My Authors
Read all threads
Finfisher/Finspy is malware made by Gamma, an Anglo-German cyber-arms dealer, and sold to the world's most despicable dictators and torturers. Microsoft Security has just published an extensive, fascinating analysis of its self-defense measures.…

There are two big threats to malware: first, that it will be decompiled so that the vulnerabilities that it expoits can be patched, and second, that this decompilation process will yield fingerprints that allow security tools to reliable detect the malware's presence.

Malware authors put a lot of care into writing routines to frustrate analysis, and Finfisher goes above and beyond in detecting whether it is under examination and protecting itself from scrutiny.

It starts with "spaghetti code" - breaking instructions into tiny fragments that jump one to the other, out of order, salted with junk instructions that do nothing.

All of this code gets executed to load up a virtual machine with its own opcodes.

The VM loads a bunch of subprograms that check for debuggers and sandboxes - indicators that the malware is running on a security analyst's workbench, rather than a target's system.

Then the system loads a bunch of fake bitmap images, throws away some of their headers, reassembles them, and decrypts data hidden in the resulting image.

Next comes ANOTHER virtual machine with its own, different opcodes, which decrypts and loads more software.

This is the installer, which loads up a bunch of DLLs, and begins installation of the malware itself, which starts injecting code into the user's programs.

The injector also has countermeasures to defeat common detection methods.

There's another round of obfuscation, and then various modules - customized based on the target - start loading.

It's a very clever piece of puzzlemaking, and an even more clever piece of detective work to solve it.

It's also a fascinating glimpse into the bizarre problem of software figuring out whether it's running on a real computer or inside a researcher's VM.

This may be the key to how Marcus "Malwaretech" Hutchins saved the world from Wannacry ransomware.

Hutchins was examining Wannacry when he noticed that it was hardcoded to try to reach a nonexistent domain, … He registered that doman and stood up a webserver there and every copy of Wannacry in the world went dormant.

No one knows exactly what happened there, but it's likely that Wannacry's method for figuring out if it was in the Matrix or not was to try to contact a nonexistent website.…

If the website answered, it would assume it was running in a researcher's test system and it would cease to function - so when Hutchins put up his webserver, every Wannacry instance on Earth decided it was under scrutiny and ceased all activity.

Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Cory Doctorow #BLM

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!