Spyware able to record Skype and other voice over IP communications, log keystrokes and turn on a computer's webcam and microphone

Computers that appear to be running the commercially available FinFisher spyware sold to law enforcement and governments have been found in almost a dozen countries on five continents, a security researcher said on Wednesday.

Because of his discovery, Rapid7 researcher Claudio Guarnieri warned that corporate IT should monitor systems for signs of communication with command and control servers running FinFisher, made by U.K.-based Gamma Group.

Rapid7 has published the IP addresses and communication “fingerprint” of the command and control servers it has discovered. The information can be used in intrusion detection systems.

“If you can identify those networks actually communicating with those IPs, it most likely means some of the people on those networks are being spied on in some way,” Guarnieri said.

FinFisher is able to record Skype and other voice over IP communications, log keystrokes and turn on a computer’s webcam and microphone. The spyware, which can also steal files from a hard disk, is built to bypass dozens of antivirus systems.

Spyware that appeared to be FinFisher was first discovered last month in Bahrain. The malware was targeted at activists within the Persian Gulf kingdom. Gamma later told Bloomberg that it never sold the product to Bahrain and was investigating whether a demonstration copy had been stolen from the company.

After obtaining samples of the Bahrain malware, Guarnieri was able to isolate a peculiar way computers communicate with the software. The researcher found that the Bahrain server answered HTTP requests with the message “Hallo Steffi.”

With the discovery of the fingerprint, Guarnieri and his Rapid7 team started searching the Internet and found 12 C&C servers in 10 countries: the U.S., Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.

Whether governments or police are using the servers cannot be determined by the information gathered by Rapid7. The security company also cannot say for sure that the computers are running FinFisher. “But it’s a very big clue,” Guarnieri said of his findings.

“We think that they are most likely connected to the [FinFisher] infrastructure and are being run by different people across the globe,” he said.

Gamma told Bloomberg that it sells FinFisher according to export regulations of the U.K., U.S. and Germany. Nevertheless, once the spyware is released on the Internet, samples will likely end up in the hands of cybercriminals who could build their own versions.

“Now that FinFisher is in the public domain, every government the world over should assume that those who intend to seek and destroy or steal and manipulate will be studying the mechanics of how this application was designed and will undoubtedly develop more of its kind,” Dennis Portney, president of Security Forensics, told CSO Online.

The malware is also expected to be particularly difficult to detect. “With the stealth nature of these types of spyware, it is hard to estimate the number or scope of their infection or deployment,” Xuxian Jiang, an assistant professor and computer science researcher at North Carolina State University, said.
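The monitoring described above, applied to captured HTTP flows, as an added example that is not from Rapid7 or the original article. The flow record layout and the indicator addresses (RFC 5737 documentation ranges standing in for the published list) are assumptions; only the “Hallo Steffi” response text comes from the article.

```python
import ipaddress

FINGERPRINT = b"Hallo Steffi"  # response text reported in the article
# Constructed placeholders (RFC 5737 documentation addresses) standing in for
# the published C&C address list, which the article does not reproduce.
C2_INDICATORS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "198.51.100.7")}

def parse_http_response(raw: bytes):
    """Return (status, body) for a raw HTTP response, or None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].split(None, 2)
    if not sep or len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1]), body

def classify(flow):
    """List the reasons a flow matches an indicator; an empty list means no match."""
    reasons = []
    try:
        if ipaddress.ip_address(flow["dst_ip"]) in C2_INDICATORS:
            reasons.append("dst_ip on C&C list")
    except ValueError:
        pass  # malformed address in the log record: no address match possible
    parsed = parse_http_response(flow["response"])
    if parsed is not None and FINGERPRINT in parsed[1]:
        reasons.append("fingerprint in response body")
    return reasons

def scan(flows):
    """Map each internal source host to the reasons its flows were flagged."""
    hits = {}
    for flow in flows:
        for reason in classify(flow):
            hits.setdefault(flow["src_ip"], set()).add(reason)
    return hits

# Constructed sample flows (hypothetical record layout: src_ip, dst_ip, raw response).
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "response": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nHallo Steffi"},
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.44", "response": b"HTTP/1.0 200 OK\r\n\r\nHallo Steffi"},
    {"src_ip": "10.0.0.12", "dst_ip": "198.51.100.7", "response": b"\x16\x03\x01\x00\x2a"},
    {"src_ip": "10.0.0.20", "dst_ip": "192.0.2.80", "response": b"HTTP/1.1 200 OK\r\n\r\nhello"},
]

if __name__ == "__main__":
    for host, reasons in sorted(scan(SAMPLE_FLOWS).items()):
        print(host, sorted(reasons))
```

Reporting the two indicators separately matters here: a fingerprint match against an address not on the list points at a server the published list does not cover, while an address match without the fingerprint (for example, non-HTTP traffic) still warrants a look at the source host.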