FinFisher is spyware that is installed onto PCs by governments around the world to spy on their citizens. To our surprise, a large number of countries are actually tracking their citizens through this spyware.
So, how are you affected, and how can you protect yourself from these scans and probes? Read below.
Figure 1. Map of global FinFisher proliferation

Around October 2012, we observed that the behavior of FinSpy servers began to change. Servers stopped responding to our fingerprint, which had exploited a quirk in the distinctive FinSpy wire protocol. We believe that this indicates that Gamma either independently changed the FinSpy protocol, or was able to determine key elements of our fingerprint, although it has never been publicly revealed. In the wake of this apparent update to FinSpy command & control servers, we devised a new fingerprint and conducted a scan of the internet for FinSpy command & control servers. This scan took roughly two months and involved sending more than 12 billion packets. Our new scan identified a total of 36 FinSpy servers, 30 of which were new and 6 of which we had found during previous scanning. The servers operated in 19 different countries. Among the FinSpy servers we found, 7 were in countries we hadn’t seen before.

New countries: Canada, Bangladesh, India, Malaysia, Mexico, Serbia, Vietnam
In our most recent scan, 16 servers that we had previously found did not show up. We suspect that after our earlier scans were published the operators moved them. Many of these servers were shut down or relocated after the publication of previous results, but before the apparent October 2012 update. We no longer found FinSpy servers in 4 countries where previous scanning identified them (Brunei, UAE, Latvia, and Mongolia). Taken together, FinSpy servers are currently, or have been, present in 25 countries:

Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam.

Importantly, we believe that our list of servers is incomplete due to the large diversity of ports used by FinSpy servers, as well as other efforts at concealment. Moreover, discovery of a FinSpy command and control server in a given country is not a sufficient indicator to conclude the use of FinFisher by that country’s law enforcement or intelligence agencies. In some cases, servers were found running on facilities provided by commercial hosting providers that could have been purchased by actors from any country.

The table below shows the FinSpy servers detected in our latest scan. We list the full IP address of servers that have been previously publicly revealed. For active servers that have not been publicly revealed, we list the first two octets only.
Releasing complete IP addresses in the past has not proved useful, as the servers are quickly shut down and relocated.*

| IP | Operator | Routed to Country |
|---|---|---|
| 117.121.xxx.xxx | GPLHost | Australia |
| 18.104.22.168 | Batelco ADSL Service | Bahrain |
| 180.211.xxx.xxx | Telegraph & Telephone Board | Bangladesh |
| 168.144.xxx.xxx | Softcom, Inc. | Canada |
| 168.144.xxx.xxx | Softcom, Inc. | Canada |
| 217.16.xxx.xxx | PIPNI VPS | Czech Republic |
| 217.146.xxx.xxx | Zone Media UVS/Nodes | Estonia |
| 22.214.171.124 | Ethio Telecom | Ethiopia |
| 80.156.xxx.xxx | Gamma International GmbH | Germany |
| 37.200.xxx.xxx | JiffyBox Servers | Germany |
| 178.77.xxx.xxx | HostEurope GmbH | Germany |
| 119.18.xxx.xxx | HostGator | India |
| 119.18.xxx.xxx | HostGator | India |
| 118.97.xxx.xxx | PT Telkom | Indonesia |
| 118.97.xxx.xxx | PT Telkom | Indonesia |
| 103.28.xxx.xxx | PT Matrixnet Global | Indonesia |
| 126.96.36.199 | Biznet ISP | Indonesia |
| 188.8.131.52 | Biznet ISP | Indonesia |
| 117.121.xxx.xxx | GPLHost | Malaysia |
| 187.188.xxx.xxx | Iusacell PCS | Mexico |
| 201.122.xxx.xxx | UniNet | Mexico |
| 164.138.xxx.xxx | Tilaa | Netherlands |
| 184.108.40.206 | Tilaa | Netherlands |
| 220.127.116.11 | Qtel – Government Relations | Qatar |
| 195.178.xxx.xxx | Tri.d.o.o / Telekom Srbija | Serbia |
| 117.121.xxx.xxx | GPLHost | Singapore |
| 18.104.22.168 | Ministry of Communications | Turkmenistan |
| 72.22.xxx.xxx | iPower, Inc. | United States |
| 166.143.xxx.xxx | Verizon Wireless | United States |
| 117.121.xxx.xxx | GPLHost | United States |
| 117.121.xxx.xxx | GPLHost | United States |
| 117.121.xxx.xxx | GPLHost | United States |
| 117.121.xxx.xxx | GPLHost | United States |
| 183.91.xxx.xxx | CMC Telecom Infrastructure Company | Vietnam |

Several of these findings are especially noteworthy:
- Eight servers are hosted by provider GPLHost in various countries (Singapore, Malaysia, Australia, US). However, we observed only six of these servers active at any given time, suggesting that some IP addresses may have changed during our scans.
- A server identified in Germany has the registrant “Gamma International GmbH,” and the contact person is listed as “Martin Muench.”
- There is a FinSpy server in an IP range registered to “Verizon Wireless.” Verizon Wireless sells ranges of IP addresses to corporate customers, so this is not necessarily an indication that Verizon Wireless itself is operating the server, or that Verizon Wireless customers are being spied on.
- A server in Qatar that was previously detected by Rapid7 seems to be back online after being unresponsive during the last round of our scanning. The server is located in a range of 16 addresses registered to “Qtel – Corporate accounts – Government Relations.” The same block of 16 addresses also contains the website http://qhotels.gov.qa/.