FinFisher government spyware spreading across the globe

Posted on August 16, 2012


A commercially available spyware tool intended for law enforcement agencies is turning up in countries where it should never have been sold, raising concerns that it could be commandeered by cyber crooks.

Security firm Rapid7 has managed to identify the the IP addresses of a handful of command and control (C&C) servers using the FinFisher snooping tool, which is developed by Gamma Group.

The firm said it has analysed characteristics that enable it to identify communications between the tool and C&C servers.

Rapid7 used this fingerprint to track the spyware and found 12 C&C servers in the US, Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.

Security researcher Claudio Guarnier said that while the company could not confirm whether agencies or governments were actively using the tool to mount cyber spying campaigns, it was unlikely the spy tool was yet being used by cyber criminals.

“We are not able to determine whether they’re actually being used by any government agency, if they are operated by local people or if they are completely unrelated at all,” wrote Guarnier.

“The malware seems fairly complex and well protected/obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don’t support the suggestion that thieves refactored the malware for black market use.”


Posted in: Random