Computers Go (Fin)Fishing

Gone FinFishing

Hackers and governments have access to government-grade spyware — and your ISP or VPN service providers are in a perfect position to infect your devices with it.

Sound scary? Let’s break it down…

What is FinFisher?

FinFisher (aka FinSpy) is spyware ostensibly developed for governments and law enforcement agencies. It can spy on users by watching them through their webcams, listening through their microphones, logging their keystrokes, peeking into their files, and possibly more.

To get installed, it has traditionally relied on virus and malware infection techniques such as exploiting zero-day flaws, or even physical access to the machine.

Now, some security researchers believe that Internet Service Providers (ISPs) and Virtual Private Network (VPN) services may be injecting it into download requests for popular applications, making it much more effective at infecting target devices that might otherwise have been protected by anti-virus and anti-malware tools and techniques.

What Happens?

When you go looking for an application you want to download, like video conferencing software, messaging apps, antivirus programs or other popular tools, your browser can be redirected to a “spoofed” (i.e. fake) version of the app’s download link. This redirection is something an ISP or VPN is in a perfect position to perform. The download can contain a modified version of the app in question, typically loaded with the FinFisher spyware, which then installs itself along with the desired application.

A browser redirect (an HTTP “307” temporary redirect status code) can happen as part of the natural process of navigating to any website: it’s like your computer taking a detour when a road is closed. This is the key to the FinFisher installation remaining covert, since the redirect occurs in the background so as not to interrupt your browsing experience. You aren’t even aware that the redirect has occurred!
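To make the redirect mechanism concrete, here is an added example (not code from the original article) that walks a chain of HTTP redirects the way a browser would and flags the two things a defender cares about when a download is diverted: the request ending up on a different host than the one the user asked for, and a downgrade from HTTPS to plain HTTP. The start URL, hostnames and the `SAMPLE_CHAIN` list of `(status, Location)` hops are constructed for illustration, not taken from any real site or report.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the hops a browser sees while fetching an installer.
# Each entry is (HTTP status code, Location header) in the order received.
SAMPLE_START_URL = "https://www.example-app.test/get/installer.bin"
SAMPLE_CHAIN = [
    (307, "https://cdn.example-app.test/download/installer.bin"),
    (307, "http://203.0.113.10/updates/installer.bin"),  # off-origin, plain HTTP
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def audit_redirect_chain(start_url, hops):
    """Follow a list of (status, Location) hops and return (final_url, warnings).

    Warnings are raised when a redirect moves the request to a different host
    than the one originally requested, or when an https:// URL is redirected
    to an http:// one. Location values may be relative, so each one is
    resolved against the URL of the hop that issued it, as a browser does.
    """
    warnings = []
    current_url = start_url
    origin_host = urlsplit(start_url).hostname
    for status, location in hops:
        if status not in REDIRECT_CODES:
            break  # a non-redirect response ends the chain
        next_url = urljoin(current_url, location)
        cur, nxt = urlsplit(current_url), urlsplit(next_url)
        if nxt.hostname != origin_host:
            warnings.append(
                f"{status} redirect leaves requested host: {origin_host} -> {nxt.hostname}"
            )
        if cur.scheme == "https" and nxt.scheme == "http":
            warnings.append(f"{status} redirect downgrades https to http at {next_url}")
        current_url = next_url
    return current_url, warnings


def demo():
    """Run the audit on the constructed chain and on a benign same-host chain."""
    suspicious = audit_redirect_chain(SAMPLE_START_URL, SAMPLE_CHAIN)
    benign = audit_redirect_chain(SAMPLE_START_URL, [(307, "/mirror/installer.bin")])
    return {"suspicious": suspicious, "benign": benign}


if __name__ == "__main__":
    for label, (final_url, warnings) in demo().items():
        print(f"{label}: final URL {final_url}")
        for w in warnings:
            print("  WARNING:", w)
```

Cross-host hops are common for legitimate content delivery networks, so a warning from this check is a prompt to confirm where the file actually came from, not proof of tampering; the HTTPS-to-HTTP downgrade is the stronger signal, because it removes the only protection the browser had against the download being altered in transit.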

How Does it Work?

It’s called a “man-in-the-middle” attack, where services between you and the site you’re visiting change the information that goes back and forth. In this case, the service in question is replacing a trusted download link with a fake one. What’s really alarming is that a trusted service provider such as an ISP or VPN is in a perfect position to be (knowingly or unknowingly) complicit in this attack.

ISPs, for example, are no strangers to altering the data traveling to and from your devices: the debate surrounding net neutrality has revealed that ISPs are more than capable of tracking and altering browsing activity.

Can You Prevent Being Infected?

This type of infection method can be very hard to protect against. Because FinFisher, or other spyware and malware for that matter, can be inserted silently into “normal” internet activities such as downloading, it can be difficult to protect your devices from it.

Here are a few tips to mitigate the risks of infection when downloading any files to your computer using a browser or other protocols such as FTP:

  • Always save the downloaded file(s) to your machine first. Never just allow the browser to directly “run” what’s downloaded.
  • Look for a “hash” (checksum) for the file(s) on the download site. These are typically MD5 or SHA hashes that look like a string of numbers and letters. The hash should be unique to each download file; it is designed to let you confirm that what you downloaded is what the publisher intended for you to download. (If possible, get these hashes from a different location than the files themselves. If the file you are downloading has been tampered with, the hashes published alongside it may have been tampered with too.)
  • Run a hashing program on your machine to check the downloaded file’s hash. If the string that the hashing program returns is not the same as the one claimed on the download site for that item, then you didn’t actually get the real file – you got something else. Just delete it. Unfortunately, not all download sites provide hashes – it’s a leap of faith to trust any downloaded files that have not been verified.
  • Even if the hashes match, you still need to virus-check the downloaded file(s) with your installed virus checker (you DO have a virus scanner installed, right?!)

If you cannot validate the downloaded files as authentic, then you probably shouldn’t trust them.
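The two hash-checking steps above, as an added example that is not part of the original article: it streams a downloaded file through SHA-256, looks the file up in a checksum manifest obtained from a separate location, and compares the digests. The manifest format assumed here is the one written by the `sha256sum` tool (`<hex digest>  <filename>`, with an optional `*` before binary filenames); the filenames and file contents are constructed for the demo, and the expected digest for the genuine file is the published SHA-256 test vector for the three bytes `abc`.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Return the hex SHA-256 of a file, reading it in chunks so large
    installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>')
    into {filename: lowercase hex digest}. Blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_download(path, manifest_text):
    """Return ("ok" | "mismatch" | "unverified", actual_digest_or_None).

    "unverified" means the manifest has no entry for this filename, which
    is the leap-of-faith case the article describes. The comparison uses
    hmac.compare_digest so its timing does not depend on where the strings differ.
    """
    expected = parse_checksum_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "unverified", None
    actual = sha256_file(path)
    return ("ok" if hmac.compare_digest(actual, expected) else "mismatch"), actual


# Constructed manifest, as if fetched from a second site independent of the download.
SAMPLE_MANIFEST = """\
# SHA256SUMS (constructed for this example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer.bin
"""


def demo():
    """Write three constructed downloads to a temp dir and verify each one."""
    tmp = tempfile.mkdtemp()
    cases = {
        "genuine": ("installer.bin", b"abc"),      # matches the manifest entry
        "tampered": ("installer.bin", b"abd"),     # one byte changed in transit
        "unlisted": ("other-tool.bin", b"abc"),    # no published hash at all
    }
    results = {}
    for label, (name, content) in cases.items():
        sub = os.path.join(tmp, label)
        os.mkdir(sub)
        path = os.path.join(sub, name)
        with open(path, "wb") as f:
            f.write(content)
        results[label] = verify_download(path, SAMPLE_MANIFEST)
    return results


if __name__ == "__main__":
    for label, (status, digest) in demo().items():
        print(f"{label}: {status} {digest or ''}")
```

Only "ok" means the bytes on disk are the bytes the publisher hashed; "mismatch" is the delete-it case, and "unverified" is the situation the article warns about where no hash was published and trust has to be decided some other way.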

Of course, this won’t completely stop FinFisher or other spyware/malware from getting installed on your machine: a lot of software performs updates in the background, giving the user no control over scanning the file(s), checking hashes, or taking other preventative and protective measures. In these cases, some additional steps might be available, including:

  • Turn off automatic updates, and only perform updates by manually downloading and applying them yourself. Unfortunately, this is getting harder and harder to do, as operating systems and applications are trending towards zero-touch updating that requires little or no user intervention or even notification.
  • Configure a firewall to only allow connections to specific servers for downloading. This is not a very practical option, as it can take some time and knowledge to just determine what servers are being contacted for updates. It also requires configuring your machines to not use the ISP-controlled DNS servers, as these can also be co-opted to return bogus server IPs in response to lookup requests.

Once Infected…

Once infected, it can be very difficult to actually remove FinFisher and other spyware/malware from devices. Depending on how it has embedded itself, it may even survive a complete refresh of the device firmware or operating system.

The Bottom Line

Spyware and malware being installed through service providers such as ISPs and VPNs serves as a wake-up call that anything can be introduced into your machines through channels that you may have thought were trusted and protected. It reveals that there is no such trust and protection anymore. Any point in the connection between your machine and files being downloaded can be co-opted to allow malware and spyware to be inserted as well.