
Spyware found on SA servers

FinFisher, spy software used by governments, has been found on two IP addresses registered to Telkom.

By Nicola Mawson, Contributor.
Johannesburg, 06 May 2013
Although FinFisher's target market is the government, it is not clear whether the two servers found to host the software in SA are being used by the state.

Two IP addresses belonging to the ADSL range registered by Telkom have been found to host FinFisher command and control servers, according to a recently released report.

"For their Eyes Only: The Commercialisation of Digital Spying", a report by Citizen Lab, Canada Centre for Global Security Studies, Munk School of Global Affairs, and the University of Toronto, found FinFisher servers in 11 new countries, including SA.

FinFisher, also known as FinSpy, is a monitoring tool that "enables governments to face the current challenges of monitoring mobile and security-aware targets that regularly change location, use encrypted and anonymous communication channels, and reside in foreign countries," according to Wikileaks.

However, because of the limited nature of the information in the report, it is not clear whether the software is being used by the state, or by criminals who have illicitly obtained it.

Once FinSpy is installed on a computer, it can be remotely controlled and accessed as soon as the machine connects to the Internet. The software is claimed to bypass 40 regularly tested anti-virus products, to monitor Skype calls, chats and file transfers, and to record e-mail, instant messages and voice over IP.

FinFisher, which gives its operator full control over a device, can also conduct live surveillance through webcams and microphones, silently extract files from hard drives, and runs on most operating systems.

Widespread

In March, the Canadian group published its latest report, identifying 34 FinFisher command and control servers. Since the first scans conducted by Rapid7 in 2012, FinFisher command and control servers have been found in 36 countries, including several in Europe, Australia, India, the US and the East.

The latest report identifies servers in the 41.241 range, which it lists as belonging to Telkom. The report redacts the rest of the IP addresses, although an IP lookup shows they are a DSL range belonging to Telkom. Telkom had 841 831 ADSL subscribers at the end of September.

"For their Eyes Only" notes that although it only released the first two octets of server addresses in its March report, many of the servers referenced were quickly taken offline after publication. "Only 17 of these servers remain online."
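Releasing only the first two octets of an address is a deliberately coarse indicator: "41.241" is a /16, which covers 65,536 addresses, the whole of the Telkom DSL pool the article describes, and cannot single out a host. The following is an added example, not code from the Citizen Lab report or from ITWeb, of how a defender would still put such a partial indicator to work: expand the redacted prefix into the network it covers and flag outbound connections into it for follow-up. The "src -> dst:port" log format and the log lines are constructed for this example.

```python
"""
Added example (not from the Citizen Lab report or the article):
turn a partially redacted C2 address such as "41.241" into the network
it covers and flag outbound connections into that network.

The log format and every line in SAMPLE_LOG are constructed for this
example; they are not real traffic.
"""
import ipaddress
import re

# Constructed firewall log lines in an assumed "timestamp action src -> dst:port" format.
SAMPLE_LOG = """\
2013-05-06T08:12:01Z ALLOW 10.0.0.17 -> 41.241.12.34:443
2013-05-06T08:12:05Z ALLOW 10.0.0.17 -> 173.194.67.102:443
2013-05-06T08:13:44Z ALLOW 10.0.0.23 -> 41.240.200.1:80
2013-05-06T08:15:09Z ALLOW 10.0.0.42 -> 41.241.255.250:8080
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+):(\d+)$")


def redacted_prefix_to_network(prefix: str) -> ipaddress.IPv4Network:
    """Map a redacted IPv4 address ("41.241", "41.241.x.x", "41.241.12.34")
    to the smallest network containing every address it could denote.
    Octets are read until the first redacted (non-numeric) one."""
    octets = []
    for part in prefix.strip().split("."):
        if not part.isdigit():
            break
        value = int(part)
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range in {prefix!r}")
        octets.append(str(value))
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"no leading octets in {prefix!r}")
    padded = octets + ["0"] * (4 - len(octets))
    # One leading octet -> /8, two -> /16, three -> /24, four -> /32.
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}", strict=True)


def parse_log(text: str):
    """Yield one record per well-formed log line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, port = m.groups()
        yield {"ts": ts, "action": action, "src": src,
               "dst": ipaddress.ip_address(dst), "port": int(port)}


def find_connections_into(text: str, prefixes):
    """Return (src, dst, port, matched_network) for every connection whose
    destination falls inside any of the redacted prefixes."""
    nets = [redacted_prefix_to_network(p) for p in prefixes]
    hits = []
    for rec in parse_log(text):
        for net in nets:
            if rec["dst"] in net:
                hits.append((rec["src"], str(rec["dst"]), rec["port"], str(net)))
                break
    return hits


if __name__ == "__main__":
    net = redacted_prefix_to_network("41.241")
    print(f"{net} covers {net.num_addresses} addresses")
    for hit in find_connections_into(SAMPLE_LOG, ["41.241"]):
        print("review:", hit)
```

A match here is a lead, not a verdict: it says only that an internal host spoke to some address inside the Telkom DSL pool, which the article's own sources point out could be any subscriber. Connections flagged this way need to be checked against the full, unredacted indicators or the actual traffic before anyone concludes a FinFisher server was contacted.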

Watching you

FinFisher has been produced by Gamma International and is billed as being a governmental IT intrusion and remote monitoring solution.

Its Web site states the "remote monitoring and deployment solutions are used to access target systems to give full access to stored information with the ability to take control of target systems' functions to the point of capturing encrypted data and communications".

Combined with its remote deployment methods, the site notes, it gives government agencies the ability to install the software on target systems remotely.

The tool is disguised as other, legitimate software. Recently, Firefox maker Mozilla sent Gamma a cease and desist letter, after the "Eyes Only" report noted that the commercial spyware "is designed to trick people into thinking it's Mozilla Firefox".

"As an open source project trusted by hundreds of millions of people around the world, defending Mozilla's trademarks from this type of abuse is vital to our brand, our users and the continued success of our mission," Mozilla notes in a blog post.

Mozilla says the spyware does not affect Firefox, and is separate, but uses the brand "to lie and mislead as one of its methods for avoiding detection and deletion".

Who knows?

Dominic White, Sensepost CTO, explains that although the software is targeted at governments, this does not rule out that a criminal element could have sourced a cracked version and be using it for nefarious means. He explains that a redacted IP address on its own would not provide enough information to determine who is using the software, and for what.

White says the software functions on a command and control basis, receiving information back from the machines it infects, in the same way as other malware. It could be embedded in hundreds of tools, such as other software and games, he adds.

In SA, government may not necessarily resort to such a tool, because of the powers of RICA to intercept communications, adds White. However, he points out that it has been used by other countries, including oppressive regimes, and its use would be a significant step beyond interception as it can be used to control devices.

White says these tools are not new, and the report does suggest the FinFisher software is more widely available than the public may have thought. He says more investigation is required to determine who or what is behind its use on South African servers, although it would make sense logistically for the user to also be based in SA due to bandwidth constraints.

The IP addresses cited in the report belong to Telkom's ADSL range, so the tool could be on a computer hooked up to Telkom's fixed broadband network, says White. Telkom was not able to respond to queries this morning.
