Trojans for the Bundestag – German PD acquired Finfisher

FinfisherIn December of last year, the German public prosecutors’ office had declared that there was no legal basis for the use of the so-called “Bundestrojaner” spyware, which was used to spy on German citizens. On top of it being illegally used, it was also found to be of very poor quality by extensive research performed by the Chaos Computer Club. In a surprising turn of events, German political platform NetzPolitik.org has now uncovered secret documents belonging to the Ministry of Finance, that the Ministry of the Interior sent to the Bundestag (the political seat of Germany) that reveals the German Federal Police’s intention to use Gamma Group’s Finfisher spyware to do the exact same thing.

Finfisher is quite an elaborate suite that allows for remote take-over of both computer systems and mobile devices such as iPhones, Androids, Blackberries and Windows Mobile-phones by pretending to be a software update. Gamma Group sells this product to dictatorial regimes all over the world, and that says a lot. What is also quite interesting is the presence of the logo for the UK’s Home Office and a link to its’ premier Security & Policing Exhibition. Does this imply that the UK government also purchased this product? Wikileaks recently published a document that looks like Finfishers’ marketing brochure and it is certainly geared towards the more modern police forces, as it sports solid integration with LEMF, which stands for Law Enforcement Monitoring Facility.

In august of last year, Bloomberg published an article that reported Finfisher presence on 5 continents and analysis performed by Rapid7 indicated its presence in at least Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, Bahrain  and the United States.  Now, of course this is not concrete proof that these governments actually use Finfisher, but Gamma Group is based in the UK and they have placed this software in the category of goods requiring an export permit because of the restrictions on exporting such digital weapons. Combined with how Gamma specifically markets Finfisher as ‘Governmental IT intrusion‘, it is highly unlikely that the British government would allow legitimate export to be done to just anyone. In a similar story posted by the New York Times, Bloomberg spoke to Martin J. Muench, who is managing director of Gamma International, and he stated that they had not sold their product to Bahrain and the malware that was found must have either been a stolen demonstration copy, or reverse-engineered by criminals.

To be clear, the use of this software is highly questionable. A while back the Dutch Minister of Safety and Justice Ivo Opstelten revealed that a plan was in the works to change the law so that it became allowed for the Dutch police to hack systems belonging to suspects. This led to international resistance and an open emergency letter [PDF warning – Dutch] was sent to the Minister to have this plan terminated because it was a gross violation of privacy. Apparently Germany is already at least one step further than this, having purchased the software already. Is this the future for the Netherlands as well? Will Minister Opstelten dust off his ill-advised plan and follow Germany in purchasing this software? I hope not. Not only is the Dutch police severely understaffed as it is, it also has a serious history of bending (or outright breaking) the rules and violating people’s rights when it comes to (ab)using technology such as this. And just how long will it take before hacking a suspects’ computer will no longer require an approval from a court judge? Where is our oversight then?

The Dutch and the Dorifel

Unless you happen to live in the Netherlands, chances are that you missed the outbreak of a ‘new’ piece of malware a few weeks ago called Dorifel, also known as XDocCrypt. With over 3000 infections in a matter of hours, of which 90% were systems in the Netherlands, this triggered the Dutch National Cyber Security Center almost instantly. XDocCrypt/Dorifel is a new trojan that encrypts executables, Excel- and Word files that it finds on USB drives and network disks, causing companies to come to a grinding halt almost immediately after infection. Later investigation by Digital Investigations turned up that it also distributes phishing banking websites for ING Bank, ABN AMRO and SNS Bank (all banks with a strong presence in the Netherlands). With such distinctive traits, you would expect that it would be ransomware, but it’s not. It doesn’t ask for money, and there are no real clues what the point is of encrypting those files. It may simply have been a trial run just to find out how good this technique works, but it’s all conjecture at this point.

As an aside, it should be mentioned that the malware’s efforts in encryption did uncover something I found interesting: it exploits the RTLO Unicode Hole, which uses a Windows standard Unicode “Right-to-left override” that are more commonly used in Arabic and Hebrew texts (meaning it’s a Feature, not a Bug). Through this use of the RTLO Unicode Hole, they make filenames such as testU+202Ecod.scr appear in the Windows Explorer as testrcs.doc, and effectively make a harmful executable look like a simple Word doc.

What worries me most, and this is the reason for this article, is the delivery vehicle used by this new piece of malware. You see, it doesn’t exploit some new weakness. Instead, it’s being delivered by systems previously infected with the Citadel/Zeus trojan. This means that over 3000 systems in the Netherlands –systems belonging mostly to ministries, local government and hospitals- already had active botnets inside their networks before getting infected with this new malware! Mind you, virtually all of these systems and networks had active antivirus and IDS systems, and NONE detected either the Citadel/Zeus botnet already in place, nor the new XDocCrypt/Dorifel malware. If anything should be a severe wake-up call for Dutch firms who still half-ass their security, this is it.

Major AV vendors such as Kaspersky and McAfee now address this piece of malware, but it does make you wonder: If this Trojan hadn’t gone through the trouble of encrypting all those files, would it ever have been caught? Clearly, with only a couple of thousand infections, it is not that big of an outbreak. Chances are good that Dorifel would have stayed below the “economic feasibility to fix” line that most antivirus corporations adhere to. With malware code mutation getting increasingly easier and more mature, will this be our future? No more large infections, but a lot more small ones to stay below the collective AV radar? It seems plausible. It certainly makes the dim future of the current AV Modus Operandi that much dimmer. When will we finally see a paradigm shift in our approach to defeating malware?