The Terrifying World of the Slingshot Virus

On March 9, 2018, Kaspersky Labs published a blog post about the newly discovered Slingshot APT. APT stands for advanced persistent threat: a computer virus that sits on a computer for a long time, has built-in tools to avoid detection, and is thought to have specific targets. The Stuxnet virus is a good example of an APT; if the infected computer didn’t have a specific piece of software installed that controlled a nuclear centrifuge, the Stuxnet virus would shut down and appear harmless to virus scanners. Most of the viruses pushed by cyber-criminals are designed to infect as many computers as possible and create monetary incentives to remove the software. A good example of a non-APT virus is ransomware, which encrypts a hard drive; the cybercriminal then requests payment to unlock your data. Slingshot appears to be designed as a spying tool, with its built-in network packet sniffer, keylogger, screenshot function, and ability to steal clipboard data. Slingshot also has about 1500 other functions that virus experts are just beginning to unravel, but the already discovered functions are devastating:

  1. Network Packet Scanner: Imagine you visit a website on a computer that isn’t infected by Slingshot but is on the same network as an infected computer. A packet scanner copies and decodes information from the non-infected computer as it passes through the network. This includes usernames, passwords, computer name information, copies of files, and other such data.
  2. Keylogger: A keylogger logs every key that is pressed on the target keyboard. Imagine you click your browser address bar, type in mail.yahoo.com, and press Enter. Next you enter your username and password on the following screen. Even if a keylogger doesn’t see your screen, the three pieces of information it just captured are enough to allow a hacker to log in to your email account.
  3. Screenshot: Many readers are familiar with screenshot technology, but imagine information not captured by the packet scanner and keylogger, such as the contents of your inbox, being captured by a screenshot of the email as you read it.
  4. Clipboard data: Even if the screenshot grabber doesn’t get all the emails, there are times when an individual uses the copy feature on an email or webpage that contains sensitive information. A keylogger won’t pick that up either, but copying the clipboard data to a file exposes the user to additional leaks of data.

So why is this virus scarier than all other viruses that have similar functions? The fact that this virus has only just been discovered publicly, despite evidence of installations at least as early as 2012, means that its anti-detection features are extremely sophisticated, and it is possible that the virus captured data from millions of unknown computers for at least six years. In addition, Slingshot installs an encrypted virtual operating system that is undetected by Windows: the virus carves out a piece of the hard drive to install a second operating system which Windows is unable to see. The virtual operating system is very stable, and it works in tandem with a second virus that is installed at the Windows user level.
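One check a forensic examiner can run for the kind of disk region the post describes, a carved-out area that the running operating system never mounts, is to read the drive's MBR partition table and list every range of sectors that no partition claims. The script below is an added example, not code from the original post or from Kaspersky's analysis. It constructs an invented 100 MiB disk layout inline (the MBR bytes and the disk size are assumptions for the demonstration) and reports any unallocated range of at least 1 MiB; given a path to a raw disk image it reads the real first sector instead. An unallocated gap is a lead, not a finding: it may be alignment padding or a deleted partition, so the next step is to image that range and inspect its contents and entropy. GPT-partitioned disks need a different parser.

```python
"""Flag unpartitioned gaps in an MBR partition table (added forensic example)."""
import os
import struct
import sys

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
MIN_GAP_SECTORS = 2048      # 1 MiB; the usual alignment gap before partition 1 is just under this


def parse_mbr(mbr):
    """Return (type, first_lba, sector_count) for each populated primary entry.

    Only the LBA fields are used; the legacy CHS fields are ignored.
    Raises ValueError when the 0x55AA boot signature is absent.
    """
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: boot signature missing")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        ptype = mbr[off + 4]
        first_lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0 or count == 0:
            continue                      # empty slot
        parts.append((ptype, first_lba, count))
    return parts


def find_gaps(parts, disk_sectors, min_gap=MIN_GAP_SECTORS):
    """Return [(first_sector, last_sector)] for every unclaimed range of >= min_gap sectors."""
    ranges = sorted((first, first + count) for _, first, count in parts)
    gaps = []
    cursor = 1                            # sector 0 holds the MBR itself
    for start, end in ranges:
        if start - cursor >= min_gap:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if disk_sectors - cursor >= min_gap:  # space after the last partition
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def make_entry(ptype, first_lba, count, bootable=False):
    """Build one 16-byte partition entry; CHS fields are zeroed."""
    status = 0x80 if bootable else 0x00
    return bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", first_lba, count)


# Constructed sample (assumption for the demo): a 100 MiB disk of 204800 sectors with two
# NTFS partitions (type 0x07) that leave a 24 MiB hole between them.
SAMPLE_DISK_SECTORS = 204800


def build_sample_mbr():
    table = (make_entry(0x07, 2048, 102400, bootable=True)   # sectors 2048..104447
             + make_entry(0x07, 153600, 51200)               # sectors 153600..204799
             + b"\x00" * (2 * ENTRY_SIZE))                   # two empty slots
    return b"\x00" * TABLE_OFFSET + table + BOOT_SIGNATURE


def report(mbr, disk_sectors):
    """Print the layout and return the list of unallocated gaps."""
    parts = parse_mbr(mbr)
    gaps = find_gaps(parts, disk_sectors)
    for ptype, first, count in parts:
        print(f"partition type 0x{ptype:02x}: sectors {first}..{first + count - 1}")
    for first, last in gaps:
        mib = (last - first + 1) * SECTOR_SIZE / 2**20
        print(f"UNALLOCATED: sectors {first}..{last} ({mib:.1f} MiB) - image and inspect")
    return gaps


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Raw disk image: read its first sector and size the disk from the file length.
        with open(sys.argv[1], "rb") as fh:
            report(fh.read(SECTOR_SIZE), os.path.getsize(sys.argv[1]) // SECTOR_SIZE)
    else:
        report(build_sample_mbr(), SAMPLE_DISK_SECTORS)
```

Run with no arguments to see the constructed layout flagged, or pass the path of a raw (dd-style) image. The 1 MiB threshold exists so that the routine alignment gap before the first partition is not reported on every disk.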

While Kaspersky says that so far infections were only detected on 100 computers in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia, and Tanzania, the first comment on the blog mentions that the code infected the commenter’s personal network using an American router and ISP, Xfinity Comcast. Kaspersky also predicts that the creator of the virus is likely a state actor rather than an ordinary cybercriminal. I want to remind users that Israeli hackers recently hacked some Russian spies and determined that Kaspersky’s anti-virus software was utilized by Russia to hack and search computers throughout the world for American intelligence programs.

I believe that in the coming months and years, when this virus is unraveled a bit more, it is likely that the second operating system allows a hacker to listen in on conversations using computer microphones and webcams, to log in to the computer remotely to view the screen in real time, and to copy data directly from connected drives. Basically, such a virus would be the ultimate spy, creating a network of information for a state to monitor anyone remotely without the need for human assets. As a computer forensics expert, I find that Slingshot opens up a whole world of unknowns that should be interesting to track. Any individual being accused of a computer crime should at least attempt to argue that Slingshot or similar software could have downloaded offending pictures or incriminating evidence, and possibly create reasonable doubt. How do you think such an argument would play out in court? Post your responses in the comments below.

To Scan or Not To Scan That is the Question

Elizarri v. Sheriff of Cook County, No. 07 C 2427, 2013 U.S. Dist. LEXIS 20570 (N.D. Ill. Feb. 13, 2013)

Plaintiffs had sought “original intake receipts” and “any documents related to the processing of personal property and money belonging to individuals incarcerated in the Cook County Jail” for an approximate five-year period. Defendants scanned over 400,000 property receipts from the jail. Plaintiffs sought production of the electronic versions of the property receipts.

The magistrate judge held that the defendants were not required to produce the scanned version of the property receipts, and had met their discovery obligations by permitting plaintiffs to inspect and copy the receipts.  The judge held that plaintiffs should not get the benefit of the electronic imaging when the defendants had incurred the expense of conversion, and further held that plaintiffs had received the receipts in the original paper format.

The district court reversed, holding that plaintiffs were entitled to the digital versions of the receipts.  The court first noted that defendants had not offered plaintiffs access to the original receipts, but the scanned versions.  Therefore, since the original documents were not being produced, defendants were obligated to produce them in a reasonably useful form.  As the scanned documents were presumably the form of the receipts which defendants would be using during the litigation, it was the electronic format which had to be produced, not a less manageable format.

Defendants basically did not want to turn the digital versions of the receipts over to the plaintiffs because they had incurred considerable expense in scanning them.  That was not a basis for denying plaintiffs’ request.  Defendants had not argued that the information was not reasonably accessible because of undue burden or cost.  Even materials prepared in anticipation of litigation must be produced if they are otherwise discoverable, and the party cannot obtain their equivalent without undue hardship.  Scanning documents does not result in a privileged work product.  Forcing the plaintiffs to copy the scanned documents, and then scan them again, would result in undue hardship to the plaintiffs.

If You Want to Avoid Sanctions, Hire an E-discovery Consultant!

Brown v. FPI Mgmt, No. 4:11-cv-5414 YGR (KAW), 2013 U.S. Dist. LEXIS 1040 (N.D. Cal. Jan. 3, 2013)

The Federal Rules of Civil Procedure were updated almost a decade ago to include rules regarding the production of ESI, but the case law involving the discovery of ESI is still maturing. Many litigants producing documents in litigation are still trying the old “my system isn’t good enough to find the documents” defense. However, the courts are starting to become wary of such defenses, and in the above-captioned matter the defendant producer’s argument that producing the requested documents was unduly burdensome was rejected:

Defendant argued that it would be difficult to find responsive documents because 1) the terms “Community Director” and “Portfolio Manager” are commonly used in email signatures, 2) the term “promotion” is commonly used throughout emails, and 3) FPI’s email system is not capable of conducting advanced searches. But the Court rejected the argument because Defendant could have used other search terms, or simply sorted through the emails, to find the responsive documents. By interviewing its employees or by consulting its own records, Defendant ought to be able to narrow its searches by the persons involved and the approximate dates. Although Defendant may not know how to efficiently conduct a search of its email system, that does not relieve it of its discovery obligations. It may need to utilize the assistance of IT personnel or obtain a consultant to help conduct the search.

Defendant did not provide the Court with an estimate of the cost or the amount of time needed for discovery, nor did it provide a declaration of an e-discovery expert to substantiate its assertion that the documents were not reasonably accessible. Accordingly, the Court held that Defendant did not make a good-faith effort to produce responsive documents.

The court acknowledged that defendants might still find that the documents were not reasonably accessible.  But if that were the case, the court could still order sampling of the emails at issue, or it could permit plaintiffs to conduct discovery on the costs and burdens of providing the emails, or plaintiffs might have to share some of the costs.

Retrieving 500 DVDs of Archived Data with the Use of a Robotic Arm is NOT Unduly Burdensome

Starbucks Corp. v. ADT Security Services, Inc., 2009 U.S. Dist. LEXIS 120941 (W.D. Wash. Apr. 30, 2009)

The controversy involved ESI stored on a Plasmon archiving system, which producer argued was so cumbersome that the data contained within it was not reasonably accessible because of undue burden or cost under Rule 26(b)(2)(B). The system was described as similar to an optical jukebox, containing 500 double-sided DVDs accessed by a robotic arm. The limitations of the system caused producer to replace the Plasmon system with a new system, but data on the Plasmon system had not been migrated.

Producer’s expert testified that production of the requested emails could potentially involve accessing all 500 DVDs in the system. Only one custodian’s email could be recovered at a time, preventing producer’s employees from accessing archived emails while the searches were in progress. Attempts to access more than one user’s emails at a time caused the system to freeze, requiring a cumbersome reboot. As only 8 emails per hour could be restored, the total restoration of 25,000 emails (assuming 11 hours per day) would take 284 days. Restoration for 5 custodians could therefore take up to 5 years. Outside vendors could not perform the restoration, as many of the DVDs could only be read by proprietary equipment owned by producer, and producer would be without access to the information during the restoration process. The expert estimated the cost of retrieval at about $834,000, significantly higher than producer’s original $88,000 estimate.

E-discovery of Sound Files, I Don’t Like the Sound of That.

11 November, 2012 Miscellaneous

Borwick v. T-Mobile West Corp., Civil No. 11-cv-01683-LTB-MEH, 2012 U.S. Dist. LEXIS 128968 (D. Colo. Sept. 11, 2012)

Plaintiff, a telephone customer service representative, contended that she was discriminated against and fired due to her pregnancy. Defendant alleged that Plaintiff was terminated because she would inappropriately hang up on customers during service calls. Defendant had originally recorded calls using “i360” software, but transferred the calls to .wav files and destroyed the original files pursuant to its document destruction policy after one year. The lawsuit was pending during that period.

Plaintiff’s discovery request was for “copies of all recordings,” but she did not request the calls in native format.  When she subsequently determined that the calls were originally made using the i360 software, the originals had already been discarded.

Plaintiff contended that the original recordings were important “because there are discrepancies in the documentation of the phone calls which demonstrate unexplained time ‘gaps’ that could prove the Plaintiff did not intentionally hang up on customers.” In addition, because the .wav files could be easily altered, plaintiff implied that defendant had altered the files to benefit its case.

Defendant raised plaintiff’s failure to confer pursuant to local rules, thereby raising the issue in an untimely manner, as well as failure to request the files in native format, and lack of prior objection to the .wav format. Defendant also contended that the .wav files were exact copies of the original i360 files.

The court found for defendant, finding that there was no evidence of alteration of the .wav files, and that plaintiff had failed to ask for native files.  The court further found that the destruction of the i360 files was pursuant to defendant’s document destruction policy, and found that the destruction fit within the Rule 37(e) “safe harbor”, or destruction due to a “routine, good-faith operation of an electronic information system.”  Although best practices would have been to preserve the original files, failure to do so was not sanctionable.