Saturday, September 1, 2012

'Legal' Spyware Abuse In World Dictatorships.
And Elsewhere? ->The FinFisher Spyware

--

While I catch my breath from the Java scandals and we wait for me to finish my yearly Mac malware review...

This was too good to pass up:

Google engineer finds British spyware on PCs and smartphones
FinSpy turning up in dictatorships across the world
By Iain Thomson in San Francisco • 31st August 2012 23:30 GMT • The Register
Two security researchers have found new evidence that legitimate spyware sold by British firm Gamma International appears to be being used by some of the most repressive regimes in the world. 
Google security engineer Morgan Marquis-Boire and Berkeley student Bill Marczak were investigating spyware found in email attachments to several Bahraini activists. In their analysis they identified the spyware infecting not only PCs but a broad range of smartphones, including iOS, Android, RIM, Symbian, and Windows Phone 7 handsets...
Parallel research by computer investigators at Rapid7 found command and control software servers for the FinSpy code running in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, and the United Arab Emirates, with another server in the US running on Amazon's EC2 cloud systems. Less than 24 hours after the research was published, the team noted that several of these servers were shut down.
The gritty code details can be found here:

August 29, 2012 • The Citizen Lab
iOS 
It was developed for Arm7, built against iOS SDK 5.1 on OSX 10.7.3 and it appears that it will run on iPhone 4, 4S, iPad 1, 2, 3, and iPod touch 3, 4 on iOS 4.0 and up... 
This application appears to provide functionality for call logging...
And here:

Analysis of the FinFisher Lawful Interception Malware
Posted by Claudio Guarnieri, Aug 8, 2012 6:31:35 AM • Security Street, RAPID7
It's all over the news once again: lawful interception malware discovered in the wild being used by government organizations for intelligence and surveillance activities. We saw it last year when the Chaos Computer Club unveiled a trojan being used by the federal government in Germany, WikiLeaks released a collection of related documents in the Spy Files, we read about an alleged offer from Gamma Group to provide the toolkit FinFisher to the Egyptian government, and we are reading once again now with the same one being delivered to human rights activists in Bahrain along with some spearphishing attacks. 
We all are very aware of a rising market of Western companies developing and selling malware for the use of government organizations all around the world, but whenever one of these products is found in other geographical areas, the potential political and ethical implications tend to generate interest...
Uh oh.
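
The Citizen Lab line quoted above ("developed for Arm7, built against iOS SDK 5.1 ... iOS 4.0 and up") is the kind of fact you read straight out of a sample's Mach-O header: the CPU type/subtype, and the LC_VERSION_MIN_IPHONEOS load command that records the minimum OS the binary will run on and the SDK it was linked against. The script below is an added example of pulling those fields out of a binary. It is not Citizen Lab's tooling and not anything taken from the FinSpy sample; it runs on two constructed header blobs embedded in the script (no real code in them) rather than on malware, and it also understands the newer LC_BUILD_VERSION command that later toolchains emit, which a 2012-era sample would not carry.

```python
import struct

# Mach-O constants (from mach-o/loader.h and mach/machine.h)
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE              # universal binary; stored big-endian
LC_VERSION_MIN_MACOSX = 0x24
LC_VERSION_MIN_IPHONEOS = 0x25
LC_BUILD_VERSION = 0x32             # newer replacement for the LC_VERSION_MIN_* commands
CPU_TYPE_X86, CPU_TYPE_ARM = 7, 12
CPU_ARCH_ABI64 = 0x01000000
CPU_SUBTYPE_ARM_V7 = 9
PLATFORMS = {1: "macOS", 2: "iOS"}  # LC_BUILD_VERSION platform codes


def _fmt_version(v):
    """Versions are packed as 0xXXXXYYZZ -> 'X.Y.Z'."""
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def _arch_name(cputype, cpusubtype):
    sub = cpusubtype & 0x00FFFFFF   # drop capability bits in the top byte
    if cputype == CPU_TYPE_ARM:
        return {6: "armv6", 9: "armv7", 11: "armv7s"}.get(sub, f"arm(subtype {sub})")
    if cputype == CPU_TYPE_ARM | CPU_ARCH_ABI64:
        return "arm64"
    if cputype == CPU_TYPE_X86:
        return "i386"
    if cputype == CPU_TYPE_X86 | CPU_ARCH_ABI64:
        return "x86_64"
    return f"cputype {cputype:#x}"


def macho_build_info(blob):
    """Return arch, platform, minimum OS and SDK version from a thin little-endian Mach-O.

    Every size read from the file is bounds-checked: a hostile sample may carry
    absurd ncmds/cmdsize values, and a triage tool must fail on them, not trust them.
    """
    if len(blob) < 28:
        raise ValueError("too short for a Mach-O header")
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        raise ValueError("fat binary: extract one slice first (e.g. lipo -thin armv7)")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"not a little-endian Mach-O (magic {magic:#x})")
    cputype, cpusubtype, _filetype, ncmds, sizeofcmds = struct.unpack_from("<iiIII", blob, 4)
    off = 32 if magic == MH_MAGIC_64 else 28   # 64-bit header has an extra reserved field
    if off + sizeofcmds > len(blob):
        raise ValueError("sizeofcmds runs past end of file")
    info = {"arch": _arch_name(cputype, cpusubtype), "platform": None, "minos": None, "sdk": None}
    for _ in range(ncmds):
        if off + 8 > len(blob):
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):
            raise ValueError(f"bad cmdsize {cmdsize} at offset {off}")
        if cmd in (LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS) and cmdsize >= 16:
            ver, sdk = struct.unpack_from("<II", blob, off + 8)
            info.update(platform="macOS" if cmd == LC_VERSION_MIN_MACOSX else "iOS",
                        minos=_fmt_version(ver), sdk=_fmt_version(sdk))
        elif cmd == LC_BUILD_VERSION and cmdsize >= 24:
            plat, ver, sdk, _ntools = struct.unpack_from("<IIII", blob, off + 8)
            info.update(platform=PLATFORMS.get(plat, f"platform {plat}"),
                        minos=_fmt_version(ver), sdk=_fmt_version(sdk))
        off += cmdsize
    return info


def _version(major, minor, patch=0):
    return (major << 16) | (minor << 8) | patch


# Constructed sample 1: a minimal armv7 iOS executable header whose only load
# command is LC_VERSION_MIN_IPHONEOS with minos 4.0 and SDK 5.1 (no code, no segments).
SAMPLE_ARMV7 = (struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, CPU_SUBTYPE_ARM_V7, 2, 1, 16, 0)
                + struct.pack("<IIII", LC_VERSION_MIN_IPHONEOS, 16, _version(4, 0), _version(5, 1)))

# Constructed sample 2: a 64-bit arm64 header using the newer LC_BUILD_VERSION command.
SAMPLE_ARM64 = (struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM | CPU_ARCH_ABI64, 0, 2, 1, 24, 0, 0)
                + struct.pack("<IIIIII", LC_BUILD_VERSION, 24, 2, _version(12, 0), _version(15, 2), 0))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(macho_build_info(f.read()))
    else:
        print(macho_build_info(SAMPLE_ARMV7))   # -> armv7, iOS, minos 4.0.0, sdk 5.1.0
        print(macho_build_info(SAMPLE_ARM64))   # -> arm64, iOS, minos 12.0.0, sdk 15.2.0
```

Point it at a thin slice (split a fat binary first with lipo); the minimum-OS field is what tells you "iOS 4.0 and up", and the SDK field is what tells you which toolchain the author was sitting on. Nothing here authenticates the binary, so treat it as a triage aid, not proof of anything.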

Exactly how FinFisher gets onto a device is not spelled out in either report. A product sold for 'lawful interception' is presumably meant to be planted by an operator with physical access to the device or administrative control over it or its network. But the samples found in the wild arrived the mundane way, as e-mail attachments sent to the Bahraini activists (spearphishing, as Rapid7 notes): the 'legal' tool is delivered exactly like any other Trojan horse.

We've seen FinFisher before on the OS X platform. In the past, FinFisher infected OS X machines through a security hole in the iTunes update mechanism: the updater could be fed a spoofed update, so the spyware simply posed as an iTunes update and got installed as a Trojan horse. That hole existed for YEARS in iTunes before Apple patched it at the end of 2011. Not Apple's finest security hour. The lesson is general: an update channel that does not authenticate both the server it talks to and the package it receives is a ready-made delivery path for anyone positioned on the network between you and the vendor.

I've written about 'legal' spyware previously. The one application dedicated to detecting and removing spyware on the Mac platform is MacScan. Unfortunately, MacScan does NOT, at this point in time, detect FinFisher. I suspect this will be corrected ASAP, because I will be pestering them. ;-) The MacScan/SecureMac folks have a spyware list and discussion available HERE. I'm no big fan of MacScan, as it requires repeated scans in order to catch everything on your system. But for detecting spyware, this is THE application. They provide a free demo version. The program is easy to use.

Some other anti-malware apps are also capable of finding and removing spyware. Check the developer's website for details. I know that Intego's OS X and iOS anti-malware apps scan for and remove related spyware. Because of this iOS spyware revelation, I'm going to begin testing Intego's VirusBarrier iOS for review. Apparently, Intego's VirusBarrier for iOS has not yet been optimized to detect actual spyware FOR iOS. I'll be chatting with Intego about this situation, now that we know about the abuse of the FinFisher spyware.

No doubt there will be further revelations about the abuse of FinFisher and other 'legal' spyware applications. I'll post when something directly relevant to all OS X and iOS users appears.

C U soon with the other half of my 2012 malware summary. Fur shur. No doubt. Not kidding. Count on it. Be seeing you.

--
