Industry Watch
From Redmond with Love
You can't claim you weren't warned.
REDMOND (Radsoft) — The initial assessment, that most of the attacks described in the Spy Files relied on duping users into installing trojans on their systems, may have been an oversimplification. A report released today by the Citizen Lab of the University of Toronto points in the opposite direction.
Software from FinFisher, a subsidiary of Gamma International of the UK, uses tried and true methods to break into standard Windows computers.
You'd Been Warned
Microsoft Windows users have been warned for years. The Electronic Frontier Foundation has advised against using Microsoft products, as have several governments in the European Union. Yet despite the abysmal Redmond track record and the outrageous prices, the sheeple keep on buying their products.
Now comes a report from the Citizen Lab at the University of Toronto, with an assist from the Electronic Frontier Foundation, that shows in detail how a major corporation's product exploits the myriad known weaknesses in Windows design to take total control of any Windows computer.
The report concerns a piece of intrusion software known as FinFisher, by a company also known as FinFisher, a subsidiary of Gamma International UK. The product is classified as 'governmental IT intrusion'. Gamma were in negotiations with Mubarak's regime in Egypt to sell licences to the product. Vernon Silver of Bloomberg News obtained copies of the booby-trapped messages sent to Bahraini activists in late spring of this year, after which the people at the University of Toronto were able to acquire and analyse the samples.
The Citizen Lab analysis of FinFisher was carried out by Morgan Marquis-Boire and Bill Marczak of the University of California at Berkeley, with assistance from Seth Hardy, Harry Tuttle, John Scott-Railton on location in the Middle East, Marcia Hofmann of the EFF, and Privacy International.
The details of the analysis are available at the website of the Citizen Lab. The intrusion follows the same basic procedure as always: get something onto the local Windows system, then go ahead willy-nilly and corrupt the system with nothing standing in the way. One otherwise interesting aspect of the attack vector is the use of the Unicode 'RLO' (right-to-left override) character U+202E, an invisible control character that forces everything after it to be rendered right to left, so that the text it governs appears backwards on screen.
A file name that ends in the grouping 'cod.exe', with the invisible RLO character placed immediately before that grouping, is therefore displayed with its tail reversed as 'exe.doc', and the real '.exe' extension vanishes from view.
The user will think it's a MS Word attachment and likely open it, activating the malware: the name still ends in '.exe' as far as Windows is concerned, so Windows runs it as a program. The 'RLO' technique has been used by black hats to dupe Windows users since 2010.
[Note: Although Apple's NSText system will recognise the RLO character in text files (the caret of the corresponding NSTextView will alert you to its presence), the OS X operating system will not act on it in file names. Thankfully. Ed.]
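The trick described above, as an added example that is neither code from the Citizen Lab report nor from this page: a short Python script that builds such a name, approximates what a bidi-aware file listing shows for it, and flags any file name carrying a Unicode bidirectional control character. The sample name 'ann' + RLO + 'cod.exe' is constructed for illustration, and the function names are this example's own.

```python
"""Added example (not code from the Citizen Lab report or this page): build an
RLO-spoofed file name, approximate how a bidi-aware listing renders it, and
flag names that carry Unicode bidirectional controls. Sample names below are
constructed for illustration."""
import os
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character the FinFisher lure used
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, ends an override run

# Every bidi control character; none of them belongs in a file name.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f"                      # LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"    # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"          # LRI, RLI, FSI, PDI
)


def spoofed_name(prefix: str, real_ext: str, shown_ext: str) -> str:
    """Build a name that really ends in .real_ext but appears to end in .shown_ext.
    The tail after RLO is the reverse of 'real_ext.shown_ext', so for
    ('ann', 'exe', 'doc') the real name is 'ann' + RLO + 'cod.exe'."""
    return prefix + RLO + (real_ext + "." + shown_ext)[::-1]


def as_displayed(name: str) -> str:
    """Approximate what a bidi-aware file listing shows for `name`.
    RLO forces every following character to render right-to-left until a PDF
    or the end of the string, so that run appears reversed; the control
    characters themselves are invisible. This is a simplification of the full
    Unicode bidi algorithm that holds for the plain-ASCII names this trick
    relies on."""
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls render as nothing here
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_bidi_controls(name: str) -> list[tuple[int, str]]:
    """Return (index, Unicode name) for every bidi control in `name`."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name)
            if ch in BIDI_CONTROLS]


def real_extension(name: str) -> str:
    """The extension the OS will actually act on, regardless of rendering."""
    return os.path.splitext(name)[1].lower()


def safe_display_name(name: str) -> str:
    """Make every bidi control visible, e.g. for a mail gateway's log or UI."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch
                   for ch in name)


def is_suspicious(name: str) -> bool:
    """Flag any attachment name that carries a bidi control character."""
    return bool(find_bidi_controls(name))


if __name__ == "__main__":
    lure = spoofed_name("ann", "exe", "doc")       # constructed sample
    print("shown as   :", as_displayed(lure))       # annexe.doc
    print("really     :", safe_display_name(lure))  # ann<U+202E>cod.exe
    print("runs as    :", real_extension(lure))     # .exe
    print("suspicious :", is_suspicious(lure))      # True
```

A mail gateway or download scanner that runs find_bidi_controls over attachment names catches the whole family of these tricks rather than one sample, and real_extension reports what the operating system will act on rather than what the user sees; a file listing that prints safe_display_name instead of the raw name denies the lure its disguise.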
What happens once FinFisher is on disk is pure rote: system files and processes are overwritten, and the system is totally corrupted.
It must be pointed out that the only way software like FinFisher can succeed is by finding and exploiting weaknesses in what Microsoft markets as a secure and safe operating system. The ease with which black hats can poke holes in Windows is legendary. FinFisher is no exception.
And one ultimately has to wonder why Microsoft never fix their terrible system, and whether in fact this is at the behest of agencies and organisations of the most repressive governments on the planet, with the United States of America up there at the top.
WikiLeaks: The Spy Files
Rixstep Learning Curve: Spyfiles & You
Radsoft Security: Microsoft Windows Security is an Afterthought