ESET’s guide makes it possible to peek into FinFisher 0 95

FinFisher, also known as FinSpy, has a history of being used in surveillance campaigns, both against legitimate targets and against political opposition in countries with oppressive regimes. Despite that, the latest thorough analyses dealt with samples from as long ago as 2010. Since then, the FinFisher spyware received strong anti-analysis measures; apparently, this is also the reason why the more recent reports about FinFisher don’t go into much technical detail. In one of the reports, a reputable security company even admitted that due to strong obfuscation, it was not possible to extract the C&C servers.

Having discovered a wave of surveillance campaigns in several countries in summer 2017, ESET researchers dug deep into the samples of FinFisher. To be able to start a thorough analysis of how these recent samples work, they first had to break through all FinFisher’s protective layers.

To help malware analysts and security researchers overcome FinFisher’s advanced anti-disassembly obfuscation and virtualization features, ESET researchers have framed some clever tricks into a whitepaper, “ESET’s guide to deobfuscating and devirtualizing FinFisher”.

“The company behind FinFisher has built a multimillion-dollar business around this spyware – so it comes as no surprise that they put a much bigger effort into hiding and obfuscation than most common cybercriminals. Our aim is to help our peers analyze FinFisher and thus protect internet users from this threat,” comments Filip Kafka, ESET malware analyst who leads the analysis of FinFisher.

Filip Kafka expects the FinFisher creators to improve their protections to make FinFisher hard to analyze again. “With their huge resources, there is no doubt FinFisher will receive even better anti-analysis features. However, I expect their additional measures to cost more to implement while being easier to crack for us the next time around,” comments Filip Kafka.

ESET’s analysis into FinFisher is ongoing. In the first stage, ESET researchers focused on the infection vector used in the mentioned campaigns. They strongly believe internet service providers have played the key role in infecting the victims with FinFisher. Filip Kafka’s presentations of these findings along with a brief overview of FinFisher’s anti-analysis capabilities raised a lot of interest at the Virus Bulletin Conference as well as the AVAR conference.

Previous ArticleNext Article

ESET’s top 5 tips for safe online shopping this festive season 0 287

safe online shopping

Holiday shopping is so quick and easy to do online, no traffic to get to the store, no waiting in queues or travelling to one specific shop just to find out – oh no, they’re out of stock of the one item you went there for.

We want to make sure your holiday shopping experience is quick, easy and most of all safe. Here are our top 5 tips for safe shopping this festive season:

  1. Don’t have the same passwords for all online shopping sites, have strong passwords and for extra security, change them before the holiday shopping commences.
  2. Only shop on trusted sites and directly from vendors.
  3. Don’t click on links from emails, instead go straight to the site on your browser.
  4.  When shopping online use a secure internet connection such as your home WiFi and make sure the necessary firewalls are in place – Avoid online payments via public WiFi.
  5. This coupled with a strong antivirus and/or anti-spyware software for scanning email, applications, and data that resides on your computer, you can rest assured that only you will catch or detect any form of intrusion in good time.

To find out how ESET can help secure your online shopping experience visit our website or contact us at sales@esetafrica.com

 

Breached site notifications tested by Firefox 0 224

Firefox is testing an in-browser notification to alert users when they are visiting a site that has experienced a data breach.

This project is in collaboration with  “Have I Been Pwned” the popular site that allows users to check their email to find out if their credentials have been stolen by hackers.

“Firefox is just looking at which sites have been been breached and we’re discussing other ways of using the data in the future,” Security researcher and creator of Have I Been Pwned Troy Hunt “They’ve got a broad reach and surfacing this info via Firefox is a great way to get more exposure around data breaches.”

Troy Hunt Tweet

While the ‘Breach Alerts’ feature will issue a warning about a website, it won’t actually prevent users from visiting it, only alert them. The extension currently includes an input field that users can use to subscribe an email address in order to receive an alert when they may be affected by a future breach. This feature has received some criticism as it collects users email data which poses an opportunity for a data breach of their own.

It has not yet been announced when the alerts will be baked into a standard Firefox release. Once the feature is rolled out en masse, however, it is poised to act as a constant reminder of hacks suffered by particular websites. Given their frequent occurrence, security breaches aren’t easy to keep track of, which is also where Firefox intends to come in.

In the latest in a long list of hacked websites, image-hosting website Imgur confirmed last week that the email addresses and passwords of 1.7 million user accounts had been stolen back in 2014.