Feeds

Cyber-cop Trojan used iTunes flaw to spy on crims

Gamekeeper turned poacher

3 Big data security analytics techniques

A law enforcement Trojan takes advantage of the same recently patched iTunes flaw also used by Ghost Click botnet, according to a demo at a recent German trade show.

Spiegel Online reports that a promo video for a variant of the FinFisher spyware application shows it exploits a vulnerability in iTunes to update the software on targeted systems. Prior to a recent update, iTunes used an unencrypted HTTP request to poll for the latest version of Apple's media player software. This technique created an opening for man-in-the-middle attacks, providing Apple Software Updater is not in play*.

Instead of receiving the URL for the latest version of the iTunes from Apple, an attacker could send a dummy update request that induces victims to visit a counterfeit webpage under the control of attackers.

For the redirection to work, a machine would already need to be infected with the DNSChanger software (in the case of the alleged Ghost Click botnet operators) or in the case of law enforcement agencies using Gamma's FinFly ISP technology, you'd need ISPs to be in on the redirection ruse.

FinFisher is marketed by Gamma International to cops and spooks as a means to tap the Skype calls, IM chats and emails of suspected criminals. Documents found during the ransacking of Egypt's secret police headquarters, at the height of the Arab Spring uprising, suggest that the Mubarak regime purchased FinFisher to spy on dissidents. Gamma International, which denies selling its wares to Egypt, ran a stall at the Cyberwarfare Europe conference in Berlin back in September. Delegates to the conference included government and business representatives from the United Arab Emirates, Indonesia and Malaysia.

Don't ever bother asking journos to leave, it never works

Gamma made sure journalists had left the room when it gave its product demonstration but Der Spiegel nonetheless discovered that its pitch included video showing how its FinFly ISP technology took advantage of the recently patched iTunes flaw to push updates of its remote monitoring tool. Other versions of its technology used a specially adapted USB flash drive ("USB FinFly") to drop spyware onto systems but this approach, unlike FinFly ISP, requires physical access to computers.

German software developer DigiTask offers similar law enforcement Trojan technology. German federal law allows the use of malware to eavesdrop on Skype conversations, however samples of the so-called R2D2 (AKA "0zapftis") Trojan that recently came into the possession of the Chaos Computer Club (CCC) had a far wider range of functionality than this, including keystroke logging and establishing a backdoor on compromised machines.

CCC criticised the R2D2 code as both "amateurishly written" and illegal. Five German states subsequently admitted using the controversial backdoor Trojan to spy on criminal suspects. It's suspected that the R2D2 Trojan was developed by DigiTask, based on similarities in the sample obtained by CCC and the functionality as described in documents published by WikiLeaks last year, but this remains unconfirmed.

The use of law enforcement Trojans is particularly controversial in Germany, which is more privacy-sensitive than most countries thanks in large part to the memory of the invidious spying tactics by the former East German secret police, the Stasi. As Spiegel Online notes, adopting the same tactics as cyber-criminals makes those marketing law enforcement Trojans look even more sneaky. ®

Patchnote

* Apple addressed the underlying vulnerability with a cross-platform update for iTunes, version 10.5.1, last week. The latest version of iTunes requests update URLs over a secure (https) connection, thereby blocking man-in-the-middle attacks.

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.