[liberationtech] Finfisher Spy Kit Revealed in Bahrain

Fabio Pietrosanti (naif) lists at infosecurity.ch
Wed Jul 25 23:54:13 PDT 2012


On 7/26/12 4:27 AM, Jacob Appelbaum wrote:
> Ronald Deibert:
>> For Immediate Release
>>
>> From Bahrain With Love: FinFisher’s Spy Kit Exposed?
>>
>> July 25, 2012 -- The Citizen Lab announces the publication of a detailed post analyzing several pieces of malware targeting Bahraini dissidents, shared with us by Bloomberg News.
> 
> I just wanted to say that this is the best news I've read in a very long
> time. Thanks for your efforts on this - FinFisher is bad news and you're
> helping a lot of people by exposing their targeted malware.
> 
> In an ideal world, I'd like to see a tool for detecting FinSpy on a disk
> - it should be possible for the currently deployed FinSpy stuff - I
> suspect they'll make some changes soon but that won't make too much of a
> difference for the cache of disks already sitting in a lab.
> 
> The FinSpy network traffic is also really interesting - the fact that
> they don't stand up to the most obvious of traffic analysis is
> *hilarious* and so fitting.

That would be a cool project:
- To get FinSpy malware
- To make a call to RE communities like OpenRCE
(http://www.openrce.org/articles/) and anti-malware communities to
design/document 10-20 different patterns to recognize it (like a contest?)
- To analyze the network traffic and derive 5-10 patterns to detect it
- To submit all that data publicly, asking network security and
anti-virus companies to embed it

That way it would be *much more difficult* for FinFisher to just "make
a little change to become undetected again", and in one shot we would
probably make all the operations in the world using FinSpy + an
antivirus detectable.

It sounds like a cool counter-intelligence-trolling-operation!

If well done, also with proper media coverage and market push, it would
be relatively easy to have them close the company after such a disaster.

I like it.

But at first we would need someone to provide this software binary.

-naif
