Basically it’s a European company that sells computer hacking and spying software to governments and police agencies. Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents. Gamma Group (the company that makes FinFisher) denied having anything to do with it, saying they only sell their hacking tools to ‘good’ governments, and those authoritarian regimes must have stolen a copy.
And that’s the end of the story until a couple days ago when I hacked in and made off with 40GB of data from Gamma’s networks. I have hard proof they knew they were selling (and still are) to people using their software to attack Bahraini activists, along with a whole lot of other stuff in that 40GB.
Here’s a torrent of all the data. Please download and seed. Here’s a twitter feed where I’m posting some of the interesting stuff I find in there, starting off slow to build up rather than just publish all the worst shit at once.
I assumed the hacking would be the hard part and once I got the data it would just kinda go viral on its own or something. But it turns out without any media access or idea how that shit works, getting people to notice or care is actually kind of hard. Please share and seed the torrent!
The enormous file contains client lists, price lists, source code, details about the effectiveness of FinFisher malware, user and support documentation, a list of classes/tutorials, and much more.
Highlights discovered so far (h/t Netzpolitik):
The price list reveals that the FinSpy program costs 1.4 million Euros and that a variety of penetration testing training services are priced at 27,000 Euros each.
One spreadsheet in the dump explains that FinFisher performed well against 35 top antivirus products, showing how the sophisticated malware efficiently defeats detection.
There is a zip archive “FinSploit Sales” with a text file and three videos.
The README contains these Frequently Asked Questions:
Q: Can you supply a list of the current exploits?
A: Yes but we need to do this individually for each request as the available exploits change on a regular basis.
Q: Can we name the supplier?
A: Yes you can mention that we work with VUPEN here
Q: How does the customer get the exploits?
A: They will get access to a web-portal where they can then always download the available exploits
Q: Can this be used to deploy other trojans than FinSpy?
A: Yes, any exe file can be sent
Q: Which Operating Systems do you cover?
A: Currently the focus is on Windows Vista/7. Some exploits for XP are also available. At the moment there are no 0 day exploits for OSX, Linux or mobile platforms.
Here are the three videos that show how vulnerabilities in three common software types are exploited:
This video shows a sophisticated Acrobat Reader 9 exploit with ASLR/DEP bypass and fully silent (no crash after executing the shellcode). In the video, the shellcode executes the Windows calculator (can be replaced by any other action).
Additionally, the exploit can be fully customized to create a new PDF or even infect any existing PDF document (in the video we included the exploit in the brochure of the ISS World Conference as an example).
This video shows another sophisticated exploit, this time targeting Adobe Flash which is installed on 99% of systems. Some exploits also target Java.
The exploit bypasses ASLR/DEP, and is fully silent (no crash after executing the shellcode). In the video, the shellcode executes the Windows calculator (can be replaced by any other action).
This video shows another sophisticated exploit, this time targeting Microsoft Office 2010 with two different codes. The first one is a Word (DOC) file and the other is for Excel (XLS). The exploits launch the calculator and immediately close Office, however, we can adapt it to make it fully silent or launch Office again and display a real document.
Source code of FinFly Web, which found its way onto the code hosting platform GitHub.
Netzpolitik called the Munich telephone number on finfisher.com and asked them for comment. At first, they denied being FinFisher, but then admitted it, albeit refusing to comment.
Today they called again, and again the answer was: “We don’t want to comment on this.” This time around, they were greeted with “FinFisher here” instead of a denial.
Will update this post as more details emerge…