Leaked FinFisher spyware docs detail surveillance limitations, antivirus detection

“Phineas Fisher” aka @GammaGroupPR, a parody Twitter account of the Gamma Group that specializes in FinFisher spyware, certainly knows how to snag attention. Its very first tweet announced, “Here at Gamma International, we’ve run out of governments to sell to, so we’re opening up sales to the general public!”

Here at Gamma International, we’ve run out of governments to sell to, so we’re opening up sales to the general public!

— Phineas Fisher (@GammaGroupPR) August 3, 2014

Then come the links to leaked FinFisher documents stored in Dropbox, including a product brochure featuring FinFisher’s selection of monitoring software and capabilities (pdf), user manual with troubleshooting tips for setting up a FinSpy server, price list, release notes for FinSpy Mobile 4.51, and another document that spells out how well the spyware does on Windows Mobile devices.

WikiLeaks Spy Files first released documents detailing FinFisher in 2011. Citizen Lab research from 2012 showed how the sneaky FinFisher surveillance had gone mobile. The leaked documents via @GammaGroupPR are the newest, with some dated April 2014.

Spyware, Trojan…you can call FinFisher whatever you want, but it’s malware meant to surreptitiously monitor targets. As malware, you would hope that antivirus solutions would detect and block it. Here’s a screenshot showing how “@avast_antivirus was irresponsibly interfering with law enforcement investigations by detecting FinSpy 4.50.” Thanks to @GammaGroupPR, you can see the extended test results, dated on April 2014, for the 35 antivirus products that detect FinFisher products on Windows XP, Windows 7 and Windows 8.

Although the HotFix release notes for FinSpyPC 4.51 (pdf) discuss OS X and Linux, since this is the Microsoft Subnet, here’s what it says about Windows as the target:

Gamma International

In red text, it specifies that the Trojan was adapted so it would avoid detection by Microsoft Security Essentials and Avast antivirus. In other words, Microsoft and Avast had been working to block the spyware. Microsoft’s Skype had also notified users via a popup before tweaks were made so FinSpyPC would fly under the radar.

Other tidbits from the user manual include that FinSpy can’t run without Microsoft .NET Framework being installed on Windows machines. The “Trust Center” settings must be changed in Microsoft Office for Word 2003 or 2007; “if not, FinSpy Agent will not be able to infect Microsoft Word (.doc) documents.” Another limitation deals with the Windows 8 Metro version of Skype, which is not supported.

Here’s a sample of what it would look like to analyze the data of a FinSpy target, but other screenshots show how an “agent” can add comments on the “Screen Recording” such as “MSN conversation which might prove subject involvement in case.”

Yet another description from the user manual about FinSpy modules claims that accessing file, changing files, command shell, deleted files, file access, forensic tools, keylogger, microphone, printer, scheduler, Skype, screen and webcam as well as VoIP all work with Microsoft Windows. Only a few also work with OS X and Linux.

Below are the supported platforms, according to the release notes for FinSpy Mobile 4.51:

“We’ve taken down our website at http://finsupport.finfisher.com/ while we investigate rumors that it may have been hacked,” @GammaGroupPR, tweeted yesterday, before the next tweet added, “Hope our customers’ data is safe.”

It’s unknown if that is true; if FinFisher (government) customers’ names or sensitive info were leaked, that would be a nasty break, huh?