Governmental FinSpy Spyware Shows up in 10 Countries

Marketed and sold as a solution that provides “world-class offensive techniques for information gathering.” to government agencies, the FinFisher spyware is “used to access target systems, giving full access to stored information with the ability to take control of the target system’s functions to the point of capturing encrypted data and communications.”

According to virus hunters and security researchers, after having studied the spyware last month, the spyware is capable of taking shots of users’ computer screens, record Skype chats, taking control of cameras and microphones, and keystroke logging.

The spyware came to light in last year’s Egyptians protests in March 2011 when protesters found an offer to buy the spyware for €287K or $353,000 following a raid at the country’s security headquarters. There were also instances where pro-democracy activists of Bahrain received suspicious emails which when studied revealed that the emails had evidence of FinSpy, which his part of the FinFisher spyware tool kit.

The findings of the study were published in July suggesting that the British product was not only used in surveillance but, was also used for much more beyond just surveillance activity.

Security firm Rapid7 managed to study the method of communication used by the spyware. They found that a computer system infected by this spyware responds with a unique message: “Hallo Steffi.” as and when probed with unexpected data.

Going a step further, Rapid7 scanned the Internet to check if there are other IP addresses that returned similar messages and the results were startling. As many as 11 IP addresses from 10 countries including Australia, Qatar, Latvia, the United Arab Emirates and the United States were detected. The thing that is even more surprising is that the IP address found in the US is tied to Amazon’s EC2.

Another surprising thing is the capability of the spyware to evade detection by as many as 40 antivirus products on the market. This definitely indicates that the engineers of the spyware are far more advanced than the people distributing it.

Mr. Muench, Managing Director of Gamma Group, told Bloomberg that the FinSpy samples may have been stolen demonstration copies or probably would have been reverse engineered. This argument doesn’t stand at all for the fact that the demo copies were not mere demos but fully functional copies.

There is no evidence in regards to how the spyware is being distributed and by whom. IP addresses that showed up through the Rapid7 do not pinpoint the source of the spyware perfectly. With a couple of IP addresses from country capital, chances of government involvement shoot up.