FINFISHER: Finspy PC 4.10 Release Notes

Home , Rootkit

FinSpy / Release Notes FINUSB SUITE 1

SPECIFICATIONS

FINFISHER: FinSpy PC 4.10 Release Notes

FinSpy / Release Notes FINUSB SUITE 2

SPECIFICATIONS

Date 2012-06-18

Release information

Version Date Author Remarks

1.0 2010-05-27 ah Initial version

1.1 2010-05-31 ht Add change log

1.2 2010-06-28 ht New format

1.3 2011-11-13 lh FinSpy 3.10 Release

1.4 2012-02-15 lh FinSpy 4.00 Release

1.5 2012-03-26 Lh FinSpy 4.01 Hot Fix Release

1.6 2012.06.16 Lh FinSpy 4.10 Release

FinSpy / Release Notes FINUSB SUITE 3

SPECIFICATIONS

Table of Content

1 Overview ...... 4

2 ChangeLog ...... 5

3 Limitations...... 6

FinSpy / Release Notes FINUSB SUITE 4

SPECIFICATIONS

1 OVERVIEW FinSpy is designed to help Law Enforcement and Intelligence Agencies to remotely monitor computer systems and get full access to:

. Online Communication: Skype, Messengers, VoIP, E-Mail, Browsing and more . Internet Activity: Discussion Boards, Blogs, File-Sharing and more . Stored Data: Remote access to hard-disk, deleted files, crypto containers and more . Surveillance Devices: Integrated webcams, microphones and more . Location: Trace computer system and monitor locations

FinSpy / Release Notes FINUSB SUITE 5

SPECIFICATIONS

2 CHANGELOG Version 4.10 Component Change Description FinSpy Target WebCam Module The old video module which contained two sub Windows (design change) modules: webcam and screen was split in two new modules. The availability and functionality of the old video module will stay unchanged for old targets. The new targets will be able only to handle the new split modules. FinSpy Target Screenshot Module The old video module which contained two sub Windows (design change) modules: webcam and screen was split in two new modules. The availability and functionality of the old video module will stay unchanged for old targets. The new targets will be able only to handle the new split modules. FinSpy Target Screenshot Module The Screenshot Module is available also for Linux (new feature) Linux Targets. The functionality of the module for this platform is limited to live sessions only.

FinSpy Target / Antivirus Bypass In presence of AVAST Antivirus in seldom Rootkit (bug fix) situations the rootkit was blocking the system. This behaviour appears due to some race condition between the antivirus and rootkit.

FinSpy Agent Custom Forensics Provide the user the capability to use a custom (new feature) tool to gather forensic information from the target. This feature enables the user to upload on the target any executable, execute it, gather the output and store it in the master database.

FinSpy / Release Notes FINUSB SUITE 6

SPECIFICATIONS

LIMITATIONS This chapter covers current known limitations within the FinSpy Software.

Component Operating System / Language Description

FinSpy Generic All Full Anti-Virus/Anti-Spyware bypassing cannot be guaranteed due to regular changes in these

products

FinSpy Target / Windows Vista Symbolic links cannot be opened or Rootkit Windows 7 downloaded in "File Access" Module.

FinSpy Target / All Windows - Chinese The logging of the "wordpad.exe" key strokes Rootkit work only with 1 out of 3 provided IMEs (Input Method Editor).

FinSpy Target / All Windows - Arabic Keylogging of digits are logged in Latin-1 instead Rootkit of Arabic.

FinSpy Target / Windows 7/VISTA 64bit Target update from version 2.41 and older to Rootkit 3.00 will require the target to restart twice to have the updated code running. The target is reachable and fully functional during this time.

FinSpy Target / All Windows The VoIP Module does not generate a valid Rootkit recording for MSN Messenger voice conversation if the parties are not talking (no sound is made in microphones).

FinSpy Target / Windows 7 64 bit with Comodo The infection will be completed and the Rootkit heartbeats will be sent only after the target machine rebooted.

FinSpy Target / All Windows with Kaspersky The admin mode infection will be completed Rootkit version 2010 (this version only) and the heartbeats will be sent only after the target machine rebooted.

FinSpy / Release Notes FINUSB SUITE 7

SPECIFICATIONS

FinFly USB / FinFly USB Infection Dongle - If the user chooses in the target creation wizard Infection ISO Image Bootable Mode to generate a bootable FinFly USB dongle the infection stored for the bootable functionality Infection ISO Image will have none of the selected modules. This limitation is mandatory due to the limited space in the MBR.

FinFly USB / FinFly USB Infection Dongle - The FinFly USB dongle and the Infection ISO Infection ISO Image Bootable Mode Images can infect the MBR of the system in one of the following situations: Infection ISO Image . The installed OS is unencrypted . The installed OS is encrypted with TrueCrypt . The installed OS is encrypted with BitLocker

FinFly USB / FinFly USB Infection Dongle – The FinFly USB Infection Dongle in bootable Infection ISO Image Remove Infection mode can be used to remove the infection from a target only if the target is infected with the Infection ISO Image MBR Trojan.

After this type of removal the Trojan will not heartbeat anymore and will stay in the offline list and has to be moved manually to the Archived list by selecting “Remove Infection” in the FinSpy Agent.

Target Installer Infected Microsoft Office The infection will be installed only if the Documents infected Microsoft Office documents are opened with the Microsoft Office.

FinSpy / Release Notes FINUSB SUITE 8

SPECIFICATIONS