FinFisher: The Cyber Espionage Tool Found Everywhere

Wednesday, August 15, 2012

Plagiarist Paganini


(Translated from the original Italian)

A few days ago, after reading the news that the lawful interception malware FinFisher had been discovered in the wild, I thought: "Wow, finally we have the evidence, and we will probably debate for a long time the use of this tool and of similar agents."

But as fate would have it, the same day brought news that new malware had hit the Middle East, and interest in FinFisher faded abruptly.

What is surprising is that the FinFisher spyware has been discovered on at least five continents.

What is FinFisher?

It is a powerful cyber espionage agent developed by the Gamma Group that can secretly spy on a target's computers, intercepting communications, recording every keystroke and taking complete control of the host.

The spyware was developed for law enforcement and government use, but it appears to be favored by regimes that want to monitor opposition figures.

Bloomberg News reported on July 25 that security experts, led by security researcher Morgan Marquis-Boire, believed they had identified instances of FinFisher while investigating malware e-mailed to Bahraini activists.

The malicious emails obtained by Bloomberg News are not the only evidence of the spread of this malware: another team, led by Claudio Guarnieri of Boston-based security company Rapid7, analyzed the lawful interception malware discovered in the wild and explained how it communicates with its command server.

The study revealed that command servers matching the FinFisher fingerprint were also detected in Australia, the U.S., Dubai, the Czech Republic, Indonesia, Latvia, Mongolia, Estonia, Qatar and Ethiopia.

As Guarnieri clarified, the discoveries do not prove that the respective governments use FinFisher; it is possible that Gamma's clients operate the product in other nations.

According to the report published by Rapid7, "Analysis of the FinFisher Lawful Interception Malware":

"They are simply the results of an active fingerprinting of a unique behavior associated with what is believed to be the FinFisher infrastructure."

What really worries me is the uncontrolled spread of this malware, evidence of a thriving market that nevertheless has many dark sides.

As Guarnieri puts it:

"Once any malware is used in the wild, it's typically only a matter of time before it gets used for nefarious purposes... It's impossible to keep this kind of thing under control in the long term."

Gamma International GmbH managing director Martin J. Muench replied by dismissing the researchers' results. He asserted that Gamma has not sold its spyware to those countries and added that the samples used in the investigations were either stolen demonstration copies or had been sold via a third party.

Muench also stated that Gamma complies with the current export regulations of the U.K., U.S. and Germany; meanwhile, the governments of the countries where the servers were detected have either denied using the spying product or have avoided giving official explanations.

There is a great debate on the use of such spyware, which represents a serious threat to privacy and human rights, and the fact that it was detected all around the world shows how wide its diffusion is.

What is alarming is that a tool intended for a limited set of government and business customers has been found everywhere.

According to Guarnieri's study, the malware has a very noisy presence on the system: it installs many inline user-mode hooks in several running processes. The full list of the agent's functionalities is not yet clear, but the researchers believe it remains silent whenever it has no active Internet connection.
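The study above does not describe FinFisher's hooking engine in detail, so the following is an added, generic illustration (not code from Rapid7 or from the malware) of what an inline user-mode hook looks like at the start of a function and how a scanner spots one. It assumes 32-bit x86 code and the hot-patchable prologue many Windows exports begin with; the module addresses, export names and hooking-DLL base are constructed for the example.

```python
import struct

# Hot-patchable prologue that many 32-bit Windows API exports begin with:
# mov edi,edi ; push ebp ; mov ebp,esp. An inline hook overwrites these
# five bytes with a jump into the hooking engine's own code.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def detect_inline_hook(func_addr, prologue):
    """
    Classify the first bytes of a function. Returns (kind, target) when the
    bytes are one of the usual trampolines an inline hook writes over a
    prologue, or (None, None) when they are not.
    """
    if len(prologue) < 5:
        raise ValueError("need at least 5 bytes of prologue")
    op = prologue[0]
    if op == 0xE9:  # E9 rel32: jmp near, relative to the next instruction
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if prologue[:2] == b"\xff\x25" and len(prologue) >= 6:  # FF 25 disp32: jmp [disp32]
        return "jmp_indirect", struct.unpack_from("<I", prologue, 2)[0]
    if op == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:  # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", prologue, 1)[0]
    if op == 0xB8 and len(prologue) >= 7 and prologue[5:7] == b"\xff\xe0":  # mov eax,imm32 ; jmp eax
        return "mov_jmp_eax", struct.unpack_from("<I", prologue, 1)[0]
    return None, None


def scan_exports(exports, module_range):
    """
    exports: iterable of (name, address, first bytes read from memory).
    module_range: (lo, hi) of the module that owns them. A trampoline whose
    target lies outside the module is flagged as suspicious; jumps that stay
    inside the module are reported but not flagged, since legitimate code
    (hot-patch thunks, import stubs) can also start with a jmp.
    """
    lo, hi = module_range
    findings = []
    for name, addr, prologue in exports:
        kind, target = detect_inline_hook(addr, prologue)
        if kind is None:
            continue
        # For an indirect jmp the "target" is the pointer slot; a slot planted
        # by a third party also sits outside the module's own image.
        findings.append({
            "function": name,
            "kind": kind,
            "target": target,
            "suspicious": not (lo <= target < hi),
        })
    return findings


def jmp_rel32_to(func_addr, target):
    """Encode the 5-byte `jmp target` a hooking engine would write at func_addr."""
    return b"\xe9" + struct.pack("<i", target - (func_addr + 5))


# Constructed sample: a hypothetical module at 0x7C800000-0x7C8F6000 whose
# export prologues were read back from a live process. Names, addresses and
# the hooking-DLL base are made up for the illustration.
MODULE_RANGE = (0x7C800000, 0x7C8F6000)
HOOK_DLL_BASE = 0x10000000
SAMPLE_EXPORTS = [
    ("send",         0x7C801000, CLEAN_PROLOGUE + b"\x83\xec\x10"),                                # untouched
    ("recv",         0x7C802000, jmp_rel32_to(0x7C802000, HOOK_DLL_BASE + 0x1000) + b"\x8b\xec"),  # hooked
    ("WriteFile",    0x7C803000, b"\xff\x25" + struct.pack("<I", HOOK_DLL_BASE + 0x5000) + b"\x90"),
    ("ReadFile",     0x7C804000, b"\x68" + struct.pack("<I", HOOK_DLL_BASE + 0x2000) + b"\xc3\x90"),
    ("GetTickCount", 0x7C805000, jmp_rel32_to(0x7C805000, 0x7C8A0000) + b"\x90\x90"),  # in-module thunk
]

if __name__ == "__main__":
    for f in scan_exports(SAMPLE_EXPORTS, MODULE_RANGE):
        flag = "SUSPICIOUS" if f["suspicious"] else "in-module"
        print(f"{f['function']:13s} {f['kind']:12s} -> 0x{f['target']:08x} {flag}")
```

A real scanner reads the prologue bytes from the target process and the module ranges from its loaded-module list; the classification logic is the part shown here. A hook that jumps into a region owned by no loaded module (or by a module with no file on disk) is the strongest signal.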

The report states:

"According to CitizenLab's research and WikiLeaks cables, the following should be the supported features:"

  • Bypassing of 40 regularly tested Antivirus Systems
  • Covert Communication with Headquarters
  • Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List)
  • Recording of common communication like Email, Chats and Voice-over-IP
  • Live Surveillance through Webcam and Microphone
  • Country Tracing of Target
  • Silent extracting of Files from Hard-Disk
  • Process-based Key-logger for faster analysis
  • Live Remote Forensics on Target System
  • Advanced Filters to record only important information
  • Supports most common Operating Systems (Windows, Mac OSX and Linux)

"We believe that the Skype interception module is implemented by tampering with the circular sound buffer from Windows' DirectSound interface."

While tracking the C&C servers, the researchers noted an unexpected behavior: all the services bound on the ports with which the malware tries to exchange binary data respond in an unusual way to any HTTP request, even a malformed one.

For example, when connecting through telnet to the C&C address and sending "HEAD /", the service responded as follows:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

Hallo Steffi

Such behavior is of course ideal for fingerprinting, and that is how the researchers conducted a search for command servers worldwide, plotting them on a map and listing the related IP addresses:
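An added example (not Rapid7's scanner, whose code the post does not show) of the active fingerprint described above: open a TCP connection to a candidate server, send the minimal "HEAD /" request, and classify the reply by status line, Content-Type and the "Hallo Steffi" body. To keep it runnable offline it includes a constructed stub server that plays the remote side; the hostnames, ports and stub replies are assumptions, and the IP addresses above are deliberately not embedded.

```python
import socket
import threading

# Probe and marker taken from the observation quoted above.
PROBE = b"HEAD / HTTP/1.0\r\n\r\n"
BANNER_MARKER = b"Hallo Steffi"


def parse_http_response(raw):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF servers
        head, sep, body = raw.partition(b"\n\n")
    lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
    status = lines[0] if lines else b""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint(host, port, timeout=5.0):
    """
    Connect to host:port, send the deliberately minimal HEAD request and
    classify the answer. Returns a dict with:
      reachable - TCP connect succeeded
      status    - first line of the reply, if any
      match     - reply is a 200 text/html whose body carries the marker
    A match is a weak indicator only: any server can be made to say this,
    so treat it as a lead to corroborate (open ports, timing, samples).
    """
    result = {"reachable": False, "status": None, "match": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PROBE)
            chunks = []
            while sum(len(c) for c in chunks) < 65536:
                try:
                    data = sock.recv(4096)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return result
    result["reachable"] = True
    status, headers, body = parse_http_response(b"".join(chunks))
    result["status"] = status.decode("ascii", "replace")
    result["match"] = (
        status.startswith(b"HTTP/1.1 200")
        and headers.get(b"content-type", b"").startswith(b"text/html")
        and BANNER_MARKER in body
    )
    return result


def start_stub_server(reply):
    """
    Constructed stand-in for a remote service so the probe can be exercised
    offline: accepts one connection, reads whatever arrives, answers with
    `reply` and closes. Returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(1024)
            except socket.timeout:
                pass
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """Pick a loopback port that nothing listens on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Probe two constructed stubs (one mimicking the banner) and a closed port."""
    steffi = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: text/html; charset=UTF-8\r\n\r\n"
              b"Hallo Steffi\n")
    ordinary = (b"HTTP/1.1 404 Not Found\r\n"
                b"Content-Type: text/html\r\n\r\n"
                b"<html>nothing here</html>\n")
    return {
        "steffi": fingerprint("127.0.0.1", start_stub_server(steffi), timeout=3.0),
        "ordinary": fingerprint("127.0.0.1", start_stub_server(ordinary), timeout=3.0),
        "closed": fingerprint("127.0.0.1", closed_port(), timeout=1.0),
    }


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:9s} reachable={res['reachable']} match={res['match']} status={res['status']!r}")
```

Against real candidates you would loop `fingerprint()` over the host and each port the sample is configured to try; the post's own caveat applies, since the banner could be disabled or imitated at any time.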

  • (Indonesia)
  • (Australia)
  • (Qatar)
  • (Ethiopia)
  • (Czech Republic)
  • (Estonia)
  • (USA)
  • (Mongolia)
  • (Czech Republic)
  • (Latvia)
  • (Dubai, UAE)


In conclusion, the researchers declared their interest in governmental malware, but are worried by its widespread use.

"The malware seems fairly complex and well protected/ obfuscated, but the infection chain is pretty weak and unsophisticated. The ability to fingerprint the C&C was frankly embarrassing, particularly for malware like this. Combined, these factors really don’t support the suggestion that thieves refactored the malware for black market use."

It is only a matter of time before similar tools are used by the evil-minded for unspeakable purposes. What can we do to spread knowledge of them, and of how to protect ourselves from what is a serious attack on our privacy?

Update #1

The guys at EmergingThreats helped us refine our Snort rules a little bit in order to lower the possibility of false positives.

Following are the updated signatures, use them to detect FinSpy in your local networks:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; classtype:trojan-activity; reference:url,;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; sid:1000002; rev:1; classtype:trojan-activity; reference:url,;)

Update #2

At the time of writing, 8 out of the 12 servers are not responding anymore: all the ports originally used have been filtered or closed off after our analysis and the related news articles have been published.

Even the ones that were actively responding, like Latvia and Bahrain, are now inaccessible. Very odd timing, isn't it?

In the last few hours we have read of many people questioning the validity of the "Hallo Steffi" pattern, saying that it could be completely unrelated to the FinFisher toolkit, as Gamma's Muench also stated to Bloomberg.

Fair enough; we also mentioned in this same blog post that there is no way we can guarantee a direct connection between that string and the malware. We only reported an anomaly on the Bahraini infrastructure and the discovery of the same anomaly in other locations.

We believe that this unusual behavior could actually have been a deception technique adopted by the FinSpy Proxy to disguise the nature of the service, but that, when they realized it was being actively used for fingerprinting the C&C servers, it was promptly disabled to prevent further discoveries.

Every FinSpy sample is configured with a set of multiple ports that it can try to contact: it will start from the lower port (for example 20), attempt a connection 3 times and then move over to the next one.

When running the Bahraini FinSpy sample, especially now that the server is not responding, it attempts the following connections:

13:02:43.747370 IP > tcp 0
13:03:05.968816 IP > tcp 0
13:03:28.100628 IP > tcp 0
13:03:50.332553 IP > tcp 0
13:04:21.517231 IP > tcp 0

As you can see, the last one is port 4111.

We believe this is the standard FinSpy port and that all the other ones are probably just forwarded to 4111. The FinSpy "demo" sample contacted port 3111 to and, close enough.

Another interesting "coincidence" is that all the IP addresses that we observed responding with the "Hallo Steffi" banner also had/have port 4111 open; in fact, if you check the only 4 servers currently up, you can see:

Nmap scan report for (
Host is up (0.26s latency).
22/tcp   open     ssh
53/tcp   open     domain
443/tcp  open     https
4111/tcp open     xgrid

Nmap scan report for (
Host is up (0.044s latency).
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
443/tcp  open   https
4111/tcp open   xgrid

Nmap scan report for
Host is up (0.26s latency).
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
443/tcp  open   https
4111/tcp open   xgrid

Nmap scan report for
Host is up (0.16s latency).
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
443/tcp  open   https
4111/tcp open   xgrid
9111/tcp open   DragonIDSConsole

The last one also shows port 9111, which we observed along with port 3111 being open fewer times as well.

Is it more convincing now?
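The Snort signatures in Update #1 match on the first bytes the implant sends to its server. As an added example (not part of the Rapid7 post, and not a substitute for running Snort), the following decodes those two rules and applies their `content`/`depth`/`flow` semantics to constructed TCP payloads, including one where the handshake bytes appear beyond the depth window and one sent in the wrong direction, so the effect of each constraint is visible. The rule text is copied from above with its elided `reference:url` left as-is; the payloads are made up for the illustration.

```python
import re

# The two signatures from Update #1 (reference URL elided there, kept elided here).
FINSPY_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Initialization"; '
    'flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; sid:1000001; rev:1; '
    'classtype:trojan-activity; reference:url,;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"FinFisher Malware Connection Handshake"; '
    'flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; '
    'sid:1000002; rev:1; classtype:trojan-activity; reference:url,;)',
]


def decode_snort_content(text):
    """Turn a Snort content string (literal text with |hex| escapes) into bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2:                      # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Pull out the fields this matcher needs: msg, sid, content, depth, flow direction."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]

    def get(key):
        m = re.search(r"\b" + re.escape(key) + r':"?([^";]*)"?;', opts)
        return m.group(1) if m else None

    depth = get("depth")
    return {
        "msg": get("msg"),
        "sid": int(get("sid")),
        "content": decode_snort_content(get("content")),
        "depth": int(depth) if depth is not None else None,
        "to_server": "to_server" in (get("flow") or ""),
    }


def rule_matches(rule, payload, to_server=True):
    """
    content + depth as Snort applies them: the pattern must lie entirely
    within the first `depth` bytes of the payload (no depth: anywhere).
    flow:to_server restricts the rule to client-to-server packets.
    """
    if rule["to_server"] and not to_server:
        return False
    window = payload if rule["depth"] is None else payload[:rule["depth"]]
    return rule["content"] in window


def scan(payloads, rules=FINSPY_RULES):
    """Return (label, sid) for every payload/rule pair that fires."""
    parsed = [parse_rule(r) for r in rules]
    hits = []
    for label, direction, payload in payloads:
        for r in parsed:
            if rule_matches(r, payload, direction == "to_server"):
                hits.append((label, r["sid"]))
    return hits


INIT = bytes.fromhex("0c00000040017300")
HANDSHAKE = bytes.fromhex("5c000000a00272000c0000004004fe00")

# Constructed payloads: the real handshake is longer, only the leading bytes matter here.
SAMPLE_PAYLOADS = [
    ("init",          "to_server",   INIT + b"\x00" * 8),
    ("handshake",     "to_server",   HANDSHAKE + b"\x00" * 16),
    ("shifted",       "to_server",   b"\x00" * 4 + INIT),        # outside depth:8, must not fire
    ("http",          "to_server",   b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("init_reply",    "from_server", INIT + b"\x00" * 8),        # wrong direction for flow:to_server
]

if __name__ == "__main__":
    for label, sid in scan(SAMPLE_PAYLOADS):
        print(f"{label:12s} -> sid {sid}")
```

The `shifted` case is why `depth` matters for false positives: without it, eight bytes of low-entropy values like these would match inside unrelated binary streams far more often.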

Cross-posted from Security Affairs
