How do I detect FinFisher?

more options

Please don't respond with a link to the cease and desist article. I've already read it. It's old news to me, and it tells me nothing about my concerns.

I'd really like to know how to figure out whether my computer is compromised. Firefox is my most-often-used web browser: am I infected right now? How long could it have gone on? Can I even trust any dialog messages saying that my browser is due for an update? Is there any AV software that can detect it?

All Replies (5)

more options

Chosen Solution

hello, as it's explained in https://blog.mozilla.org/blog/2013/04/30/protecting-our-brand-from-a-global-spyware-provider/ this spyware has nothing to do with your usage of firefox. it probably comes with a similar filename/logo/description to trick users into allowing it access through firewalls etc.

however from your description it appears that when you execute firefox.exe you get the normal browser window, so all should be good. the current version is firefox 20.0.1 - you should always perform updates that are offered to you when you go to firefox > help > about firefox.

more options

OK, you have read that "cease and desist" blog posting.

Did you read the 117 page PDF report on this page? This page is hyperlinked in that Mozilla blog "cease and desist" article.
https://citizenlab.org/2013/04/for-their-eyes-only-2/
"For Their Eyes Only: The Commercialization of Digital Spying."

Page 10 of that report says that this Malware was/is delivered via malicious email attachments. Attached images with a "hidden" executable which installs that malicious garbage.

But since this malware also affects the MBR (Master Boot Record) [page 15 of that report], I suspect a multi-pronged "fix" is going to need to be developed to cure infected PCs.


IMO, you should address your questions toward your Security Suite vendor and ask if their program is capable of finding and/or removing it. Or wait a few days and see "who" comes up with a full fix or a "detection program".


Far beyond a Mozilla Firefox support issue. Mozilla is as much a "victim" as anyone who inadvertently installed that malicious program.

more options

Hello MatsumotoMania,

I think the-edmeister's reply is the most comprehensive and documented answer to your question:

But since this malware also affects the MBR (Master Boot Record) [page 15 of that report], I suspect a multi-pronged "fix" is going to need to be developed to cure infected PCs.

IMO, you should address your questions toward your Security Suite vendor and ask if their program is capable of finding and/or removing it. Or wait a few days and see "who" comes up with a full fix or a "detection program".

Far beyond a Mozilla Firefox support issue. Mozilla is as much a "victim" as anyone who inadvertently installed that malicious program.

thank you the-edmeister

more options

Quoting from page 9 of that PDF report -

The emails generally suggested that the attachments contained political content of interest to pro-democracy activists and dissidents. In order to disguise the nature of the attachments a malicious usage of the “righttoleftoverride” (RLO) character was employed. The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim’s desktop as “exe.Rajab1.jpg” (for example), along with the default Windows icon for a picture file without thumbnail. But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as “gpj.1bajaR.exe”. Believing that they are opening a harmless “.jpg”, victims are instead tricked into running an executable “.exe” file. Upon execution these files install a multi-featured trojan on the victim’s computer. ...

I wonder if any computer user who is not using a Right-to-Left language would even be affected or "infect-able"?
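
An added example, not part of the quoted report or of any reply in this thread: a Python check that flags file names containing Unicode bidirectional control characters and compares the extension the OS acts on with the one a user sees. The sample names are constructed from the report's "exe.Rajab1.jpg" example, the extension list is an assumption, and the display model covers only a simple RLO run.

```python
import os
import unicodedata

# Characters that change display order without being visible themselves.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e"   # LRE RLE PDF LRO RLO
                    "\u2066\u2067\u2068\u2069"         # LRI RLI FSI PDI
                    "\u200e\u200f")                    # LRM RLM
RLO, PDF = "\u202e", "\u202c"
# Assumed list of extensions Windows will execute; extend as needed.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def apparent_name(name):
    """Approximate the displayed name: text after RLO is reversed until PDF
    or end of string. Nested or other embeddings are not modelled."""
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO:
            in_rlo = True
        elif ch == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)


def inspect_name(name):
    """Compare the extension the OS acts on with the one the user sees."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()
    shown = apparent_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    suspicious = bool(controls) and real_ext in EXECUTABLE_EXTS and shown_ext != real_ext
    return {"controls": controls, "shown": shown, "real_ext": real_ext,
            "shown_ext": shown_ext, "suspicious": suspicious}


# Constructed samples; the first reproduces the report's example name.
SAMPLES = ["\u202egpj.1bajaR.exe", "holiday.jpg", "report\u202efdp.exe", "setup.exe"]


def flag(names):
    """Return the names whose visible extension hides an executable one."""
    return [n for n in names if inspect_name(n)["suspicious"]]
```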

more options

Whoops. I guess there was still material yet to read.

I'm sorry to sound panicked. It was just a feeling of powerlessness on my part because this shady surveillance contractor has a reputation of complete invisibility.

Still, thanks for helping me out; I don't feel so creeped out any more.