Oppressive governments have not been shy about using surveillance software to monitor dissidents’ activity. Like cybercriminals, these governments have been accused of using any means at their disposal to implant the spyware on computers.
One tactic, uncovered by Citizen Lab, Munk School of Global Affairs at the University of Toronto, used in attacks alleged to have been carried out by the Malaysian and Bahraini governments, involves embedding the notorious FinSpy program in a document masquerading as a copy of the Firefox Web browser. In a paper published yesterday documenting abuses of lawful intercept products that essentially behave as malware, researchers Morgan Marquis-Boire, Bill Marczack, Claudio Guarnieri, and John-Scott Railton, expose the commercialization of these products and how citizens’ lack of awareness of its use and abuse, and how to challenge it.
“Once a boutique capability possessed by few nation states, commercial intrusion and monitoring tools are now being sold globally for dictator pocket change,” wrote Marquis-Boire, noting how tools such as FinSpy, which is part of the FinFisher kit, are targeting not only oppressed people, but activists, journalists and human rights workers. “While this technology is frequently marketed as lawful intercept capability, in countries where criminal activity is broadly defined, or dissent is criminalized, these tools are used as a mechanism for repression. The concept of ‘lawful interception’ does not apply in countries where the rule of law is absent.”
Mozilla immediately took action, and has sent a cease-and-desist letter to Gamma International, the UK and German makers of FinFisher. Alex Fowler, Mozilla chief privacy officer, said Mozilla will not tolerate abuses of its brand for illegal practices.
“We cannot abide a software company using our name to disguise online surveillance tools that can be – and in several cases actually have been – used by Gamma’s customers to violate citizens’ human rights and online privacy,” Fowler said.
Fowler said the spyware not only tricks users into downloading the program, but that it is related to Mozilla and Firefox, giving it an air of trustworthiness. Mozilla alleges that Gamma International misrepresents FinSpy as Firefox.exe within the program’s properties and includes a Firefox version number and copyright and trademark claims from Mozilla developers.
“For an expert user who examines the underlying code of the installed spyware, Gamma includes verbatim the assembly manifest from the Firefox software,” Fowler said.
In addition to the attacks allegedly carried out in Bahrain and Malaysia, a promotional demonstration developed by Gamma International also demonstrates how abuse of Mozilla’s brand is a design feature of the spyware, Fowler said.
“Each sample demonstrates the exact same pattern of falsely designating the installed spyware as originating from Mozilla,” Fowler said. “Gamma’s own brochures and promotional videos tout one of the essential features of its surveillance software is that it can be covertly deployed on the person’s system and remain undetected.”
A Citizen Lab report released in March said that a FinSpy command and control server was found on a Malaysian IP address, kicking off a firestorm of media coverage that the government was using spyware to monitor its citizens, a practice that was immediately denied by the Malaysian Communications and Multimedia Commission. The Citizen Lab report said that shortly thereafter, FinSpy was discovered in a document posing as a candidate list for upcoming elections in the country. Once the document, which was similar to documents used in the Bahraini attacks, was opened, FinSpy was installed in the background. VirusTotal, the report said, said that eight security products detected the document as a dropper program, but none picked it up as FinSpy.
The sample document in the Citizen Lab report was last modified in November, and embeds a copy of the spyware posing as a legitimate Firefox installation. Further investigation discovered that once FinSpy was running, it communicated with command and control servers in Canada, Singapore and the U.S.
“While we cannot make definitive statements about the actors behind the booby-trapped candidate list, the contents of the document suggest that the campaign targets Malay speakers who are interested in Malaysia’s hotly contested 5 May 2013 General Elections,” the report said. “This strongly suggests that the targets are Malaysians either within Malaysia or abroad. We trust that both domestic and international elections monitoring officials and watchdog groups will investigate to determine whether the integrity of the campaign and electoral process may have been compromised.”
FinFisher command and control servers have since been found in 36 countries, many of which, the report says, are hijacked servers while others are in countries with spotty human rights records.
“We hope that civil society groups, as well as the competent regional and domestic authorities, will investigate the deployments we have described in order to determine whether any laws have been broken,” the report said.