Wikileaks outs latest FinFisher 'government spyware' that anti-virus can't spot

Berates Germany for allowing makers to operate

Wikileaks has released what it claims are previously unknown fourth-generation versions of the controversial 'government' FinFisher spyware, lambasting the German Government for allowing it to be sold to "some of the most abusive regimes in the world."

In a media announcement fronted with statements from Ecuadorian embassy refugee and editor in chief Julian Assange himself, Wikileaks offered the files for a number of the spyware's components, including Relay 4.3, Proxy 2.1, and Master 2.1, and zips containing 'weaponised' executables for the Windows FinSpy client used to monitor events such as a Skype conversation.

The organisation said its motivation for releasing the files was to "challenge the secrecy and the lack of accountability of the surveillance industry," a reference to the fact that this malware is legally used by a wide variety of governments, including repressive ones.

"FinFisher continues to operate brazenly from Germany selling weaponised surveillance malware to some of the most abusive regimes in the world," wrote Assange.

"The Merkel government pretends to be concerned about privacy, but its actions speak otherwise. Why does the Merkel government continue to protect FinFisher? This full data release will help the technical community build tools to protect people from FinFisher including by tracking down its command and control centers."

Releasing files of malware looks more like a publicity stunt than a major help to the security industry, although it's unlikely that many, or even any, security vendors would have detected it before now. That said, even if they now do, the makers of FinFisher can simply produce a new iteration if they haven't already done so.

Also released by Wikileaks is a bundle of mostly old and known documents, including cheap-looking videos, dull brochures and support details. However, one eye-catching item is a spreadsheet from April 2014 laid out like a perverse antivirus test where almost every single product fails on almost every single count. For these anti-testers, a failure happens when a program detects FinFisher.

This underlines how easy it now is to get past more or less any antivirus program going, as long as the malware is new enough or the antivirus old enough. It is, in fairness, a tough job for security firms. FinFisher isn't like conventional malware in that it is directed against tiny numbers of people spread across the globe. Spotting malware this rare is quite a task.

Information taken from the cache also suggested that FinFisher had been used by 64 customers, with 171 licenses issued. That doesn't sound like a lot, but this is a very, very expensive piece of software and a license gives a lot of use. Wikileaks reckons that it has generated revenue of up to $100 million and counting.

Governments that had used it, identified through support requests, included Slovakia, Mongolia, Qatar, South Africa, Bahrain, Pakistan, Estonia, Vietnam, Belgium, Nigeria, Netherlands, PCS Security in Singapore, Bangladesh, Hungary, Italy, Bosnia & Herzegovina, and even Australia's NSW state Police, Wikileaks said.

Wikileaks describes Gamma International as being a German company, but it's not entirely clear that it's that simple. The holding company, Lench IT Solutions, has a UK subsidiary (where the company started), Gamma International Ltd, but also a German equivalent, Gamma International GmbH. Mysterious.

What we do know is that FinFisher is hugely popular. Too popular. It has also upset companies such as Mozilla, which in 2013 sent the firm a cease and desist letter after discovering that the spyware was impersonating Firefox in order to infect targets.


Stories by John E. Dunn
