Lord777
Spyware Trojans with a built-in keylogger and functions for stealing sensitive data are one of the oldest classes of malware. Over a quarter of a century, spy software has only evolved, acquiring more and more anti-detection features; along the way it moved to mobile devices, and varieties of Trojans designed for targeted attacks appeared. In this article we look at the best-known commercial spyware products and discuss protective measures.
It would seem that the obvious way to protect yourself from any computer or mobile spy is to install an antivirus and forget about the problem forever. But "obvious" is not a synonym for "effective". Most antivirus products catch Trojans in much the same way counterintelligence catches real spies: by fingerprints, that is, by signature detection.
A signature is a characteristic pattern of a known file (a hash or a sequence of bytes) stored in the antivirus database, by which that file can be told apart from others. If a sample of a malicious file has not previously been examined in a virus laboratory and its signature has not been added to the database, the antivirus cannot identify it by signature; a fresh build or a repacked copy of a known spy therefore passes unnoticed.
There are different ways to bypass signature detection, and we have written about them more than once. That leaves heuristics. But heuristic mechanisms for finding threats, based on behavioural analysis, running a program in a sandbox and other tricks, are not a panacea either: they are approximate by nature, which is why antiviruses produce false positives, and the same imprecision produces false negatives. In other words, even if your computer is equipped with the most advanced protection, it does not mean you are safe.
So which commercial spyware products are the most popular on the market today, and how can you detect their presence on a system?
FinFisher spyware Trojan
The cyber-espionage software FinFisher, also known as FinSpy, was developed by Gamma Group and is reported to have been used for political surveillance of journalists and dissidents around the world. Its materials were published by WikiLeaks in 2011, and the software itself later leaked publicly, after which it came under close scrutiny by information security specialists and other interested parties.
FinFisher can intercept the victim's correspondence on social networks, monitor e-mail, work as a keylogger, give access to files stored on the infected machine, and record video and audio with the built-in camera and microphone. FinFisher builds exist for Windows, macOS and Linux. In addition, mobile versions of the Trojan were created for almost every platform of the day: Android, iOS, BlackBerry, Symbian and Windows Mobile.
FinSpy Agent main window interface
The FinFisher distribution scheme is typical for Trojans: the spyware was delivered by downloaders sent by e-mail under the guise of useful applications, or arrived on the computer together with an update to a previously installed legitimate program. One of the attacks investigated by ESET also used a man-in-the-middle scheme: when an unsuspecting victim tried to download a program they needed, the download was redirected (ESET suspected the redirection was done at ISP level) to a site serving a distribution package bundled with the Trojan. In the ESET case, FinFisher was built into a TrueCrypt installer. The irony is that a user who wanted to protect their data by encrypting their disk installed spyware on their own machine with their own hands.
Its creators tried to make FinFisher as invisible as possible and to complicate its analysis in every way: the code contains anti-debugging, anti-virtual-machine and anti-disassembly tricks, and is obfuscated. On the infected system the program tries to work unnoticed and not draw the user's attention.
FinFisher Trojan protection
Catching FinFisher on a device by hand is a tricky task. Known samples are detected and removed by popular antivirus programs, but unknown ones are a harder problem.
Trite as it sounds, a properly configured firewall is an obvious (and very effective) means of protection against this spy. During operation, FinFisher connects not only to its control server (whose address varies from sample to sample) but also to several other hosts from which its components are loaded. If the firewall is configured to block, paranoidly, application connections to any host not explicitly allowed, FinFisher cannot work properly on that device. And to avoid getting a trojanized package instead of a clean distribution, download programs over HTTPS and do not be lazy about checking their digital signatures.
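As an added example (not code from the original article or from any product it discusses), the following Python script does by hand what a paranoid outbound firewall does automatically: it takes the connection table in the shape Windows `netstat -ano` prints and lists every process that is talking to hosts outside an allowlist. The allowlist, the netstat rows and the PIDs are constructed for illustration; in practice you build the allowlist from a clean baseline of the machine and repeat the check several times, since the Trojan contacts its control server and its component hosts at different moments.

```python
"""Egress review: which processes talk to hosts outside an allowlist?

Added example, not code from the original article. It reads connection
lines in the shape printed by Windows `netstat -ano` and reports every
active outbound connection whose remote address is not on an allowlist.
The allowlist and the netstat lines are constructed for illustration; the
address ranges are hypothetical.
"""
import ipaddress
import re
import sys

# Hypothetical allowlist for one workstation: internal ranges plus the
# update CDN and mail relay that its legitimate software is known to use.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),   # stands in for a software update CDN
]
ALLOWED_HOSTS = {ipaddress.ip_address("198.51.100.25")}  # stands in for the mail relay

# Connection states that mean traffic is flowing or being attempted.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

# One netstat -ano row: proto, local, remote, optional state (UDP has none), pid.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Turn 'ip:port' or '[ipv6]:port' into (ip_address, port); wildcards give (None, None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host in ("", "*"):
        return None, None
    return ipaddress.ip_address(host), (int(port) if port.isdigit() else None)


def is_allowed(ip):
    """Loopback, link-local, unspecified and explicitly allowlisted destinations are fine."""
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return True
    return ip in ALLOWED_HOSTS or any(ip in net for net in ALLOWED_NETWORKS)


def unknown_connections(netstat_output):
    """Return (pid, proto, remote_ip, remote_port, state) for each active
    connection to a destination outside the allowlist."""
    findings = []
    for line in netstat_output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # banner, header or blank line
        state = m["state"]
        if state and state not in ACTIVE_STATES:
            continue                      # LISTENING, TIME_WAIT and friends
        ip, port = split_endpoint(m["remote"])
        if ip is None or is_allowed(ip):
            continue
        findings.append((int(m["pid"]), m["proto"], str(ip), port, state or "-"))
    return findings


def by_pid(findings):
    """Group findings by process so a single chatty PID stands out."""
    grouped = {}
    for pid, proto, ip, port, state in findings:
        grouped.setdefault(pid, []).append(f"{proto} {ip}:{port} ({state})")
    return grouped


# Constructed netstat -ano output; PID 6688 plays the role of an unknown program.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.15:49710        10.0.0.2:445           ESTABLISHED     4
  TCP    10.0.0.15:49812        203.0.113.17:443       ESTABLISHED     2280
  TCP    10.0.0.15:49901        198.51.100.25:587      ESTABLISHED     5104
  TCP    10.0.0.15:50122        192.0.2.77:443         ESTABLISHED     6688
  TCP    10.0.0.15:50123        192.0.2.90:8080        SYN_SENT        6688
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  UDP    0.0.0.0:5353           *:*                                    3312
"""

if __name__ == "__main__":
    # Pipe real output in (netstat -ano | python egress_review.py) or use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for pid, remotes in by_pid(unknown_connections(text)).items():
        print(f"PID {pid} reaches outside the allowlist: {', '.join(remotes)}")
```

Map the flagged PIDs back to executables (`tasklist /FI "PID eq 6688"` on Windows) and add a firewall rule per program; with a default-deny outbound policy the script is only a way to see what the firewall should already have blocked.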
Adwind spyware Trojan
This cross-platform program, which can be classed as a remote control system (RCS) or a RAT (Remote Access Tool), became widely known in 2016, although it first surfaced in 2013. The Trojan goes by various names: Sockrat, JSocket, jRat, Unrecom, Frutas and AlienSpy. In fact, all of these are variations on the same tune.
Adwind RAT Trojan Interface
Since Adwind is written in Java, it targets almost every platform that supports it: Windows, Linux, macOS and, of course, Android. Its popularity in the underground is due first of all to the fact that for a long time the Trojan was distributed on a SaaS (Software as a Service) basis, that is, by subscription. The developers had their own online store, a technical support service and even a YouTube channel with promotional videos. The price was quite democratic: from 20 to 300 US dollars, depending on the chosen service package. The second reason is the relative ease of obtaining a working, crypted binary that antiviruses will not flag, at least until someone uploads it to VirusTotal.
The main purpose of the Trojan is to give its operator unauthorized access to the compromised machine. In addition, it can take screenshots, capture keystrokes, steal saved passwords and form data from browsers, and use the camera and microphone.
The spy's main distribution channel is e-mail seasoned with social engineering. Potential victims were sent messages either with a downloader in .JAR format attached, or containing HTML with embedded VBScript and JScript that silently pulled a JRE and the Trojan's dropper onto the machine. Kaspersky Lab analysts have also recorded cases of Adwind being distributed in RTF documents carrying an exploit for CVE-2012-0158.
Adwind Trojan protection
To protect yourself from Adwind you can disable Java on your computer or remove the Java Runtime altogether, before it becomes a problem rather than after. And, of course, do not race to open attachments in e-mails from suspicious senders. If you really need Java, another primitive but effective method of protection against Adwind is to change the .JAR file association from the JRE to, say, notepad.exe. Bear in mind that this only stops a double-clicked .jar from running; a script that calls java.exe -jar directly, or a dropper that fetches its own JRE, is not affected, so the trick complements attachment discipline rather than replacing it.
For obvious reasons, Java cannot be rooted out of Android, but there it is enough not to root the device and not to install anything from anywhere, keeping to Google Play as the main source of applications.
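The attachment discipline above can be automated at a mail gateway or in a local quarantine script. The following Python is an added example, not code from the original article or from any antivirus product: it judges an attachment by its content rather than its name, opening zip-based files to see whether they are runnable JARs (a META-INF/MANIFEST.MF declaring a Main-Class, or .class files inside) and looking for VBScript/JScript blocks in HTML attachments, the two delivery forms the article describes for Adwind. The sample attachments, including the stand-in JAR dropper, are built in memory and are constructed for illustration only.

```python
"""Judge a mail attachment by its content, not its extension.

Added example, not code from the original article. Adwind droppers arrived
as .JAR attachments or as HTML carrying VBScript/JScript; this gateway-style
check opens zip-based attachments to see whether they are runnable JARs and
looks for VBScript/JScript blocks in HTML attachments. All sample
attachments below are constructed in memory for illustration.
"""
import io
import re
import zipfile

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ZIP_MAGIC = b"PK\x03\x04"
# <script language="VBScript"> / <script type="text/jscript"> and variants.
SCRIPT_BLOCK_RE = re.compile(
    rb"<script[^>]*\b(?:language|type)\s*=\s*['\"]?(?:text/)?(?:vbscript|jscript)",
    re.IGNORECASE,
)
# "document.pdf.jar"-style double extensions hide an executable behind a harmless name.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png)\.(?:jar|js|jse|vbs|vbe|exe|scr)$")


def inspect_zip(data):
    """Return (manifest_text, has_class_files) for a zip, or None if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            manifest = ""
            if "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            has_class = any(n.lower().endswith(".class") for n in names)
            return manifest, has_class
    except zipfile.BadZipFile:
        return None


def attachment_risk(filename, data):
    """List the reasons an attachment looks like an Adwind-style dropper (empty = nothing found)."""
    reasons = []
    lower = filename.lower()
    if DOUBLE_EXT_RE.search(lower):
        reasons.append("double extension hides an executable type")
    jar_like = False
    if data.startswith(ZIP_MAGIC):
        info = inspect_zip(data)
        if info is not None:
            manifest, has_class = info
            if re.search(r"^Main-Class:", manifest, re.MULTILINE):
                reasons.append("runnable JAR (manifest declares Main-Class)")
                jar_like = True
            elif has_class:
                reasons.append("zip archive containing Java class files")
                jar_like = True
    if jar_like and not lower.endswith(".jar"):
        reasons.append("JAR content behind a non-.jar filename")
    if lower.endswith((".htm", ".html")) and SCRIPT_BLOCK_RE.search(data):
        reasons.append("HTML attachment with a VBScript/JScript block")
    return reasons


def build_sample_jar():
    """Constructed stand-in for a JAR dropper: a manifest with Main-Class and one class stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Dropper\r\n\r\n")
        zf.writestr("Dropper.class", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 32)
    return buf.getvalue()


def build_plain_zip():
    """Constructed harmless archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "nothing to see here\n")
    return buf.getvalue()


# Constructed sample attachments (names and contents invented for the demo).
SAMPLES = {
    "Invoice_2016.pdf.jar": build_sample_jar(),
    "photos.zip": build_sample_jar(),          # JAR renamed to look like a plain archive
    "archive.zip": build_plain_zip(),
    "invoice.html": b'<html><body><script language="VBScript">MsgBox "x"</script></body></html>',
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = attachment_risk(name, blob)
        print(f"{name:22} -> {'; '.join(verdict) if verdict else 'ok'}")
```

The point of opening the archive is that a renamed JAR is still a JAR: the file association trick and extension-based mail filters both key on the name, while the JRE, once invoked, keys on the content.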
DroidJack spyware Trojan
This is the name of probably the most popular commercial Android remote control Trojan, which is based on the Sandroid app. The tool has two components: the client and the server. One is installed on the smartphone or tablet as an APK, the other is an ordinary Windows application from which the device is controlled. A lifetime licence costs $210.
DroidJack Trojan Interface
DroidJack can report the device's current GPS coordinates, manage incoming and outgoing calls, record phone conversations, read and send SMS and WhatsApp messages, view browser history and the list of running applications, copy contacts, take pictures with the built-in camera, control the volume and much more.
Obviously, for DroidJack to work its app must first be installed on the device, either by taking physical possession of it or by somehow getting the user to install the program themselves. Most currently known DroidJack samples have no covert installation mechanism.
The Trojan is sold openly, but the price is not particularly democratic, which is why enterprising developers produced cheaper analogues; OmniRAT, for example, boasts almost the same feature set at a quarter of the price.
DroidJack Trojan protection
The first thing to pay attention to is that both DroidJack and OmniRAT request a large number of permissions during installation. If you are installing a flashlight on your smartphone, it is reasonable to ask why it needs to send SMS and read the address book.
Secondly, even though the spy removes its icon from the application list, the running program can still be seen in the list of running processes (on recent Android versions it is easier to look from a connected computer with adb shell ps -A than from an app on the device). Finally, DroidJack is reliably caught by most modern Android antiviruses, so a regular scan of the device is still useful.
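The permission check can be done for every installed app at once from a connected computer. The following Python is an added example, not code from the original article or from DroidJack, OmniRAT or any Android tool: it parses the "requested permissions:" blocks of `adb shell dumpsys package` output and scores each package against the cluster of permissions a DroidJack-class RAT needs (SMS, contacts, call log, microphone, camera, location, calls). The dumpsys text below is constructed, with invented package names, hashes and user IDs; the layout of the block follows what current Android versions print, but treat it as an assumption and check it against your own device's output.

```python
"""Review requested Android permissions for a spyware-style profile.

Added example, not code from the original article. It parses the
"requested permissions:" sections of `adb shell dumpsys package` output and
scores each package against the permission set a DroidJack/OmniRAT-class
RAT needs. The dumpsys text below is constructed: package names, hashes
and user IDs are invented for illustration.
"""
import re

# Permissions that, taken together, let an app read and relay a user's life.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

PACKAGE_RE = re.compile(r"^\s*Package \[(?P<pkg>[^\]]+)\]")


def parse_requested_permissions(dumpsys_text):
    """Map package name -> set of permissions listed under 'requested permissions:'."""
    result = {}
    current = None
    in_requested = False
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        m = PACKAGE_RE.match(raw)
        if m:
            current = m["pkg"]
            result.setdefault(current, set())
            in_requested = False
            continue
        if current is None or not line:
            continue
        if line == "requested permissions:":
            in_requested = True
            continue
        if line.endswith(":"):
            in_requested = False          # any other section header ends the list
            continue
        if in_requested:
            # Some versions append ": granted=..." details; keep only the name.
            result[current].add(line.split(":", 1)[0].strip())
    return result


def surveillance_score(permissions):
    """Return (score, sorted short names of matched surveillance permissions)."""
    matched = sorted(p.rsplit(".", 1)[-1] for p in permissions & SURVEILLANCE_PERMISSIONS)
    return len(matched), matched


def suspicious_packages(dumpsys_text, threshold=4):
    """Packages whose surveillance score reaches the threshold, highest score first."""
    flagged = []
    for pkg, perms in parse_requested_permissions(dumpsys_text).items():
        score, matched = surveillance_score(perms)
        if score >= threshold:
            flagged.append((pkg, score, matched))
    return sorted(flagged, key=lambda item: -item[1])


# Constructed excerpt of `adb shell dumpsys package`; the "flashlight" asks for far too much.
SAMPLE_DUMPSYS = """
Packages:
  Package [com.example.flashlight] (3f2a1c7):
    userId=10152
    pkg=Package{7c1d2e com.example.flashlight}
    versionName=1.0
    requested permissions:
      android.permission.CAMERA
      android.permission.FLASHLIGHT
      android.permission.INTERNET
      android.permission.SEND_SMS
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CALL_LOG
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (9b0ee21):
    userId=10153
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    # Real input: adb shell dumpsys package > dump.txt, then feed the file here.
    for pkg, score, matched in suspicious_packages(SAMPLE_DUMPSYS):
        print(f"{pkg}: {score} surveillance permissions ({', '.join(matched)})")
```

The score is a signal, not a verdict: a legitimate messenger also asks for several of these permissions. What makes the flashlight suspicious is the mismatch between what it claims to be and what it asks for, which is exactly the question the paragraph above tells the user to ask.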
Pegasus spyware Trojan
Pegasus, as you know, is a winged horse. For Android and iOS, Pegasus is a Trojan horse, one of the most famous kinds of commercial mobile spyware.
Curiously, Pegasus can be installed on Apple mobile devices that have not been jailbroken. Several known targeted attacks tried to deliver Pegasus to an iPhone through SMS messages containing a malicious link. The Trojan uses exploits to install itself on the system, albeit only on outdated iOS versions (the exploit chain was fixed in iOS 9.3.5). Nobody knows for sure what more modern editions of Pegasus are capable of, since its developers (the Israeli company NSO Group is widely identified as its creator) are alive and well.
The Trojan consists of several functional modules that are loaded onto the infected device as needed. Its feature set is standard for such spyware: keylogging, screenshots, reading SMS and e-mail, copying browser history, listening in on phone calls and so on.
Pegasus tries to behave as stealthily as possible and not give itself away on the compromised device. If it finds that a different SIM card has been inserted, or cannot reach its control server for 60 days, it self-destructs. All of this shows that Pegasus is built for targeted attacks; it is not a "weapon of mass destruction".
The known Pegasus samples for Android do not rely on a remote exploit to get onto the device; to obtain the administrator privileges without which they cannot steal anything from the device except its model name, they use the traditional tactic of pestering the user with alerts until they agree to press the coveted button.
Pegasus Trojan protection
There are a couple of ways to protect against Pegasus: iPhone and iPad owners should update the system promptly, and Android users should not grant device administrator privileges to dubious applications, however insistently they ask. On Android you can review which apps currently hold administrator rights in the device admin apps section of Settings (the exact path varies by version) and revoke them there.
Conclusion
Commercial Trojans have been, are and will be present on user systems, simply because, as a clever man named John Maynard Keynes observed, demand creates supply.
Antiviruses, as we have found out, are not a panacea, so to protect against spyware Trojans you should use the most powerful analytical tool available today: the brain.
Check installed programs with antivirus utilities, watch which network addresses they knock on while running, keep an eye on which processes are started on the system, update the OS in time, disable unnecessary components such as the Java Runtime, and make installing current security patches as regular an evening ritual as the half-litre of unfiltered.