Author Topic: Does Avast! Internet Security detect Finfisher?  (Read 11006 times)


aaronj0072

  • Guest
Does Avast! Internet Security detect Finfisher?
« on: May 01, 2013, 04:08:31 PM »
With the news today on this spyware working its way into Firefox, can anyone tell us if we're protected from this?  Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Does Avast! Internet Security detect Finfisher?
« Reply #1 on: May 01, 2013, 04:25:23 PM »
since it is not new, I would imagine avast lab knows all about it   ;)
leave the security worry to avast....as there is nothing else you can do

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Does Avast! Internet Security detect Finfisher?
« Reply #2 on: May 01, 2013, 04:31:56 PM »
Yes, avast! detects this spyware as Win32:FinSpy-B [Trj], coming with the Firefox executable firefox.exe.
You are being protected...

FinFisher manual removal
1. Stop the related process in Task Manager to force it to exit:
dotnetchk.exe
2. Find the following registry values in Registry Editor and remove them one by one (first back up the registry and save this backup):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"FinFisher" = "C:\progra~1\common~1\cmx1\start.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBDCB339-21C1-4834-9572-51ECC329ABD7}
HKEY_LOCAL_MACHINE\SOFTWARE\FinFisher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[RANDOM SID]\Components\858132C493B23D11E8D0000CF486730D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[RANDOM SID]\Products\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\Features\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\Products\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523
3.
%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_SCREEN.DATETIME.[RANDOM DATE AND TIME].png
%UserProfile%\Local Settings\Application Data\Protexis\UserSettings.xml
%UserProfile%\Local Settings\Temp\CFGD.tmp
%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_KEY.klog.html
%UserProfile%\Local Settings\Temp\VSDB.tmp\DotNetFX\dotnetchk.exe
%UserProfile%\Local Settings\Temp\VSDB.tmp\install.log
%UserProfile%\Start Menu\Programs\FinFisher.lnk
C:\Documents and Settings\All Users\Application Data\Protexis\DL\[RANDOM NAME].dlf
C:\Documents and Settings\All Users\Application Data\Protexis\State\[RANDOM NAME].dls
%CommonProgramFiles%\cmx1\FinFisher.ico
%CommonProgramFiles%\cmx1\cmx1.dat
%CommonProgramFiles%\cmx1\setup_dot_net_checker.msi
%Windir%\Installer\[RANDOM NAME].msi

Notice that av solutions may detect this as Win32/Belesak.D and avast detects this as Win32:FinSpy-B [Trj].
But some may likewise not detect Government trojans (as in Skype), as with other security companies av companies will actively cooperate with law enforcement agencies to not detect Government Trojans...so they might have agreed not to flag official government backdoors....

polonus

P.S. On FinSpy's proliferation: https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/
link article authors: Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton.
« Last Edit: May 01, 2013, 06:19:26 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
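As an added example (my own, not code from polonus's post or from avast), here is a read-only PowerShell audit of the items in the removal steps above. It only reports which of the listed process, registry keys and files are present on the machine, so you can confirm what is actually there before removing anything; it assumes an elevated session and takes the XP-era folder names as written.

```powershell
# Added example (not part of the original post): a read-only audit of the artefacts listed in the
# removal steps above. Reports what is present, deletes nothing. Assumes an elevated session.
$findings = New-Object System.Collections.Generic.List[string]
# Step 1: is the named process running?
if (Get-Process -Name 'dotnetchk' -ErrorAction SilentlyContinue) { $findings.Add('Process running: dotnetchk.exe') }
# Step 2: registry keys at fixed locations
$hklmKeys = @(
    'HKLM:\SOFTWARE\FinFisher',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBDCB339-21C1-4834-9572-51ECC329ABD7}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523'
)
foreach ($k in $hklmKeys) { if (Test-Path -LiteralPath $k) { $findings.Add("Registry key: $k") } }
# The Run value that launches cmx1\start.exe
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['FinFisher']) { $findings.Add("Run value: FinFisher = $($run.FinFisher)") }
# Keys under "[RANDOM SID]": enumerate every SID that is present instead of guessing one
$userData = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
foreach ($sid in Get-ChildItem -LiteralPath $userData -ErrorAction SilentlyContinue) {
    foreach ($sub in 'Components\858132C493B23D11E8D0000CF486730D', 'Products\933BCDBC1C124384592715CE3C92BA7D') {
        $p = Join-Path $sid.PSPath $sub
        if (Test-Path -LiteralPath $p) { $findings.Add("Registry key: $p") }
    }
}
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hkuSubs = 'Features\933BCDBC1C124384592715CE3C92BA7D', 'Products\933BCDBC1C124384592715CE3C92BA7D', 'UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523'
foreach ($sid in Get-ChildItem -LiteralPath 'HKU:\' -ErrorAction SilentlyContinue) {
    foreach ($sub in $hkuSubs) {
        $p = Join-Path $sid.PSPath "Software\Microsoft\Installer\$sub"
        if (Test-Path -LiteralPath $p) { $findings.Add("Registry key: $p") }
    }
}
# Step 3: files; the "[RANDOM ...]" parts of the listed names become wildcards
$files = @(
    "$env:UserProfile\Local Settings\Temp\cmx1\FinFisherR_SCREEN.DATETIME.*.png",
    "$env:UserProfile\Local Settings\Temp\cmx1\FinFisherR_KEY.klog.html",
    "$env:UserProfile\Local Settings\Temp\VSDB.tmp\DotNetFX\dotnetchk.exe",
    "$env:UserProfile\Start Menu\Programs\FinFisher.lnk",
    "$env:CommonProgramFiles\cmx1\FinFisher.ico",
    "$env:CommonProgramFiles\cmx1\cmx1.dat",
    "$env:CommonProgramFiles\cmx1\setup_dot_net_checker.msi"
)
foreach ($f in $files) {
    foreach ($hit in @(Get-Item -Path $f -ErrorAction SilentlyContinue)) { $findings.Add("File: $($hit.FullName)") }
}
if ($findings.Count -eq 0) { 'No listed FinFisher artefacts found.' } else { $findings }
```

On Vista and later the "Local Settings" and "Start Menu" names are junctions, so a path through them still resolves even though the folder itself cannot be listed.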

aaronj0072

  • Guest
Re: Does Avast! Internet Security detect Finfisher?
« Reply #3 on: May 01, 2013, 05:49:50 PM »
Thank you!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: Does Avast! Internet Security detect Finfisher?
« Reply #4 on: May 01, 2013, 06:27:23 PM »
Here is something about when FinFisher went mobile: http://munkschool.utoronto.ca/canadacentre/research/the-smartphone-who-loved-me-finfisher-goes-mobile/
link article author: Morgan Marquis-Boire
FinFisher was also detected being out here: -https://qhotels.gov.qa/
And whether the software was (illegally) exported out of the U.K. or was being re-engineered isn't that important for the discussion here.
At least it seemed Mozilla has reopened the discussion about this spyware again.

polonus

Another list of IP addresses:

Interesting blocklist for these and other IPs: http://sokosensei.wordpress.com/2012/08/15/updated-list-of-ips-that-you-should-block/
Example see: http://www.threatexpert.com/report.aspx?md5=af77b9bba26100ea133c55385c50afe9


pol
« Last Edit: May 01, 2013, 06:51:26 PM by polonus »