FinFisher TEST

Discussion in 'malware problems & news' started by CloneRanger, Sep 14, 2012.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    As a follow-up to https://www.wilderssecurity.com/showthread.php?t=331324&highlight=finfisher

    After months of trying to get hold of this .GOV etc nasty, thanks to a Very nice person I was finally able to :thumb:

    0f8249a2593f38c6bf54b6f366c0cac6.sys & c488a8aaef0df577efdf1b501611ec20.exe

    0f8249a2593f38c6bf54b6f366c0cac6.sys = driverw.sys

    c488a8aaef0df577efdf1b501611ec20.exe displays itself as Firefox.exe

    ff.gif

    I didn't bother disabling Avira, as I haven't updated it for ages. Not that I wasn't happy with V.9, it's just that I don't feel the daily updating bandwidth is worth it, due to my other solutions in place. I then enabled ShadowDefender & ran the .EXE

    pg1.gif

    Allowed it, & also a Driver to install !

    wsa1.gif

    Allowed it

    zem1.gif zem2.gif

    Allowed those too.

    Nothing happened for about a minute or so, & then my desktop Completely disappeared :eek: I was able to load Task Manager, but unable to Restart via it, in the time I was prepared to wait anyway, around another minute. Seems like it's Very buggy to me, at least on my XP/SP2 :p How suspicious would someone's desktop disappearing be, even Without my Apps/Alerts in place!

    I did a Hard restart & everything was back to normal :)

    So once again it all goes to prove that, NO matter who wants to "try" & attack/infiltrate etc your comp, including 3 Letter etc agencies, unless you allow it to happen, it can't :D
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Thanks for sharing, CloneRanger!

    Yep, that's basically what it boils down to :)
     
  3. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Not really that simple. There are always 0-days that they can use to target you. Nothing you can do to stop that (except for memory hardening techniques which are never 100%). This is especially true for the browser since that will be the #1 attack surface on a desktop machine.
     
  4. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,415
    Thanks for the info! Did Avira pick anything up?
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I've seen a few other tests with FinFisher, & a lot more in-depth than mine I have to admit. But I don't recall seeing Any mention of c488a8aaef0df577efdf1b501611ec20.exe displaying itself as Firefox? Also I'm wondering if this is how some people got fooled into running it, by thinking it was a FF update?

    *

    Pleasure :thumb:

    Not if it's a file/s that's designed to be installed/run, they would get blocked in various ways, which FinFisher did. The browser & memory is another matter though, you're right about that. Browser code injection would be blocked by ProcessGuard & Zemana. As all JavaScript is denied nearly all the time by NoScript, plus I have no Java, so those vectors would fail too. Keylogging & Screen capture etc would be blocked by Zemana & WSA. MITM attacks due to DNS diversions would be flagged by WSA. I appreciate nothing is 100%, that's why I like to test "supposedly" really dodgy things like FinFisher :D Many people must have been fooled by it, but if they had defences in place like & others have, they would have been alerted & it would have failed.

    Pleasure :thumb:

    No, but as the Defs haven't been updated for a Long time, I didn't expect it to.
     
  6. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    driverw.sys (MD5: 0f8249a2593f38c6bf54b6f366c0cac6) detected by Avira as "TR/Rootkit.Gen" (current VT stats: 33/42)
    Firefox.exe (MD5: c488a8aaef0df577efdf1b501611ec20) detected by Avira as "TR/Crypt.ZPACK.Gen" (current VT stats: 28/42)
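    The two MD5s above are the only concrete indicators in this thread, and the most useful thing a defender can do with a published hash list is sweep a directory tree against it. The following is an added example (not posted by kjempen or anyone else in the thread): a small offline hash sweep that uses the two MD5s from this thread as its known-bad table and, in the demo, a constructed sample tree with placeholder bytes standing in for the files. The file names, labels and placeholder contents are constructed for the example; nothing is downloaded or executed.

```python
"""Offline IoC sweep: hash every file under a directory and compare to a known-bad MD5 table."""
import hashlib
import tempfile
from pathlib import Path

# Known-bad MD5s taken from this thread. The labels are constructed summaries of
# kjempen's post; MD5 is used here only because that is what the thread published.
KNOWN_BAD_MD5 = {
    "0f8249a2593f38c6bf54b6f366c0cac6": "driverw.sys (Avira: TR/Rootkit.Gen)",
    "c488a8aaef0df577efdf1b501611ec20": "Firefox.exe lookalike (Avira: TR/Crypt.ZPACK.Gen)",
}


def md5_of_bytes(data: bytes) -> str:
    """Hex MD5 of an in-memory blob."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, ioc_table=KNOWN_BAD_MD5):
    """Return [(relative_path, md5, label)] for every regular file whose MD5 is in ioc_table.

    Symlinks and special files are skipped; matching is exact, so a recompiled or
    packed variant with a different hash will not be caught (hash IoCs only find
    the exact samples that were published).
    """
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        digest = md5_of_file(p)
        label = ioc_table.get(digest)
        if label is not None:
            hits.append((str(p.relative_to(root)), digest, label))
    return hits


def demo():
    """Build a constructed sample tree, sweep it, and return (hits, total_files).

    The placeholder bytes are constructed for this example; their hash is added to
    a copy of the table so the sweep has something to match without real samples.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Firefox.exe").write_bytes(b"constructed, harmless placeholder bytes")
        (root / "drivers").mkdir()
        flagged = root / "drivers" / "driverw.sys"
        flagged.write_bytes(b"constructed placeholder standing in for a flagged sample")
        table = dict(KNOWN_BAD_MD5)
        table[md5_of_bytes(flagged.read_bytes())] = "constructed test sample"
        hits = scan_directory(root, table)
        total = sum(1 for p in root.rglob("*") if p.is_file())
    return hits, total


if __name__ == "__main__":
    found, count = demo()
    print(f"scanned {count} files, {len(found)} hit(s)")
    for rel, digest, label in found:
        print(f"  {rel}  {digest}  {label}")
```

    Run it as `python sweep.py` (any file name will do) to see the demo output; point `scan_directory()` at a real folder to sweep it with the two hashes from this thread. The caveat the thread itself illustrates is that exact-hash matching finds only the published samples: the later batch of five files in this thread would need their own hashes added to the table.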
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I've just received some more FF samples, so I hope to be testing them soon too. I'll post when I do ;)

    *

    @ kjempen

    Thanks for the info :thumb:

    Very surprised that after many months of these being available to AV etc vendors, the score isn't 100% on both files :eek: Once again it proves how behind a lot of them still are in DEF's, & have been for years :thumbd:
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Unless I'm mistaken, doesn't a payload still have to execute for even a memory attack to succeed? Stopping the script that might be the impetus for the payload can be done, quite nicely, it seems, using Firefox w/NS. Obviously someone with physical access is pretty much game over, but for all other common scenarios, I don't see a problem preventing them. I haven't even mentioned outbound firewall control which could stop the downloading of the payload to the victim's machine.
     
  9. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    @kjempen

    Can you give me the link to those VT results please?
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    #finfisher

    Do a search at VT for finfisher :)
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Breakfastofchumps

    Yeah, Meriadoc is right, VT is a good source for those, but below you'll see some more.

    *

    A further test with 5 more samples, kindly provided by the same person :thumb:

    I also discovered the following Extremely useful,

    which then helped me to correctly rename the files to their appropriate .EXE's :) As there are 3 different versions of Opera.exe, I added numbers to distinguish them.

    Before I shut down Avira, I opened the folder with the samples in it, & Avira identified ALL 5 samples.

    View attachment 234637

    As these are releases from earlier in the year, it's good to see my AV, with its non-updated DEF's, detected them ALL even then :thumb:

    Interestingly, WSA did NOT detect ANY of them whilst doing that, but did Alert/Prompt/Block on execution attempt, on All EXCEPT autoruns.exe, whilst Offline?

    View attachment 234638

    When Online it Did Alert etc!

    Anyway, my modus operandi isn't to show if AV's etc detect etc, but if my other Apps etc do. I showed the AV detections etc just out of interest.

    As predicted ProcessGuard immediately jumped in as before, & always, & successfully Blocked/Alerted/Prompted me to ALL 5 attempted executions :D So I didn't bother running them this time to see what "might" happen, as that was enough to Prove they can't install on my comp. Plus as shown earlier, & in previous tests, other Apps etc would also help prevent infections etc.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Had a bit more time today, so I decided to actually run one of the samples.

    FlUt.png

    I first disabled Avira & WSA, & ran it. Then after confirming that both ProcessGuard & Zemana Blocked/Alerted/Prompted me to a combination of the following,

    .Exe - Code injection into Explorer - .Sys - Start up on boot.

    I disabled PG & Zem & ran it once more. As before, several minutes elapsed, during which time my comp became almost frozen, before XnView launched & displayed this

    FlashUtil.png

    It's supposed to trick "certain" people into believing the file they ran was a genuine BMP & that's all. To save bandwidth on here, I've converted it to a PNG.

    After about 5 minutes of nothing else happening, I rebooted back to normal. If I hadn't been in Shadow mode, & not had the other Apps in place, the .SYS etc would have done its dirty deeds, but no luck for it here :D
     
  13. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yup, all of them look like malware to me :D, if malware could walk :p
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ SweX

    Yeah, you wouldn't fall for it :D

    *

    It's a pity those nasties require a reboot in order to fully operate etc, as I Really wanted to see how WSA & Zemana & my system settings dealt with them, or not! I have sent the samples to someone else, so Hopefully they will be able to elaborate further. If anyone else would like to test any of them against, Especially the 2 above Apps, or more, PM me ;)
     
  15. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Thanks for sharing your findings, CloneRanger.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Well done CloneRanger, and thanks!
     
  17. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Nice work CloneRanger, I appreciate someone with big brass for testing some nasties. Thanks for the mug shots as well. :p
     
  18. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Yes, if it is merely a trojan and requires the user to install it through error or carelessness, then you're right. Stopping it is easy.

    It depends on whether you run the browser in a limited account. If the browser has full kernel level access, then such a 0-day would give an attacker instant pwnage of the entire box. From a limited account it would be harder, though not impossible (depending on the exploit and how it works).

    As for ProcessGuard and Zemana, I have no idea how they work. But I do know that HIPS-like systems need to be *in* the kernel to be effective. If they are not running at Ring 0, they can be bypassed rather easily. However, even if they are running at Ring 0, they can *still* be bypassed depending on the code path (and exploit) the attacker has (and depending on how well the HIPS rules are set up).

    Basically my point is, once you find an exploit in the kernel code (and if the attacker can reach it effectively) it is game over. I don't care what mitigations you have in place. All of those mitigations themselves run at the kernel level (or higher) thus there is nothing preventing the attacker from bypassing them. The only way to stop this is:

    1) Have the coders write perfect code (which is impossible)

    2) Use a microkernel (good luck finding one that is functional enough for everyday use).

    I am not saying HIPS-like systems aren't good. They are. They can make an attacker's life much more difficult (and stop most exploits) but they are not 100% foolproof.
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Breakfastofchumps & wat0114 & Dark Shadow

    Thanks for the thanks :) I only wish it had been more revealing!

    @ chronomatic

    Yeah I generally agree with you ;) But so far Nothing has got past my system etc, unless I've allowed it. Plus my last line of defence is SD, which has up until now, proved to be Totally effective :)

    Regards
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    CIS 5

    1.jpg
    2.jpg
    3.jpg
    4.jpg
    5.jpg
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    more ...

    6.jpg
    7.jpg
    8.jpg
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    CIS 6 beta full proactive paranoid mode, max pop-ups :thumbd:

    1.jpg
    2.jpg
    3.jpg
    4.jpg
     

  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OA free v6 (I forgot to disable cloud).

    a.jpg
    b.jpg
    zx.JPG
    d.jpg
    e.jpg
     
    Last edited: Oct 20, 2012
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    more ...

    6.jpg
    7.jpg
     
  25. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Wow, good to know that OA recommended blocking instead of leaving the users to take the decision completely. :D
     