Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Networking

    Researchers Lift Lid on Government-Distributed Cyber-Spy Trojans

    By
    Robert Lemos
    -
    August 9, 2012
    Share
    Facebook
    Twitter
    Linkedin

      A recent study of cyber-spying malware discovered by Middle Eastern pro-democracy activists has found that it is a commercially developed Trojan apparently purchased and distributed by government authorities to keep watch on dissident citizens.

      Late in July, pro-democracy activists, security researchers and journalists from Bloomberg News collaborated to uncover details about a mysterious piece of malware known as FinFisher, which proved to be spyware made by U.K. company Gamma International and sold to government clients.

      Working from executables encountered by pro-democracy activists, computer scientists and researchers at the University of Toronto’s Citizen Lab reverse engineered part of the software and found telltales signs that linked it to the U.K. firm.

      Others took up the investigations and discovered that the use of FinFisher went far beyond spying on Bahraini activists. On Aug. 8, a researcher from security firm Rapid7 published his own analysis of the software, finding that servers in 10 countries, including the United States, Australia and Indonesia, showed signs of hosting the software needed to manage systems compromised with the espionage Trojan.

      Rapid7 security researcher Claudio Guarnieri used a system created by HD Moore, the firm’s chief security officer, to call up historical scans of large swaths of the Internet and search them. By searching on a specific string in the servers’ responses, Guarnieri found 11 additional servers in 10 countries that showed signs of being central servers for espionage networks.

      “We basically got lucky, because running that project, it was collecting the same data that we needed to fingerprint the servers,” said Guarnieri. “We just looked for the pattern that we identified.”

      Rapid7 found servers in Australia, the Czech Republic, Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the United Arab Emirates, and the United States. In its analysis, the company emphasized that the location of the server does not mean that particular nation was involved. Almost all the servers were located on the networks of commercial Internet hosting providers.

      The analysis would not have been possible except for two factors: As part of an ongoing project, Rapid 7 has begun scanning the Internet and the developers of FinFisher made a significant error: When a server running the command-and-control software encountered an unauthorized request, it would send back the unique response-“Hallo Steffi”-to the source of the request.

      Since Rapid7’s scanning system, known as Critical.io, recorded the responses to its port scans, it contained a historical record of the existence of the FinFisher servers on the Internet, even after the computers were patched to eliminate the unique string.

      By the time the Guarnieri ran the scan, the live servers on the Internet no longer responded in the same way. Without a historical archive, the extent of the espionage networks would not have been known.

      “After publishing the article, we actively saw those guys (the controllers) disabling the response we used for fingerprinting,” he said. “I’m not really confident that we will be able to find any more servers.”

      Little is known about the FinFisher spyware except for a list of features leaked by Privacy International and others, including that it bypasses antivirus systems, performs full Skype monitoring, live surveillance through webcams and microphones, and silent extraction of files. FinFisher can infect Windows, Mac and Linux systems. The company’s own description of the software is less complete.

      “The Remote Monitoring and Deployment Solutions are used to access target systems to give full access to stored information with the ability to take control of target systems’ functions to the point of capturing encrypted data and communications,” states the company site.

      The list of features is similar to many Trojans developed and used by criminals and sold openly on the Internet.

      The software samples analyzed by researchers were captured from targeted email messages sent by unknown attackers who attempted to infect the systems of Bahrain pro-democracy activists. Instead the activists forwarded the e-mails to contacts at Bloomberg, who contacted security researchers, including those at CitizenLabs.

      The captured samples matched signatures retrieved from an apparent demo version of the software found on the Internet, which communicates with Gamma International’s servers.

      Avatar
      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×