FinSpy

Twenty-five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens:

The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States and Vietnam.

It’s sold by the British company Gamma Group.

Older news.

EDITED TO ADD (3/20): The report.

EDITED TO ADD (4/12): Some more links.

Posted on March 19, 2013 at 1:34 PM • 23 Comments

Comments

Tom K March 19, 2013 2:03 PM

Thanks for the link, Bruce. If I wasn’t already on some government watchdog list, I am now that I’ve poked around the Gamma Group’s website. But I’m in good company, it seems.

Craig March 19, 2013 2:18 PM

Tom K, I’m sure just reading “Schneier on Security” is enough to get someone to open a file on you…

Jfk March 19, 2013 2:24 PM

I don’t think that for all countries that are in the list, the government is spying on their own citizens using this software. This just says that the servers are located in those countries.

Michael Brady March 19, 2013 3:01 PM

“FinSpy is spyware sold by the Gamma Group, a British company that says it sells monitoring software to governments solely for criminal investigations.” – the Gamma Group

“Let us not forget … that everything Adolph Hitler did in Germany was ‘legal,’ and that everything the Freedom Fighters in Hungary did was ‘illegal.’” – Martin Luther King Jr

Jeff H March 19, 2013 4:53 PM

“most frequently used “against pedophiles, terrorists, organized crime, kidnapping and human trafficking.””

I do like how they roll out the buzzwords at every available opportunity.

I’m not sure attempts at a ban on sales to repressive regimes (they didn’t say whether the US & the UK counted…) will help though. Far better to get this stuff labelled as malware and improve detection of that – or will we be told next that there’s such a thing as legitimate spyware?

Dirk Praet March 19, 2013 6:39 PM

The message being that ordinary people indulging in such activities can and will go to jail, but that it is perfectly ok to do so if you manage to sell even one copy to a government organisation. I wonder what legislation/regulation is actually overseeing the products and services Gamma Group, HBGary and the like are offering.

nobnop March 20, 2013 4:12 AM

@Jeff H: Good idea to classify such software as malware – but I don’t think that the anti-malware industry will do so. Whitelisting might be a better protection approach, but it’s not an easy task…

rrr March 20, 2013 5:58 AM

http://projects.wsj.com/surveillance-catalog/

You probably want to read this if you haven’t already

The Surveillance Catalog: Where governments get their tools

Documents obtained by The Wall Street Journal open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001.

The techniques described in the trove of 200-plus marketing documents include hacking tools that enable governments to break into people’s computers and cellphones, and “massive intercept” gear that can gather all Internet communications in a country.

The documents—the highlights of which are cataloged and searchable here—were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month. Read more about the documents and see a list of agencies attending several such conferences (updated Feb. 7, 2012).
Above, a still image from a marketing video by FinFisher touting the brand’s surveillance technology. Click “play” to learn more about what these documents reveal.

The documents fall into five general categories: hacking, intercept, data analysis, web scraping and anonymity. Below, explore highlights related to each type of surveillance, and search among selected documents.

Dirk Praet March 20, 2013 9:08 AM

@ i hate triangles!

And would that contract be to host services of their own or to spy on everybody else who’s using AWS ?

Autolykos March 20, 2013 9:37 AM

@nobnop: Kaspersky has repeatedly declared that they will fight state-sponsored surveillance tools just like all other malware, back when the German spytoy, dubbed “Bundestrojaner” was ripped apart by the CCC (hard to tell whether the blatant violation of diverse laws or the exceptionally shoddy craftsmanship was more embarrassing). I don’t know for sure how serious Kaspersky takes their claim, since I’ve never heard them publish any results from reverse-engineering this (or similar) government spyware.

Simon March 20, 2013 10:04 AM

Kaspersky’s TDSSKiller didn’t help eliminate a trojan virus, couldn’t even run it since the damage was already done and control of the machine was lost. It was a brand new Dell on an enterprise network with updated Symantec everywhere in a large corporation with well-staffed IT dept. It was 3 months before Symantec even issued an advisory. The drive had to be removed. I have Kaspersky on this machine and get updates all the time. I expect it would probably catch and protect from a third of the threats. Fortunately those it wouldn’t snag are less common. But this? Good luck. When something is specifically tested in a lab to blow through the latest COTS stuff, forget it.

ScottJ March 20, 2013 1:07 PM

Any thoughts on how well the free/open-source ClamXAV detects FinSpy and similar quasi-state-sponsored threats?

Different Jeff H March 21, 2013 3:29 PM

Here’s a sample of FinSpy on Virus Total that gives you an idea of who detects it and what they call it (two months ago when the sample was scanned.)

https://www.virustotal.com/en/file/81531ce5a248aead7cda76dd300f303dafe6f1b7a4c953ca4d7a9a27b5cd6cdf/analysis/

Symantec, Avast, F-Secure and others label it as FinSpy.

Here’s an Android variant:

https://www.virustotal.com/en/file/72a522d0d3dcd0dc026b02ab9535e87a9f5664bc5587fd33bb4a48094bce0537/analysis/

999999998 March 21, 2013 9:34 PM

Decompiled:
Issue 1: The CNC server is saved as a variable
from code:
wwm 168
rght, wxd.iir.gms:assd
s ttl

So it waits for 168 seconds of network idle, sends a packet to the server at a specific port and deletes the packet from the host machine.

Issue 2: In an older version the CNC server can delete the program remotely, but it will also self-delete if it loses the ability to send packets. You could cheat it if you disconnect from the network and reset the system clock. A different version did not have this.

Issue 3: At least 4 programmers made the backbone. One of them is not a native English speaker, probably learned to code in eastern Europe.

Issue 4: Anti-virus will catch the older versions, but it can be adjusted to come in through Java, Adobe updates or email attachments.

Guv Software Sucks March 22, 2013 4:00 AM

Big warning here. If it’s like Novopay in good ol’ NZ, anything might happen.

Michael Holt July 27, 2015 10:37 AM

I am a former IT computer specialist and federal cyber security whistleblower; the US government has denied my civil and federal rights.

In 2006 and 2009 I discovered huge Internet browser security-related function problems. All government computer systems’ and civilians’ basic “Cut, Copy, Paste and Delete” could be used by websites without the users or client server knowing or having the ability to trace it.

I can provide proof of a major cyber security cover-up ongoing now.

The introduction of the CISA bill is meant to cover up what governments have been doing to civilians all over the world.

In my Merit Systems Protection Board Case SF-0752-11-0427-i-1 transcript, Judge Amy Dunning grants Federal Whistleblower Protection and job reinstatement, which was never done.

The VA Administration also admitted I discovered a “huge cyber security threat” and excerpts responsibility for it nationally.

To date four Senators have stated by email and letter that they would help, including the Homeland Security Senate representative.

Please help me tell my story before the Cyber Information Sharing Agreement is passed.

It’s unbelievable that we’re told to stand up for truth, but when you do it costs you everything. What happened to ethics, and how can my voice be heard? I am a former US Army disabled veteran who served his country for 27 years. I also created 27 national improvements implemented before and after my wrongful termination.

Senator Murray, Senator Wyden, Senator McCaskill, Senator Merkley

But, to date no one has ever called. I have only watched everyone read my information and work on covering up the illegal gathering, collection, use of intellectual data.

I merely wish to clear my name and get my life back. Isn’t my life worth something? If not mine, what about other kids who will grow up not truly knowing the freedoms soldiers lost their lives for? What about our grandkids; will they even have a chance?

I challenge anyone who reads this to take a stand and research what I’ve stated. I will never stop trying to have the government straighten my life out. President Obama, Biden and Holder have to date not replied.

Treason, 9.9 trillion missing from the Federal Reserve last year… Not one person going to jail?… Binary digits, stored in Congress cloud accounts, tax free.

Target, Chase, hospitals, White House. Hacked? PRISM and XKeyscore diagrams show the US government controls and monitors everything.

Please help by merely asking why the US government has denied or enforced what I told them. For the last nine years the government has been using the Internet as a back door into everyone’s computer systems around the world.

My number is 971 506 4438.

The US Government would like to kill my files and me off. So please understand the risk I am taking by sending this to you.
