WikiLeaks publishes "FinFisher Relay" and "FinSpy Proxy" weaponised malware

(Jack Coulter) #1

Today, 15 September 2014, WikiLeaks releases previously unseen copies of weaponised German surveillance malware used by intelligence agencies around the world to spy on journalists, political dissidents and others.

Considering the advent of rootkits that can survive even a disk wipe, by infecting the BIOS, or even the firmware of other components (graphics cards, network cards), do not run any of the software on that page on anything less than a fully isolated machine that you’re willing to trash / never trust again afterwards.

Also, a fun excerpt from one of the documents:

4 ANTI-VIRUS TESTING
FinSpy utilizes various techniques to bypass most known Anti-Virus and Anti-Spyware tools. In case a product cannot be bypassed, the agent will be faced with one of the following scenarios:

• The product displays pop-ups warning about suspicious activities and/or programs which can be accepted or rejected by the agent

Due to regular updates of these products, their behavior cannot exactly be specified. Regular tests are conducted within the Gamma Quality Assurance where all FinFisher products are checked against the latest version of these security products and new techniques for bypassing them are being researched in case a new detection has been discovered.

Current Antivirus systems in our quality assurance environment:

• Kaspersky Internet Security
• Comodo Internet Security Pro
• Norton Internet Security
• ESET Smart Security
• F-Secure Internet Security
• avast! Professional Edition
• Panda Internet Security
• AVG Internet Security
• ZoneAlarm Internet Security Suite
• BitDefender Internet Security
• Bullguard Internet Security
• CA Internet Security Suite Plus
• McAfee Internet Security
• Trend Micro Internet Security PRO
• ClamAV
• Sophos Security Suite
• VIPRE® Antivirus + Antispyware
• F-PROT Antivirus Version
• G DATA Internet Security
• Ikarus
• Mamutu
• NORMAN SECURITY SUITE
• Outpost Security Suite Pro
• RISING Internet Security
• Spybot Search & Destroy
• Spyware Doctor
• Steganos Internet Security
• Trustport PC Security
• VirusBuster Internet Security Suite
• Quick Heal Total Security
• Windows Defender
• K7 TotalSecurity
• Ad-Aware PRO
• Ashampoo AntiSpyware
• a-squared Anti-Malware
• Avira Premium Security Suite
• Dr.Web Security Space
• Security Essentials

(Bryn Busai) #2

Shit… do we know of any products that the spyware may have been bundled with, and any way to decontaminate the affected machines, apart from complete annihilation?

Also, a certain ex-MIT student would think that this would be an apt time to spruik GNU HURD (or GNU/Linux) on a Lemote Yeeloong netbook or a Gluglug LibreBoot X60 :stuck_out_tongue_winking_eye:.

But I digress…

(David Campbell) #3

Run a live OS from a CD if you want a secure environment, hah.

(Jack Coulter) #4

A live CD still has full hardware access; there’s no need to even touch the disk, as sufficiently advanced malware can persist in NIC firmware or in the BIOS/EFI.

(Bryn Busai) #5

But… you still need to trust the hardware manufacturers that their firmware hasn’t been infected by this crap, either by design or, as @jscinoz mentioned above, by an infection. Which is basically the point of The Ken Thompson Hack (original article).