Originally written in October 2014.
Wikileaks revealed FinFisher, a program used by governments to spy on journalists. Although it is claimed on the page that the malware is “previously unreleased”, we know that antivirus (AV) companies knew about it for almost 4 years, because someone uploaded it to VirusTotal close to 5 years ago:
Evading antivirus signatures, like those used on VirusTotal, is trivial. We will try to modify/obfuscate FinFisher so that it is detected neither by the antiviruses on VirusTotal nor by two standalone products, namely Symantec Norton Antivirus 2014 and BitDefender. We want to test against standalone products because they may have more advanced detection strategies not employed by VirusTotal. Both of these antiviruses got awards from PCMagazine, so we are not cheating with easy targets.
Finally, we’ll go through some of the more advanced detection strategies …