT evidence should be excluded at trial.

Or, at the very least, the court should give a jury instruction that recites the FBI’s history of flawed technical testimony in detail and cautions the jury to view all FBI “evidence” as originating from habitual liars.

They could be telling the truth, but that hasn’t been their habit. (Judicial notice of the FBI’s practice of providing flawed evidence.)
