Does Avast! Internet Security detect Finfisher?

With the news today on this spyware working its way into Firefox, can anyone tell us if we’re protected from this? Thanks

Since it is not new, I would imagine avast lab knows all about it :wink:
Leave the security worry to avast… as there is nothing else you can do

Yes, avast! detects this spyware as Win32:FinSpy-B [Trj] coming with the firefox executable firefox.exe
You are being protected…

FinFisher manual removal

  1. Stop the related process in Task Manager to force it to exit:
    dotnetchk.exe
  2. Find the following registry values in Registry Editor and remove them one by one (first back up the registry and save that backup):
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "FinFisher" = "C:\progra~1\common~1\cmx1\start.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBDCB339-21C1-4834-9572-51ECC329ABD7}
    HKEY_LOCAL_MACHINE\SOFTWARE\FinFisher
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[RANDOM SID]\Components\858132C493B23D11E8D0000CF486730D
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[RANDOM SID]\Products\933BCDBC1C124384592715CE3C92BA7D
    HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\Features\933BCDBC1C124384592715CE3C92BA7D
    HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\Products\933BCDBC1C124384592715CE3C92BA7D
    HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523

    %UserProfile%\Local Settings\Temp\cmx1\FinFisherR_SCREEN.DATETIME.[RANDOM DATE AND TIME].png
    %UserProfile%\Local Settings\Temp\cmx1\FinFisherR_KEY.klog.html
    %UserProfile%\Local Settings\Temp\CFGD.tmp
    %UserProfile%\Local Settings\Temp\VSDB.tmp\DotNetFX\dotnetchk.exe
    %UserProfile%\Local Settings\Temp\VSDB.tmp\install.log
    %UserProfile%\Local Settings\Application Data\Protexis\UserSettings.xml
    %UserProfile%\Start Menu\Programs\FinFisher.lnk
    C:\Documents and Settings\All Users\Application Data\Protexis\DL\[RANDOM NAME].dlf
    C:\Documents and Settings\All Users\Application Data\Protexis\State\[RANDOM NAME].dls
    %CommonProgramFiles%\cmx1\FinFisher.ico
    %CommonProgramFiles%\cmx1\cmx1.dat
    %CommonProgramFiles%\cmx1\setup_dot_net_checker.msi
    %Windir%\Installer\[RANDOM NAME].msi

Notice that other AV solutions may detect this as Win32/Belesak.D, and avast detects it as Win32:FinSpy-B [Trj].
But some may not detect it, likewise Government trojans (in Skype): as with other security companies, AV companies will actively cooperate with law enforcement agencies to not detect Government Trojans… so they might have agreed not to flag official government backdoors…

polonus

P.S. On FinSpy’s proliferation: https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/
link article authors: Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton.
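A report-only sweep for the indicators in the removal list above, written in PowerShell as an added example (it is not from the post and not avast's code). It tells you which of the listed process, registry keys and files are actually present before you delete anything by hand. Instead of guessing the [RANDOM SID] placeholders it enumerates the real SIDs under HKEY_USERS and Installer\UserData, matches the [RANDOM NAME] entries by extension, and resolves the cached [RANDOM NAME].msi through the Windows Installer LocalPackage value of the product key. The 'Local Settings' and 'All Users\Application Data' paths in the post are the Windows XP layout; the Vista-and-later equivalents the script also checks are my assumption. Run it from an elevated 64-bit PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: report-only sweep for the
# FinFisher indicators listed above. Nothing is deleted or modified.
# Assumptions: elevated 64-bit PowerShell 3.0+ on the machine being checked.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Running process named in the post
foreach ($p in (Get-Process -Name 'dotnetchk')) {
    $findings.Add("Process: dotnetchk.exe PID $($p.Id) Path=$($p.Path)")
}

# 2. Run value and the fixed HKLM keys
$run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if ($run -and ($run.PSObject.Properties.Name -contains 'FinFisher')) {
    $findings.Add("Run value: FinFisher = $($run.FinFisher)")
}
$productCode = '933BCDBC1C124384592715CE3C92BA7D'   # squished form of {CBDCB339-...}
$componentId = '858132C493B23D11E8D0000CF486730D'
$upgradeCode = '2FABB6478E3EAB84C98C6D8AB6155523'
$fixedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBDCB339-21C1-4834-9572-51ECC329ABD7}',
    'HKLM:\SOFTWARE\FinFisher',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\$upgradeCode"
)
foreach ($k in $fixedKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key: $k") }
}

# 3. Keys under [RANDOM SID]: enumerate the real SIDs instead of guessing.
$userData = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
foreach ($sid in (Get-ChildItem -LiteralPath $userData | ForEach-Object { $_.PSChildName })) {
    foreach ($sub in "Components\$componentId", "Products\$productCode") {
        $k = "$userData\$sid\$sub"
        if (Test-Path -LiteralPath $k) { $findings.Add("Registry key: $k") }
    }
    # Windows Installer records the cached copy of the package here, which
    # resolves the %Windir%\Installer\[RANDOM NAME].msi entry from the post.
    $props = Get-ItemProperty -LiteralPath "$userData\$sid\Products\$productCode\InstallProperties"
    if ($props -and $props.LocalPackage) { $findings.Add("Cached MSI: $($props.LocalPackage)") }
}
if (-not (Get-PSDrive -Name HKU)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($sid in (Get-ChildItem -LiteralPath 'HKU:\' | ForEach-Object { $_.PSChildName })) {
    foreach ($sub in "Features\$productCode", "Products\$productCode", "UpgradeCodes\$upgradeCode") {
        $k = "HKU:\$sid\Software\Microsoft\Installer\$sub"
        if (Test-Path -LiteralPath $k) { $findings.Add("Registry key: $k") }
    }
}

# 4. Files. The post quotes the XP layout; the %LocalAppData%, %AppData% and
# %ProgramData% entries are the Vista-and-later locations (assumption).
# Wildcards stand in for the [RANDOM ...] parts of the names.
$filePatterns = @(
    '%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_SCREEN.DATETIME.*.png',
    '%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_KEY.klog.html',
    '%UserProfile%\Local Settings\Temp\CFGD.tmp',
    '%UserProfile%\Local Settings\Temp\VSDB.tmp\DotNetFX\dotnetchk.exe',
    '%UserProfile%\Local Settings\Temp\VSDB.tmp\install.log',
    '%UserProfile%\Local Settings\Application Data\Protexis\UserSettings.xml',
    '%UserProfile%\Start Menu\Programs\FinFisher.lnk',
    '%LocalAppData%\Temp\cmx1\FinFisherR_*',
    '%LocalAppData%\Temp\CFGD.tmp',
    '%LocalAppData%\Temp\VSDB.tmp\*',
    '%LocalAppData%\Protexis\UserSettings.xml',
    '%AppData%\Microsoft\Windows\Start Menu\Programs\FinFisher.lnk',
    'C:\Documents and Settings\All Users\Application Data\Protexis\DL\*.dlf',
    'C:\Documents and Settings\All Users\Application Data\Protexis\State\*.dls',
    '%ProgramData%\Protexis\DL\*.dlf',
    '%ProgramData%\Protexis\State\*.dls',
    '%CommonProgramFiles%\cmx1\FinFisher.ico',
    '%CommonProgramFiles%\cmx1\cmx1.dat',
    '%CommonProgramFiles%\cmx1\setup_dot_net_checker.msi'
)
foreach ($pattern in $filePatterns) {
    $expanded = [Environment]::ExpandEnvironmentVariables($pattern)
    foreach ($f in (Get-Item -Path $expanded -Force)) { $findings.Add("File: $($f.FullName)") }
}

if ($findings.Count -eq 0) { 'No FinFisher indicators from the post were found.' }
else { $findings | ForEach-Object { "[+] $_" } }
```

Treat a hit as something to investigate rather than proof on its own: the Protexis and cmx1 entries are generic installer and licensing paths, and a 32-bit PowerShell on a 64-bit system would be redirected to the WOW6432Node view of HKLM\SOFTWARE, so run the 64-bit shell.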

Thank you!

Here about when FinFisher went mobile: http://munkschool.utoronto.ca/canadacentre/research/the-smartphone-who-loved-me-finfisher-goes-mobile/
link article author: Morgan Marquis-Boire
FinFisher was also detected being out here: -https://qhotels.gov.qa/
And whether the software was (illegally) exported out of the U.K. or was being re-engineered isn't that important for the discussion here.
At least it seems Mozilla has reopened the discussion about this spyware again.

polonus

Another list of IP addresses:
112.78.143.26 (Indonesia)
121.215.253.151 (Australia)
78.100.57.165 (Qatar)
213.55.99.74 (Ethiopia)
94.112.255.116 (Czech Republic)
213.168.28.91 (Estonia)
54.248.2.220 (USA)
202.179.31.227 (Mongolia)
80.95.253.44 (Czech Republic)
81.198.83.44 (Latvia)
86.97.255.50 (Dubai, UAE)

Interesting blocklist for these and other IPs: http://sokosensei.wordpress.com/2012/08/15/updated-list-of-ips-that-you-should-block/
Example see: http://www.threatexpert.com/report.aspx?md5=af77b9bba26100ea133c55385c50afe9

pol
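An added PowerShell example (not from the post) that turns the IP list above into a quick host-side check: it looks for live TCP connections and DNS cache entries pointing at those addresses and, with -Block, adds a single outbound Windows Firewall rule covering all of them. It assumes Windows 8 / Server 2012 or later for the NetTCPIP, DnsClient and NetSecurity modules and an elevated shell for the firewall change. The addresses are copied from the post; address lists of this kind go stale as hosting is reassigned, so review the rule before relying on it.

```powershell
# Added example, not from the original post. Checks current connections and the
# resolver cache against the FinFisher address list quoted above; -Block adds
# one outbound block rule. Assumes Windows 8/2012+ and an elevated shell.
param([switch]$Block)

$finfisherIps = @(
    '112.78.143.26', '121.215.253.151', '78.100.57.165', '213.55.99.74',
    '94.112.255.116', '213.168.28.91', '54.248.2.220', '202.179.31.227',
    '80.95.253.44', '81.198.83.44', '86.97.255.50'
)

# 1. TCP connections (any state) whose remote end is on the list, with the owner
$conns = Get-NetTCPConnection | Where-Object { $finfisherIps -contains $_.RemoteAddress }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    "[+] $($c.State) $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) PID $($c.OwningProcess) ($($proc.Name))"
}

# 2. Names that recently resolved to a listed address (A-record data is the IP)
Get-DnsClientCache | Where-Object { $finfisherIps -contains $_.Data } |
    ForEach-Object { "[+] DNS cache: $($_.Entry) -> $($_.Data)" }

# 3. Optional outbound block, kept as one named rule so it is easy to audit or remove
if ($Block) {
    $name = 'Block FinFisher addresses (forum list)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -RemoteAddress $finfisherIps -Profile Any | Out-Null
        "[+] Added firewall rule '$name'"
    } else {
        "[=] Firewall rule '$name' already exists"
    }
}
if (-not $conns) { '[-] No current connections to the listed addresses' }
```

Save it as a .ps1 and run it plainly to report only, or with -Block to add the rule; Remove-NetFirewallRule -DisplayName 'Block FinFisher addresses (forum list)' undoes the change.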