Microsoft’s Windows Defender ATP Catches Law Enforcement Spyware

Microsoft has announced that its Windows Defender Advanced Threat Protection (ATP) can detect the malware built with FinFisher. FinFisher, also known as FinSpy, is commercial spyware sold as lawful-intercept software by the German company FinFisher GmbH. It is sold only to governments, and law enforcement agencies use it to deliver spyware to selected targets. As one would expect, it is far more targeted, customized, and better written than typical malware.

Microsoft writes that FinFisher makes heavy use of junk instructions, spaghetti code (control flow deliberately chopped into fragments linked by jumps so it cannot be read linearly), multiple custom virtual machines that interpret their own bytecode, layered anti-debugging and other defensive measures, and a variety of other tricks. This is code deliberately designed to stop you from working out what it is doing, and Microsoft used its in-depth examination of FinFisher to build detections into Windows Defender ATP. The writeup is an excellent examination of the malware's behavior from first encounter through installation. The software is also designed to detect when it is running in a sandbox or a VM for analysis. Microsoft writes:

The loader first dynamically rebuilds a simple import address table (IAT), resolving all the APIs needed from Kernel32 and NtDll libraries. It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space (for example, modules injected by certain security solutions). It eventually kills all threads that belong to these undesired modules…

[T]he loader builds a complete IAT by reading four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remapping them in memory. This technique makes the use of debuggers and software breakpoints useless. During this stage, the loader may also call a certain API using native system calls, which is another way to bypass breakpoints on API and security solutions using hooks.

It remains to be seen whether FinFisher can work around what Microsoft has done here. The whole episode is an example of how PC and IoT security is forever playing catch-up with black hats. It may take a security company weeks or months to close security flaws or add critical detection capabilities to modern software. Then it is the attackers' move again, except that there is no notification when they finish it. We don't yet know whether Microsoft's detection is flexible enough to catch the evolutionary iterations that might slip through its dragnet.

And, of course, this level of protection is only available to businesses and enterprises; ATP isn't baked into consumer Windows products. It's also not clear how new or up-to-date the analyzed FinFisher is: reports on the malware date back to 2015. If the product is still being rapidly updated, a current dissection is useful. If not, it may be of more academic interest than a cutting-edge guide to modern practices.

If you’d told me 10 years ago that come 2018, Microsoft would openly discuss how its antivirus software was good enough to catch malware deployed by law enforcement agencies, I would’ve thought you were kidding. Such are the times we live in.
