August 8, 2014

FinFisher (Gamma International) Leaked Malware Suite Analysis

Filed under: Uncategorized — aspensmonster @ 8:08 pm

flattr this!

0: Some notes

This document will be continually updated in the coming days.

Several days ago, a hacker operating under the alias PhineasFisher made the following post an the Anarchism subreddit:

This blog post serves as my main/central point from which I hope to analyze the content of these leaks. I have already begun analysis in different spaces:

I’ll likely continue to work in these spaces, but wanted to have a more personal, scratch-pad-like spot to continue to work.

1: Big picture of the leaked content

The hacker has provided his own overview (in a pastebin) of the leaked content.

The torrent file may be downloaded at:

Directory structure (root directory named “finfisher”):

  • Database.sql – A database containing data for the webapp whose root is found at /finfisher/www/GGI
  • qateam – Contains contents of an internal web server –presumably found after initial penetration of the public-facing webserver at– that was serving various mobile malware kits. The directory name seems to imply this was used by their QA team
  • www – Presumably the contents of the public-facing webserver
    • conf – site administration stuff. phpmyadmin, webalyzer
    • ffw – a demo of FinFisher Web / FinSpy Web, demonstrating numerous attack vectors for infecting target machines
    • FinFisher – Appears to be a dropbox of sorts for clients to retrieve their purchased kits; Most content is encrypted (as well as protected by an Apache mod_auth_basic username/password dialog), but there is some truly fascinating material in some of the other directories. The bulk of the size of the torrent can be found in these encrypted “”-type files.
      • Sales – Folder containing several archives of sales tools, tool documentation, company roadmaps, and even a pricelist
        • 05_New_Design.rar – Contains boilerplate business forms, like offer templates for prospective clients, license renewals for current clients, and a (relatively recent) pricelist, dated December 16 2013, that also coincidentally leaks some business-related logic (markups, preferred clients, etc)
        • – Contains lots of information about the company and its offerings, as well as roadmaps that indicate they were actively working on developing Mac and Linux intrusion capabilities in addition to the traditional Windows targets.
      • Engineers7117 – Folder filled with subdirectories and encrypted files. The directory names, as well as the filenames, seem to indicate that much of the (up-to-date) technical documentation of FinFisher/Gamma International’s catalog could be found within these files, were they decrypted.
    • GGI – Appears to be the root directory of the webapp powering the finsupport subdomain. Mostly just php stuff, but a directory named Attachments has unencrypted stuff that Gamma Group’s clients sent to them, presumably through the finsupport website’s support webform.
      • Support – Holds code for the support form
        • Attachments – Holds LOTS of different attachments, possibly named once again with the short keyids of the senders –though an initial search found no matches in public-key servers– that are unencrypted and include images (typically of FinSpy Master C&C servers that are failing to boot due to segfaults), and zip/rar archives that contain server logs for their “FinSpy Master” Command and Control (C&C) server (which, apparently, runs on a Debian GNU/Linux base). LOTS of interesting stuff in these logs, along with some basic insight into how this C&C server works (these logs, combined with diagrams from some of their sales material, can provide an excellent architectural overview of their product catalog).

Not every file is listed. I tried to only include what looked like the more useful bits for analysis.

2: A first look at corporate structure and product offerings

At this point, I will be referencing files found within the torrent by their names, as well as a sha256 hash of the file.

Filename sha256sum -> Gamma Corporate Presentation 2012-02-08_draft.pptx 2993ecb60c48a16e1d07fa207c0bdf5d3f8c1f16ec33253cef01b5285ea25dc1

Slide 2 from the aforementioned file. Diagrams corporate structure.

All of these companies fall under the parent company Gamma Group. See Project PM for more information on the Gamma Group. This leak concerns Gamma International, and focuses on (child company?) Finfisher IT Intrusion’s portfolio of technologies. That portfolio is further introduced in slide 7 of the same file:


High-level overview of the various components of the portfolio.

Further detail on this architecture –specifically, how the components communicate with each other– can be found in several brochures, along with a slide from the following file:

Filename sha256sum -> FinFisher-Presentation-2012-02-08_final.pptx 11ef3578be97cfa29d5d44036a6a307cc2d9fac0139124eaf1af5610e2920d96

Details communications pathways for the FinSpy product family.

Of particular importance is the use of relays throughout the internet to shield targets from the FinSpy Master command and control server. This product suite is architecturally identical to that of typical botnets found in the wild. Where the FinSpy product suite excels is in its coverage of the entire communications chain. Whereas typical botnet operators have only web-based attacks –visit a malicious url, download an infected file– FinFisher IT Intrusion and Gamma International have developed an entire suite of offerings that can be deployed at attack vectors all along the chain for the purposes of compromising the target with malware. The various pieces of software are described in turn in the same powerpoint slideshow file, and are detailed in the next section.

3: Investigating product capabilities

First, an overview of the available products that can be used to compromise target systems:

Product Name Description
FinSpy Mobile Offers ability to compromise target’s mobile phone: BlackBerry, iOS, Android.
FinSpy Refers to the suite of FinFly offerings enumerated below.
FinFly USB Requires direct access to machine. Can extract and infect.
FinFly FireWire Requires direct access to machine. Can extract and infect.
FinFly LAN Requires direct access to the target LAN. Can perform various MITM activities.
FinFly NET Requires that target visit a network that is in the control of the attacker. Can perform various MITM activies.
FinFly ISP Attacks the target’s ISP. Can MITM either before hitting the ISPs core network, or afterward.
FinFly Web Attempts to deploy malware to targets through various web-based attack vectors (See github repo for the code found in the leaks).
FinFly Exploit Portal Basically an online repository of 0-days and 1-days that paying customers can integrate into their attacks on targets and deploy to said targets using various other FinFly offerings.

Gamma International provides a handy suite of brochures that detail these capabilities, previously leaked by Wikileaks as well as more recently by the hacker. The hacker also gained access to some of the software behind the FinSpy Mobile and FinFly Web offerings, as well as customer-provided support documents (images, log files). Utilizing these sources, a more thorough understanding of these products can be obtained than is revealed by the brochures alone. As well, some of the attack vectors have since been uncovered and disclosed publicly –in particular, the FinFly Firewire attack has been revealed since 2012 and largely mitigated.

FinFly Web


May 22, 2014

Leaving Hacker News

Filed under: Uncategorized — aspensmonster @ 10:47 pm

flattr this!

I meant to get this up earlier, but between finals and graduation and hustling for employment, things fell through the cracks. Some basic background info:

  • Hacker News’ moderation has always been a black box.
  • Hacker News was experimenting with “pending” comments that had to be approved by elder members.
    • If you “abused” your privilege as an elder member by always granting pending comments, you would lose your privilege.
  • Hacker News has been experimenting with a new type of “amplified downvote.”
    • Under this amplifed downvote, the effects of a downvote persist across all of your posts for an as yet undetermined amount of time.
  • Hacker News’ comment ranking system used to implement a sort-of percolating algorithm, where almost all comments were at least guaranteed some exposure at the top of the thread before percolating downwards (or staying where they were if they were upvoted). In my limited observations this behaviour is now gone, and the ranking is based solely on average comment score.
  • The downvote decrementing counter appears to “stop” at -4, but can continue downward indefinitely, tanking an otherwise decent average comment score.
  • Hacker News is under newer, more active moderation –even more active than before (though still not transparent).
  • Hacker News utilizes slow-banning and hell-banning, neither of which the user would be aware of.
  • Hacker News mods often edit titles and penalize stories (causing them to drop off the front page) with no background as to why.
  • Hacker News mods can set user posts to be “autodead” if they contain certain keywords.

Suffice it to say, I’ve grown increasingly tired of all of the shenanigans. It reached a tipping point with the following thread that basically established the way things would be from then on out:

An Update On HN Comments

And my particular comment on that thread:

My Comment

Unless you’re logged in and set “showdead” to “on,” you probably won’t be able to see my comment in the thread. It was autodeaded, presumably because of my use of the term “circlejerk,” which HN is quite sensitive to.

In any case, the comment is reproduced below, and serves as my parting from the HN community. I’ve since joined

The majority of HN users are thoughtful and nice. It’s clear from the data that they reliably downvote jerks and trolls (and specifically, they don’t silence minority groups—we’ve looked into this). What dang and kogir found was a way to turn the volume up on this kind of downvote.

I suppose that explains why the effects of downvotes on my past comments are persisting for weeks, regardless of the content of comments that come after. Heck, it explains everything about my experience on HN for the past three weeks or so. Story time!

I was recently met with a torrent of downvotes –nearly 100, might have actually crossed that– for poking fun at HN’s incessant we’re-not-reddit-we’re-much-more-sophisticated circlejerking (the irony is not lost). I’m specifically referring to this submission:

It was an announcement that Valve was open-sourcing its fork of Mesa. Someone made a HL3 confirmed chain: Mesa -> Black Mesa -> Half-Life -> Half-Life 3 CONFIRMED etc etc. That it was a story about Valve only helped, and so I cheerfully advised this commenter not to distract Gaben from Left 4 Dead 3. I was downvoted and I proceeded to taunt the hivemind. Indeed I felt quite gleeful that I managed to hit the floor of “-4″ for each of the comments whilst my total karma counter continued to decrement. There were even others that saw fit to traverse my past comments and downvote those too. I’m sure those comments deserved it; they must have been off-topic or non-substantive or out-of-scope.

Of course, the Rules of HN are such that you can’t complain about downvoting. You cannot incite people to downvote you either. So yes, “shame on me” for not engaging in the proper circlejerking motions. Shame on me for continually pointing out this community’s obsession over being the “glorious master race” of online discussion whilst poo-pooing the cesspools of “filthy casuals” like Reddit or, god forbid, Slashdot. “Shame on me” for partaking in the memes of any culture other than HN’s. I should know better. Those are “low/no-content” things. They are “not substantive.” Or my personal favorite: they are “outside the scope of HN.” There’s always some excuse that the hivemind will come to a consensus on.

The net effect is thus:

  • I now get to wait several seconds for a page load, as if I were shadow banned. Who knows. Maybe I am :D Viewing the website without a logged-in session produces immediate page loads.
  • Any comment I submit, regardless of length, is lucky to make it more than a third of the way up from the bottom of the page to *start*. It seems my comments don’t get to percolate from the top down any more.
  • My comments that do get upvotes never seem to rise past this point on the page.

I’m sure someone will insist that I message the mods. I refuse. I’m not going to beg the censor to restore my speech privileges whilst he pulls a Putin and insists he’s doing nothing of the sort. The mere suggestion is indicative of just how big a problem moderation of this sort really is. The algorithms and moderation behind HN are a black box and any suggestion to make it transparent is met with the resistance of an open circuit.

I find it hard to believe that the Gods of HN are merely “silencing” the “jerks and trolls” whilst leaving the pure and unadulterated essence of HN to flourish. Perhaps this is all just a consequence of a single, massive downvote spike that torched my 5.0+ rating down to 1.14 (do I see 0.* yet?). I don’t believe that. Between “pending” comments and the “downvote threshold” and the “flagging threshold” and the “we’ll revoke your privileges if we please” attitude, I’d say things are exactly the way they want them to be.

At this point, I really don’t think I’m interested in continuing to be a part of HN. I don’t want to continue to be a data point in some Big Data Miner’s grand experiment to see just how organically he can manufacture consent. And I’m sure the hivemind will have no problem with that state of affairs. I’m just a perfect example of the system working as intended. It’s not a bug. It’s a feature. I’m the problem they’re trying to solve. Etc etc etc…

HN isn’t trying to stave off an Eternal September. It’s doing everything it can to never reach October.

Older Posts »