Researchers Lift Lid on Government-Distributed Cyber-Spy Trojans

After pro-democracy activists in Bahrain were hit by email attacks that would have installed spyware, a spreading investigation reveals more details about corporate-made Trojans sold to governments.

A recent study of cyber-spying malware discovered by Middle Eastern pro-democracy activists has found that it is a commercially developed Trojan apparently purchased and distributed by government authorities to keep watch on dissident citizens.

Late in July, pro-democracy activists, security researchers and journalists from Bloomberg News collaborated to uncover details about a mysterious piece of malware known as FinFisher, which proved to be spyware made by U.K. company Gamma International and sold to government clients.

Working from executables encountered by pro-democracy activists, computer scientists and researchers at the University of Toronto's Citizen Lab reverse engineered part of the software and found telltales signs that linked it to the U.K. firm.

Others took up the investigations and discovered that the use of FinFisher went far beyond spying on Bahraini activists. On Aug. 8, a researcher from security firm Rapid7 published his own analysis of the software, finding that servers in 10 countries, including the United States, Australia and Indonesia, showed signs of hosting the software needed to manage systems compromised with the espionage Trojan.

Rapid7 security researcher Claudio Guarnieri used a system created by HD Moore, the firm's chief security officer, to call up historical scans of large swaths of the Internet and search them. By searching on a specific string in the servers' responses, Guarnieri found 11 additional servers in 10 countries that showed signs of being central servers for espionage networks.

"We basically got lucky, because running that project, it was collecting the same data that we needed to fingerprint the servers," said Guarnieri. "We just looked for the pattern that we identified."

Rapid7 found servers in Australia, the Czech Republic, Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the United Arab Emirates, and the United States. In its analysis, the company emphasized that the location of the server does not mean that particular nation was involved. Almost all the servers were located on the networks of commercial Internet hosting providers.

The analysis would not have been possible except for two factors: As part of an ongoing project, Rapid 7 has begun scanning the Internet and the developers of FinFisher made a significant error: When a server running the command-and-control software encountered an unauthorized request, it would send back the unique response-"Hallo Steffi"-to the source of the request.

Since Rapid7's scanning system, known as Critical.io, recorded the responses to its port scans, it contained a historical record of the existence of the FinFisher servers on the Internet, even after the computers were patched to eliminate the unique string.

By the time the Guarnieri ran the scan, the live servers on the Internet no longer responded in the same way. Without a historical archive, the extent of the espionage networks would not have been known.

"After publishing the article, we actively saw those guys (the controllers) disabling the response we used for fingerprinting," he said. "I'm not really confident that we will be able to find any more servers."

Little is known about the FinFisher spyware except for a list of features leaked by Privacy International and others, including that it bypasses antivirus systems, performs full Skype monitoring, live surveillance through webcams and microphones, and silent extraction of files. FinFisher can infect Windows, Mac and Linux systems. The company's own description of the software is less complete.

"The Remote Monitoring and Deployment Solutions are used to access target systems to give full access to stored information with the ability to take control of target systems' functions to the point of capturing encrypted data and communications," states the company site.

The list of features is similar to many Trojans developed and used by criminals and sold openly on the Internet.

The software samples analyzed by researchers were captured from targeted email messages sent by unknown attackers who attempted to infect the systems of Bahrain pro-democracy activists. Instead the activists forwarded the e-mails to contacts at Bloomberg, who contacted security researchers, including those at CitizenLabs.

The captured samples matched signatures retrieved from an apparent demo version of the software found on the Internet, which communicates with Gamma International's servers.