Microsoft’s Windows Defender ATP Catches Law Enforcement Spyware

Microsoft’s Windows Defender ATP Catches Law Enforcement Spyware

Microsoft has announced that its Windows Defender Advanced Threat Protection (ATP) is good enough to pick up on malware created by FinFisher. FinFisher, also known as FinSpy, is a lawful piece of software created by the Germany-based company, FinFisher GmbH. It’s only sold to governments and is used by various law enforcement agencies for distributing malware aimed at various targets. As one would expect, it’s far more targeted, customized, and better-written than your typical malware software.

Microsoft writes that FinFisher makes plentiful use of junk instructions, spaghetti code (code lacking structure), multiple virtual machines, layered levels of anti-debug and defensive measures, and a variety of other tricks. This is code deliberately designed to prevent you from figuring out that it’s running, and MS used its in-depth examination of FinFisher to design solutions into Windows 10 ATP. The writeup provided is an excellent examination of the malware’s behavior from first encounter through to installation. The software also is designed to detect when it’s running in a sandbox or VM for analysis. Microsoft writes:

The loader first dynamically rebuilds a simple import address table (IAT), resolving all the API needed from Kernel32 and NtDll libraries. It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space (for example, modules injected by certain security solutions). It eventually kills all threads that belong to these undesired modules…[T]he loader builds a complete IAT by reading four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remapping them in memory. This technique makes use of debuggers and software breakpoints useless. During this stage, the loader may also call a certain API using native system calls, which is another way to bypass breakpoints on API and security solutions using hooks.
The loader first dynamically rebuilds a simple import address table (IAT), resolving all the API needed from Kernel32 and NtDll libraries. It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space (for example, modules injected by certain security solutions). It eventually kills all threads that belong to these undesired modules…[T]he loader builds a complete IAT by reading four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remapping them in memory. This technique makes use of debuggers and software breakpoints useless. During this stage, the loader may also call a certain API using native system calls, which is another way to bypass breakpoints on API and security solutions using hooks.

The loader first dynamically rebuilds a simple import address table (IAT), resolving all the API needed from Kernel32 and NtDll libraries. It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space (for example, modules injected by certain security solutions). It eventually kills all threads that belong to these undesired modules…

[T]he loader builds a complete IAT by reading four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remapping them in memory. This technique makes use of debuggers and software breakpoints useless. During this stage, the loader may also call a certain API using native system calls, which is another way to bypass breakpoints on API and security solutions using hooks.

It remains to be seen if FinFisher will be able to work around the work that Microsoft has done here. The entire problem is an example of how PC and IoT security are forever playing catch up with black hats. It may take security company weeks or months to seal security flaws or add critical detection capabilities to modern software. Then it’s Team Black’s move again, except there’s no direct notification when they “finish” a move. We don’t yet know whether Microsoft’s solution is flexible enough to catch evolutionary iterations that might slip its dragnet.

And, of course, this level of protection is only available to business and enterprises — ATP isn’t baked into conventional Windows products. It’s not even clear how new or up-to-date FinFisher is, reports on the malware date from back in 2015. If the product is still being rapidly updated, a current dissection may be useful. If not, it may be of more academic interest than a cutting-edge guide to modern practices.

If you’d told me 10 years ago that come 2018, Microsoft would openly discuss how its antivirus software was good enough to catch malware deployed by law enforcement agencies, I would’ve thought you were kidding. Such are the times we live in.

Continue reading

Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs

Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

Apple: ‘It’s Up to Microsoft’ to Get Windows Running on New ARM Macs
Apple: ‘It’s Up to Microsoft’ to Get Windows Running on New ARM Macs

According to Apple, the question of supporting Windows on the M1 is entirely in Microsoft's court.

How Does Windows Use Multiple CPU Cores?
How Does Windows Use Multiple CPU Cores?

We take multi-core awareness for granted these days, but how do the CPU and operating system communicate with each other in the first place?

Minecraft With Ray Tracing Now Available for All Windows 10 Players
Minecraft With Ray Tracing Now Available for All Windows 10 Players

You don't usually think of Minecraft as a realistic game, but the developers have been hard at work adding RTX ray tracing to the game for the last eight months. It's finally out of beta today, and it really works with the blocky look of Minecraft.