Government use of private tech companies to spy on citizens

[Ed Jewett]

Apple iTunes "Flaw" Allowed Government Spying for 3 Years

November 25th, 2011Via: Telegraph:
An unpatched security flaw in Apple's iTunes software allowed intelligence agencies and police to hack into users' computers for more than three years, it's claimed.
A British company called Gamma International marketed hacking software to governments that exploited the vulnerability via a bogus update to iTunes, Apple's media player, which is installed on more than 250 million machines worldwide.
The hacking software, FinFisher, is used to spy on intelligence targets' computers. It is known to be used by British agencies and earlier this year records were discovered in abandoned offices of that showed it had been offered to Egypt's feared secret police.
Apple was informed about the relevant flaw in iTunes in 2008, according to Brian Krebs, a security writer, but did not patch the software until earlier this month, a delay of more than three years.
"A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw," he said in a blog post.
"The disclosure raises questions about whether and when Apple knew about the Trojan offering, and its timing in choosing to sew up the security hole in this ubiquitous software title."
Posted in Coincidence?, Covert Operations, Dictatorship, Surveillance, Technology

[Magda Hassan]

Inside the shadow world of commercialised spook spyware

'We'll penetrate commsats, undersea cables, Skype ...'By Duncan Campbell Get more from this authorPosted in Developer, 1st December 2011 10:52 GMTExclusive Western and Chinese high-tech companies are competing aggressively to sell, install and manage intrusive and dangerous internet surveillance and communications control equipment for the world's most brutal regimes, a six-month investigation has found.
During 2011, investigators from Privacy International, a London-based NGO, infiltrated a circuit of closed international surveillance equipment marketing conferences, obtaining private briefings and technical product specifications from contract-hungry sales executives. The group will publish its data and document haul on the net today, in conjunction with other campaigners.
The scale and audacity of the proposals in many of the companies' documents and hand-out DVDs is breathtaking. They describe and offer for unrestricted sale technologies which were in existence a decade ago, but which were held in utmost secrecy by major intelligence agencies such as the US National Security Agency (NSA) and Britain's GCHQ.
Over 150 international companies now trading in this sector have been identified during the research. The majority of them did not exist or were not offering electronic surveillance products, even in the early noughties.
Companies exhibiting at the shows now openly offer to target and break specific international commercial communications satellites, including Thuraya (covering the Middle East), Iridium satellite phones, and Marlink's VSAT. Commercial satellite intercept was previously the almost exclusive turf of GCHQ and NSA's Echelon satellite interception network.
Other companies offer routinely to install malware on phones and PCs, to break SSL encryption on web connections and A5 crypto on mobile phones, or to break into high-capacity optical fibre networks.
Glimmerglass Networks Inc from Silicon Valley presented in Washington last month on "optical cyber solutions". These include splicing into optical fibres at "submarine cable landing stations", "international gateways" and POP or peering points. The techniques used for these operations were developed secretly by the NSA in the 1990s, and have hitherto been a closely guarded secret.
Pushing their "Intelligent Optical System" surveillance system last month, Glimmerglass claimed that its customer intelligence agencies "gain rapid access, not just to signals, but to individual wavelengths on those signals. An LEA [Law Enforcement Agency] operator can quickly and easily select any signal from hundreds, send that signal to a de-multiplexer for access to one of the many wavelengths inside, and then distribute the desired wavelengths as needed. The IOS can make perfect photonic copies of optical signals for simultaneous distribution to grooming equipment and probes for comprehensive analysis".
Their show included "probes and sniffers" that started with "photonic copies" and ended up with huge personal network displays, including personal connectivity analysis from web logs, webmail and Facebook.
To monitor all of everyone's communications traffic, the company has claimed, "you need to do much of it optically ... You can pick some off cell phones. But the top of the [intelligence gathering] funnel is coming through optically ... you need to manage that."
Glimmerglass was formed in 2000. In the same year, long before 9/11 and on the opposite bank of San Francisco Bay, AT&T engineers working for NSA were installing optical fibre taps inside a major San Francisco city internet exchange, tapping into US west coast peering points and switches for the global internet.
In European and US shows over the last six months, Hacking Team of Milan and Gamma International, a controversial British company, have offered customers including police and intelligence agencies explicit hacking attacks including "stealth spyware for infecting and monitoring computers and smartphones" and lectures on "applied hacking techniques used by government agencies".
Next week at the latest ISSWorld show in Kuala Lumpur, Hacking Team will be pushing its "Remote Control System 7 the ultimate cyber-intelligence solution for covertly monitoring computers and smartphones". They have also provided "in-depth, live demonstration(s) of infection vectors and attack techniques".
RCS7 is claimed to be "invisible to most protection systems", "resistant to system restoration technologies" and "proven" to be able to intercept mail and web traffic including Skype and PGP.
In Britain in January, at a government invitation-only Farnborough show, Security and Policing 2012, organised by the Home Office's Centre for Applied Science and Technology (CAST), Gamma Group are billed as presenting their "unique" "FinFisher IT Intrusion products", which they claim "contain the most comprehensive online research and infection functionality found in any other solution [sic]".
FinFisher also claim that their "superior training at Gamma's IT Intrusion Training Institute" differentiates Gamma International as the leading company in the field of cyber surveillance and counter surveillance. In fact, the company appears to be operating from a tiny trading estate warehouse in Andover (Google Earth document).

A little warehouse in Hampshire... Investigators have pinpointed the location of FinFisher's HQ (Google Earth document).

Since the PI investigation was planned a year ago, equipment, plans and manufacturers' braggadocio about the power of their kit has have been recovered by Arab insurgents who have toppled governments in Cairo, Tripoli and elsewhere. More revelations are expected as the Arab Spring progresses.
After the collapse of the Mubarak regime in Egypt in April, insurgents broke into the State Security Investigations (SSI) branch. Among the batons and torture equipment recovered was a €250,000 proposal from Finfisher to install its "Finspy" hacker kit.


Mubarak regime offered 'full control' of computers of 'targeted elements'

After being offered a free trial, SSI investigators reported in seized Arabic documents (PDF)that the software "could get into email accounts of Hotmail, Gmail and Yahoo", as well as allowing "full control" of the computers of "targeted elements". SSI also reported "success in breaking through personal accounts on Skype network, which is considered the most secure method of communication used by members of the elements of the harmful activity because it is encrypted".
Gamma International has claimed to the press that it "has not supplied any of its Finfisher suite of products or related training to the Egyptian government". It has refused to comment on the documents recovered in Cairo.

'How many dictatorships did they think I was representing?' PI investigator Eric King

In France last month, PI lead investigator Eric King netted the offer of an expenses-paid trip to Beijing to visit China Top Communications (CTC), a government-owned company whose overt product range includes China's version of GPS and military communications hardware.
Privately, CTC claims to be "devoted to high-tech special equipments for security agency, interior department, police, and military" and to employ 400 engineers. If he came to Beijing, King was told, he would receive private demonstrations of Wind Catcher, a mobile phone surveillance system and Internet Watcher, which automatically attacks web security systems.
The Beijing company claimed that Wind Catcher can decrypt the A5.1 cypher used in all GSM mobile phones in 0.3 of a second, covering 11 or more channels at once, with a success rate of 90 per cent. Working in conjunction with direction-finding systems, CTC claims that phone users can be located and their conversations monitored over a 1km radius, even in a city centre.
CTC's Internet Watcher claims to be able to provide real time decryption of https web connections in order to attack the privacy of Gmail and Hotmail users.
"The shock of the Chinese offer was not what they were trying to sell me," King told The Register. "It was the fact that they were only one of several dozen companies all making the same claims and pushing their own brand of repressive technologies. How many dictatorships did they think I was representing?"
Privacy International will be relaunching their Big Brother Incorporated project, intended to highlight the menace of the new surveillance companies that are trying to profit from the previously dark and secret arts of hackers and signals intelligence agencies alike.
One target will be the 2012 Farnborough show, which the government claims "gives companies a platform to show the global policing and security community their equipment and capability".
"Why is the government allowing space to people like Gamma Group, whose equipment helps destroy human rights abroad?" King asked.
"They should have learned from what happened in Egypt and Libya that equipment like that is just as lethal to life and liberty as looking down the barrel of a gun."
The investigators

Privacy International investigator Eric King worked for a year with the legal action charity Reprieve international human rights organisation while still a law undergraduate at LSE. He enlarged his focus on privacy after graduating.
King and his PI colleagues came up with the idea of penetrating the new global surveillance industry during a 2010 visit to the Googleplex. Although the Tech Talk fellow privacy activists then gave to Google was amiable, they decided they were fed up "banging heads" with the giant new net companies.
They realised that focusing on the relative intransigence of Facebook and Google on personal privacy was distracting the more important focus on the use of the same and more advanced technologies for social and political repression, as the discoveries of the Arab Spring soon revealed.
The PI team asked the assorted search engine luminaries if they actually knew what governments could do and were doing with their tapping, intercepting, locating and processing capabilities and how that was being linked in some states to deliberate and intended harm.
"Even Google couldn't give the answer to that question." ®

http://www.theregister.co.uk/2011/12/01/...page2.html

[Magda Hassan]

From Bahrain With Love: FinFisher's Spy Kit Exposed?

July 25, 2012
Download PDF

Introduction

Click here to read the Bloomberg News article.
The FinFisher Suite is described by its distributors, Gamma International UK Ltd., as "Governmental IT Intrusion and Remote Monitoring Solutions." [SUP]1[/SUP] The toolset first gained notoriety after it was revealed that the Egyptian Government's state security apparatus had been involved in negotiations with Gamma International UK Ltd. over the purchase of the software. Promotional materials have been leaked that describe the tools as providing a wide range of intrusion and monitoring capabilities.[SUP]2[/SUP] Despite this, however, the toolset itself has not been publicly analyzed.
This post contains analysis of several pieces of malware obtained by Vernon Silver of Bloomberg News that were sent to Bahraini pro-democracy activists in April and May of this year. The purpose of this work is identification and classification of the malware to better understand the actors behind the attacks and the risk to victims. In order to accomplish this, we undertook several different approaches during the investigation.
As well as directly examining the samples through static and dynamic analysis, we infected a virtual machine (VM) with the malware. We monitored the filesystem, network, and running operating system of the infected VM.
This analysis suggests the use of "Finspy", part of the commercial intrusion kit, Finfisher, distributed by Gamma International.

Delivery

This section describes how the malware was delivered to potential victims using e-mails with malicious attachments.
In early May, we were alerted that Bahraini activists were targeted with apparently malicious e-mails. The emails ostensibly pertained to the ongoing turmoil in Bahrain, and encouraged recipients to open a series of suspicious attachments. The screenshot below is indicative of typical message content:


The attachments to the e-mails we have been able to analyze were typically .rar files, which we found to contain malware. Note that the apparent sender has an e-mail address that indicates that it was being sent by "Melissa Chan," who is a real correspondent for Aljazeera English. We suspect that the e-mail address is not her real address.[SUP]3[/SUP] The following samples were examined:
324783fbc33ec117f971cca77ef7ceaf7ce229a74edd6e2b3bd0effd9ed10dcc *الفعاليات.rar
c5b39d98c85b21f8ac1bedd91f0b6510ea255411cf19c726545c1d0a23035914 _gpj.ArrestedXSuspects.rar
c5b37bb3620d4e7635c261e5810d628fc50e4ab06b843d78105a12cfbbea40d7 KingXhamadXonXofficialXvisitXtoX.rar
80fb86e265d44fbabac942f7b26c973944d2ace8a8268c094c3527b83169b3cc MeetingXAgenda.rar
f846301e7f190ee3bb2d3821971cc2456617edc2060b07729415c45633a5a751 Rajab.rar
These contained executables masquerading as picture files or documents:
49000fc53412bfda157417e2335410cf69ac26b66b0818a3be7eff589669d040 dialoge.exe
cc3b65a0f559fa5e6bf4e60eef3bffe8d568a93dbb850f78bdd3560f38218b5c *gpj.1bajaR.exe
39b325bd19e0fe6e3e0fca355c2afddfe19cdd14ebda7a5fc96491fc66e0faba *gpj.1egami.exe
e48bfeab2aca1741e6da62f8b8fc9e39078db574881691a464effe797222e632 *gpj.bajaR.exe
2ec6814e4bad0cb03db6e241aabdc5e59661fb580bd870bdb50a39f1748b1d14 *gpj.stcepsuS detserrA.exe
c29052dc6ee8257ec6c74618b6175abd6eb4400412c99ff34763ff6e20bab864 News about the existence of a new dialogue between AlWefaq & Govt..doc

The emails generally suggested that the attachments contained political content of interest to pro-democracy activists and dissidents. In order to disguise the nature of the attachments a malicious usage of the "righttoleftoverride" (RLO) character was employed. The RLO character (U+202e in unicode) controls the positioning of characters in text containing characters flowing from right to left, such as Arabic or Hebrew. The malware appears on a victim's desktop as "exe.Rajab1.jpg" (for example), along with the default Windows icon for a picture file without thumbnail. But, when the UTF-8 based filename is displayed in ANSI, the name is displayed as "gpj.1bajaR.exe". Believing that they are opening a harmless ".jpg", victims are instead tricked into running an executable ".exe" file.[SUP]4[/SUP]


Upon execution these files install a multi-featured trojan on the victim's computer. This malware provides the attacker with clandestine remote access to the victim's machine as well as comprehensive data harvesting and exfiltration capabilities.

Installation

This section describes how the malware infects the target machine.
The malware displays a picture as expected. This differs from sample to sample. The sample "Arrested Suspects.jpg" ("gpj.stcepsuS detserrA.exe") displays:


It additionally creates a directory (which appears to vary from sample to sample):
C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF

It copies itself there (in this case the malware appears as "Arrested Suspects.jpg") where it is renamed:
C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF\Arrested Suspects.jpg" => C:\Documents and Settings\XPMUser\Local Settings\Temp\TMP51B7AFEF\tmpD.tmp

Then it drops the following files:
C:\DOCUME~1\%USER%\LOCALS~1\Temp\delete.bat
C:\DOCUME~1\%USER%\LOCALS~1\Temp\driverw.sys

It creates the folder (the name of which varies from host to host):
C:\Documents and Settings\%USER%\Application Data\Microsoft\Installer\{5DA45CC9-D840-47CC-9F86-FD2E9A718A41}

This process is observable on the filesystem timeline of the infected host (click image to enlarge):

"driverw.sys" is loaded and then "delete.bat" is run which deletes the original payload and itself. It then infects existing operating system processes, connects to the command and control server, and begins data harvesting and exfiltration.
Examining the memory image of a machine infected with the malware shows that a technique for infecting processes known as "process hollowing" is used. For example, the memory segment below from the "winlogon.exe" process is marked as executable and writeable:


Here the malware starts a new instance of a legitimate process such as "winlogon.exe" and before the process's first thread begins, the malware de-allocates the memory containing the legitimate code and injects malicious code in its place. Dumping and examining this memory segment reveals the following strings in the infected process:


Note the string:
y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-tdiv_qr.c

This file seems to correspond to a file in the GNU Multi-Precision arithmetic library:
http://gmplib.org:8000/gmp/file/b5ca1621.../tdiv_qr.c
The process "svchost.exe" was also found to be infected in a similar manner:


Further examination of the memory dump also reveals the following:


This path appears to reference the functionality that the malware uses to modify the boot sequence to enable persistence:
y:\lsvn_branches\finspyv4.01\finspyv2\src\target\bootkit_x32driver\objfre_w2k_x86\i386\bootkit_x32driver.pdb

A pre-infection vs post-infection comparison of the infected VM shows that the Master Boot Record (MBR) was modified by code injected by the malware.
The strings found in memory "finspyv4.01" and "finspyv2" are particularly interesting. The FinSpy tool is part of the FinFisher intrusion and monitoring toolkit.[SUP]5[/SUP]

Obfuscation and Evasion

This section describes how the malware is designed to resist analysis and evade identification.
The malware employs a myriad of techniques designed to evade detection and frustrate analysis. While investigation into this area is far from complete, we discuss several discovered methods as examples of the lengths taken by the developers to avoid identification.
A virtualised packer is used. This type of obfuscation is used by those that have "strong motives to prevent their malware from being analyzed".[SUP]6[/SUP]
This converts the native x86 instructions of the malware into another custom language chosen from one of 11 code templates. At run-time, this is interpreted by an obfuscated interpreter customized for that particular language. This virtualised packer was not recognised and appears to be bespoke.
Several anti-debugging techniques are used. This section of code crashes the popular debugger, OllyDbg.
.text:00401683 finit
.text:00401686 fld ds:tbyte_40168E
.text:0040168C jmp short locret_401698

.text:0040168E tbyte_40168E dt 9.2233720368547758075e18

.text:00401698 locret_401698:
.text:00401698 retn

This float value causes OllyDbg to crash when trying to display its value. A more detailed explanation of this can be found here.
To defeat DbgBreakPoint based debuggers, the malware finds the address of DbgBreakPoint, makes the page EXECUTE_READWRITE and writes a NOP on the entry point of DbgBreakPoint.
The malware checks via PEB to detect whether or not it is being debugged, and if it is it returns a random address.
The malware calls ZwSetInformationThread with ThreadInformationClass set to 0×11, which causes the thread to be detached from the debugger.
The malware calls ZwQueryInformationProcess with ThreadInformationClass set to 0x(ProcessDebugPort) and 0x1e (ProcessDebugObjectHandle) to detect the presence of a debugger. If a debugger is detected it jumps to a random address. ZwQueryInformationProcess is also called to check the DEP status on the current process, and it disables it if it's found to be enabled.
The malware deploys a granular solution for Antivirus software, tailored to the AV present on the infected machine. The malware calls ZwQuerySystemInformation to get ProcessInformation and ModuleInformation. The malware then walks the list of processes and modules looking for installed AV software. Our analysis indicates that the malware appears to have different code to Open/Create process and inject for each AV solution. For some Anti-Virus software this even appears to be version dependent. The function "ZwQuerySystemInformation" is also hooked by the malware, a technique frequently used to allow process hiding:

Data Harvesting and Encryption

This section describes how the malware collects and encrypts data from the infected machine.
Our analysis showed that the malware collects a wide range of data from an infected victim. The data is stored locally in a hidden directory, and is disguised with encryption prior to exfiltration. On the reference victim host, the directory was:
"C:\Windows\Installer\{49FD463C-18F1-63C4-8F12-49F518F127}."
We conducted forensic examination of the files created in this directory and identified a wide range of data collected. Files in this directory were found to be screenshots, keylogger data, audio from Skype calls, passwords and more. For the sake of brevity we include a limited set of examples here.
The malware attempts to locate the configuration and password store files for a variety browsers and chat clients as seen below (click image to enlarge):


We observed the creation of the file "t111o00000000.dat" in the data harvesting directory, as shown in the filesystem timeline below:
Thu Jun 14 2012 12:31:34 52719 mac. r/rr-xr-xr-x 0 0 26395-128-5 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/09e493e2-05f9-4899-b661-c52f3554c644
Thu Jun 14 2012 12:32:18 285691 …b r/rrwxrwxrwx 0 0 26397-128-4 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/t111o00000000.dat
Thu Jun 14 2012 12:55:12 285691 mac. r/rrwxrwxrwx 0 0 26397-128-4 C:/WINDOWS/Installer/{49FD463C-18F1-63C4-8F12-49F518F127}/t111o00000000.dat
4096 ..c. -/rr-xr-xr-x 0 0 26447-128-4

The infected process "winlogon.exe" was observed writing this file via Process Monitor (click image to enlarge):


Examination of this file reveals that it is a screenshot of the desktop (click image to enlarge):


Many other modules providing specific exfiltration capabilities were observed. Generally, the exfiltration modules write files to disk using the following naming convention: XXY1TTTTTTTT.dat. XX is a two-digit hexadecimal module number, Y is a single-digit hexadecimal submodule number, and TTTTTTTT is a hexadecimal representation of a unix timestamp (less 1.3 billion) associated with the file creation time.
Encryption
The malware uses encryption in an attempt to disguise harvested data in the .dat files intended for exfiltration. Data written to the files is encrypted using AES-256-CBC (with no padding). The 32-byte key consists of 8 readings from memory address 0x7ffe0014: a special address in Windows that contains the low-order-4-bytes of the number of hundred-nanoseconds since 1 January 1601. The IV consists of 4 additional readings.
The AES key structure is highly predictable, as the quantum for updating the system clock(HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\LastClockRate) is set to 0x2625A hundred-nanoseconds by default, and the clock readings that comprise the key and IV are taken in a tight loop:
…
0x406EA4: 8D45C0 LEA EAX,[EBP-0x40]
0x406EA7: 50 PUSH EAX
0x406EA8: FF150C10AF01 CALL DWORD PTR [0x1AF100C]
0x406EAE: 8B4DE8 MOV ECX,DWORD PTR [EBP-0x18]
0x406EB1: 8B45C0 MOV EAX,DWORD PTR [EBP-0x40]
0x406EB4: 8345E804 ADD DWORD PTR [EBP-0x18],0×4
0x406EB8: 6A01 PUSH 0×1
0x406EBA: 89040F MOV DWORD PTR [EDI+ECX],EAX
0x406EBD: FF152810AF01 CALL DWORD PTR [0x1AF1028]
0x406EC3: 817DE800010000 CMP DWORD PTR [EBP-0x18],0×100
0x406ECA: 72D8 JB 0x406EA4
0x406ECC: 80277F AND BYTE PTR [EDI],0x7F
…

The following AES keys were among those found to be used to encrypt records in .dat files. The first contains the same 4 bytes repeated, whereas in the second key, the difference between all consecutive 4-byte blocks (with byte order swapped) is 0x2625A.
70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31 bd cc 70 31
bd cc 70 31 bd cc
26 e9 23 60 80 4b 26 60 da ad 28 60 34 10 2b 60 8e 72 2d 60 e8 d4 2f 60 42 37
32 60 9c 99 34 60


In all, 64 clock readings are taken. The readings are encrypted using an RSA public key found in memory (whose modulus begins with A25A944E) and written to the .dat file before any other encrypted data. No padding is used in the encryption, yielding exactly 256 encrypted bytes. After the encrypted timestamp values, the file contains a number of records encrypted with AES, delimited by EAE9E8FF.
In reality, these records are only partially encrypted: if the record's length is not a multiple of 16 bytes (the AES block size), then the remainder of the bytes are written to the file unencrypted. For example, after typing "FinSpy" on the keyboard, the keylogger module produced the following (trailing plaintext highlighted):


The predictability of the AES encryption keys allowed us to decrypt and view these partially-encrypted records in full plaintext. The nature of the records depends on the particular module and submodule. For example, submodule Y == 5 of the Skype exfiltration module (XX == 14), contains a csv representation of the user's contact list:
Record # 0 Length: 243 bytes:
ó
@þÿ̳Ð
@
¤b¯Opþ192.168.131.67JRecordingEcsv 0þ-0800UTC DST.1þ2012-07-18 18:00:21.:þ1970-01-01 00:16:00Abhwatch1
Record # 1 Length: 96 bytes:
`USERNAME,FULLNAME,COUNTRY,AUTHORIZED,BLOCKED
Record # 2 Length: 90 bytes:
Zecho123,Echo / Sound Test Service,,YES,NO
Record # 3 Length: 95 bytes:
^bhwatch2,Bahrain Watch,United States,YES,NO


Submodule Y == 3 records file transfers. After a Skype file transfer concludes, the following file is created: %USERPROFILE%\Local Settings\Temp\smtXX.tmp. This file appears to contain the sent / received file. As soon as smtXX.tmp is finished being written to disk, a file (1431XXXXXXXX.dat) is written, roughly the same size as smtXX.tmp. After sending a picture (of birdshot shotgun shell casings used by Bahrain's police) to an infected Skype client, the file 1431028D41FD.dat was observed being written to disk. Decrypting it revealed the following:
Record # 0 Length: 441 bytes:
¹
@þÿ̳Ð
@
¤b¯Opþ192.168.131.67Abhwatch1Bbhwatch2″CBahrain WatchIreceivedrC:\Documents and Settings\XPMUser\My Documents\gameborev3.jpgJRecording 0þ-0800UTC DST.1þ2012-07-20 12:18:21.:þ2012-07-20 12:18:21
Record # 1 Length: 78247 bytes:
[Note: Record #1 contained the contents of the .jpg file, preceded by hex A731010090051400, and followed by hex 0A0A0A0A.]


Additionally, submodule Y == 1 records Skype chat messages, and submodule Y == 2 records audio from all participants in a Skype call. The call recording functionality appears to be provided by hooking DirectSoundCaptureCreate:

Command and Control

This section describes the communications behavior of the malware.
When we examined the malware samples we found that they connect to a server at IP address 77.69.140.194


WHOIS data[SUP]7[/SUP] reveals that this address is owned by Batelco, the principal telecommunications company of Bahrain:
inetnum: 77.69.128.0 77.69.159.255
netname: ADSL
descr: Batelco ADSL service
country: bh

For a period of close to 10 minutes, traffic was observed between the infected victim and the command and control host in Bahrain.
A summary of the traffic by port and conversation size (click image to enlarge):


The infected VM talks to the remote host on the following five TCP ports:
22
53
80
443
4111

Based on observation of an infected machine we were able to determine that the majority of data is exfiltrated to the remote host via ports 443 and 4111.
192.168.131.65:1213 -> 77.69.140.194:443 1270075 bytes
192.168.131.65:4111 -> 77.69.149.194:4111 4766223 bytes

Conclusions about Malware Identification

Our analysis yields indicators about the identity of the malware we have analyzed: (1) debug strings found the in memory of infected processes appear to identify the product and (2) the samples have similarities with malware that communicates with domains belonging to Gamma International.
Debug Strings found in memory
As we previously noted, infected processes were found containing strings that include "finspyv4.01" and "finspyv2" (click image to enlarge):
y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-tdiv_qr.c
y:\lsvn_branches\finspyv4.01\finspyv2\src\libs\libgmp\mpn-mul_fft.c
y:\lsvn_branches\finspyv4.01\finspyv2\src\target\bootkit_x32driver\objfre_w2k_x86\i386\bootkit_x32driver.pdb

Publicly available descriptions of the FinSpy tool collected by Privacy International among others and posted on Wikileaks[SUP]8[/SUP] make the a series of claims about functionality:

• Bypassing of 40 regularly tested Antivirus Systems
  
• Covert Communication with Headquarters
  
• Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
  
• Recording of common communication like Email, Chats and Voice-over-IP
  
• Live Surveillance through Webcam and Microphone
  
• Country Tracing of Target
  
• Silent Extracting of Files from Hard-Disk
  
• Process-based Key-logger for faster analysis
  
• Live Remote Forensics on Target System
  
• Advanced Filters to record only important information
  
• Supports most common Operating Systems (Windows, Mac OSX and Linux)
  

Shared behavior with a sample that communicates with Gamma
The virtual machine used by the packer has very special sequences in order to execute the virtualised code, for example:
66 C7 07 9D 61 mov word ptr [edi], 619Dh
C6 47 02 68 mov byte ptr [edi+2], 68h
89 57 03 mov [edi+3], edx
C7 47 07 68 00 00 00 mov dword ptr [edi+7], 68h
89 47 08 mov [edi+8], eax
C6 47 0C C3 mov byte ptr [edi+0Ch], 0C3h

Based on this we created a signature from the Bahrani malware, which we shared with another security researcher who identified a sample that shared similar virtualised obfuscation. That sample is:
md5: c488a8aaef0df577efdf1b501611ec20
sha1: 5ea6ae50063da8354e8500d02d0621f643827346
sha256: 81531ce5a248aead7cda76dd300f303dafe6f1b7a4c953ca4d7a9a27b5cd6cdf


The sample connects to the following domains:
tiger.gamma-international.de
ff-demo.blogdns.org


The domain tiger.gamma-international.de has the following Whois information[SUP]9[/SUP]:
Domain: gamma-international.de
Name: Martin Muench
Organisation: Gamma International GmbH
Address: Baierbrunner Str. 15
PostalCode: 81379
City: Munich
CountryCode: DE
Phone: +49-89-2420918-0
Fax: +49-89-2420918-1
Email: info@gamma-international.de
Changed: 2011-04-04T11:24:20+02:00


Martin Muench is a representative of Gamma International, a company that sells "advanced technical surveillance and monitoring solutions". One of the services they provide isFinFisher: IT Intrusion, including the FinSpy tool. This labelling indicates that the matching sample we were provided may be a demo copy a FinFisher product per the domain ff-demo.blogdns.org.
We have linked a set of novel virtualised code obfuscation techniques in our Bahraini samples to another binary that communicates with Gamma International IP addresses. Taken alongside the explicit use of the name "FinSpy" in debug strings found in infected processes, we suspect that the malware is the FinSpy remote intrusion tool. This evidence appears to be consistent with the theory that the dissidents in Bahrain who received these e-mails were targeted with the FinSpy tool, configured to exfiltrate their harvested information to servers in Bahraini IP space. If this is not the case, we invite Gamma International to explain.

Recommendations

The samples from email attachments have been shared with selected individuals within the security community, and we strongly urge antivirus companies and security researchers to continue where we have left off.
Be wary of opening unsolicited attachments received via email, skype or any other communications mechanism. If you believe that you are being targeted it pays to be especially cautious when downloading files over the Internet, even from links that are purportedly sent by friends.

Acknowledgements

Malware analysis by Morgan Marquis-Boire and Bill Marczak. Assistance from Seth Hardy and Harry Tuttle gratefully received.
Special thanks to John Scott-Railton.
Thanks to Marcia Hofmann and the Electronic Frontier Foundation (EFF).
We would also like to acknowledge Privacy International for their continued work and graciously provided background information on Gamma International.

Footnotes

[SUP]1[/SUP] http://www.finfisher.com/
[SUP]2[/SUP] http://owni.eu/2011/12/15/finfisher-for-.../#SpyFiles
[SUP]3[/SUP] http://blogs.aljazeera.com/profile/melissa-chan
[SUP]4[/SUP] This technique was used in the recent Madi malware attacks.
[SUP]5[/SUP] http://www.finfisher.com/
[SUP]6[/SUP] Unpacking Virtualised Obfuscators by Rolf Rolles http://static.usenix.org/event/woot09/te...rolles.pdf
[SUP]7[/SUP] http://whois.domaintools.com/77.69.140.194
[SUP]8[/SUP] E.g. http://wikileaks.org/spyfiles/files/0/28...FinSpy.pdf
[SUP]9[/SUP] http://whois.domaintools.com/gamma-international.de
Media coverage
The Wall Street Journal

Post written by Morgan Marquis-Boire
Tagged: Bahrain, Malware, Surveillance, [URL="https://citizenlab.org/tag/uk/"]UK
https://citizenlab.org/2012/07/from-bahr...t-exposed/[/URL]

[Magda Hassan]

Cyber Attacks On Activists Traced To FinFisher Spyware Of Gamma

By Vernon Silver - Jul 25, 2012 10:08 PM ET

It's one of the world's best-known and elusive cyber weapons: FinFisher, a spyware sold by U.K.- based Gamma Group, which can secretly take remote control of a computer, copying files, intercepting Skype calls and logging every keystroke.
For the past year, human rights advocates and virus hunters have scrutinized FinFisher, seeking to uncover potential abuses. They got a glimpse of its reach when a FinFisher sales pitch to Egyptian state security was uncovered after that country's February 2011 revolution. In December, anti-secrecy website WikiLeaks published Gamma promotional videos showing how police could plant FinFisher on a target's computer.

Enlarge image
Husain Abdulla, a U.S. citizen who is director of Americans for Democracy and Human Rights in Bahrain, is considering lawsuits and a complaint to the U.S. State Department about the border-crossing hack. Source: Husain Abdulla via Bloomberg


Enlarge image
Morgan Marquis-Boire, a security researcher at Citizen Lab, analyzed the infected e-mails for this story. Photographer: Jacob Kepler/Bloomberg


Enlarge image
Marczak found evidence that traces malicious software e-mailed to Bahraini activists back to FinFisher, a spyware sold by U.K.-based Gamma Group. Photographer: David Paul Morris/Bloomberg



"We know it exists, but we've never seen it -- you can imagine a rare diamond," says Mikko Hypponen, chief research officer at Helsinki-based data security company F-Secure Oyj. (FSC1V) He posted the Egypt documents online last year and said if a copy of the software itself were found, he'd write anti-virus protection against it.
Now he may get his wish.
Researchers believe they've identified copies of FinFisher, based on an examination of malicious software e-mailed to Bahraini activists, they say. Their research, which is being published today by the University of Toronto Munk School of Global Affairs' Citizen Lab, is based on five different e-mails obtained by Bloomberg News from people targeted by the malware.

Global Reach

Pro-democracy activists received the malware in Washington,London and Manama, the capital of Bahrain, the Persian Gulf kingdom that has been gripped by tension since a crackdown on protests last year.
The findings illustrate how the largely unregulated trade in offensive hacking tools is transforming surveillance, making it more intrusive as it reaches across borders and peers into peoples' digital devices. From anywhere on the globe, the software can penetrate the most private spaces, turning on computer web cameras and reading documents as they are being typed.
"Selling software that allows for the taking over of computers without rule of law can lead to abuse," says Courtney Radsch, senior program manager for freedom of expression at Washington-based Freedom House, which promotes human rights.
Gamma executive Martin J. Muench declined immediate comment pending research after being e-mailed a Web link to the Citizen Lab report and questions related to its findings. Muench, who leads the FinFisher product portfolio, is the managing director of the group's Munich-based Gamma International GmbH. Gamma Group also markets FinFisher through Andover, England-based Gamma International UK Ltd.
Muench said in a July 23 e-mail that the company can't comment on any individual customers and that Gamma complies with the export regulations of the U.K., U.S. and Germany.

Monitoring Criminals

Muench, 30, said in that e-mail that FinFisher is a tool for monitoring criminals, and that to reduce the risk of abuse of its products the company only sells FinFisher to governments.
The recipients of the Bahrain-related e-mails -- who include a naturalized U.S. citizen who owns gas stations in Alabama, a London-based human rights activist and a British-born economist in Bahrain -- each say they don't know of any law enforcement investigations or charges against them.
Two of the recipients said they were suspicious of the e- mails and didn't click on the attachments, while the third said he tried and failed to download an attachment to his Blackberry.
The analysis of their e-mails showed the malware they received acts as a Trojan, a type of software named after the legendary wooden horse that Greek warriors used to sneak into Troy before sacking the ancient city. It takes screen shots, intercepts voice-over-Internet calls and transmits a record of every keystroke to a computer in Manama.

Stolen Password

Observation of a researcher's purposely-infected laptop in Washington also showed the Trojan stole a password for an e-mail account, which was then accessed without permission.
The malware itself practically came with a product label for a brand of FinFisher called FinSpy, which is marketed for spying on computers: On the infected laptop, the computer code the malicious program installed bore multiple instances of the word "FinSpy," an examination of the computer's memory showed.
The technical evidence of a match came from the work of Morgan Marquis-Boire, a security researcher at Citizen Lab, who analyzed the infected e-mails for this story. He's publishing the detailed report of the findings in a paper today through Citizen Lab, athttp://citizenlab.org/2012/07/from-bahrain-with- love-finfishers-spy-kit-exposed.

Digital DNA

Marquis-Boire extracted a signature from the activists' samples -- a sort of digital DNA. He then gave the signature to other researchers to see if they could find a matching sample they might have collected in the course of their work.
The needle-in-a-haystack search came up with a match: a program that bore the hallmarks of a demonstration copy of FinFisher.
The evidence that the new sample they found was FinFisher itself was persuasive, Marquis-Boire said, because the presumed demo connected back to two websites, one with "ff-demo" in the name and the other with "gamma-international" in the name. The latter website, in turn, was registered to Martin Muench at Gamma International in Munich, online registration data show.
Bahrain has no policy of targeting political activists through surveillance technology, Luma Bashmi, a spokeswoman for the government's Information Affairs Authority, said in an e- mailed statement.
"Such allegations are taken very seriously and if there is any evidence that there is any misconduct in use of such technology, each case will be investigated immediately according to the laws and regulations of the Kingdom of Bahrain," she said.

Cyber-Arms Bazaar

FinFisher is just one of many increasingly available weapons for sale in the global cyber-arms bazaar.
The hacking techniques go beyond traditional surveillance of phone calls, e-mails and text messages, which governments conduct by tapping into communications networks that pass through their territory. Reports in the past year of repressive regimes using Western gear for domestic surveillance led the U.S. and European Union to impose restrictions on sales to some countries, such as Syria.
Technologies such as FinFisher mark the next step in a digital arms race, and are provided by other companies, such as Milan-based HackingTeam, whose programs, once installed, transmit an infected computer's activities. They are the retail cousins of state-made cyber weapons such as the Stuxnet computer worm, which damaged centrifuges in an Iranian nuclear plant and was jointly developed by the U.S. and Israel, according to the New York Times.

Surveillance Breakthrough

The discovery and tracking of such spyware shows how even the tiniest nations obtain cyber small arms and deploy them at home and across borders.
"We're moving to a new place with surveillance," says John Scott-Railton, a doctoral student at the University of California Los Angeles' Luskin School of Public Affairs who has helped track Trojans in Libya and Syria, where he says pro- regime hackers cobbled together malware attacks from free or inexpensive products available online. He also coordinated research for this study, passing the first malware samples from Bloomberg to Marquis-Boire.
The Bahraini case is a breakthrough because it shows the use of a more sophisticated, invasive hacking tool available for purchase by nations that might not be able to develop their own cyber weapons, Scott-Railton says. "The time for active penetration by states at a widely deployable scale has come," he says.

Hacker Turned Executive

Founded in 1990, Gamma Group relies on hacker-turned- executive Muench to market such capabilities to clients around the world. Just over six feet tall, Muench is a rock star of the global interception-technology conference circuit, listed in agendas only by his initials, MJM.
Wearing a trim black suit and skinny black tie, he attended the ISS World trade show, known in the industry as the Wiretapper's Ball, in Kuala Lumpur, Malaysia, in December. One of his talks was titled "Offensive IT Intelligence Information- Gathering Portfolio -- An Operational Overview."
FinFisher has such mystique that an intelligence worker who helps manage a Southeast Asian country's cybersecurity said Muench's presence at the show was the main reason he took extra precautions to detect hacker threats lurking in the wireless networks at the venue. The operative, who said he has attended a demonstration of the product, insisted that his name not be published because of his intelligence work.

Remotely Controlled

FinFisher promotional materials provide a general view into its capabilities, without naming the countries where it's sold.
"When FinSpy is installed on a computer system it can be remotely controlled and accessed as soon as it is connected to the internet/network, no matter where in the world the Target System is based," a Gamma brochure published by WikiLeaks says.
In response to questions about FinFisher's deployment, privately held Gamma issued a statement Jan. 27 that quoted Muench saying, "Most people understand that we can't divulge details about our clients, the products they buy or how they use them -- we don't want to tip off the criminals!"
The statement addressed the documents found in Cairo, which priced the system at 388,604 euros ($470,000), including maintenance. Gamma said no sale was made, and the trial version shown during its pitch never targeted unwitting computer users.
"Gamma presented the product FinSpy showing its operational capabilities with a Gamma-supplied special target notebook for demonstration purposes only," the statement said.
In the case of Bahrain, the malware did reach real targets, and led to an analysis of the software.

Suspicious E-mails

In Manama, Ala'a Shehabi, the U.K.-born economist, noticed she and other activists were receiving suspicious e-mails that purported to have news on topics including torture and prisoners. She forwarded them to Bloomberg.
Tests showed that the attached photos and documents would secretly install a program taking over their computers if clicked on and opened.
The analysis by Marquis-Boire exposed how the malicious program went through elaborate processes of hiding itself, running through a checklist of anti-virus programs to see if any were on the computer, and establishing a connection with the server in Manama to which it would send its data.
A dreadlocked New Zealander based in San Francisco, Marquis-Boire has plastered his laptop with a bumper sticker that says, "My other computer is your computer." (He did the research separately from his job as a security engineer at Google Inc., which wasn't involved in this project.)

Virtual Machine

The other half of the analysis involved watching the malware as it went about spying.
Bill Marczak, a computer science doctoral candidate at the University of California Berkeley, also received four samples from Shehabi. He installed the samples on a "virtual machine" on his laptop and monitored the Trojan's behavior. Marczak, who spent his high school years in Bahrain, is a founding member of Bahrain Watch, a group that advocates for more transparent governance in the kingdom.
Marczak established the link to Bahrain by tracing the Trojan's transmissions back to an Internet address in Manama. After receiving the fifth sample from Bloomberg News, Marczak found it led to the same online address.
Other information also pointed to FinFisher. Some details from FinFisher product specification documents obtained by Bloomberg News matched details of what Marczak found as he watched files stream out of his laptop.

Skype Data

According to the product specifications, when FinFisher filches Skype data, it transports the information back to the system's operators in files prefaced with the number 14 and ending with a series of characters representing the time the file was created.
When Marczak made a Skype call on his infected machine in California, he watched the Trojan grab the data -- and send it to Bahrain in files that, indeed, began with 14 and ended with a timestamp.
The apparent use of FinFisher against Bahraini activists underscores the need for broader Western export controls of surveillance technology, says Eric King, the head of research at London-based Privacy International.
The group's lawyers informed U.K. regulators in a July 12 letter that it plans to sue the government for failing to enforce laws already on the books that give it the power to block exports that can be used to violate human rights.

Repression Risk

"Plainly there is a very real risk, if not an inevitability, that surveillance equipment, such as the FinFisher products, has been, and continues to be, exported to countries where it is highly likely to be used for internal repression and breaches of human rights," the letter to the U.K. secretary of state for business innovation and skills said.
The Department for Business is considering Privacy International's letter and will respond, a spokesman said. The U.K. government has proposed that arms-related export controls followed by most Western nations be expanded to add certain surveillance technology, and is pursuing this with other countries, the department said in a statement.
Tensions have simmered in Bahrain since the government cracked down on mass protests last year involving opponents of Sunni Muslim rule over the Shiite majority. At least 35 people died in the violence between Feb. 14 and April 15, 2011, including four police officers and a soldier, according to the Bahrain Independent Commission of Inquiry, which investigated the unrest and found instances of torture. Low-level protests continue in the island nation of 1.2 million people, home to the U.S. Navy's Fifth Fleet.

Infection Attempts

Three Bahraini dissidents who said they received the malware-laden mailings were in Washington, London and Manama when the malware attempted to infect their computers in April and May. The first e-mails they received, sent in April, were titled "Existence of a new dialogue - Al-Wefaq & Government authority" and, in Arabic, "Events this week."
E-mails sent in May had the subject lines "Torture reports on Nabeel Rajab," a reference to a jailed opposition leader; "King Hamad Planning," a reference to the Bahraini king's trip to London for Queen Elizabeth II's diamond jubilee; and "Breaking News from Bahrain -- 5 Suspects Arrested."
Husain Abdulla, a U.S. citizen who is director of Americans for Democracy and Human Rights in Bahrain, said he tried to download the "Existence of a new dialogue" attachment on his Blackberry while walking from a Washington Metro station to meetings at a Congressional office building.
Abdulla, 34, the Mobile, Alabama-based owner of gas stations, now is considering lawsuits and a complaint to the U.S. State Department about the border-crossing hack.

Seeking Protection

"I'm going to take any legal venue I can to protect myself," Abdulla says.
Shehabi, 31, whose e-mails were the first to be analyzed for the study, is a British-born Bahraini activist and an economics lecturer with a PhD from Imperial College London. She received the e-mails in Bahrain.
"This was an attempt at violating my privacy in a country that does not believe in privacy rights," she says. "The U.K. company is responsible for selling infiltration tools to a government they know will use them to repress pro-democracy activists."
London-based Bahraini activist Shehab Hashem, 29, says he received three of the e-mails after he travelled to Sweden and Switzerland to draw attention to human rights violations in Bahrain. Two of those were identical to e-mails Shehabi received. The other, which he provided to Bloomberg News, was the fifth sample in the study.
"I thought it was just spam," he says. "I never thought that someone would be interested in hacking into my computer."
In Finland, Hypponen said before the publication of today's report that he and other malware hunters would enjoy dissecting a FinFisher sample.
"There's lots of chitchat amongst the security people about how it might work, but it's mostly just speculation. Nobody knows for real," he said.
Identifying FinFisher could turn the tables. "It's hard for them to sell a tool to secretly infect computers if anti- virus programs can detect it," he said.
http://www.bloomberg.com/news/2012-07-25...gamma.html

[Magda Hassan]

Servers in Canada linked to FinFisher spyware program

U of T lab says German-made espionage program traced to 25 countries

The Canadian Press

Posted: Mar 13, 2013 5:29 PM ET

Last Updated: Mar 13, 2013 5:26 PM ET

Read 28 comments28
[TABLE]
[TR]
[TD][TABLE]
[TR]
[TD="class: gig-button-td"]

[/TD]
[TD][/TD]
[/TR]
[/TABLE]

[/TD]
[/TR]
[/TABLE]



University of Toronto researchers have discovered a new group of servers in several countries, including Canada, linked to an elusive espionage campaign.
The research by the Citizen Lab, based at the University of Toronto's Munk School of Global Affairs, is providing new details about a German-made, high-tech piece of spy software that some fear may be used to target dissidents by oppressive regimes.
Researchers said Wednesday that they have identified 25 countries that host servers linked to FinFisher, a Trojan horse program which can dodge anti-virus protections to steal data, log keystrokes, eavesdrop on Skype calls, and turn microphones and webcams into live surveillance devices.
Researchers at the University of Toronto have linked a German-made espionage software program to servers in Canada and 24 other countries. (CBC)Canada, Mexico, Bangladesh, Malaysia, Serbia and Vietnam were among the host countries newly named in a report. That alone doesn't necessarily mean those countries' governments are using FinFisher, a program distributed by British company Gamma International, but it is an indication of the spyware's international reach.
Morgan Marquis-Boire, the report's lead author, said the IP addresses of the servers in Canada were traced back to a web hosting company, so it's hard to know who might be using FinFisher in Canada.
"They (Gamma) claim that they only sell to government, law enforcement and intelligence communities," said Marquis-Boire, a Citizen Lab researcher who is based in San Francisco.
"Given that hosting in (the web hosting company's) ranges is acquirable with the use of money, it's difficult to provide strong attribution."
His goal was "to show the proliferation of this type of active intrusion and surveillance," he said.
"It's not just phone tapping," Marquis-Boire said. "It's installing a backdoor on your computer to record your Skype conversations and go through your email."

Government use questioned

Advocacy group Privacy International said the report was further evidence that Gamma had sold FinFisher to repressive regimes, calling it a "potential breach of UK export laws."
Gamma had no immediate comment.
The company, based in the English town of Andover, has come under increasing scrutiny after a sales pitch for the spyware was recovered from an Egyptian state security building shortly after the toppling of dictator Hosni Mubarak in 2011. Reporting by Bloomberg News subsequently identified opposition activists from the Persian Gulf kingdom of Bahrain as targets of the company's surveillance software.
The discovery of FinFisher servers in countries run by authoritarian governments such as Turkmenistan and Ethiopia have raised further questions about the company's practices. On Tuesday, Paris-based journalists' rights group Reporters Without Borders named Gamma one of its five "corporate enemies of the Internet."
Gamma referred questions about FinFisher to its German developer, Martin Muench. Muench did not immediately return several emails seeking comment, but in a recent interview with German newspaper Suddeutsche Zeitung, he defended his work as part of the fight against crime.
"I think it's good when the police do their job," Muench told the daily. He dismissed the notion that what he was doing was violating anyone's human rights.
"Software doesn't torture anybody," he said.
http://www.cbc.ca/news/politics/story/20...anada.html

[Magda Hassan]

36 governments (including Canada's) are now using sophisticated software to spy on their citizens

By Leo Mirani @lmirani May 1, 2013

FinFisher's satisfied customers. Citizen Lab



A new report from Citizen Lab, a Canadian research center, shows surveillance software sold by FinFisher, a "governmental IT intrusion" company owned by the UK-registered Gamma International, is now active in 36 countries. That's up from the 25 countries reported two months ago.
Gamma's product, which it sells exclusively to governments, infects computers and mobile phones through devious means. These include posing as Mozilla Firefox and the (frankly quite elegant) ruse of using a "right-to-left override," which is typically used to render writing in Arabic but can work in any language. This helps it foil users trained to look out for suspicious file extensions by hiding, say, an ".exe," and making the file appear to be an image with a .jpg extension instead.
Once the file has been installed on a machine, the "command-and-control server," which does exactly what it sounds like it would, can be used to monitor the infected computer.
In the past, intelligence agencies have used the program to infiltrate "internet cafes in critical areas in order to monitor them for suspicious activity, especially Skype communication" and to target members of organized crime groups, according to a FinFisher brochure released by Wikileaks.
The product may also have been used in the past by repressive nations hoping to monitor dissidents. In his new book, Eric Schmidt mentions "a raid on the Egyptian state security building after the country's 2011 revolution [which] produced explosive copies of contracts with private outlets, including an obscure British firm that sold online spyware to the Mubarak regime." Gamma denied that it had supplied the regime with its program, which its agents were hawking for a piddling $560,000.
Gamma is far from the only such company. Governmental surveillance is a thriving marketworth about $5 billion annually, according to the Wall Street Journal. Firms such as the German Trovicor and Vupen, from France, also deal in "government grade exploits."
The business is necessarily discreet, but it's still legitimate. The use of such software is legal in many countries. None of which makes a presentation called "Governmental IT Intrusion: Applied Hacking Techniques Used by Governments" any less creepy.
http://qz.com/80153/36-countries-now-use...solutions/

[Magda Hassan]

Spyware used by governments poses as Firefox, and Mozilla is angry

Mozilla sends cease and desist letter to maker of FinFisher software.

by Jon Brodkin - May 2 2013, 2:41am AUSEST

• Privacy
  

Mozilla has sent a cease-and-desist letter to a company that sells spyware allegedly disguised as the Firefox browser to governments. The action follows a report by Citizen Lab, which identifies 36 countries (including the US) hosting command and control servers for FinFisher, a type of surveillance software. Also known as FinSpy, the software is sold by UK-based Gamma International to governments, which use it in criminal investigations and allegedly for spying on dissidents.
Mozilla revealed yesterday in its blog that it has sent the cease and desist letter to Gamma "demanding that these illegal practices stop immediately." Gamma's software is "designed to trick people into thinking it's Mozilla Firefox," Mozilla noted. (Mozilla declined to provide a copy of the cease and desist letter to Ars.)
The spyware doesn't infect Firefox itself, so a victim's browser isn't at risk. But the spyware "uses our brand and trademarks to lie and mislead as one of its methods for avoiding detection and deletion" and is "used by Gamma's customers to violate citizens' human rights and online privacy," Mozilla said. Mozilla continues:

Through the work of the Citizen Lab research team, we believe Gamma's spyware tries to give users the false impression that, as a program installed on their computer or mobile device, it's related to Mozilla and Firefox, and is thus trustworthy both technically and in its content. This is accomplished in two ways:
1. When a user examines the installed spyware on his/her machine by viewing its properties, Gamma misrepresents its program as "Firefox.exe" and includes the properties associated with Firefox along with a version number and copyright and trademark claims attributed to "Firefox and Mozilla Developers."
2. For an expert user who examines the underlying code of the installed spyware, Gamma includes verbatim the assembly manifest from Firefox software.
The Citizen Lab research team has provided us with samples from the following three instances that demonstrate how this misuse of our brand, trademarks and public trust is a designed feature of Gamma's spyware products and not unique to a single customer's deployment:

• A spyware attack in Bahrain aimed at pro-democracy activists;
  
• The recent discovery of Gamma's spyware apparently in use amidst Malaysia's upcoming General Elections; and
  
• A promotional demo produced by Gamma.
  

Each sample demonstrates the exact same pattern of falsely designating the installed spyware as originating from Mozilla. Gamma's own brochures and promotional videos tout one of the essential features of its surveillance software is that it can be covertly deployed on the person's system and remain undetected.

The Citizen Lab report provides pictorial evidence of the impersonation:
Enlarge
Citizen Lab
FinFisher doesn't just masquerade as Firefox. The Citizen Lab report says it has also been used to target Malay language speakers by "masquerading as a document discussing Malaysia's upcoming 2013 General Elections."
The countries where Citizen Lab identified FinFisher command-and-control servers are Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam.
We've asked Gamma if the company has a response to Mozilla's cease and desist letter but haven't heard back yet.
http://arstechnica.com/information-techn...-is-angry/

[Magda Hassan]

Torrent of the day (year?) and needing seeders

Gamma FinFisher hacked: 40 GB of internal documents and source code of government malware published

von Andre Meister am 06. August 2014, 17:23 in Ãœberwachung / Keine Kommentare

"Try before you buy! One free license key for the first taker!"

A hacker claims to have hacked a network of the surveillance technology company Gamma International and has published 40 gigabytes of internal data. A Twitter account has published release notes, price lists and source code. Malware researchers and human rights activists welcome the publication, Gamma itself refuses to comment. This is an english adaption of two German articles. Thanks to Anna and Kilian for their help on the translation.
Yesterday, we reported that the Twitter account @GammaGroupPR is publishing internal documents of the offensive computer intrusion product suite FinFisher/FinSpy, developed by Gamma and marketed and sold to state actors around the world. A post on reddit with the same username claims:

[…] a couple days ago when I hacked in and made off with 40GB of data from Gamma's networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB.
Here's a torrent of all the data. Please download and seed. Here's a twitter feed where I'm posting some of the interesting stuff I find in there, starting off slow to build up rather than just publish all the worst shit at once.

If this Tweet is accurate, the hacked server is finsupport.finfisher.com, but it was since taken down.
Unfortunately, the Dropbox-accuont with the original Torrent-file is "temporarily disabled", but we are happy to provide a mirror. (Magnet-Link)
The following are some of the files that were leaked on the Twitter account:
"FinSpy the professional botnet C&C solution"

Portable Document Format (PDF):

• Cyber solutions for the fight against crime (17 pages)
  
• FinSpy 3.00 User Manual 2011-06-05, by Stephan Oelkers (127 pages)
  
• FinSpyPC 4.51 (HotFix for 4.50) Release Notes 2014-04-14 (14 pages)
  
• FinSpyMobile 4.51 Release Notes 2014-04-14 (15 pages)
  

Microsoft Excel:

• FinFisher Price list 2014 2013-12-16 (updated: 2014-01-24)
  
• FinFisher Products Extended Antivirus Test (Anti-Virus Results FinSpy PC 4.51) 2014-04-04
  
• Device Tests FinSpyMobile 4.51 2006-09-16 (updated: 2014-04-15)
  

FinSploit Sales

There is a zip archive "FinSploit Sales" with a text file and three videos.
The README contains those Frequently Asked Questions:

Q: Can you supply a list of the current exploits?
A: Yes but we need to do this individually for each request as the available exploits change on a regular basis.
Q: Can we name the supplier?
A: Yes you can mention that we work with VUPEN here
Q: How does the customer get the exploits?
A: They will get access to a web-portal where they can then always download the available exploits
Q: Can this be used to deploy other trojans than FinSpy?
A: Yes, any exe file can be sent
Q: Which Operating Systems do you cover?
A: Currently the focus is on Windows Vista/7. Some exploits for XP are also available. At the moment there are no 0 day exploits for OSX, Linux or mobile platforms.

Really close: Martin Münch (Gamma) and Chaouki Bekrar (VUPEN) last month. Source: @cBekrar.

This further proves the close collaboration between german/swiss/british Gamma/FinSpy and the french exploit seller VUPEN. The limitation to Windows 7 and Vista seems outdated. Two years ago, we reported that FinSpy Mobile also exists for all common mobile systems (iOS, Android, BlackBerry, Windows Mobile and Symbian). And last year, internal slides showed that FinSpy was able to infect all major operating systems (Windows, Linux and Mac OS X). If the newly published files are unmodified, they were created in October 2011, only a few days before ISS (Intelligent Support Systems) World in the US,. Most likely this was the status for presenting it at this "Wiretappers Ball", and since then the product range was expanded to all common systems.
Here are the three videos that show how vulnerabilities in three common software types are exploited:

• Windows 7 SP1 Acrobat Reader PDF Exploit
  
• Windows 7 SP1 Browsers Exploit
  
• Windows 7 SP1 Microsoft Office 2010 DOC-XLS
  

Source code of FinFly Web

Another trophy is source code of FinFly Web, which found its way the code hosting platform GitHub. A company brochure that was published by WikiLeaks as part of the SpyFiles three years ago describes it like this:

FinFly Web is designed to provide remote and covert infection of a Target System by using a wide range of web-based attacks.
FinFly Web provides a point-and-click interface, enabling the Agent to easily create a custom infection code according to selected modules.
Target Systems visiting a prepared website with the implemented infection code will be covertly infected with the configured software.

A video advertises its features, and other documents describe provide more details.

Malware researcher: "This guy is a malware developer"

Raphaël Vinot, a malware researcher from France, has since decompiled a few java class files to make the code more understandable. He told netzpolitik.org (as himself, not his employer):

Yesterday, I just had a very fast look at the repository and decompiled a few class files. The website is a testing instance to show to the new clients what they can do.
I don't think there is anything particularly interesting in that code, but it is a very good platform to show to non-technical people what attackers can do and how it will look like in the wild.
I am personally going to reuse it at cyptoparties.
The most interesting thing I found is in the file SearchEnhancer.java, which references the website www.codito.de. This redirects to www.mushun.de, which in turn lists Martin J. Muench in the imprint. MJM used to work for Gamma GmbH and acted as a speaker for the company.
This guy is a malware developer and has to be treated like one. I really hope the clients are going to be revealed soon-ish, but most especially detections and indicators so it will be possible to share them with companies and other partners in order to detect FinFisher in the wild.

FinFisher: "We don't want to comment on this"

"@avast_antivirus was irresponsibly interfering with law enforcement investigations by detecting FinSpy 4.50″

Already yesterday we called up the Munich telephone number on finfisher.com and asked them for comment. At first, they denied being FinFisher, but then admitted it, albeit refusing to comment. Today we called them again, and again the answer was: "We don't want to comment on this." This time around, they greeted us with "FinFisher here" instead of denying it at first. When we asked, if we could speak to Martin Muench, we were rejected again:

netzpolitik.org: Is Mr. Muench available? I already talked to him before.
FinFisher GmbH: You already talked to him before?
netzpolitik.org: Yes, but that was a while ago. Maybe last year.
FinFisher GmbH: Mr Muench is not in the house.
netzpolitik.org: Not at all or just at the moment?
FinFisher GmbH: […]
netzpolitik.org: ?
FinFisher GmbH: Definitely not now.

We have heard rumors that Martin MJM' Muench does not work for Gamma/FinFisher anymore. If you have more information on this (or anything else on the topic): don't hesitate to contact us!

Human rights activist: "such techniques are not lawful"

Eric King, Deputy Director of the UK-based charity that defends and promotes the right to privacy across the world, told netzpolitik.org:

In the last few years, a spotlight has been shone on the secretive practice of government hacking. This completely unchecked area of intelligence collection amounts to some of the most intrusive forms of surveillance any government can conduct.
FinFisher are one of the most aggressive companies to try and supply the worlds law enforcement agencies with such tools, but without public debate, and clear laws authorising their use such techniques are not lawful. Privacy International and EFF have both filed lawsuits on behalf of activists who have been targeted by the Ethiopian government using FinFisher. Many more activists will have been targeted by repressive regimes, and surveillance companies like FinFisher must take responsibility for their role in that repression, and stop their damaging practices.

Security researcher: "generally considered criminal behavior"

Yesterday, Jacob Appelbaum, computer security researcher and hacker, told netzpolitik.org:

This document release shows that those responsible for protecting our security are aware of bypasses for commonly advocated security technologies. As an example, anti-virus bypass, which is a well known issue is compounded by the desire for certain attackers to ensure that bypassses are not fixed but rather exploited. There is a dual role here and the overall security of our computers is being subverted by this dual role to protect and the desire to infect protection loses in service of attacking people. Furthermore, we see that these government customers are aware that FinFisher is defrauding companies and their users by abusing their branding, logos and names something that is generally considered criminal behavior when done by any other actor on the internet.
These exploitable issues in commonly used software in our everyday telephones, personal computers and in our infrastructure are problems that need to be fixed; rather than fixing them, they are being exploited and are left vulnerable for any attacker, regardless of motive.

Today, Jacob Appelbaum adds:

This larger release of 40GB of data raises many interesting questions impersonating companies such as RealPlayer, Adobe, and others has been well documented by third parties; we now have further evidence of such attack vectors as well as the government officials who were party to this kind of fraud for their own benefit.

We hope, that there are many more interesting things to be found in the 40 GB torrent download. Please post your findings in the comments.

More here:
http://www.reddit.com/r/Anarchism/commen...al_leaked/