CSOs warned to watch for FinFisher spyware

Computers that appear to be running the commercially available FinFisher spyware sold to law enforcement and governments have been found in almost a dozen countries on five continents, a security researcher said on Wednesday.

Because of his discovery, Rapid7 researcher Claudio Guarnieri warned that corporate IT should monitor systems for signs of communication with command and control servers running FinFisher, made by U.K.-based Gamma Group.

Rapid7 has published the IP addresses and communication "fingerprint" of the command and control servers it has discovered. The information can be used in intrusion detection systems.

"If you can identify those networks actually communicating with those IPs, it most likely means some of the people on those networks are being spied on in some way," Guarnieri said.


FinFisher is able to record Skype and other voice over IP communications, log keystrokes and turn on a computer's webcam and microphone. The spyware, which can also steal files from a hard disk, is built to bypass dozens of antivirus systems.

Spyware that appeared to be FinFisher was first discovered last month in Bahrain. The malware was targeted at activists within the Persian Gulf kingdom. Gamma later told Bloomberg that it never sold the product to Bahrain and was investigating whether a demonstration copy had been stolen from the company.

After obtaining samples of the Bahrain malware, Guarnieri was able to isolate a peculiar way infected computers communicate with the software. The researcher found that the Bahrain server answered HTTP requests with the message "Hallo Steffi."

With the discovery of the fingerprint, Guarnieri and his Rapid7 team started searching the Internet and found 12 C&C servers in 10 countries: the U.S., Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.
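As an added illustration (not Rapid7's code) of how the published C&C addresses and the "Hallo Steffi" response fingerprint could be turned into the kind of monitoring check the article recommends, the following scans proxy-style log lines and flags internal hosts that contacted a listed server or received the fingerprint. The log format, the watchlist addresses and the sample lines are constructed placeholders; the real Rapid7 list would be loaded in place of the watchlist.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholder watchlist (RFC 5737 documentation addresses). Rapid7's
# published C&C addresses are not reproduced here; load the real list instead.
CNC_WATCHLIST = {"192.0.2.10", "198.51.100.25"}
# The response fingerprint the article describes for the Bahrain C&C server.
FINGERPRINT = "Hallo Steffi"

# Hypothetical proxy-log format:  <timestamp> <src> -> <dst> <status> "<body prefix>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> '
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)

@dataclass
class Alert:
    src: str            # internal host that talked to the server (candidate for triage)
    dst: str            # server it contacted
    reasons: list = field(default_factory=list)

def check_line(line: str):
    """Return an Alert if the log line matches the watchlist or the fingerprint, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None      # malformed line: skip rather than abort the scan
    reasons = []
    if m["dst"] in CNC_WATCHLIST:
        reasons.append("destination on published C&C watchlist")
    if FINGERPRINT in m["body"]:
        # A match against an unlisted server suggests a C&C not yet on the list.
        reasons.append("HTTP response carries the 'Hallo Steffi' fingerprint")
    return Alert(m["src"], m["dst"], reasons) if reasons else None

def scan(lines):
    """Run check_line over an iterable of log lines and collect the alerts."""
    return [a for a in map(check_line, lines) if a is not None]

# Constructed sample log: two watchlist hits, one fingerprint-only hit, one clean line.
SAMPLE_LOG = [
    '2012-08-08T10:00:01Z 10.0.0.5 -> 192.0.2.10 200 "Hallo Steffi"',
    '2012-08-08T10:00:02Z 10.0.0.6 -> 203.0.113.7 200 "Hallo Steffi"',
    '2012-08-08T10:00:03Z 10.0.0.7 -> 198.51.100.25 404 "Not Found"',
    '2012-08-08T10:00:04Z 10.0.0.8 -> 203.0.113.99 200 "<!doctype html>"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.src} -> {alert.dst}: {'; '.join(alert.reasons)}")
```

The source addresses in the alerts are the hosts worth triaging; a fingerprint hit against an address not on the watchlist is the signal that the published list is incomplete.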

Whether governments or police are using the servers cannot be determined from the information gathered by Rapid7. The security company also cannot say for sure that the computers are running FinFisher. "But it's a very big clue," Guarnieri said of his findings.

"We think that they are most likely connected to the [FinFisher] infrastructure and are being run by different people across the globe," he said.

Gamma told Bloomberg that it sells FinFisher according to export regulations of the U.K., U.S. and Germany. Nevertheless, once the spyware is released on the Internet, samples will likely end up in the hands of cybercriminals who could build their own versions.

"Now that FinFisher is in the public domain, every government the world over should assume that those who intend to seek and destroy or steal and manipulate will be studying the mechanics of how this application was designed and will undoubtedly develop more of its kind," Dennis Portney, president of Security Forensics, told CSO Online.

The malware is also expected to be particularly difficult to detect. "With the stealth nature of these types of spyware, it is hard to estimate the number or scope of their infection or deployment," Xuxian Jiang, an assistant professor and computer science researcher at North Carolina State University, said.
