With the news today on this spyware working its way into Firefox, can anyone tell us if we’re protected from this? Thanks
since it is not new, I would imagine Avast Lab knows all about it
leave the security worry to avast… as there is nothing else you can do
Yes, avast! detects this spyware as Win32:FinSpy-B [Trj] coming with the firefox executable firefox.exe
You are being protected…
FinFisher manual removal
- Stop the related process in Task Manager to force it to exit: dotnetchk.exe
- Discover the subsequent registry values in Registry Editor and take them away one by one (first back up the registry and save this backup)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "FinFisher" = "C:\progra~1\common~1\cmx1\start.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBDCB339-21C1-4834-9572-51ECC329ABD7}
HKEY_LOCAL_MACHINE\SOFTWARE\FinFisher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[RANDOM SID]\Components\858132C493B23D11E8D0000CF486730D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\[RANDOM SID]\Products\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\Features\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\Products\933BCDBC1C124384592715CE3C92BA7D
HKEY_USERS\[RANDOM SID]\Software\Microsoft\Installer\UpgradeCodes\2FABB6478E3EAB84C98C6D8AB6155523
%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_SCREEN.DATETIME.[RANDOM DATE AND TIME].png
%UserProfile%\Local Settings\Application Data\Protexis\UserSettings.xml
%UserProfile%\Local Settings\Temp\CFGD.tmp
%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_KEY.klog.html
%UserProfile%\Local Settings\Temp\VSDB.tmp\DotNetFX\dotnetchk.exe
%UserProfile%\Local Settings\Temp\VSDB.tmp\install.log
%UserProfile%\Start Menu\Programs\FinFisher.lnk
C:\Documents and Settings\All Users\Application Data\Protexis\DL\[RANDOM NAME].dlf
C:\Documents and Settings\All Users\Application Data\Protexis\State\[RANDOM NAME].dls
%CommonProgramFiles%\cmx1\FinFisher.ico
%CommonProgramFiles%\cmx1\cmx1.dat
%CommonProgramFiles%\cmx1\setup_dot_net_checker.msi
%Windir%\Installer\[RANDOM NAME].msi
Notice that AV solutions may detect this as Win32/Belesak.D, and avast detects this as Win32:FinSpy-B [Trj].
But some may not detect it, likewise Government trojans (in Skype), as, like with other security companies, AV companies will actively cooperate with law enforcement agencies to not detect Government Trojans… so they might have agreed not to flag official government backdoors…
polonus
P.S. On FinSpy’s proliferation: https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferation-2/
link article authors: Morgan Marquis-Boire, Bill Marczak, Claudio Guarnieri, and John Scott-Railton.
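As an added example (not code from the forum post, from Avast, or from the linked articles), here is a read-only PowerShell check for the persistence indicators listed in the removal steps above. It assumes the post's XP-era paths (%UserProfile%\Local Settings\…, which newer Windows resolves through compatibility junctions) and treats the [RANDOM SID] and [RANDOM NAME] entries as enumerated SIDs and wildcards rather than guessing them.

```powershell
# Added example: report (never delete) the FinFisher indicators listed in the post.
$hits = @()

# 1. The process named in the removal steps
if (Get-Process -Name 'dotnetchk' -ErrorAction SilentlyContinue) { $hits += 'process: dotnetchk.exe' }

# 2. Run-key value "FinFisher" pointing at the cmx1 loader
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['FinFisher']) { $hits += "run value: FinFisher = $($run.FinFisher)" }

# 3. Fixed machine-wide keys from the post
$product = '933BCDBC1C124384592715CE3C92BA7D'   # MSI product code given in the post
$upgrade = '2FABB6478E3EAB84C98C6D8AB6155523'   # MSI upgrade code given in the post
$fixedKeys = @(
  'HKLM:\SOFTWARE\FinFisher',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CBDCB339-21C1-4834-9572-51ECC329ABD7}',
  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\$upgrade"
)
foreach ($k in $fixedKeys) { if (Test-Path -LiteralPath $k) { $hits += "registry key: $k" } }

# 4. Per-user keys: walk the real SIDs under HKEY_USERS instead of guessing [RANDOM SID]
$sids = (Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue).PSChildName
foreach ($sid in $sids) {
  $perUser = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\$sid\Products\$product",
    "Registry::HKEY_USERS\$sid\Software\Microsoft\Installer\Features\$product",
    "Registry::HKEY_USERS\$sid\Software\Microsoft\Installer\Products\$product",
    "Registry::HKEY_USERS\$sid\Software\Microsoft\Installer\UpgradeCodes\$upgrade"
  )
  foreach ($k in $perUser) { if (Test-Path -LiteralPath $k) { $hits += "registry key: $k" } }
}

# 5. Files and folders: the post's %VAR% names expand per host, wildcards cover [RANDOM NAME]
$filePatterns = @(
  '%UserProfile%\Local Settings\Temp\cmx1\FinFisherR_*',
  '%UserProfile%\Local Settings\Application Data\Protexis\UserSettings.xml',
  '%UserProfile%\Start Menu\Programs\FinFisher.lnk',
  '%CommonProgramFiles%\cmx1\*',
  '%AllUsersProfile%\Application Data\Protexis\DL\*.dlf'
)
foreach ($p in $filePatterns) {
  $expanded = [Environment]::ExpandEnvironmentVariables($p)
  Get-Item -Path $expanded -Force -ErrorAction SilentlyContinue | ForEach-Object { $hits += "file: $($_.FullName)" }
}

if ($hits) { $hits | ForEach-Object { Write-Output "INDICATOR $_" } } else { Write-Output 'No listed FinFisher indicators found.' }
```

A hit on any line is a reason to capture the host for analysis before cleaning, since the removal steps above discard the evidence.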
Thank you!
Here about when FinFisher went mobile: http://munkschool.utoronto.ca/canadacentre/research/the-smartphone-who-loved-me-finfisher-goes-mobile/
link article author: MORGAN MARQUIS-BOIRE
FinFisher was also detected being out here: https://qhotels.gov.qa/
And whether the software was (illegally) exported out of the U.K. or was being re-engineered isn’t that important for the discussion here.
At least it seemed Mozilla has reopened the discussion about this spyware again.
polonus
Another list of IP addresses:
Interesting blocklist for these and other IPs: http://sokosensei.wordpress.com/2012/08/15/updated-list-of-ips-that-you-should-block/
Example see: http://www.threatexpert.com/report.aspx?md5=af77b9bba26100ea133c55385c50afe9
pol