Microsoft has announced that Windows Defender Advanced Threat Protection (ATP) can now detect malware built with FinFisher. FinFisher, also known as FinSpy, is a commercial surveillance product marketed as a lawful-intercept tool by the Germany-based company FinFisher GmbH. It is sold only to governments and is used by law enforcement agencies to deliver malware to selected targets. As one would expect, it is far more targeted, customized, and better written than run-of-the-mill malware.
Microsoft writes that FinFisher makes heavy use of junk instructions, spaghetti code (code deliberately stripped of structure), multiple virtual machines (an obfuscation layer that runs parts of the malware as bytecode, not to be confused with the analysis VMs mentioned below), layered anti-debugging and other defensive measures, and a variety of other tricks. The code is built to keep an analyst from working out what it is doing, and Microsoft used its in-depth examination of FinFisher to build detection into Windows Defender ATP. The writeup is an excellent walk through the malware's behavior from first contact through installation. The software is also designed to notice when it is running in a sandbox or virtual machine for analysis. Microsoft writes:
The loader first dynamically rebuilds a simple import address table (IAT), resolving all the APIs needed from the Kernel32 and NtDll libraries. It then continues executing in a spawned new thread that checks if there are additional undesired modules inside its own virtual address space (for example, modules injected by certain security solutions). It eventually kills all threads that belong to these undesired modules…
[T]he loader builds a complete IAT by reading four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remapping them in memory. This technique makes the use of debuggers and software breakpoints useless. During this stage, the loader may also call a certain API using native system calls, which is another way to bypass breakpoints on APIs and security solutions using hooks.
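The two tricks Microsoft describes, resolving exports from a fresh on-disk copy of ntdll and issuing native system calls directly, work because user-mode security products typically hook the mapped copy of ntdll in the target process. The same comparison is how a defender or incident responder spots those hooks and recovers the system service numbers (SSNs) that a direct-syscall loader needs. The following is an added example written for this page; it is neither Microsoft's code nor anything from FinFisher. All load addresses, RVAs, service numbers, and hook targets are constructed so the example runs offline; on a real system the "disk" bytes would come from reading ntdll.dll and the "memory" bytes from the mapped module. The stub layout assumed is the x64 Nt* stub of Windows 10 (mov r10,rcx / mov eax,SSN / syscall / ret).

```python
"""
Added example: detect inline hooks and recover service numbers by comparing
an on-disk copy of ntdll with what is mapped in a process.

All RVAs, load addresses and SSNs below are constructed sample data, not
values captured from a real ntdll.dll.
"""
import struct

# First bytes of an unhooked x64 Nt* stub: mov r10, rcx ; mov eax, imm32
STUB_PROLOGUE = b"\x4c\x8b\xd1\xb8"


def make_clean_stub(ssn: int) -> bytes:
    """Constructed on-disk-style Nt* stub carrying the given service number."""
    return (STUB_PROLOGUE + struct.pack("<I", ssn)
            + b"\xf6\x04\x25\x08\x03\xfe\x7f\x01"   # test byte ptr [7ffe0308h], 1
            + b"\x75\x03"                           # jne  short (int 2Eh path)
            + b"\x0f\x05"                           # syscall
            + b"\xc3"                               # ret
            + b"\xcd\x2e"                           # int  2Eh
            + b"\xc3")                              # ret


def extract_ssn(stub: bytes):
    """Service number encoded in a clean stub, or None if the prologue is gone."""
    if len(stub) >= 8 and stub.startswith(STUB_PROLOGUE):
        return struct.unpack_from("<I", stub, 4)[0]
    return None


def classify_patch(mem: bytes, addr: int):
    """Recognise common inline-hook trampolines at function entry.

    `addr` is the absolute address of the function, needed to resolve the
    RIP-relative forms. Returns (kind, target); for `jmp [rip+disp32]` the
    target is the address of the pointer slot, since the pointer itself is
    not among these bytes.
    """
    if mem[:1] == b"\xe9" and len(mem) >= 5:                     # jmp rel32
        return "jmp rel32", addr + 5 + struct.unpack_from("<i", mem, 1)[0]
    if mem[:2] == b"\xff\x25" and len(mem) >= 6:                 # jmp [rip+disp32]
        return "jmp [rip+disp32]", addr + 6 + struct.unpack_from("<i", mem, 2)[0]
    if mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":     # mov rax,imm64 ; jmp rax
        return "mov rax,imm64; jmp rax", struct.unpack_from("<Q", mem, 2)[0]
    if mem[:1] == b"\x68" and mem[5:6] == b"\xc3":               # push imm32 ; ret
        return "push imm32; ret", struct.unpack_from("<I", mem, 1)[0]
    return "unknown patch", None


def diff_exports(base: int, disk: dict, mem: dict) -> dict:
    """Compare each export's on-disk bytes with its in-memory bytes.

    `disk` and `mem` map export name -> (rva, first bytes). The on-disk copy
    is the reference and still yields the SSN when the mapped copy is patched.
    """
    report = {}
    for name, (rva, disk_bytes) in disk.items():
        mem_bytes = mem[name][1]
        entry = {"rva": rva, "ssn": extract_ssn(disk_bytes)}
        if disk_bytes == mem_bytes:
            entry["status"] = "clean"
        else:
            kind, target = classify_patch(mem_bytes, base + rva)
            entry.update(status="hooked", hook=kind, target=target)
        report[name] = entry
    return report


# --- constructed sample (hypothetical addresses, RVAs and SSNs) -------------
NTDLL_BASE = 0x7FFD6A000000      # constructed load address of ntdll
HOOK_BASE = 0x7FFD12340000       # constructed load address of a hooking DLL

DISK_EXPORTS = {
    "NtAllocateVirtualMemory": (0x9C8A0, make_clean_stub(0x18)),
    "NtProtectVirtualMemory":  (0x9CF20, make_clean_stub(0x50)),
    "NtWriteVirtualMemory":    (0x9CA80, make_clean_stub(0x3A)),
}


def _jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp rel32` from src to dst (rel is relative to the next insn)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def _overwrite(original: bytes, patch: bytes) -> bytes:
    return patch + original[len(patch):]


MEM_EXPORTS = {
    # hooked with a 5-byte relative jump into the hooking DLL
    "NtAllocateVirtualMemory": (0x9C8A0, _overwrite(
        DISK_EXPORTS["NtAllocateVirtualMemory"][1],
        _jmp_rel32(NTDLL_BASE + 0x9C8A0, HOOK_BASE + 0x1000))),
    # hooked with an absolute jump through rax
    "NtProtectVirtualMemory": (0x9CF20, _overwrite(
        DISK_EXPORTS["NtProtectVirtualMemory"][1],
        b"\x48\xb8" + struct.pack("<Q", HOOK_BASE + 0x2000) + b"\xff\xe0")),
    # untouched
    "NtWriteVirtualMemory": DISK_EXPORTS["NtWriteVirtualMemory"],
}


if __name__ == "__main__":
    for name, r in diff_exports(NTDLL_BASE, DISK_EXPORTS, MEM_EXPORTS).items():
        line = f"{name:<26} ssn=0x{r['ssn']:02x} {r['status']}"
        if r["status"] == "hooked":
            line += f" via {r['hook']} -> 0x{r['target']:x}"
        print(line)
```

Two things are worth noting. The SSN can only be read from the clean bytes: once a hook overwrites the first five bytes, the `mov eax, imm32` is gone, which is exactly why a loader that wants to issue syscalls itself goes back to the file on disk. And the resolved jump target tells you which module owns the hook, so a responder can tell an EDR's own trampoline apart from one planted by something that should not be there.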
It remains to be seen whether FinFisher's authors will work around what Microsoft has done here. The whole episode is an example of how PC and IoT security are forever playing catch-up with attackers. It may take a security company weeks or months to close a security flaw or add critical detection capabilities to its products. Then it is the attackers' move again, except that nobody is notified when they "finish" a move. We don't yet know whether Microsoft's detection is flexible enough to catch the evolutionary iterations that might slip its dragnet.
And, of course, this level of protection is only available to businesses and enterprises; ATP isn't built into consumer Windows products. It's also not clear how new or up-to-date the FinFisher sample Microsoft analyzed is, since public reports on the malware date back to 2015. If the product is still being rapidly updated, a current dissection is useful; if not, it may be of more academic interest than a cutting-edge guide to modern practices.
If you’d told me 10 years ago that come 2018, Microsoft would openly discuss how its antivirus software was good enough to catch malware deployed by law enforcement agencies, I would’ve thought you were kidding. Such are the times we live in.