Microsoft has announced that its Windows Defender Advanced Threat Protection (ATP) is good enough to pick up on malware created by FinFisher. FinFisher, also known as FinSpy, is a lawful piece of software created by the Germany-based company, FinFisher GmbH. It’s only sold to governments and is used by various law enforcement agencies for distributing malware aimed at various targets. As one would expect, it’s far more targeted, customized, and better-written than your typical malware software.
Microsoft writes that FinFisher makes plentiful use of junk instructions, spaghetti code (code lacking structure), multiple virtual machines, layered levels of anti-debug and defensive measures, and a variety of other tricks. This is code deliberately designed to prevent you from figuring out that it’s running, and MS used its in-depth examination of FinFisher to design solutions into Windows 10 ATP. The writeup provided is an excellent examination of the malware’s behavior from first encounter through to installation. The software also is designed to detect when it’s running in a sandbox or VM for analysis. Microsoft writes :
The loader first dynamically rebuilds a simple import address table (IAT), resolving all the API needed from Kernel32 and NtDll libraries. It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space (for example, modules injected by certain security solutions). It eventually kills all threads that belong to these undesired modules…
[T]he loader builds a complete IAT by reading four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remapping them in memory. This technique makes use of debuggers and software breakpoints useless. During this stage, the loader may also call a certain API using native system calls, which is another way to bypass breakpoints on API and security solutions using hooks.
It remains to be seen if FinFisher will be able to work around the work that Microsoft has done here. The entire problem is an example of how PC and IoT security are forever playing catch up with black hats. It may take security company weeks or months to seal security flaws or add critical detection capabilities to modern software. Then it’s Team Black’s move again, except there’s no direct notification when they “finish” a move. We don’t yet know whether Microsoft’s solution is flexible enough to catch evolutionary iterations that might slip its dragnet.
And, of course, this level of protection is only available to business and enterprises — ATP isn’t baked into conventional Windows products. It’s not even clear how new or up-to-date FinFisher is, reports on the malware date from back in 2015. If the product is still being rapidly updated, a current dissection may be useful. If not, it may be of more academic interest than a cutting-edge guide to modern practices.
If you’d told me 10 years ago that come 2018, Microsoft would openly discuss how its antivirus software was good enough to catch malware deployed by law enforcement agencies, I would’ve thought you were kidding. Such are the times we live in.