Microsoft Exposes FinFisher Gov Spyware – Says Windows Defender ATP Can Now Detect the Notorious Spyware
In a recent blog post, Microsoft has revealed how the company had to devise special methods to crack open FinFisher, the notorious spyware that is sold to governments, intelligence agencies, and criminals alike. Since FinFisher is one of the most sophisticated and complex pieces of malware, it not only evades most of the antivirus engines but also manages to persist on its target devices.

The malware's anti-analysis protection - which includes multiple layers of virtual machines - makes it extremely difficult for researchers and AV makers to spot it, or even to analyze it well enough to build detections.


"FinFisher is not afraid of using all kinds of tricks, ranging from junk instructions and 'spaghetti code' to multiple layers of virtual machines and several known and lesser-known anti-debug and defensive measures," Microsoft wrote. It added that while security analysts can usually defeat these tricks during malware investigations, "FinFisher is in a different category of malware," more like a complicated puzzle than a typical sample.

The intricate anti-analysis methods reveal how much effort the FinFisher authors exerted to keep the malware hidden and difficult to analyze.

The effort spent on that analysis pays off, though: it lets protection products such as Windows Defender Advanced Threat Protection (ATP) recognise the same techniques and behaviors when they show up again. The company added that Windows Defender ATP can now raise alerts for FinFisher at different stages of the attack kill chain.

Microsoft boasted that Windows 10 S devices are "naturally" protected against this spyware because of their strict code integrity policies, which do not allow unknown, unsigned binaries to run. Those on Windows 10, Microsoft said, can configure similar code integrity policies using Windows Defender Application Control. The company added that Office 365, Windows Defender ATP, and its operating systems are now able to detect FinFisher's malicious behavior.
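As an added illustration of the mitigation Microsoft points to (this is not code from the Microsoft post), the following PowerShell builds a Windows Defender Application Control policy from a known-good reference machine, trials it in audit mode, and then enforces it so that unsigned binaries not already trusted by the policy cannot execute. The file paths under C:\WDAC are assumed, and the commands need an elevated PowerShell session with the ConfigCI module.

```powershell
# Added example, not part of the original article. Paths below are assumptions.
$PolicyXml = "C:\WDAC\BasePolicy.xml"
$PolicyBin = "C:\WDAC\SIPolicy.p7b"

# 1. Scan the reference system and trust code by its publisher certificate,
#    falling back to a file hash for unsigned files already present. Anything
#    unknown and unsigned (the category Microsoft says FinFisher lands in)
#    matches no rule and is therefore not allowed to run.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
             -ScanPath "C:\" -FilePath $PolicyXml

# 2. Begin in audit mode (rule option 3 = Enabled:Audit Mode) so that would-be
#    blocks are logged rather than enforced while the policy is tuned.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile the XML into the binary form the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Deploy by copying the binary policy into place and rebooting, then review
#    audit events (ID 3076 in the CodeIntegrity operational log) to find
#    legitimate software the policy would have blocked.
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" -MaxEvents 200 |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object TimeCreated, Message

# 5. Once the audit log is clean, drop audit mode, recompile and redeploy;
#    from the next boot the policy is enforced.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
```

Enforced blocks are logged under event ID 3077 in the same log, which is a useful signal to forward to the SIEM alongside the ATP alerts the article mentions.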

Microsoft has now publicly shared part of this analysis, adding to the material already published, so that the industry can better deal with the techniques and tricks employed by sophisticated spyware makers like Gamma International - the notorious British-German firm previously behind the FinFisher surveillance tool. "We believe that an industry-wide collaboration and information-sharing is important in defending customers against this complex piece of malware," the company said.

- For technical details and analysis, head over to Microsoft.