FinFisher spyware found running on computers all over the world
Corporate IT should monitor systems for signs of communication with command and control servers running FinFisher
By Antone Gonsalves | CSO | Published: 11:40, 09 August 2012
Computers that appear to be running the commercially available FinFisher spyware sold to law enforcement and governments have been found in almost a dozen countries on five continents, a security researcher said on Wednesday.
Because of his discovery, Rapid7 researcher Claudio Guarnier warned that corporate IT should monitor systems for signs of communication with command and control servers running FinFisher, made by UK-based Gamma Group.
Rapid7 has published the IP addresses and communication "fingerprint" of the command and control servers it has discovered. The information can be used in intrusion detection systems.
Related Articles on Techworld
"If you can identify those networks actually communicating with those IPs, it most likely means some of the people on those networks are being spied on in some way," Guarnieri said.
FinFisher is able to record Skype and other voice over IP communications, log keystrokes and turn on a computer's webcam and microphone. The spyware, which can also steal files from a hard disk, is built to bypass dozens of antivirus systems.
Spyware that appeared to be FinFisher was first discovered last month in Bahrain. The malware was targeted at activists within the Persian Gulf kingdom but Gamma has denied that it never sold the product to Bahrain and is investigating whether a demonstration copy had been stolen from the company.
After obtaining samples of the Bahrain malware, Guarnier was able to isolate a peculiar way computers communicate with the software. The researcher found that the Bahrain server answered HTTP requests with the message "Hallo Steffi."
With the discovery of the fingerprint, Guarnier and his Rapid7 team started searching the Internet and found 12 C&C servers in 10 countries: the US, Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.
Whether governments or police are using the servers cannot be determined by the information gathered by Rapid7. The security company also cannot say for sure that the computers are running FinFisher. "But it's a very big clue," Guarnier said of his findings.
"We think that they are most likely connected to the [FinFisher] infrastructure and are being run by different people across the globe," he said.
Gamma told Bloomberg that it sells FinFisher according to export regulations of the UK, US and Germany. Nevertheless, once the spyware is released on the Internet, samples will likely end up in the hands of cybercriminals who could build their own versions.
"Now that FinFisher is in the public domain, every government the world over should assume that those who intend to seek and destroy or steal and manipulate will be studying the mechanics of how this application was designed and will undoubtedly develop more of its kind," said Dennis Portney, president of Security Forensics.
The malware is also expected to be particularly difficult to detect. "With the stealth nature of these types of spyware, it is hard to estimate the number or scope of their infection or deployment," Xuxian Jiang, an assistant professor and computer science researcher at North Carolina State University, said.