Analysis of the Finfisher lawful interception malware

From Botnets.fr

Botnet: Finfisher
Malware: Finfisher (bot)
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CC protocol: HTTP
Date: 2012-08-08 (8 Aug 2012)
Editor/Conference: Rapid7
Link: https://community.rapid7.com/community/infosec/blog/2012/08/08/finfisher (Archive copy)
Author: Claudio Guarnieri
Type:

Abstract

It's all over the news once again: lawful interception malware discovered in the wild being used by government organizations for intelligence and surveillance activities. We saw it last year when the Chaos Computer Club unveiled a trojan being used by the federal government in Germany, WikiLeaks released a collection of related documents in the Spy Files, we read about an alleged offer from Gamma Group to provide the toolkit FinFisher to the Egyptian government, and we are reading once again now with the same one being delivered to human rights activists in Bahrain along with some spearphishing attacks. We all are very aware of a rising market of Western companies developing and selling malware for the use of government organizations all around the world, but whenever one of these products is found in other geographical areas, the potential political and ethical implications tend to generate interest. While I'm trying to provide context for the analysis below, it's not in the scope of this article to digress into the political context of the incident. We are security practitioners interested in technology and when dealing with malware, which in this case can be easily prone to abuses, we want to understand what they do, what's the spread and how we can respond.

Bibtex

 @misc{Guarnieri2012BFR1121,
   editor       = {Rapid7},
   author       = {Claudio Guarnieri},
   title        = {Analysis of the Finfisher lawful interception malware},
   date         = {2012-08-08},
   month        = aug,
   year         = {2012},
   howpublished = {\url{https://community.rapid7.com/community/infosec/blog/2012/08/08/finfisher}},
 }