Wikileaks outs latest FinFisher 'government spyware' that anti-virus can't spot


WikiLeaks founder Julian Assange gestures during a news conference at the Ecuadorian embassy in central London August 18, 2014.

Credit: REUTERS/John Stillwell

Wikileaks has released what it claims are previously unknown fourth-generation versions of the controversial 'government' FinFisher spyware, lambasting the German Government for allowing it to be sold to "some of the most abusive regimes in the world."

In a media announcement fronted with statements from Ecuadorian embassy refugee and editor in chief Julian Assange himself, Wikileaks offered the files for a number of the spyware's components, including Relay 4.3, Proxy 2.1, and Master 2.1, and zips containing 'weaponised' executables for the Windows FinSpy client used to monitor events such as a Skype conversation.

The organization said its motivation for releasing the files was to "challenge the secrecy and the lack of accountability of the surveillance industry," a reference to the fact that this malware is legally used by a wide variety of governments, including repressive ones.

"FinFisher continues to operate brazenly from Germany selling weaponized surveillance malware to some of the most abusive regimes in the world," wrote Assange.

"The Merkel government pretends to be concerned about privacy, but its actions speak otherwise. Why does the Merkel government continue to protect FinFisher? This full data release will help the technical community build tools to protect people from FinFisher including by tracking down its command and control centers."

Releasing malware files looks more like a publicity stunt than a major help to the security industry, although it's unlikely that many, or even any, security vendors would have detected it. That said, even if they now do, the makers of FinFisher can simply produce a new iteration, if they haven't already done so.

Also released by Wikileaks is a bundle of mostly old and known documents, including cheap-looking videos, dull brochures and support details. However, one eye-catching item is a spreadsheet from April 2014 laid out like a perverse antivirus test where almost every single product fails on almost every single count. For these anti-testers, a failure happens when a program detects FinFisher.

This underlines how easy it now is to get past more or less any antivirus program, as long as the malware is new enough or the antivirus old enough. In fairness, it is a tough job for security firms. FinFisher isn't like conventional malware in that it is directed against tiny numbers of people spread across the globe. Spotting malware this rare is a hard task.

Information taken from the cache also suggested that FinFisher had been used by 64 customers, with 171 licenses issued. That doesn't sound like a lot, but this is a very, very expensive piece of software and a license gives a lot of use. Wikileaks reckons that it has generated revenue of up to $100 million and counting.

Governments that had used it, identified through support requests, included Slovakia, Mongolia, Qatar, South Africa, Bahrain, Pakistan, Estonia, Vietnam, Belgium, Nigeria, Netherlands, PCS Security in Singapore, Bangladesh, Hungary, Italy, Bosnia & Herzegovina, and even Australia's NSW state Police, Wikileaks said.

Wikileaks describes Gamma International as being a German company, but it's not entirely clear that it's that simple. The holding company, Lench IT Solutions, has a UK subsidiary (where the company started), Gamma International Ltd, but also a German equivalent, Gamma International GmbH. Mysterious.

What we do know is that FinFisher is hugely popular. Too popular. It has also upset companies such as Mozilla, which in 2013 sent the firm a cease and desist letter after discovering that the spyware was impersonating Firefox in order to infect targets.

This story, "Wikileaks outs latest FinFisher 'government spyware' that anti-virus can't spot" was originally published by Techworld.com.
