Precise details of the FinFisher range have been difficult to find since it is, according to Gamma Group, sold only to bona fide law enforcement and government agencies, which do not tend to admit that they use it. Now Mikko Hypponen, CRO at security firm F-Secure, has published a series of slides from FinFisher sales brochures and presentations that "were leaked on the net."
The first slide gives clues on its origin. The "research starting point was the most government used intrusion tool worldwide: Backtrack." The founder of Backtrack was recruited to the company; that is, says Hypponen, a reference to Martin Johannes Münch.
Other slides provide details on some of the FinFisher components: FinIntrusion Kit, FinUSB, FinFly (USB, Web and ISP) and FinSpy Mobile.
FinIntrusion focuses on WiFi intrusion. It is able to recover WEP passphrases within 2 to 5 minutes, and can break WPA1 and WPA2 passphrases with a dictionary attack. It can remotely break into email accounts, and can – on both wired and wireless networks – "extract usernames and passwords even for SSL/TLS-encrypted sessions like Gmail, Hotmail, Facebook, etc;" and, according to a separate slide, usernames and passwords for online banking.
FinUSB is the stuff of spy movies – it's a USB stick designed to 'covertly extract data' from the target system by 'sources that have physical access.' 'Housekeeping staff' are mentioned, a reminder to travelers not to leave their computers unattended in a hotel room.
FinFly is the mainstream spyware trojan, described by Gamma as its 'remote monitoring tool.' The USB, Web and ISP suffixes refer to the primary methods of infection. FinFly USB is a 'common USB device with hidden functionality'. It runs automatically on Windows 2000 and XP, and has one-click execution on Vista and Windows 7. Notably, it "can even infect switched off target systems when the hard disk is fully encrypted with TrueCrypt."
FinFly Web is used to deliver drive-by and watering hole attacks, and, says Hypponen, "can be integrated by a local ISP to inject the module into Gmail or Youtube when the victim accesses those 'trusted' sites."
FinFly ISP is deployed at an ISP that has been instructed or compelled to co-operate, or that does so willingly. It identifies the target by means such as username and password, MAC address, dial-in phone number or IMSI on mobile networks. It can hide the malware in the target's downloads, or inject it hidden in automatic software updates.
FinSpy Mobile is the mobile version, compatible with Android, BlackBerry, iOS and Windows Phone. All communication with the command-and-control (C&C) server is encrypted; it can record incoming and outgoing emails, provide location tracking, and provide "live surveillance through silent calls."
"Interestingly," comments Hypponen, "the description of FinSpy Mobile specifically mentions they support Windows Phone. This is the first reference of any malware for Windows Phone we are aware of."