Pierluigi Paganini
August 14, 2012
Two days ago, reading the news that lawful interception malware FinFisher was discovered in the wild I thought …
“wow finally we have the evidence, probably we will debate for a long time regarding the use of this tool and of similar agents”
But as fate would have it the same day came the news that a new malware has hit the Middle East and the interesting items on Finfisher ended in oblivion.
What is surprising is that the FinFisher spyware has been discovered on at least five continents.
What is FinFisher?
It is a powerful cyber espionage agent developed by Gamma Group that is able to secretly spy on target’s computers intercepting communications, recording every keystroke and taking the complete control of the host.
The spyware is for law enforcement and government use, but it seems to be preferred for those regimes that desire to monitor representatives of the opposition.
Bloomberg News reported on July 25 that security experts, led by security researcher Morgan Marquis-Boire, believe they identified instances of FinFisher during an investigation on malware e-mailed to Bahraini activists.
The malicious mails was obtained by Bloomberg News and are not the only evidence of spread of malware, another team led by Claudio Guarnieri of Boston-based security company Rapid7 has analyzed the lawful interception malware discovered in the wild explaining how they communicate with their command server.
The study has revealed that instances of the malware have been detected also in Australia, U.S, Dubai, the Czech Republic, Indonesia, Latvia, Mongolia, Estonia, Qatar and Ethiopia.
As Guarnieri clarified the discoveries don’t indicate that relative governments use Fisher, it is possible in fact that Gamma clients use the product in other nations.
According the report published by Rapid7 “Analysis of the FinFisher Lawful Interception Malware“:
“They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure,”
What really worried is the uncontrolled spread of these malware, evidence of a thriving market which nevertheless has many dark sides.
As submitted by Guarnieri:
“Once any malware is used in the wild, it’s Typically only a matter of time before it gets used for nefarious purposes,”
“It’s impossible to keep this kind of thing under control in the long term.”
Gamma International GmbH managing director Martin J. Muench replied disregarding results proposed by the researchers. He confirmed that the Gamma hasn’t sold its spyware to those countries and also added that samples used for investigations were stolen demonstration copies or were sold via a third party.
Muench confirmed that Gamma complies with the current export regulations of the U.K., U.S. and Germany meanwhile the governments of the countries where the instances were detected have denied to use the spying product or have avoided to provide official explanations.
There is a great debate on the use of spyware, they represents a serious threat to privacy and human rights, the fact that similar malware were detected all around the world is the demonstration of how much wide is its diffusion and what is scaring is how is possible that a tool intended for a limited number of categories of private business and governments has been found everywhere.
According the Guarnieri’s study the malware has a very noisy presence in the system, it installs inline many user-mode hooks in several running processes. It’s not clear at this moment the entire list of functionalities of the agent but the researchers believe that it remains silent whenever it doesn’t have an active Internet connection..
The reports states:
According to CitizenLab’s research and WikiLeaks cables, following should be the supported features:
We believe that the Skype interception module is implemented tampering the circular sound buffer from Windows’ DirectSound interface.
During the tracking of C&C servers the researchers noted an unexpected behavior, all the services binded on the ports the malware tries to exchange binary data with, respond in an unusual way whenever performing any, even malformed, HTTP request.
For example, when connecting through telnet to 77.69.140.194:80 and sending “HEAD /”, the service responded the following way:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length:12
Hallo Steffi
Of course similar behavior sounds perfect for fingerprinting, that is how the experts have conducted a search of command servers worldwide displaying them on a map and providing related IPaddresses:
Concluding the researchers declared that their high interest on governmental malware but are worried by its wide use.
The malware seems fairly complex and well protected/ obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don’t support the suggestion that thieves refactored the malware for black market use.
It ‘a matter of time, but similar applications can certainly be used by evil-minded for unspeakable purposes,
What we can do is to diffuse knowledge on them and spread info on how to protect themselves from what is a serious attack on our privacy.
Pierluigi Paganini
(Security Affairs – cyber espionage)
The guys at EmergingThreats helped us refine our Snort rules a little bit in order to lower the possibility of false positives.
Following are the updated signatures, use them to detect FinSpy in your local networks:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; sid:1000002; rev:1; classtype:trojan-activity; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher;)
At the time of writing 8 out of the 12 servers are not responding anymore: all the ports originally used have been filtered or closed off after our analysis and the related news articles have been published.
Even the ones that were actively responding until yesterday, like Latvia and Bahrain, are now inaccessible. A very odd timing, isn’t it?
In the last hours we read of many people questioning the validity of the “Hallo Steffi” pattern, saying that it could be completely unrelated to the FinFisher toolkit, as also Gamma’s Muench stated to Bloomberg. Fair enough, we also mentioned in this same blog post that there is no way we can guarantee a direct connection between that string and the malware, we only reported an anomaly on the Bahraini infrastructure and the discovery of the same anomaly in other locations.
We believe that this unusual behavior could have actually been a deception technique adopted by the FinSpy Proxy to disguise the nature of the service, but that when they realized it was actively used for fingerprinting the C&C servers was promptly disabled to prevent further discoveries.
Every FinSpy sample is configured with a set of multiple ports that it can try to contact: it will start from the lower port (for example 20), attempt a connection 3 times and then move over to the next one.
When running the Bahraini FinSpy sample, especially now that the server is not responding, it attempts the following connections:
13:02:43.747370 IP 10.0.2.15.1035 > 77.69.140.194.22: tcp 0 13:03:05.968816 IP 10.0.2.15.1036 > 77.69.140.194.53: tcp 0 13:03:28.100628 IP 10.0.2.15.1037 > 77.69.140.194.80: tcp 0 13:03:50.332553 IP 10.0.2.15.1038 > 77.69.140.194.443: tcp 0 13:04:21.517231 IP 10.0.2.15.1039 > 77.69.140.194.4111: tcp 0
As you can see the last one is port 4111.
We believe this is the standard FinSpy port and that all the other ones are probably just forwarded to 4111. The FinSpy “demo” sample contacted port 3111 totiger.gamma-international.de and ff-demo.blogdns.org, close enough.
Another interesting “coincidence” is that all the IP addresses that we observed responding with the “Hallo Steffi” banner also had/have port 4111 open, in fact if you check the only 4 servers currently up you can see:
Nmap scan report for bba44246.alshamil.net.ae (86.97.255.50) Host is up (0.26s latency). PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 443/tcp open https 4111/tcp open xgrid Nmap scan report for 94.112.255.116.static.b2b.upcbusiness.cz (94.112.255.116) Host is up (0.044s latency). PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http 443/tcp open https 4111/tcp open xgrid Nmap scan report for 112.78.143.26 Host is up (0.26s latency). PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http 443/tcp open https 4111/tcp open xgrid Nmap scan report for 213.55.99.74 Host is up (0.16s latency). PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http 443/tcp open https 4111/tcp open xgrid 9111/tcp open DragonIDSConsole
The last one also shows port 9111, which we observed along with port 3111 being open fewer times as well.
Is it more convincing now?
