Brother
Trojans with a built-in keylogger and functions for stealing critical data are one of the oldest types of malware. Over a quarter of a century, spyware has only evolved, picking up more and more anti-detection features. Along the way it moved onto mobile devices, and varieties of Trojans designed for targeted attacks appeared. In this article we will look at the best-known representatives of commercial spyware and talk about protective measures.
It would seem that the most obvious way to protect yourself from any computer spy is to install an antivirus and forget about the problem forever. But "obvious" is not a synonym for "effective." Most antivirus programs catch Trojans in much the same way counterintelligence catches real spies: by fingerprints, that is, by signature detection.
There are various ways to bypass signature detection; "Hacker" has written about them many times. That leaves heuristics. But heuristic threat detection based on behavioral analysis, running programs in a sandbox and other tricks is not a panacea either, otherwise antiviruses would never produce false positives. In other words, even if the most advanced protection is installed on your computer, that does not mean you are safe.
So which commercial spyware is most popular on the market right now, and how can you detect its presence on a system?
FinFisher
A cyber-espionage program called FinFisher, aka FinSpy, was developed by the Gamma Group and is rumored to be used for political surveillance of journalists and dissidents around the world. The program was leaked to WikiLeaks by Julian Assange in 2011, after which it became public property and was subjected to close scrutiny by information security specialists and other interested parties. "Hacker" has already talked about this wonderful program. FinFisher can intercept the victim's correspondence on social networks, track email messages, work as a keylogger, provide access to files stored on the infected machine, and record video and audio using the built-in microphone and camera. There are FinFisher builds for Windows, macOS and Linux. In addition, mobile versions of the Trojan were created for almost every platform in existence today: Android, iOS, BlackBerry, Symbian and Windows Mobile.
FinSpy Agent main window interface
The FinFisher distribution scheme is typical for Trojans: the spyware was spread using downloaders, which were sent by e-mail under the guise of useful applications or arrived on a computer together with updates to a previously installed, legitimate program. One of the attacks investigated by the guys from ESET also used a MITM scheme: when trying to download the program they needed, an unsuspecting victim was redirected to a phishing site, from where they downloaded a distribution kit "with a surprise." In the ESET example, FinFisher was built into the TrueCrypt distribution. The irony is that a user who wanted to protect their data and encrypt their disk for greater security installed spyware on their own machine with their own hands.
The creators tried to make FinFisher's operation as invisible as possible and to hinder detection of the Trojan in every possible way. Its code contains anti-debugging functions, checks that prevent it from starting in a virtual machine, measures that counteract disassembly, and the code itself is obfuscated. In addition, the program tries to act unnoticed on the infected system and avoid attracting the user's attention.
Protection
Catching FinFisher on a device by hand is a rather non-trivial task. Known samples are successfully detected and removed by popular antivirus programs, but unknown ones... it's harder with them. No matter how trite it may sound, a properly configured firewall is an obvious (and very effective) means of protection against this spy. During operation, FinFisher establishes a connection not only with its control server (whose address can change from sample to sample), but also with several other hosts, from which its components are loaded. If you configure your firewall to paranoidly block application connections to unknown hosts, FinFisher will not be able to work properly on such a device. And in order not to end up with software tampered with by "well-wishers" instead of a clean distribution, it is better to download programs over HTTPS and not be too lazy to check the digital signature of the applications you install.
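One way to put the "block everything unknown" firewall advice above into practice (and the closing advice to keep track of which addresses programs knock on) is an egress audit: compare each process's outbound connections against a per-application allowlist and flag everything else. This is an added example, not code from the article or from any product it mentions; the process names, hosts and log lines are constructed sample data.

```python
"""Egress allowlist audit: flags application connections to hosts that are
not on that application's allowlist (default deny for unlisted processes).
The allowlist and the connection log below are constructed sample data."""
from collections import defaultdict

# Constructed per-application allowlist (hypothetical hosts).
ALLOWLIST = {
    "firefox.exe": {"addons.mozilla.org", "detectportal.firefox.com"},
    "truecrypt-setup.exe": set(),  # an installer has no business going online
}

# Constructed connection log in a netstat-like "process remote_host:port state" form.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, .test is a reserved TLD.
SAMPLE_LOG = """\
firefox.exe addons.mozilla.org:443 ESTABLISHED
firefox.exe 203.0.113.17:80 SYN_SENT
truecrypt-setup.exe 198.51.100.23:443 ESTABLISHED
truecrypt-setup.exe update.example-cdn.test:80 ESTABLISHED
"""

def parse_connections(text):
    """Yield (process, host, port) tuples from the log; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or ":" not in parts[1]:
            continue
        host, _, port = parts[1].rpartition(":")
        yield parts[0], host, int(port)

def audit(text, allowlist=ALLOWLIST):
    """Return {process: [(host, port), ...]} for every connection not allowlisted.
    A process absent from the allowlist gets no exemptions at all (default deny)."""
    violations = defaultdict(list)
    for proc, host, port in parse_connections(text):
        if host not in allowlist.get(proc, set()):
            violations[proc].append((host, port))
    return dict(violations)

if __name__ == "__main__":
    for proc, conns in audit(SAMPLE_LOG).items():
        print(f"{proc}: {len(conns)} unexpected connection(s)")
        for host, port in conns:
            print(f"  -> {host}:{port}")
```

In the sample, the installer's two connections and Firefox's connection to the bare IP address are flagged; the allowlisted add-ons host is not.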
Adwind
This cross-platform program, which can be classified as an RCS (Remote Control System) or RAT (Remote Access Tool), gained fame in 2016, and was first spotted even earlier, in 2013. "Hacker" has already written about it. This Trojan is known by various names: Sockrat, JSocket, jRat, Unrecom, Frutas, and AlienSpy. In fact, all of these are the same tune played over again.
Adwind RAT interface
Since Adwind is written in Java, it targets almost every platform that supports it: Windows, Linux, macOS and, of course, Android. Adwind's popularity among anonymous users is primarily due to the fact that for a long time the Trojan was distributed under a SaaS (Software as a Service) scheme, that is, by subscription. The developers had their own online store, a technical support service and even an advertising channel with videos on YouTube. The price tag was quite democratic: from 20 to 300 evergreen American dollars, depending on the chosen service package. The second reason is the relative ease of obtaining a working, crypted binary that antiviruses will not flag, at least until someone uploads it to VirusTotal.
The main purpose of the Trojan is to provide well-wishers with unauthorized access to a compromised machine. In addition, it can take screenshots, capture keystrokes, steal saved passwords and form data from browsers, and play with the camera and microphone.
The main distribution channel for this spyware is e-mail. Potential victims were sent letters either with a downloader in .JAR format attached, or containing HTML code with VBScript and JScript inserts that quietly pulled the JRE and the Trojan dropper onto the machine. Analysts from Kaspersky Lab have also documented cases of Adwind being distributed via RTF documents containing an exploit for the CVE-2012-0158 vulnerability.
Protection
To protect against Adwind's tricks, you can disable Java on your computer or remove the Java Runtime altogether, without waiting, as they say, for peritonitis. And of course, don't hold a speed contest for opening attachments in emails from suspicious senders. If you really need Java, another primitive but effective method of protection against Adwind is to change the .JAR file association from the JRE to, say, notepad.exe. For obvious reasons it is impossible to root Java out of Android completely, but there it is enough simply not to root the device and not to install things from just anywhere, limiting yourself to Google Play as the main source of applications.
DroidJack
This is the name of probably the most famous commercial remote control utility for Android, which is based on the Sandroid application. The tool has two components: a client side and a server side. One is installed on the smartphone or tablet as an APK file; the other is implemented as a regular Windows application that lets you control the device. A lifetime license for this software costs $210.
DroidJack Utility Interface
DroidJack can transmit the device's current GPS coordinates, manage incoming and outgoing calls, record phone conversations, read and send SMS and WhatsApp messages, view the browser history and the list of running applications, copy contacts, receive images from the built-in camera, control the volume and much more.
Obviously, for DroidJack to work, the app first has to be installed on the device. This can be done either by physically taking possession of it, or by somehow getting the user to install the program themselves. Most of the currently known DroidJack samples lack any covert installation mechanism.
The tool is sold openly, but its price is not particularly democratic. That is why kind-hearted developers have produced cheaper analogs of this program; among them, for example, is OmniRAT, which boasts almost the same set of functions at a quarter of the price.
Protection
The first thing the user should pay attention to is that both DroidJack and OmniRAT request a large number of permissions during installation. If you are installing a flashlight app on your smartphone, it is reasonable to wonder why it needs access to sending SMS and the address book. Secondly, even though the spyware removes its icon from the list of applications, the running program can still be seen in the list of running processes. Finally, DroidJack is caught perfectly well by most modern antiviruses for Android, so regularly checking the device can still be useful.
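The permission check described above can be automated: pull the declared permissions out of an app's manifest and flag the dangerous ones that an app of its claimed category has no reason to hold. This is an added example, not code from the article or from any product it mentions; the manifest excerpt and the category-to-permission table are constructed for illustration, while the permission names themselves are real Android permission strings.

```python
"""Permission-to-purpose audit: flags dangerous Android permissions that an
app of the stated category cannot justify (a flashlight asking for SMS and
contacts). Manifest excerpt and category table are constructed sample data."""
import re

# Real Android permission strings, with what each one exposes to an app.
DANGEROUS = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.READ_CONTACTS": "read address book",
    "android.permission.RECORD_AUDIO": "record microphone",
    "android.permission.CAMERA": "use camera",
    "android.permission.ACCESS_FINE_LOCATION": "track GPS position",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.PROCESS_OUTGOING_CALLS": "intercept outgoing calls",
}

# Constructed mapping: which dangerous permissions a category can justify.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA"},  # the LED is driven via the camera API
    "messenger": {"android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
                  "android.permission.CAMERA"},
}

# Constructed AndroidManifest.xml excerpt for an app that claims to be a flashlight.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

PERM_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')

def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a manifest."""
    return set(PERM_RE.findall(manifest_xml))

def suspicious_permissions(manifest_xml, category):
    """Return {permission: what it exposes} for dangerous permissions the category cannot justify.
    An unknown category justifies nothing, so every dangerous permission is reported."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    return {p: DANGEROUS[p] for p in declared_permissions(manifest_xml)
            if p in DANGEROUS and p not in expected}

if __name__ == "__main__":
    for perm, why in sorted(suspicious_permissions(SAMPLE_MANIFEST, "flashlight").items()):
        print(f"unjustified: {perm} -> {why}")
```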
Pegasus
Pegasus is, as you know, a horse with wings. For Android and iOS, Pegasus is a Trojan horse, one of the most famous varieties of commercial mobile spyware. Curiously, Pegasus can be installed on Apple mobile devices that have not been jailbroken. Several known targeted attacks attempted to deliver Pegasus to an iPhone using SMS messages containing a malicious link. The spyware exploits vulnerabilities to install itself into the system, although the known ones only affect outdated versions of iOS (up to 9.3.5). However, nobody knows for sure what the more modern editions of Pegasus are capable of, and its developers (the Israeli company NSO Group is suspected of creating the spy) are alive and well.
The Trojan consists of several functional modules that are loaded onto the infected device as needed. The set of functions of Pegasus is generally standard for such spyware: keylogging, taking screenshots, reading SMS and email messages, copying browser history, listening to phone calls, and so on.
The program tries to behave as covertly as possible and not reveal itself in any way on a compromised device. If it detects that a different SIM card has been inserted into the phone, or fails to reach its control server for 60 days, the program self-destructs. All of this shows that Pegasus is aimed at targeted attacks; it is not a "weapon of mass destruction."
The known Pegasus samples for Android do not use vulnerabilities; to obtain administrator privileges (without which they cannot steal anything from the device except its model name) they use the traditional tactic: pestering the user with annoying prompts until he agrees to press the coveted button.
Protection
There are several methods of protection against Pegasus: for iPhone and iPad owners, update the system in time; for Android users, do not grant administrative privileges to dubious applications, even if they ask for them very insistently.
Conclusions
Commercial spyware has been, is and will be present on users' systems. Simply because demand, as a smart guy named John Maynard Keynes said, creates supply. Antivirus, as we have already found out, is not a panacea, so to protect against spyware you should use the most powerful analytical tool available today: the brain.
Check installed programs with antivirus utilities, keep track of which network addresses they knock on during operation, watch what processes are launched on the system, do not forget to update the OS in time, disable unnecessary components like the Java Runtime, and in the evenings knock back not only half a liter of unfiltered beer, but also all current security patches.
