Monday, May 23, 2016

Geographical distribution of Furtim malware infections

One month ago, someone posted a malware sample on the Kernelmode forum that uses a huge blacklist of security related programs. If one of this programs is found on the victims system the malware stops execution. Probably, this is the reason why this malware stayed undetected for quite some time. A description and an analysis of this threat called Furtim can be found here:

Due to a misconfigured C&C server which allowed a public directory listing, I was able to obtain over 1 GB of data from the victims. With this information, I can draw the geographical distribution of victims and present the top countries of infection.

The data

The C&C server contained several directories with text files named after the IP address of the victim. The earliest file dates back to 24. February 2016, so it stayed undetected for 2 months according to this data. Each file contains the following information:

- The CPU model
- A list of system drivers with path names
- The Network interfaces
- A list of processes along with the modules and their path names
- A list of installed programs
- A list of programs in the registry Run key
- A list of running Windows services with path names

It looks like the operators run different campaigns to spread their malware, because there are several directories which contain files with different creation date. For example, there is a directory named "1" which contains only victim data files created on 24. February 2016. Another folder named "2" contains only files created on 24., 25. and 26. February 2016 and so on.

Infection statistics

I assume the malware sends the information about a victim only once to the C&C server. Otherwise, you would have a ton of duplicate files from the same victim which would only differ in the volatile information (e.g. process list). Based on this assumption we have a total number of 15060 infected hosts during the period from 24. February - 26. April 2016.

The geographical distribution of the victims is presented in the following map:

Figure 1: Geolocation of Furtim infections

The markers on the map are based on the GeoLite databases which gives only an imprecise geolocation of IP addresses. For example, if there are multiple IP addresses located in and around a city, the geolocation results in the same coordinates. A lot of duplicate geolocations were therefore removed and thus not all of the 15060 victims are present in the map. However, the map should give a good overview of the distribution of victims.

The absolute numbers associated with countries are given in the following diagrams:

Figure 2: Top 30 countries of Furtim infections (logarithmic)
Figure 3: Top 30 countries of Furtim infections (linear)



Given the period of 2 months a total of 15060 victims were infected with Furtim. The malware is spread all over the world and the country with the highest infection rates is the Ukraine.

0 Kommentare:

Post a Comment