Analysis of the Finfisher lawful interception malware
| Field | Value |
|---|---|
| Botnet | Finfisher |
| Malware | Finfisher (bot) |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | HTTP |
| Date | 8 Aug 2012 |
| Editor/Conference | Rapid7 |
| Link | https://community.rapid7.com/community/infosec/blog/2012/08/08/finfisher |
| Author | Claudio Guarnieri |
| Type | |
Abstract
“It's all over the news once again: lawful interception malware discovered in the wild being used by government organizations for intelligence and surveillance activities. We saw it last year when the Chaos Computer Club unveiled a trojan being used by the federal government in Germany, WikiLeaks released a collection of related documents in the Spy Files, we read about an alleged offer from Gamma Group to provide the toolkit FinFisher to the Egyptian government, and we are reading once again now with the same one being delivered to human rights activists in Bahrain along with some spearphishing attacks. We all are very aware of a rising market of Western companies developing and selling malware for the use of government organizations all around the world, but whenever one of these products is found in other geographical areas, the potential political and ethical implications tend to generate interest. While I'm trying to provide context for the analysis below, it's not in the scope of this article to digress into the political context of the incident. We are security practitioners interested in technology and when dealing with malware, which in this case can be easily prone to abuses, we want to understand what they do, what's the spread and how we can respond.”
Bibtex
@misc{Guarnieri2012BFR1121,
  editor = {Rapid7},
  author = {Claudio Guarnieri},
  title = {Analysis of the Finfisher lawful interception malware},
  day = {08},
  month = aug,
  year = {2012},
  howpublished = {\url{https://community.rapid7.com/community/infosec/blog/2012/08/08/finfisher}},
}