Feeds

Cyber-cop Trojan used iTunes flaw to spy on crims

Gamekeeper turned poacher

Protecting against web application threats using SSL

A law enforcement Trojan takes advantage of the same recently patched iTunes flaw also used by Ghost Click botnet, according to a demo at a recent German trade show.

Spiegel Online reports that a promo video for a variant of the FinFisher spyware application shows it exploits a vulnerability in iTunes to update the software on targeted systems. Prior to a recent update, iTunes used an unencrypted HTTP request to poll for the latest version of Apple's media player software. This technique created an opening for man-in-the-middle attacks, providing Apple Software Updater is not in play*.

Instead of receiving the URL for the latest version of the iTunes from Apple, an attacker could send a dummy update request that induces victims to visit a counterfeit webpage under the control of attackers.

For the redirection to work, a machine would already need to be infected with the DNSChanger software (in the case of the alleged Ghost Click botnet operators) or in the case of law enforcement agencies using Gamma's FinFly ISP technology, you'd need ISPs to be in on the redirection ruse.

FinFisher is marketed by Gamma International to cops and spooks as a means to tap the Skype calls, IM chats and emails of suspected criminals. Documents found during the ransacking of Egypt's secret police headquarters, at the height of the Arab Spring uprising, suggest that the Mubarak regime purchased FinFisher to spy on dissidents. Gamma International, which denies selling its wares to Egypt, ran a stall at the Cyberwarfare Europe conference in Berlin back in September. Delegates to the conference included government and business representatives from the United Arab Emirates, Indonesia and Malaysia.

Don't ever bother asking journos to leave, it never works

Gamma made sure journalists had left the room when it gave its product demonstration but Der Spiegel nonetheless discovered that its pitch included video showing how its FinFly ISP technology took advantage of the recently patched iTunes flaw to push updates of its remote monitoring tool. Other versions of its technology used a specially adapted USB flash drive ("USB FinFly") to drop spyware onto systems but this approach, unlike FinFly ISP, requires physical access to computers.

German software developer DigiTask offers similar law enforcement Trojan technology. German federal law allows the use of malware to eavesdrop on Skype conversations, however samples of the so-called R2D2 (AKA "0zapftis") Trojan that recently came into the possession of the Chaos Computer Club (CCC) had a far wider range of functionality than this, including keystroke logging and establishing a backdoor on compromised machines.

CCC criticised the R2D2 code as both "amateurishly written" and illegal. Five German states subsequently admitted using the controversial backdoor Trojan to spy on criminal suspects. It's suspected that the R2D2 Trojan was developed by DigiTask, based on similarities in the sample obtained by CCC and the functionality as described in documents published by WikiLeaks last year, but this remains unconfirmed.

The use of law enforcement Trojans is particularly controversial in Germany, which is more privacy-sensitive than most countries thanks in large part to the memory of the invidious spying tactics by the former East German secret police, the Stasi. As Spiegel Online notes, adopting the same tactics as cyber-criminals makes those marketing law enforcement Trojans look even more sneaky. ®

Patchnote

* Apple addressed the underlying vulnerability with a cross-platform update for iTunes, version 10.5.1, last week. The latest version of iTunes requests update URLs over a secure (https) connection, thereby blocking man-in-the-middle attacks.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.