Microsoft released its final analysis report, which shows how Office 365 and Windows Defender detect FinFisher. Microsoft's researchers described the detection of the latest FinFisher variant as 'complex': it required new strategies to see through the obfuscated code.
FinFisher is sold to anyone who pays for it
FinFisher is sold to law-enforcement agencies around the world, and its maker, the European firm Gamma Group, has been criticized for selling it to repressive regimes; in practice, anyone who pays for it gets it.
Last year, researchers at FireEye found FinFisher being delivered in Word documents carrying an exploit for an Office zero-day, in a campaign targeting Russian-speaking victims.
Spaghetti code is harder to analyze
One problem was that FinFisher uses several anti-emulation tricks and so-called spaghetti code to hide its real behaviour and confuse disassemblers: the code is broken into small chunks chained together by jumps, so a disassembler that simply reads the bytes in order produces garbage. Six stages must be unpacked before the final payload runs, and each of them has to be defeated to reveal the malware's real purpose.
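The following is an added illustration of why jump-chained code defeats a disassembler that reads bytes in order; it is not FinFisher's code and not Microsoft's tooling. The byte sequence is constructed for the example: each short jump skips over junk whose first byte is the opening byte of a multi-byte instruction (0xE8, call rel32), so a linear sweep swallows the real instruction as an immediate, while a recursive traversal that follows the jumps recovers it. The toy decoder only knows five x86 opcodes, which is an assumption made to keep it self-contained.

```python
"""Linear-sweep vs recursive-traversal disassembly of jump-chained ('spaghetti') code.

Added illustration with a constructed byte string; not code from FinFisher or Microsoft.
"""
import struct

# Toy opcode table (assumption: only these five are decoded):
# opcode -> (mnemonic, immediate size in bytes, has ModR/M byte)
OPCODES = {
    0x90: ("nop", 0, False),
    0xC3: ("ret", 0, False),
    0xEB: ("jmp", 1, False),   # jmp rel8  (signed 8-bit displacement)
    0xE8: ("call", 4, False),  # call rel32 (signed 32-bit displacement)
    0x31: ("xor", 0, True),    # xor r/m32, r32  (31 C0 = xor eax, eax)
}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(code, off):
    """Decode one instruction at `off`.

    Returns (text, length, branch_target, stops_flow). Unknown or truncated bytes
    become a one-byte '(bad)' entry, much like the 'db' a real sweep would print.
    """
    op = code[off]
    bad = ("(bad) 0x%02x" % op, 1, None, False)
    if op not in OPCODES:
        return bad
    mnem, imm_size, has_modrm = OPCODES[op]
    text, length, target = mnem, 1, None
    if has_modrm:
        if off + 1 >= len(code) or code[off + 1] >> 6 != 3:  # register-direct only
            return bad
        modrm = code[off + 1]
        text = "%s %s, %s" % (mnem, REG32[modrm & 7], REG32[(modrm >> 3) & 7])
        length = 2
    if imm_size:
        if off + 1 + imm_size > len(code):
            return bad
        raw = code[off + 1: off + 1 + imm_size]
        rel = struct.unpack("<b" if imm_size == 1 else "<i", raw)[0]
        length = 1 + imm_size
        target = off + length + rel
        text = "%s 0x%x" % (mnem, target)
    stops = mnem in ("ret", "jmp")  # nothing falls through after these
    return (text, length, target, stops)


def linear_sweep(code):
    """Decode every byte in order, the way a plain 'objdump -d' does."""
    out, off = [], 0
    while off < len(code):
        text, length, _, _ = decode_one(code, off)
        out.append((off, text))
        off += length
    return out


def recursive_traversal(code, entry=0):
    """Follow control flow from `entry`; only bytes reachable as code are decoded."""
    seen, work = {}, [entry]
    while work:
        off = work.pop()
        while 0 <= off < len(code) and off not in seen:
            text, length, target, stops = decode_one(code, off)
            seen[off] = text
            if target is not None and 0 <= target < len(code):
                work.append(target)
            if stops:
                break
            off += length
    return sorted(seen.items())


# Constructed sample (not bytes from FinFisher): real instructions are chained with
# short jumps, and the byte after each jmp is 0xE8 so a sweep 'eats' the real code.
SPAGHETTI = bytes([
    0xEB, 0x04,              # 0:  jmp 6
    0xE8, 0xDE, 0xAD, 0xBE,  # 2:  junk, never executed
    0x31, 0xC0,              # 6:  xor eax, eax   (the real instruction)
    0xEB, 0x01,              # 8:  jmp 11
    0xE8,                    # 10: junk
    0xC3,                    # 11: ret
])

if __name__ == "__main__":
    for name, listing in (("linear sweep", linear_sweep(SPAGHETTI)),
                          ("recursive traversal", recursive_traversal(SPAGHETTI))):
        print(name)
        for off, text in listing:
            print("  %2d: %s" % (off, text))
```

Run stand-alone, the linear sweep lists a bogus `call` at offset 2 and never shows `xor eax, eax`, while the recursive traversal lists exactly the four instructions that execute. Scaling this idea up (many more chunks, conditional jumps, and a custom VM on top) is what made the FinFisher stages expensive to analyze.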
Defenses against FinFisher
Microsoft's detailed article shows which products and techniques are effective against FinFisher. It also states that publishing the research should help others find better ways to detect it. You can bet that the developers will keep improving their malware, since governments and other organizations pay them a lot of money for it.
- Office 365 Advanced Threat Protection
- Windows Defender Advanced Threat Protection
- In addition, Windows Defender ATP is now also capable of detecting attack techniques used by FinFisher, such as memory injection and DLL injection.
Windows Defender is as capable as other AV products and, like them, regularly receives signature updates, program updates and new features. In my opinion it's good advice to leave it activated and running in the background; review its options and set them to your needs.
Is Windows Defender powerful enough?
I think the FinFisher example speaks for itself: Microsoft did a good job, and they also released their research for others, so I'm sure everyone is already working on better techniques to detect such malware. I think that for the normal user Windows Defender is good enough; it does the same job as other AV products. The real-world tests on my end prove that WD, in combination with a good firewall and some Group Policy changes, is powerful enough to hold its own against current online threats.