Hallo Steffi! German spyware developers try their hand at humour
The commercial spyware developers at Gamma International appear to have programmed an inside joke into the servers used by the command and control (C&C) programs of the FinFisher FinSpy spyware trojan, according to an analysis of FinFisher by Rapid7 security researcher Claudio Guarnieri. When analysing the trojan, the security specialists at Rapid7 noticed that the queried servers were responding with "Hallo Steffi!", which seems to be some kind of inside joke, and suggests that the spyware was likely programmed in Germany or at least by German-speaking developers.
Since this could be easily reproduced in simple tests with Telnet, the researchers checked all servers in the Critical.IO project's database and found matching servers in Ethiopia, Australia, Dubai, Estonia, Indonesia, Qatar, Latvia, Mongolia, the Czech Republic and the US. It's not yet clear whether these servers are actually used to manage FinFisher installations or are just proxies; Ethiopia, at least, is far from an ideal location for managing a trojan. The servers have since stopped responding this way, which leads Guarnieri to believe that an update has been rolled out.
FinFisher recently made the news when it, or malware closely related to it, was allegedly used to target political activists in Bahrain. However, Bloomberg News has quoted Martin Münch, CEO of Gamma International of Munich, denying that software from the company has been used in Bahrain. In his email to Bloomberg, Münch speculates that it may be a stolen demo version and that FinFisher servers are protected by firewalls and could not be exposed with these kinds of server checks. Münch is also listed as the CEO of Mu Shun, which develops software for security agencies.
For network administrators, Guarnieri and his team have created signatures that can be used by intrusion detection systems such as Snort to detect network traffic from computers infected with FinFisher. The authors warn, however, that the byte sequences are quite short and could lead to false alarms.
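To illustrate the false-alarm caveat, here is an added example (not the Rapid7 signatures, which are not reproduced in the article) of a miniature Snort-style content matcher. It uses the "Hallo Steffi!" banner quoted above as stand-in rule content and shows how a short byte sequence matched anywhere in a payload fires on unrelated traffic, while anchoring it to the start of the server's response (Snort's offset/depth idea) does not; the sample payloads are constructed.

```python
# Added example: a tiny Snort-like content matcher demonstrating why short
# byte-sequence signatures produce false positives. Rule content is the
# "Hallo Steffi!" banner from the article as a stand-in; the actual
# Rapid7 rules are not reproduced here. Sample payloads are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Rule:
    name: str
    content: bytes               # byte sequence to look for
    offset: int = 0              # start searching at this byte (Snort 'offset')
    depth: Optional[int] = None  # search only this many bytes (Snort 'depth')


def matches(rule: Rule, payload: bytes) -> bool:
    """Return True when the rule's content occurs inside the allowed window."""
    window = payload[rule.offset:]
    if rule.depth is not None:
        window = window[:rule.depth]
    return rule.content in window


# Loose rule: the bytes may occur anywhere in the payload (short, unanchored).
LOOSE = Rule("finspy_banner_loose", b"Hallo Steffi!")
# Stricter rule: the banner plus CRLF must be the first 15 bytes the server sends.
STRICT = Rule("finspy_banner_strict", b"Hallo Steffi!\r\n", offset=0, depth=15)

# Constructed sample payloads, not captured traffic.
SAMPLES: Dict[str, bytes] = {
    "suspect_banner": b"Hallo Steffi!\r\n",
    "chat_message": b'{"from":"anna","text":"Hallo Steffi! Wie geht es dir?"}',
    "http_banner": b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}


def evaluate(rule: Rule, samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each sample name to whether the rule fires on it."""
    return {name: matches(rule, data) for name, data in samples.items()}


if __name__ == "__main__":
    for rule in (LOOSE, STRICT):
        print(rule.name, evaluate(rule, SAMPLES))
```

The loose rule flags the harmless chat message because the same 13 bytes appear inside it; the anchored rule fires only on the banner-first response, which is the kind of context a short signature needs before an alert is trusted.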
(Detlef Borchers / crve)