April 19, 2024

Bits Blog: Company Denies Role in Recently Uncovered Spyware

6:35 p.m. | Updated: Adding discovery of latest sample of the spyware at end.

An executive at Gamma Group, a British company that sells surveillance technologies, denied on Wednesday that a spyware program running on servers in 11 countries is part of his company’s product line.

Gamma Group makes FinFisher, spyware that, according to the company’s promotional materials, can be “used to access target systems, giving full access to stored information with the ability to take control of the target system’s functions to the point of capturing encrypted data and communications.”

Martin J. Muench, a managing director at the company, said in an e-mail that the company only sells its products to governments for the express purpose of monitoring criminals. “The most frequent fields of use are against pedophiles, terrorists, organized crime, kidnapping and human trafficking,” he said.

But recent findings by security researchers suggest it is being used more broadly. Researchers believe they found FinFisher spyware in e-mails sent to three Bahraini activists — one in the United States, one in London and one in Bahrain — none of whom have criminal backgrounds. And they found that the spyware was communicating with a server in Bahrain. It was capable of grabbing images of users’ computer screens, recording their Skype chats, remotely turning on their cameras and microphones and logging their keystrokes. The word “FinSpy” — the name of part of the FinFisher product — appeared in the spyware’s code.

In an e-mail, Mr. Muench said he could not disclose Gamma Group’s client list or confirm whether his company had sold its spyware products to Bahrain. He said he thought the server the researchers found was most likely a proxy server, which redirects traffic to mask its true origins.

“The server that was found in Bahrain is very likely a custom-built software that was simply used as a proxy to forward traffic between two or more systems. It is not a product from the FinFisher product line,” Mr. Muench wrote.

But researchers question this explanation. “The timing suggests that the Bahrain server was not a proxy,” said Bill Marczak, a computer science graduate student at the University of California, Berkeley, who has been looking into the malware.

Proxy servers typically take longer to respond to commands because they have to forward traffic elsewhere. Researchers compared the response time of the Bahrain server to nonproxy servers and found no difference in their response times.

Mr. Muench also disputed additional findings by researchers at Rapid7, a security research firm, which found evidence that FinFisher spyware was being run off 11 additional servers in 10 countries, including on EC2, a popular Amazon cloud service, in the United States.

As of Wednesday afternoon, the spyware was still being dispersed from an I.P. address hosted on Amazon’s service. Researchers tested its response time and believe it is a proxy server. Amazon has not responded to a request for further information about the owner of the I.P. address and why it continues to send out spyware.

Rapid7’s researchers were able to find the Amazon I.P. address and the 10 others because they shared a unique trait with the Bahrain server. They found that when they sent unexpected data to that server, it responded with an unusual message: “Hallo Steffi.” They then scanned the Internet to uncover other I.P. addresses that responded with the same message and found others in Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, the United Arab Emirates and the United States.
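The two checks described above, the “Hallo Steffi” response match and the proxy timing comparison, can be run over already-recorded probe results; the following is an added illustration, not code from the researchers or from the original article. The permutation test, the 0.05 threshold, the record layout and every host and latency value are assumptions constructed for the example, and the timings are assumed to have been measured from a single vantage point at similar network distance.

```python
import random
from statistics import median

MARKER = b"Hallo Steffi"  # response string reported in the article

def permutation_p_value(a, b, rounds=5000, seed=1):
    """Two-sided permutation test on the difference of medians."""
    rng = random.Random(seed)  # fixed seed so the result is repeatable
    observed = abs(median(a) - median(b))
    pooled, hits = list(a) + list(b), 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        diff = abs(median(pooled[:len(a)]) - median(pooled[len(a):]))
        hits += diff >= observed
    return (hits + 1) / (rounds + 1)

def assess(record, baseline_ms, alpha=0.05):
    """Check one recorded probe for the marker and for added relay delay."""
    p = permutation_p_value(record["rtt_ms"], baseline_ms)
    slower = median(record["rtt_ms"]) > median(baseline_ms)
    return {
        "host": record["host"],
        "marker": MARKER in record["response"],
        # Only a significantly *slower* host is treated as a likely relay.
        "timing": "proxy-like" if p < alpha and slower else "direct-like",
    }

# Constructed sample data: documentation-range addresses, invented timings.
BASELINE_MS = [41, 43, 40, 44, 42, 45, 41, 43, 42, 44]  # known non-proxy hosts
RECORDS = [
    {"host": "192.0.2.10", "response": b"Hallo Steffi",
     "rtt_ms": [43, 44, 41, 43, 46, 40, 42, 44, 43, 41]},
    {"host": "198.51.100.7", "response": b"Hallo Steffi",
     "rtt_ms": [88, 92, 85, 95, 90, 91, 87, 93, 89, 94]},
    {"host": "203.0.113.5", "response": b"HTTP/1.1 400 Bad Request\r\n",
     "rtt_ms": [42, 41, 44, 43, 40, 45, 42, 43, 41, 44]},
]

def run():
    return [assess(r, BASELINE_MS) for r in RECORDS]

if __name__ == "__main__":
    for row in run():
        print(row)
```

A host that returns the marker with direct-like timing fits the researchers' reading of the Bahrain server, while a marker with proxy-like timing fits their reading of the Amazon-hosted address.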

“FinFisher servers would not respond in such a way and would not be able to be fingerprinted with such a technique,” Mr. Muench wrote in his e-mail. He added, “None of our server components send out strings like ‘Hallo Steffi.’”

“The core FinSpy servers are protected with firewalls which only allow incoming connections from the setup proxies, and therefore a global scan by third parties would not reveal any real FinSpy servers,” Mr. Muench said.

Mr. Muench added that Gamma Group was still investigating the malware samples found last week, but suggested that the company’s code may have been modified by someone else.

“We cannot confirm whether this is the actual FinFisher product as it does not match any of our released versions,” Mr. Muench said. “Any comment on how third parties may or may not have acted would be pure speculation on my part.”

As security researchers analyze the spyware, new samples continue to pop up. Late Wednesday, Morgan Marquis-Boire, the security researcher who first connected the Bahraini samples to FinSpy, said he had uncovered a new spyware sample running on a server in Britain. He said that the sample shared the same structure and functions as the spyware that was aimed at the Bahraini activists, and that he believed the spyware to be FinSpy.

Article source: http://bits.blogs.nytimes.com/2012/08/16/company-denies-role-in-recently-uncovered-spyware/?partner=rss&emc=rss
