In today's threat landscape the lines between legitimate cyber-investigation tools and spying tools are becoming ever more blurred. In recent days, the discovery of two different threats has highlighted this point. Intego, in a blog, has discussed the Mac OS Trojan called "Crisis", which is part of an advanced covert surveillance tool that is for sale online and is marketed towards governmental cyber investigation needs. This threat is detected by Symantec as OSX.Crisis and examined in a previous blog. Meanwhile, Citizenlab.org has blogged about FinFisher, another covert surveillance tool that is marketed as a governmental IT intrusion and remote monitoring solution, detected by Symantec as Backdoor.Finfish.
Both tools are sold with the intent to be used for lawful purposes. However, there are different reports in the media related to both products that suggest they are being used for questionable purposes. The following list of marketed capabilities of these products would raise obvious privacy concerns if the products were to be used unlawfully:
- Cross platform support (Windows, Mac OSX and Linux)
- Key logging
- Live surveillance through Webcam and Microphone
- Location identification
- Silent extraction of files from hard drives
- Skype monitoring
The above list also reflects the promotional material for one of the products, as can be seen in the following image:
Symantec has detection in place for both tools and is continuing to monitor the threat landscape for further developments around such tools. Reports suggest that these tools are primarily being used for political interest. Furthermore, with the costs related to the use of such tools being prohibitive to the masses, we do not expect to see a lot of activity related to such tools in the wild. However, Symantec still recommends that you use the latest Symantec technologies and up-to-date virus definitions to stay protected. Also, if using Skype or other similar programs, please ensure that you are using the latest version.