FinFisher TEST

[CloneRanger]

As a follow up to http://www.wilderssecurity.com/showt...ight=finfisher

After months of trying to get hold of this .GOV etc nasty, Thanks to a Very nice person i was finally able to

0f8249a2593f38c6bf54b6f366c0cac6.sys & c488a8aaef0df577efdf1b501611ec20.exe

0f8249a2593f38c6bf54b6f366c0cac6.sys = driverw.sys

c488a8aaef0df577efdf1b501611ec20.exe displays itself as Firefox.exe



I didn't bother disabling Avira, as i havn't updated it for ages. Not that i wasn't happy with V.9, it's just that i don't feel the daily updating bandwith is worth it, due to my other solutions in place. I then enabled ShadowDefender & ran the .EXE



Allowed it, & also a Driver to install !



Allowed it



Allowed those too.

Nothing happened for about a minute or so, & then my desktop Completely dissapeared i was able to load Task Manager, but unble to Restart via it. In the time i was prepared to wait anyway, around another minute. Seems likes it's Very buggy to me, at least on my XP/SP2 How suspicious would someones desktop dissapearing, even Without my Apps/Alerts in place !

I did a Hard restart & everything was to normal

So once again it all goes to prove that, NO matter who wants to "try" & attack/infiltrate etc your comp, including 3 Letter et agencies, unless you allow it to happen, it can't

[wat0114]

Thanks for sharing, CloneRanger!

Quote:

Originally Posted by CloneRanger

So once again it all goes to prove that, NO matter who wants to "try" & attack/infiltrate etc your comp, including 3 Letter et agencies, unless you allow it to happen, it can't

Yep, that's basically what it boils down to

[chronomatic]

Quote:

Originally Posted by CloneRanger

So once again it all goes to prove that, NO matter who wants to "try" & attack/infiltrate etc your comp, including 3 Letter et agencies, unless you allow it to happen, it can't

Not really that simple. There's always 0-days that they can use to target you. Nothing you can do to stop that (except for memory hardening techniques which are never 100%). This is especially true for the browser since that will be the #1 attack surface on a desktop machine.

[ComputerSaysNo]

Thanks for the info! Did Avira pick anything up?

[CloneRanger]

I've seen a few other tests with FinFisher, & a lot more indepth than mine i have to admit. But i don't recall seeing Any mention of c488a8aaef0df577efdf1b501611ec20.exe displaying itself as Firefox ? Also i'm wondering if this is how some people got fooled into running it, by thinking it was a FF update ?

*

Quote:

Originally Posted by wat0114

Thanks for sharing,

Pleasure

Quote:

Originally Posted by chronomatic

There's always 0-days that they can use to target you. Nothing you can do to stop that

Not if it's a file/s that's designed to be installed/run, they would get blocked in various ways, which FinFisher did. The browser & memory is another matter though, you're right about that. Browser code injection would be blocked by ProcessGuard & Zemana. As all JavaScript is denied nearly all the time by Noscript, plus i have no Java, so those vectors would fail too. Keylogging & Screen capture etc would be blocked by Zemana & WSA. MITM attacks due to DNS diversions would be flagged by WSA. I appreciate nothing is 100%, that's why i like to test "supposedly" really dodgy things like FinFisher Many people must have been fooled by it, but if they had defences in place like & others have, they would have been alerted & it would have failed.

Quote:

Originally Posted by ComputerSaysNo

Thanks for the info!

Pleasure

Quote:

Did Avira pick anything up?

No, but as the Defs haven't been updated for a Long time, i didn't expect it to.

[kjempen]

Quote:

Originally Posted by ComputerSaysNo

... Did Avira pick anything up?

driverw.sys (MD5: 0f8249a2593f38c6bf54b6f366c0cac6) detected by Avira as "TR/Rootkit.Gen" (current VT stats: 33/42)
Firefox.exe (MD5: c488a8aaef0df577efdf1b501611ec20) detected by Avira as "TR/Crypt.ZPACK.Gen" (current VT stats: 28/42)

[CloneRanger]

I've just received some more FF samples, so i hope to be testing them soon too. I'll post when i do

*

@ kjempen

Thanks for the info

Very surprised that after many months of these being available to AV etc vendors, that the score isn't 100% on both files Once again it proves how behind a lot of them still are in DEF's, & have been for years

[wat0114]

Quote:

Originally Posted by chronomatic

Not really that simple. There's always 0-days that they can use to target you. Nothing you can do to stop that (except for memory hardening techniques which are never 100%). This is especially true for the browser since that will be the #1 attack surface on a desktop machine.

Unless I'm mistaken, doesn't a payload still have to execute for even a memory attack to succeed? Stopping the script that might be the impetus for the payload can be done, quite nicely, it seems, using Firefox w/NS. Obviously someone with physical access is pretty much game over, but for all other common scenarios, I don't see a problem preventing them. I haven't even mentioned outbound firewall control which could stop the downloading of the payload to the victim's machine.

[Breakfastofchumps]

@kjempen

Can you give me the link to those VT results please?

[Meriadoc]

#finfisher

Do a search at VT for finfisher

[CloneRanger]

@ Breakfastofchumps

Yeah, Meriadoc is right, VT is a good source for those But below you'll see some more.

*

A further test with 5 more samples, kindly provided by the same person

I also discovered the following Extremely useful,

Quote:

Dedicated to analysing Gamma products

Last month a number of FinSpy samples were found and later analysed by CitizenLab (see https://citizenlab.org/2012/07/from-...-kit-exposed/). The details provided in the CitizenLab post are quite high-level; the aim of this blog is to dig deep into FinSpy and provide detailed analysis.

The samples from the CitizenLab post can be easily found on the internet by Googling the hashes. I found the following files:

* 2ec6814e4bad0cb03db6e241aabdc5e59661fb580bd870bdb50a39f1748b1d14
* 39b325bd19e0fe6e3e0fca355c2afddfe19cdd14ebda7a5fc96491fc66e0faba
* 49000fc53412bfda157417e2335410cf69ac26b66b0818a3be7eff589669d040
* cc3b65a0f559fa5e6bf4e60eef3bffe8d568a93dbb850f78bdd3560f38218b5c
* e48bfeab2aca1741e6da62f8b8fc9e39078db574881691a464effe797222e632

After searching VirusTotal for the hashes listed above, I was relieved to see that the AV industry appeared to be on top of this threat, with around 30 of the 40 or so AVs detecting the files as malicious. Little did I know how poor an effort all but two AVs had actually done.

*

It’s worth noting that the seed value (0x5F1ECA67) is used in all of the samples I listed earlier. As such, I was able to use this script to deobfuscate all of the payloads from each sample. The hashes for the payloads are as follows:

* 2bbc8f46a6efc6c824e55dc3ec18e2cf4a6d594b3d4f6fa54b95a4521e0a503e (disguised as FlashUtil.exe, Adobe Flash Installer/Uninstaller)
* a99fca440934ea43ec71cecb8f2aa1a60c0350eef939450c17eb94fecf8453ee (disguised as Opera.exe, Opera Internet Browser)
* a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f (disguised as Opera.exe, Opera Internet Browser)
* 9011cc655228333dd35b2e8fe079861325ef511a32e45819bcc7dff13f9d2440 (disguised as autoruns.exe, Autostart program viewer)
* a436042896aa7af9a16af04a5e568db4b8c5ddf7ccb013af402ac9e4930da693 (disguised as Opera.exe, Opera Internet Browser)

https://finfcuker.wordpress.com/2012...finspyanalysis

which then helped me to correctly rename the files to their appropriate .EXE's As there 3 different versions of Opera.exe, i added numbers to distinguish them.

Before i shutdown Avira, i opened the folder with the samples in, & Avira identified ALL 5 samples.

Attachment 234637

As these are releases from earlier in the year, it's good to see my non updated with DEF's AV, detected them ALL even then

Interestingly, WSA did NOT detect ANY of them whilst doing that, but did Alert/Prompt/Block on execution attempt, on All EXCEPT autoruns.exe ? whilst Offline.

Attachment 234638

When Online it Did Alert etc !

Anyway, my modus operandi isn't to show if AV's etc detects etc, but if my other Apps etc do. I showed the AV detects etc just out of interest.

As predicted ProcessGuard immediately jumped in as before, & always, & successfully Blocked/Alerted/Prompted me to ALL 5 attempted executions So i didn't bother running them this time to see what "might" happen, as that was enough to Prove they can't install on my comp. Plus as shown earlier, & in previous tests, other Apps etc would also help prevent infections etc.

[CloneRanger]

Had a bit more time today, so i decided to actually run one of the samples.



I first disabled Avira & WSA, & ran it. Then after confirming that both ProcessGuard & Zemana Blocked/Alerted/Promted me to a combination of the following,

.Exe - Code injection into Explorer - .Sys - Start up on boot.

i disabled PG & Zem & ran it once more. As before several minutes elapsed, during which time my comp became almost frozen, before XnView launched & displayed this



It's supposed to trick "certain" people into believing the file they ran was a genuine BMP & that's all. To save bandwith on here, i've converted it to a PNG.

After about 5 minutes of nothing else happening, i rebooted back to normal. If i hadn't been in Shadow mode, & not had the other Apps in place, the .SYS etc would have done it's dirty deeds, but no luck for it here

[SweX]

Yupp all of them look like malware to me , if malware could walk

[CloneRanger]

@ SweX

Yeah, you wouldn't fall for it

*

It's a pity those nasties require a reboot in order to fully operate etc, as i Really wanted to see how WSA & Zemana & my system settings dealt with them, or not ! I have sent the samples to someone else, so Hopefully they will be able to elaborate further If anyone else would like to test any of them against, Especially the 2 above Apps, or more, PM me

[Breakfastofchumps]

Thanks for sharing you're findings Cloneranger.

[wat0114]

Well done CloneRanger, and thanks!

[Dark Shadow]

Nice work CloneRanger,I appreciate someone with big brass for testing some nasties.Thanks for the mug shots as well.

[chronomatic]

Quote:

Originally Posted by CloneRanger

Not if it's a file/s that's designed to be installed/run, they would get blocked in various ways, which FinFisher did.

Yes, if it is merely a trojan and requires the user to install it through error or carelessness, then you're right. Stopping it is easy.

Quote:

The browser & memory is another matter though, you're right about that. Browser code injection would be blocked by ProcessGuard & Zemana.

It depends on whether you run the browser in a limited account. If the browser has full kernel level access, then such a 0-day would give an attacker instant pwnage of the entire box. From a limited account it would be harder, though not impossible (depending on the exploit and how it works).

As for ProcessGuard and Zemana, I have no idea how they work. But I do know that HIPS like systems need to be *in* the kernel to be effective. If they are not running at Ring 0, they can be bypassed rather easily. However, even if they are running at Ring 0, they can *still* be bypassed depending on the code path (and exploit) the attacker has (and depending on how well the HIPS rules are setup).

Basically my point is, once you find an exploit in the kernel code (and if the attacker can reach it effectively) it is game over. I don't care what mitigations you have in place. All of those mitigations themselves run at the kernel level (or higher) thus there is nothing preventing the attacker from bypassing them. The only way to stop this is:

1) Have the coders write perfect code (which is impossible)

2) Use a microkernel (good luck finding one that is functional enough for every day use).

I am not saying HIPS like systems aren't good. They are. They can make an attacker's life much more difficult (and stop most exploits) but they are not 100% foolproof.

[CloneRanger]

@ Breakfastofchumps & wat0114 & Dark Shadow

Thanks for the thanks I only wish it had been more revealing !

@ chronomatic

Yeah i generally agree with you But so far Nothing has got past my system etc, unless i've allowed it. Plus my last line of defence is SD, which has up until now, proved to be Totally effective

Regards

[aigle]

CIS 5

[aigle]

more ...

[aigle]

CIS 6 beta full proactive paranoid mode, max pop ups




[ATTACH]235165[/ATTACH

[aigle]

OA free v 6 ( I forgot to disable cloud ).

[aigle]

more ...

[Noob]

Wow good to know that OA recommended blocking instead of leaving the users take the decision completely.