The Real Mozilla Stands Up to Firefox-Cloaked Spyware

Mozilla, the creator of the Firefox browser, has sent a cease-and-desist letter to Gamma International, a German company that sells spyware to governments and law enforcement agencies.

The move was a reaction to the news that a booby-trapped Microsoft Word document — sent out for upcoming Malaysian elections — embeds a copy of Gamma’s FinSpy spyware that masquerades as a Firefox executable.

That news was disclosed in a report from Citizen Lab published on Tuesday.

“Good spyware creators spoof legitimate software all the time,” said Randy Abrams, a research director at NSS Labs. “It’s a lot easier than any other form of social engineering.”

“We have nothing to add beyond what’s in our blog post,” Mozilla spokesperson Mike Manning told TechNewsWorld.

What Gamma Did

The FinSpy spyware that Citizen Lab discovered in the Malay-language document masquerades as Firefox in both file properties and manifest. This is similar to samples discussed in Citizen Lab’s earlier reports, including a demo copy of the product and samples targeting activists in Bahrain.

When a user views the properties of the installed spyware, the program carries the Firefox.exe name and includes the properties associated with Firefox, as well as a version number, copyright and trademark claims attributed to Firefox and Mozilla developers, Mozilla said.

The assembly manifest from Firefox is included verbatim in the spyware’s underlying code.
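The masquerade described above copies only metadata, so a defender can compare what a file claims in its version resource against who actually signed it. The PowerShell below is an added example, not code from Mozilla or Citizen Lab. The function name `Find-FirefoxMasquerade`, the scan path, and the expected signer string `Mozilla Corporation` are assumptions to adjust for your environment.

```powershell
# Added example: flag binaries whose version resource claims Firefox/Mozilla
# but which lack a valid Authenticode signature from the expected publisher.
# Assumption: genuine Firefox builds are signed with a certificate whose
# subject CN is the value of $ExpectedSigner; verify this for your builds.
function Find-FirefoxMasquerade {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSigner = 'Mozilla Corporation'
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # The properties the article says were copied: file name, product
            # properties, copyright and trademark claims.
            $claims = @($vi.CompanyName, $vi.ProductName, $vi.OriginalFilename,
                        $vi.InternalName, $vi.LegalCopyright, $vi.LegalTrademarks) -join ' '
            if ($claims -notmatch 'Mozilla|Firefox') { return }   # next file

            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $signerOk = $signer -match "CN=$([regex]::Escape($ExpectedSigner))(,|$)"

            # Copied metadata cannot reproduce the publisher's signature, so a
            # Mozilla claim without a valid Mozilla signature is worth a look.
            if ($sig.Status -ne 'Valid' -or -not $signerOk) {
                [pscustomobject]@{
                    Path            = $_.FullName
                    ClaimedProduct  = $vi.ProductName
                    ClaimedCompany  = $vi.CompanyName
                    SignatureStatus = $sig.Status
                    Signer          = $signer
                    SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Example run over a user profile (path is illustrative):
# Find-FirefoxMasquerade -Path $env:USERPROFILE | Format-List
```

Unsigned community or portable builds that reuse Firefox metadata will also appear in the output, so treat results as leads to triage rather than verdicts.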

It’s not clear whether Mozilla will take any further action if Gamma ignores its cease-and-desist letter.

What’s Gamma About?

Gamma International is part of the Gamma Group, which includes Gamma TSE, Gamma Group International and G2 Systems.

Gamma TSE is a government contractor providing surveillance vehicles and technical surveillance equipment to state intelligence and law enforcement. Gamma Group International provides advanced technical surveillance and monitoring solutions to national and state intelligence departments and law enforcement, and also acts as a consultant.

Gamma International has “world-class” intrusion and IT experts and offers a portfolio of intrusion products called “FinFisher.” G2 Systems provides training and products to government security agents worldwide.

The FinFisher Toolkit unveiled a mobile product last year that conducts surveillance, steals files, tracks the locations of devices it infects, and communicates with command and control servers. TrustWave SpiderLabs looked at the Android version of this spyware.

In 2011, protesters in Egypt found an offer for FinFisher spyware in the offices of the country’s state security investigation department, according to F-Secure.

FinFisher products have been used to spy on citizens of several countries. Citizen Lab has identified FinFisher C&C servers around the globe, including Hungary, Turkey, Panama, Lithuania, South Africa, Austria, Malaysia, India, Singapore, the UK, and the U.S.

“I guess governments spy on their citizens a lot more than we know,” NSS Labs’ Abrams told TechNewsWorld. “But I don’t see our government telling us anything any more than other more repressive governments.”

The Gamma Group did not respond to our request to comment for this story.

Reaction to FinFisher

Privacy International has filed suit against the British government, which it contends should have used the Export Control Act of 2002 to restrict sales of FinFisher products to repressive governments.

In February, Privacy International, the European Center for Constitutional and Human Rights, Bahrain Watch and Reporters Without Borders jointly filed complaints with the Organization for Economic Cooperation and Development in the UK and Germany against Gamma International and another surveillance company, Trovicor. The complaints centered on their potential complicity in human rights abuses in Bahrain.

In the U.S., the Electronic Frontier Foundation is among the groups that have been tracking FinFisher products.
