Combining technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide.

FINFISHER: IT Based Intrusion
July 31, 2013

Staying Safe in a Malicious World
Malicious software and intrusions have been on the rise over the past decade and there is no sign of a slowdown. Organizations should have proper controls and safeguards in place for the prevention, detection, and response of malware. Furthermore, adherence to information security best practices, such as those defined by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), can facilitate reduced risk exposure. When incidents arise, active use of a Computer Incident Response Team (CIRT) reduces the severity and intensity of exposure. CIRT teams can also mitigate future threats. Finally, ongoing education and training of employees about social engineering and good security practices decreases the human vulnerabilities that lead to malware infestation.

"WE CANNOT SOLVE OUR PROBLEMS WITH THE SAME THINKING WE USED WHEN WE CREATED THEM"
- Albert Einstein

Watchouts for Law Firms
1. Attorneys are targets because attorneys are holders of confidential information.
2. A single attorney may hold valuable information for many target clients.
3. Attorney names and contact information are publicly available on the Internet, making attorneys ideal targets for social engineering.
4. Law firms may also have weaker technology defenses than their corporate clients:
   a. Older technology such as Windows XP
   b. Not using encryption for data at rest, in use and in transit
   c. Lack of layered security such as firewalls, strong authentication, separate encrypted email, and isolation of critical computers (for example, banking systems isolated on a separate computer network)

The deployment of advanced Internet monitoring and intrusion products by governmental entities has resulted in broad global distribution of spyware products. Originally, such products enabled nation-states to achieve unparalleled levels of highly targeted and in-depth monitoring of their citizenry. The current reality is that this sophisticated spyware is now being incorporated into malware (malicious software) and is used outside governmental control. Knowledge of such spyware tools and their advanced capabilities is imperative to protecting organizational infrastructure and maintaining control over digital assets. This paper provides an introduction to spyware through a review of the software known as FinSpy.

So what is FinSpy?
FinSpy is part of the FinFisher™ suite of governmental remote monitoring and intrusion products sold by Gamma International, Ltd. FinSpy garnered significant public attention in early 2013 when the report From with Love: FinFisher's Spy Kit Exposed? was released by . The report provided a detailed exposé of malware that was identified as FinSpy. Essentially, FinSpy is powerful stealth software that can be installed on a user's laptop, computer, smart phone, or any computer media device. Unbeknownst to the targeted individual, FinSpy captures a diversity of information and transmits it over the Internet to a remote FinFisher Command & Control server for others to review. This information may include keystrokes, websites visited, files on the system, web cam output, and other computer functions.

FinSpy software is customizable and designed to operate in the background. For example, FinSpy can be adapted for a specific language such as Malay. Additionally, FinSpy can be disguised to look like software such as Mozilla, a practice that resulted in Mozilla issuing a cease-and-desist order against Gamma International.

How is FinSpy installed on a user device?
FinSpy can be installed through direct physical access to a device, or indirectly by a hyperlink in , SMS, a web page or a file. For example, Apple iPhones are vulnerable to this software through SMS phishing attempts that trick the user into installing supposedly needed security applications. Coincidentally, software such as iTunes has been identified as a potential source of FinSpy, although Apple reportedly patched the majority of these vulnerabilities. USB devices are another option for installing FinSpy. USB devices containing FinSpy can also be utilized for secondary surveillance, where a USB flash drive is inserted into a user device to extract data based on pre-configured commands.

How long does FinSpy stay on a device?
After FinSpy is downloaded to
a user's device, it will establish "persistence" in various locations in the operating system that allow it to run after a restart of the system. Persistence is a common characteristic of malicious software and payloads and means that such software is built to avoid detection and potentially survive deletion. Persistence is built within the software code and is executed by installing various computer commands in a computer's operating system and user files. This allows the malicious software to run its commands after a user powers on their device, unknown to the user.

What is a FinFisher Command & Control Server?
A Command & Control server is a central system that automates collecting information, managing software, monitoring and performing other activities. FinSpy spyware on a user's device communicates with a FinFisher Command & Control Server. This activity can be difficult to trace since FinFisher's related communications can be filtered or masked prior to reaching the intended monitoring location. Observers in charge of FinFisher Command & Control servers have the ability to record information from the infected machines and activate commands such as web cam features. An observer can monitor a number of infected machines within a user interface. According to a Citizen Lab report entitled For Their Eyes Only: The Commercialization of Digital Spying, it is believed that "FinFisher Command & Control servers are currently active, or have been present, in 36 countries."

Detection.
FinSpy will mask itself on a user's device by appearing to run as a legitimate program. FinSpy has other obfuscation techniques such as right-to-left file naming in order to mask the executable and make the payload look like a different extension. For example, right-to-left naming can be observed in "MYDOCFINANCIALexe.doc". This file would appear to be a Microsoft document, but in actuality the name contains the right-to-left override Unicode control character, and the operating system actually reads the file as "MYDOCFINANCIAL.exe". With the broader discovery of FinSpy, a number of anti-virus software companies, such as Bitdefender, McAfee, Symantec, and Kaspersky, have begun to detect the installation of FinSpy on computers and mobile devices. In these occurrences, anti-virus software has become a useful detection resource for consumers.

Prevention.
To prevent becoming a victim of FinSpy, it is advised that computer users actively look for and avoid clicking on unknown hyperlinks on any computing device. Additionally, adherence to well-established best practices such as installation and updating of anti-virus software is highly recommended. Also, regular updating of all software, including antivirus, Windows, Apple, Java and mobile platforms, to the latest stable version reduces the number of avenues an attacker would have available to install malicious software. A majority of exploited vulnerabilities are seen in older versions of software. For instance, businesses that use Windows XP may be an easy target for . Use of software such as Java also provides a gateway for a number of vulnerabilities, and Oracle works around the clock patching new vulnerabilities.

What's the future of governmental use of FinFisher?
Nation-state use of spyware continues to grow in sophistication as newer tools become available. For example, FinFisher was identified as being implemented by the Egyptian government prior to the 2011 revolution. According to Eric Schmidt's new book, "a raid on the Egyptian state security building after the country's 2011 revolution [which] produced explosive copies of contracts with private outlets, including an obscure British firm that sold online spyware to the Mubarak regime." With respect to individual rights, some nation-states adhere to formal laws and protocols that limit use of such software while other nation-states have no restraint of use. United States laws require authorization from a search warrant or court-ordered documentation issued by a judge to install such monitoring software onto a user's target device. The ECPA (Electronic Communications Privacy Act), 18 U.S.C. § 2709, protects
us from these intrusions against seizure if not ordered by a judge to produce records. There are a number of documentation steps the U.S. government is obligated to undertake prior to and during such an operation. Time restrictions will typically be placed on any of the activities. Nation-states also differ in how cyber-crimes are punished. Australian laws indicate that if one commits a "serious offense" with cyber-crime, one can be sentenced to life in prison. Japanese cyber laws contrast sharply, with punishment such as a single year of imprisonment.

Further difficulties arise as spyware moves beyond formal territorial boundaries and offers the ability to reach individuals regardless of geographical presence or citizenship. The ubiquitous nature of spyware poses significant risk for nation-states and their citizenry.

Conclusion
FinFisher is not the only surveillance and monitoring solution available to nation-states. According to the Wall Street Journal, this market is worth an estimated $5 billion annually. Other companies have released similar software, such as German Trovicor and French company Vupen. The growing number of spyware products and competition from newer vendors should put organizations on alert for the presence of this software. Eventually, these sophisticated spyware technologies find their way into malware deployments.

About Kivu Consulting
Kivu Consulting combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Kivu's digital forensics professionals are experts in collecting, analyzing and processing computer data. Organizations are storing information on ever-increasing numbers of devices, operating systems and shared platforms. These range from mobile devices to distributed "cloud networks." The result has been an explosion in vulnerability to data theft and the potential cost of e-discovery. Kivu is unique in understanding the legal implications and advising on the technical and practical challenges of digital forensics in the modern workplace. Our in-house team has testified as experts and worked on almost every conceivable type of computer media, configuration, and email application. Our expertise and years of experience allow us to avoid the icebergs and offer practical solutions to reduce costs.
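The right-to-left file naming described under Detection can be checked for programmatically. The following Python is an added example written for this page (it is not Kivu's code and has nothing to do with Gamma's software): it models how a file manager draws a name containing the U+202E override and flags any name whose displayed extension differs from the one the operating system will actually honour. The sample filenames are constructed.

```python
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the control character behind the RTL naming trick
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override
# Invisible bidi controls; none of them belongs in an ordinary filename.
BIDI_CONTROLS = {RLO, PDF, "\u202a", "\u202b", "\u202d", "\u2066", "\u2067", "\u2068", "\u2069"}

def rendered_name(name: str) -> str:
    """Approximate what a file manager draws: the run after U+202E is shown
    reversed until U+202C or end of string (simplified Unicode bidi model)."""
    shown, run, rtl = [], [], False

    def flush():
        shown.extend(reversed(run) if rtl else run)
        run.clear()

    for ch in name:
        if ch in (RLO, PDF):
            flush()
            rtl = ch == RLO
        elif ch in BIDI_CONTROLS:
            continue  # invisible on screen, so it is simply not drawn
        else:
            run.append(ch)
    flush()
    return "".join(shown)

def analyze(name: str) -> dict:
    """Compare the extension the OS will actually honour with the one the user sees."""
    actual_ext = os.path.splitext(name)[1].lower()
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    uses_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "name_repr": ascii(name),  # escaped, so the hidden control shows up in a log line
        "shown_as": shown,
        "actual_ext": actual_ext,
        "shown_ext": shown_ext,
        "suspicious": uses_bidi and actual_ext != shown_ext,
    }

def scan_names(names) -> list:
    return [r for r in map(analyze, names) if r["suspicious"]]

# Constructed sample listing (no real files). The second entry is built the way
# the newsletter describes and is displayed as "MYDOCFINANCIALexe.doc".
SAMPLE_NAMES = ["quarterly_report.docx", "MYDOCFINANCIAL" + RLO + "cod.exe", "notes.txt"]

if __name__ == "__main__":
    for hit in scan_names(SAMPLE_NAMES):
        print(hit["name_repr"], "is shown as", hit["shown_as"], "but runs as", hit["actual_ext"])
```

Pointing `scan_names` at `os.listdir(path)` turns it into a quick sweep of a download or mail-attachment folder; the escaped `name_repr` is what to keep in an incident log, since the raw name would render misleadingly there too.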

About the Author
Jeff Stanton, GCIH, is an Incident Response and Digital Forensic Analyst at Kivu Consulting. He conducts forensic analysis of digital evidence, leads computer investigations and provides expert reports, declarations and testimony. Jeff has 10 years' experience as a police detective and computer examiner. Jeff is a court-qualified computer forensics expert. He has extensive experience in the forensic preservation and analysis of various systems including Windows, Mac and Linux operating systems (OS). Jeff is an expert in mobile device forensics and cell tower evidence. He has performed forensic analysis on a diversity of cell phones and smart phones, including Android, Apple and Blackberry devices. Contact Jeff: [email protected]

kivuconsulting.com [email protected] 415.524.7320