
Elusive FinFisher spyware can finally be cracked, researchers believe

The elusive FinFisher spyware, which is used widely in covert surveillance campaigns, especially by oppressive nations against political opposition, could soon be cracked, researchers believe.

The spyware has been around since 2010 but seldom have security researchers been able to dissect it completely or to extract the C&C servers, thanks to advanced anti-disassembly and virtualisation features introduced by FinFisher's creators to make it more difficult to analyse.

The spyware is so advanced because its creators have earned millions over the years by selling it to oppressive governments who could afford it. The resulting bounty was then used to equip the spyware with the latest anti-analysis measures, thereby frustrating security researchers looking to extract its code.

In the meantime, the spyware has been used to perform a range of covert operations, including live surveillance using webcams and microphones, keylogging, and exfiltration of files. The spyware also found its way into devices through manual installations with physical access to devices, spearphishing e-mails and messages, and watering hole tactics where websites were compromised to infect thousands of people who visited them.

However, researchers at ESET now believe that they can finally crack the spyware which has evaded researchers for the better part of the last decade.

'The company behind FinFisher has built a multimillion-dollar business around this spyware – so it comes as no surprise that they put a much bigger effort into hiding and obfuscation than most common cyber-criminals. Our aim is to help our peers analyse FinFisher and thus protect internet users from this threat,' said Filip Kafka, a malware analyst at ESET.

'With their huge resources, there is no doubt FinFisher will receive even better anti-analysis features. However, I expect their additional measures to cost more to implement while being easier to crack for us the next time around,' he added.

In a guide released to help other malware analysts overcome FinFisher's advanced anti-disassembly and virtualisation features, the researchers wrote that FinFisher's creators used a particular anti-disassembly trick: they hid the execution flow by replacing one unconditional jump with two complementary conditional jumps that target the same location, thereby distracting analysts.

While this technique is frequently used in other malware as well, what makes FinFisher unique is that it uses this trick after every single instruction, thereby creating a unique maze almost impossible to analyse.

To find a way around this trick, the researchers isolated each conditional jump and analysed it separately. Using a software tool named IDA Pro, they created graphs for each jump and studied them to separate unconditional jumps from complementary jumps. Once the anti-disassembly trick is taken care of, the researchers move on to analyse the virtual machine, thereby bringing themselves closer to the real payload. You may read a detailed description of the operation here.
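The complementary-jump pattern described above can be recognised mechanically, because two adjacent conditional jumps with opposite conditions and the same target behave as one unconditional jump. The sketch below is an added example, not code from ESET's guide: it assumes 32-bit x86 bytes and a simplified linear byte scan (a real tool would work on disassembler output to avoid matching bytes inside other instructions), and the function names and `SAMPLE` bytes are constructed for illustration.

```python
import struct

def decode_jcc(code, off):
    """Return (cc, length, target) if a conditional jump starts at off, else None."""
    if off + 2 <= len(code) and 0x70 <= code[off] <= 0x7F:            # Jcc rel8
        return code[off] & 0x0F, 2, off + 2 + struct.unpack_from("<b", code, off + 1)[0]
    if off + 6 <= len(code) and code[off] == 0x0F and 0x80 <= code[off + 1] <= 0x8F:
        return code[off + 1] & 0x0F, 6, off + 6 + struct.unpack_from("<i", code, off + 2)[0]
    return None

def find_complementary_pairs(code):
    """List (offset, size, target) for adjacent Jcc pairs that always jump to one place."""
    hits, off = [], 0
    while off < len(code):
        first = decode_jcc(code, off)
        second = decode_jcc(code, off + first[1]) if first else None
        # x86 condition codes come in pairs differing only in bit 0 (JZ=4, JNZ=5, ...)
        if second and (first[0] ^ 1) == second[0] and first[2] == second[2]:
            hits.append((off, first[1] + second[1], first[2]))
            off += first[1] + second[1]
        else:
            off += 1
    return hits

def patch_to_jmp(code, hits):
    """Rewrite each pair as one unconditional JMP padded with NOPs."""
    out = bytearray(code)
    for off, size, target in hits:
        if size == 4:   # two short Jcc: JMP rel8 (EB) reuses the first displacement
            jmp = b"\xEB" + struct.pack("<b", target - (off + 2))
        else:           # at least one near Jcc: room for JMP rel32 (E9)
            jmp = b"\xE9" + struct.pack("<i", target - (off + 5))
        out[off:off + size] = jmp + b"\x90" * (size - len(jmp))
    return bytes(out)

# Constructed sample: nop; jz +4; jnz +2; two junk bytes; nop; ret
SAMPLE = bytes.fromhex("9074047502cccc90c3")

if __name__ == "__main__":
    pairs = find_complementary_pairs(SAMPLE)
    print(pairs, patch_to_jmp(SAMPLE, pairs).hex())
```

After patching, a disassembler follows a single flow to the real target instead of treating the junk bytes after the pair as reachable code.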

It remains to be seen if the researchers will be able to effectively extract FinFisher's code or track down its C&C servers in the near future. But the first real step has been taken, and this should help researchers across the world in decoding the powerful spyware that has evaded them for years.
