FinSpy

Twenty-five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens:

The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States and Vietnam.

It's sold by the British company Gamma Group.

Older news.

EDITED TO ADD (3/20): The report.

EDITED TO ADD (4/12): Some more links.

Posted on March 19, 2013 at 1:34 PM • 22 Comments

Comments

Tom K • March 19, 2013 2:03 PM

Thanks for the link, Bruce. If I wasn't already on some government watchdog list, I am now that I've poked around the Gamma Group's website. But I'm in good company, it seems.

Craig • March 19, 2013 2:18 PM

Tom K, I'm sure just reading "Schneier on Security" is enough to get someone to open a file on you...

Jfk • March 19, 2013 2:24 PM

I don't think that for all countries that are in the list, the government is spying on their own citizens using this software. This just says that the servers are located in those countries.

Michael Brady • March 19, 2013 3:01 PM

"FinSpy is spyware sold by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations." - the Gamma Group

“Let us not forget ... that everything Adolph Hitler did in Germany was ‘legal,’ and that everything the Freedom Fighters in Hungary did was ‘illegal.’” - Martin Luther King Jr

Jeff H • March 19, 2013 4:53 PM

"most frequently used "against pedophiles, terrorists, organized crime, kidnapping and human trafficking.""

I do like how they roll out the buzzwords at every available opportunity.

I'm not sure attempts at a ban on sales to repressive regimes (they didn't say whether the US & the UK counted...) will help though. Far better to get this stuff labelled as malware and improve detection of that - or will we be told next that there's such a thing as legitimate spyware?

Dirk Praet • March 19, 2013 6:39 PM

The message being that ordinary people indulging in such activities can and will go to jail, but that it is perfectly ok to do so if you manage to sell even one copy to a government organisation. I wonder what legislation/regulation is actually overseeing the products and services Gamma Group, HBGary and the like are offering.

nobnop • March 20, 2013 4:12 AM

@Jeff H: Good idea to classify such software as malware - but I don't think that the anti-malware industry will do so. Whitelisting might be a better protection approach, but it's not an easy task...

rrr • March 20, 2013 5:58 AM

http://projects.wsj.com/surveillance-catalog/

You probably want to read this if you haven't already.

The Surveillance Catalog: Where governments get their tools

Documents obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001.

The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and "massive intercept" gear that can gather all Internet communications in a country.

The documents—the highlights of which are cataloged and searchable here—were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month. Read more about the documents and see a list of agencies attending several such conferences (updated Feb. 7, 2012).

The documents fall into five general categories: hacking, intercept, data analysis, web scraping and anonymity. Below, explore highlights related to each type of surveillance, and search among selected documents.

Dirk Praet • March 20, 2013 9:08 AM

@ i hate triangles!

And would that contract be to host services of their own or to spy on everybody else who's using AWS ?

Autolykos • March 20, 2013 9:37 AM

@nobnop: Kaspersky has repeatedly declared that they will fight state-sponsored surveillance tools just like all other malware, back when the German spytoy, dubbed "Bundestrojaner", was ripped apart by the CCC (hard to tell whether the blatant violation of diverse laws or the exceptionally shoddy craftsmanship was more embarrassing). I don't know for sure how seriously Kaspersky takes their claim, since I've never heard them publish any results from reverse-engineering this (or similar) government spyware.

Simon • March 20, 2013 10:04 AM

Kaspersky's TDSSKiller didn't help eliminate a trojan virus; couldn't even run it, since the damage was already done and control of the machine was lost. It was a brand new Dell on an enterprise network with updated Symantec everywhere in a large corporation with a well-staffed IT dept. It was 3 months before Symantec even issued an advisory. The drive had to be removed. I have Kaspersky on this machine and get updates all the time. I expect it would probably catch and protect from a third of the threats. Fortunately those it wouldn't snag are less common. But this? Good luck. When something is specifically tested in a lab to blow through the latest COTS stuff, forget it.

ScottJ • March 20, 2013 1:07 PM

Any thoughts on how well the free/open-source ClamXAV detects FinSpy and similar quasi-state-sponsored threats?

999999998 • March 21, 2013 9:34 PM

Decompiled:
Issue 1: The CNC server is saved as a variable
from code:
wwm 168
rght, wxd.iir.gms:assd
s ttl

So it waits for 168 seconds of network idle, sends a packet to the server at a specific port, and deletes the packet from the host machine.

Issue 2: In an older version the CNC server can delete the program remotely, but it will also self-delete if it loses the ability to send packets. You could cheat it if you disconnect from the network and reset the system clock. A different version did not have this.

Issue 3: At least 4 programmers made the backbone. One of them is not a native English speaker, and probably learned to code in eastern Europe.

Issue 4: Anti-virus will catch the older versions, but it can be adjusted to come in through Java, Adobe updates or email attachments.

Guv Software Sucks • March 22, 2013 4:00 AM

Big warning here. If it's like Novopay in good ol' NZ, anything might happen.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..