Feeds

Cyber-cop Trojan used iTunes flaw to spy on crims

Gamekeeper turned poacher

Beginner's guide to SSL certificates

A law enforcement Trojan takes advantage of the same recently patched iTunes flaw also used by Ghost Click botnet, according to a demo at a recent German trade show.

Spiegel Online reports that a promo video for a variant of the FinFisher spyware application shows it exploits a vulnerability in iTunes to update the software on targeted systems. Prior to a recent update, iTunes used an unencrypted HTTP request to poll for the latest version of Apple's media player software. This technique created an opening for man-in-the-middle attacks, providing Apple Software Updater is not in play*.

Instead of receiving the URL for the latest version of the iTunes from Apple, an attacker could send a dummy update request that induces victims to visit a counterfeit webpage under the control of attackers.

For the redirection to work, a machine would already need to be infected with the DNSChanger software (in the case of the alleged Ghost Click botnet operators) or in the case of law enforcement agencies using Gamma's FinFly ISP technology, you'd need ISPs to be in on the redirection ruse.

FinFisher is marketed by Gamma International to cops and spooks as a means to tap the Skype calls, IM chats and emails of suspected criminals. Documents found during the ransacking of Egypt's secret police headquarters, at the height of the Arab Spring uprising, suggest that the Mubarak regime purchased FinFisher to spy on dissidents. Gamma International, which denies selling its wares to Egypt, ran a stall at the Cyberwarfare Europe conference in Berlin back in September. Delegates to the conference included government and business representatives from the United Arab Emirates, Indonesia and Malaysia.

Don't ever bother asking journos to leave, it never works

Gamma made sure journalists had left the room when it gave its product demonstration but Der Spiegel nonetheless discovered that its pitch included video showing how its FinFly ISP technology took advantage of the recently patched iTunes flaw to push updates of its remote monitoring tool. Other versions of its technology used a specially adapted USB flash drive ("USB FinFly") to drop spyware onto systems but this approach, unlike FinFly ISP, requires physical access to computers.

German software developer DigiTask offers similar law enforcement Trojan technology. German federal law allows the use of malware to eavesdrop on Skype conversations, however samples of the so-called R2D2 (AKA "0zapftis") Trojan that recently came into the possession of the Chaos Computer Club (CCC) had a far wider range of functionality than this, including keystroke logging and establishing a backdoor on compromised machines.

CCC criticised the R2D2 code as both "amateurishly written" and illegal. Five German states subsequently admitted using the controversial backdoor Trojan to spy on criminal suspects. It's suspected that the R2D2 Trojan was developed by DigiTask, based on similarities in the sample obtained by CCC and the functionality as described in documents published by WikiLeaks last year, but this remains unconfirmed.

The use of law enforcement Trojans is particularly controversial in Germany, which is more privacy-sensitive than most countries thanks in large part to the memory of the invidious spying tactics by the former East German secret police, the Stasi. As Spiegel Online notes, adopting the same tactics as cyber-criminals makes those marketing law enforcement Trojans look even more sneaky. ®

Patchnote

* Apple addressed the underlying vulnerability with a cross-platform update for iTunes, version 10.5.1, last week. The latest version of iTunes requests update URLs over a secure (https) connection, thereby blocking man-in-the-middle attacks.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.