More on FinSpy/FinFisher

FinFisher (also called FinSpy) is a commercially sold spyware package that is used by governments worldwide, including the U.S. There’s a new report that has a bunch of new information:

Our new findings include:

  • We have identified FinFisher Command & Control servers in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria.
  • Taken together with our previous research, we can now assert that FinFisher Command & Control servers are currently active, or have been present, in 36 countries.
  • We have also identified a FinSpy sample that appears to be specifically targeting Malay language speakers, masquerading as a document discussing Malaysia’s upcoming 2013 General Elections.
  • We identify instances where FinSpy makes use of Mozilla’s trademark and code. The latest Malay-language sample masquerades as Mozilla Firefox in both file properties and in manifest. This behavior is similar to samples discussed in some of our previous reports, including a demo copy of the product, and samples targeting Bahraini activists.

Mozilla has sent them a cease and desist letter for using their name and code.

News story.

Here’s my previous post on the spyware.

Posted on May 2, 2013 at 6:50 AM • 14 Comments

Comments

ravn May 2, 2013 8:17 AM

Also, the German Federal Criminal Police has just ordered this software for EUR 150.000, before their own evaluation project has concluded whether it can be used legally.

mz May 2, 2013 8:32 AM

Given the illegal use of Mozilla’s name, perhaps the government should shut down FinFisher under DMCA. That would be poetic justice. I guess we shouldn’t hold our breath though, eh?

brian oblivion May 2, 2013 1:28 PM

I don’t know how the cretins at FinSpy sleep at night knowing their software is being used to round up and torture doctors in Bahrain who committed the capital crime of providing medical care to injured protesters.

And now Malaysia is using it to crush dissent. They should call this FinDie because that’s what happens to victims of this spyware.

Michael May 2, 2013 2:11 PM

I second what Brian said. The developers of FinSpy are no different from other malware distributing cretins, and God knows how many people were tortured and killed as a result of their actions. The jury’s still out on whether companies should even employ people with a record for malicious hacking, let alone the kind of stuff Gamma’s involved in.

Autolykos May 2, 2013 4:24 PM

@yet another anon: Here’s hoping the Chaos Computer Club will rip it to shreds just like the last Bundestrojaner. But they probably won’t even need to, as even the official advertisement may be enough to conclude it fails at the same criteria as the last one (exceeding the BKA’s privileges, while being worthless/inadmissible in court).

Brian May 2, 2013 5:43 PM

@Michael and brian oblivion:

Mainly just playing devil’s advocate, but I suspect they sleep the same way the makers of guns and similar tools do, by placing the blame for use on the user rather than the tool maker. These stories always seem to report from the perspective of the spyware in question being inherently evil…as if it was not possible for police in a democratic country to use it to track down criminals after obtaining a valid warrant.

That said, while I don’t think making software like this or using it in certain instances is automatically wrong (any more than the police having guns is automatically wrong)…I DO think it’s wrong to sell it to people who you know are going to use it for bad things. I also think it should be illegal, and I’d have no problem with a ban on selling anything even remotely questionable to countries that engage in systematic human rights violations. Selling a tool that can be used for evil is different than selling a tool to someone you KNOW is going to do something wrong with it.

Dirk Praet May 2, 2013 7:20 PM

Now, now, children. Software doesn’t kill people, people kill people. Surely the honourable men at Gamma International can’t possibly be held accountable for the way legitimate governments deploy their fine products to maintain law and order across the land.

moo May 2, 2013 8:52 PM

@Dirk:
Despite the sarcasm, I think you’re actually right. Moral labels like “good” and “evil” only make sense when applied to actors, actions, intentions or outcomes. The software is none of these things.

Using the software to track down political dissidents might be an evil action, and the people using it that way might be evil actors. Selling the software to governments who would obviously use it for evil, would be an evil action. Doctors getting punished for giving medical care to protesters (OR TO ANYONE) is an evil outcome.

I’m not prepared to say that writing the software was an evil action, even if it has “mostly evil” uses. Like any weapon, it’s the user who deploys it who bears the moral consequences of its use. If a weapon is left lying around and injures someone in an accident, whoever left it lying around should be held responsible. We don’t blame gun-makers when some little kid accidentally shoots himself with a parent’s gun that was left lying around.

Maybe a better analogy: Bittorrent or TOR wouldn’t be evil even if nearly all of their users were using them for “evil” purposes e.g. trading child porn.

Nick P May 2, 2013 9:58 PM

Adding to Dirk and moo’s comments, these pieces of software are indeed morally neutral. The reason is that they’re merely tools. People can use tools to good or bad ends, which is itself subjective. The real concern here is restricting the availability and usage of a given product. That’s where treaties, export bans, regulations, auditing, law enforcement, etc. come into play.

It’s just hard to see the US government in particular trying hard to ban any of this. If anything, they like the stuff so much the demand produces plenty of new supply. Profit motive of suppliers and redistributers ensures the goods eventually make it to the evils. That’s life.

anony May 3, 2013 3:32 AM

Let’s remember, of course, that Gamma International is directly marketing to oppressive governments with the knowledge of what their software will be used for.

The software may not be evil, but the company most certainly is. Why is anonymous wasting time doing things like DDoSing FBI’s public facing web page when there are worse criminals in public view?

Dirk Praet May 3, 2013 8:00 AM

@ Nick P

That’s where treaties, export bans, regulations, auditing, law enforcement, etc. come into play.

So far, the official response of Gamma has always been that they fully comply with all of these. Which of course is a joke. Most of this regulation is as easy to bypass as laundering money or evading taxes is because of the many loopholes that were (deliberately) left/built in. I just loved the way Bluecoat recently managed to reflect on a Dubai channel partner a 2.8 million dollar fine for exporting to Syria.

@ moo

Bittorrent or TOR wouldn’t be evil even if nearly all of their users were using them for “evil” purposes e.g. trading child porn.

There’s a subtle nuance, though. Many P2P users and the folks behind it (e.g. Kim DotCom, Gottfrid Svartholm) do tend to get fined, persecuted and jailed. Anti-piracy legislation is being pushed all over the world. Getting caught with kiddy pr0n will set you up for some extended time in prison. Always. Likewise, many governments and corporations (try to) block Tor traffic and exit nodes.

The chances of companies like Gamma getting the full force of DMCA or similar legislation leveraged against them in this particular case are about as likely as the overnight conversion of the Pope to Islam. At best, they risk some temporary public outcry after which all returns to business as usual. Same goes for the people behind them. I have no idea what Aaron Barr of HBGary Federal is doing these days, but I doubt it has anything to do with flipping burgers. And as for the governments using/abusing said products, they simply invoke “national security” to shield off anyone pointing the finger at them.

@ anony

Why is anonymous wasting time doing things like DDoSing FBI’s public facing web page when there are worse criminals in public view?

Because they still have a lot of growing up to do. They are not nearly as organised and focused as certain (allegedly) Chinese outfits are. With many of the initial folks involved in jail, on the run or seduced to the dark side of the Force, it would seem that over the last year they have pretty much degenerated into an anti-Israel lobby only, shooting at anything that moves and no longer able to pull off any decent, coordinated type of attack against high-profile targets. I don’t even bother to follow their public Twitter accounts any longer.

Jonathan Wilson May 4, 2013 11:02 AM

Not only are these scumbags using Mozilla trademarks without permission (in a way that is exactly what trademark law expressly prohibits) but there are reports that the software is using FSF copyrighted GPL/LGPL code without permission too.

I will be watching closely to see just what these entities do in terms of legal action and what the outcome is. (And unlike some other laws which are full of loopholes, it’s gonna be pretty hard for them to convince a judge that distributing spyware that looks like a legitimate web browser is somehow not a trademark violation.)
