FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
FINFISHER: FinFly Web 4.0
Release Notes
Copyright: 2013 by Gamma Group International, UK
Date: 2013-08-09
Release information

Version | Date | Author | Remarks
1.0 | 2010-06-29 | ht | Initial version
1.1 | 2010-07-05 | pk | Review
1.2 | 2010-09-24 | Pk | Add changes for release 1.4
1.3 | 2012-02-05 | PK | Add changes for release 2.0
1.4 | 2012-03-16 | PK | Add changes for release 2.1
1.5 | 2012-05-12 | PK | Add changes for release 2.2
1.6 | 2013-01-08 | PK | Add changes for release 3.0
1.7 | 2013-03-26 | PK | Add changes for release 3.1
1.8 | 2013-05-17 | PK | Add changes for release 3.2
1.9 | 2013-08-09 | PK | Add changes for release 4.0
Table of Contents

1 Overview
2 ChangeLog
3 Limitations
1 OVERVIEW
FinFly Web is designed to help Law Enforcement and Intelligence Agencies covertly install Remote Monitoring software onto Target Systems through websites, which install the software by using the functionality of the web browser modules.
The product can generate a wide range of attack code that can be embedded into any given website and which infects the Target when the website is visited.
[Figure: Tactical IT Intrusion Portfolio (Remote Monitoring & Infection Solution): FinSpy, FinUSB Suite, FinIntrusion Kit, FinFly (USB / Web / LAN / ISP), FinFireWire, FinTraining (IT Intrusion Training Program), FinSpy Mobile]
2 CHANGELOG
Version: 4.0

Component | Change | Description
Modules | Code Review | Optimize source code of different modules.
Modules | Update | Optimize all modules to support the latest version of all browsers.
Module | New Information Gathering Module | Each module can be extended by an information gathering module. This module collects information from the target PC (e.g. OS, language, timezone, IP address etc.).
Module | Replacement / New Module (Iframe / Framebuster) | The existing IFRAME module was replaced by a new module. In previous releases the FFWeb code could be rejected by some web pages that prevent their content from being shown in an IFRAME. The new module requires PHP preinstalled on the web server. The new version bypasses the IFRAME frame-busting technique.
Module | New Feature / AntiDebugging | A special encoder script was written to prevent easy debugging / interception of the JavaScript code.
Module | New Module (IE Click Once) | A new module was added. It runs only in an Internet Explorer browser. A ClickOnce application is loaded; the user has to accept the application only once. Code signing with a trusted certificate is integrated.
GUI | Update | A new enhanced content check was integrated, which detects whether all necessary files are written successfully.
Mobile Targets | Update | All modules were tested and optimized for mobile targets.
Version: 3.2

Component | Change | Description
Module | Removal of XPI Plugins | The XPI-based plugins have been temporarily suspended. We are working on new functionalities and techniques which work on all common browsers and are not limited to certain vendors.
GUI | Fix Input Validation | The "~" character can be used inside the Java payload URL.
FinFly LAN/ISP | Fix Configuration File | The HTTP/HTTPS protocol is detected automatically.
Module | Fix All Modules | A Linux payload without any file extension generates an output filename without any file extension too.
Documentation | User Manual / Training Slides | Both documents were updated.
Version: 3.1

Component | Change | Description
GUI | Fix | Fixed button size in the wizard.
GUI | New Feature | Resetting a previously selected payload is possible now.
Installer | Bugfix | Fix update error if FinFly Web was installed with user permissions.

Version: 3.0

Component | Change | Description
FinFly Lan / ISP | Module Support Update | Support / update for mobile targets.
Module | Code Obfuscating | Implementation of JavaScript code obfuscation.
Module | Bugfix / Java Module | Fix UAC bypass to start non-UAC payload.
Module | XPI Module | Add possibility to change the version number of the XPI add-on.
Module | Java Module | The Java applet can be signed with a *.pfx/*.p12 certificate file.
Modules | Mobile Targets | Modules were improved to support mobile targets:
  - Android
  - iOS
  - Blackberry
  - Windows Mobile
  - Symbian
Modules | Add support for more Browsers | New browsers are supported:
  - Opera Mini / Mobile
  - Dolphin
  - Skyfire
  - Blackberry / Symbian default browser
  - IE for Windows Mobile
Modules | Code Review | Optimize source code of different modules.
Modules | OS-Detection | Update for mobile targets.
GUI | Improvements |
  - Module selection with preview
  - Comfortable payload selection
Version: 2.2

Component | Change | Description
FinFly Lan / ISP | Module Support Update | Add a condition tag, which specifies the "user agent", "domain" and "protocol".
FinFly Lan / ISP | Module Resource Fix | Extensions of resources are written in lowercase.
FinFly Lan / ISP | Module Init Fix | Remove empty Body/Attribute tag for XPIPopup.
Module | Bugfix / Java Modules | The Java URL is checked after focus out and not immediately anymore.
Module | XPI Modules | Parameters for XPI-Popup and XPI-Plugin-Bar are saved in different XML tags. Both XPI modules can have their own configuration.
Module | Bugfix / XPI Modules | Preview of the generated XPI module in the Firefox browser blocked the output folder.
Module | XPI-Popup Modules | Change all default values from RealPlayer to Flash Player (plugin name, vendor name, vendor URL etc.).
Payload | Mac OSX Payload Updates | Mac OS X installer (= *.pkg) files are also supported now.
Payload | Bugfix | *.msi installers are supported now.
Target | Improvements | New browser versions are supported:
  - Chrome: 11/12/13/14/15/16/17/18
  - Firefox: 3/3.5/4/5/6/7/8/9/10/11/12/13
  - Internet Explorer: 7/8/9
  - Opera: 10/11
  - Safari: 4/5
  - Seamonkey: 2.4/2.5/2.6/2.7/2.8/2.9
Version: 2.1

Component | Change | Description
FinFly Lan | Module Support | Introduced support for the infection proxy in all modules, specifically the modules which make use of iframes and in the past would fail to load inside the infection proxy. New routines were added to the following modules:
  - XPI-Popup
  - XPI-Plugin Bar
  - IFrame
  - Java
Module | Bugfix / XPI Modules | This version fixes a bug where the page wouldn't load if one of the XPI modules (xpi_popup and xpi_bar) is loaded in a web browser other than Firefox or Seamonkey. Both modules now load the iframe only and do not run any code that involves the actual XPI loading and executing. This affected not only Internet Explorer; the fix supports all generally available web browsers.
Module | Improvement / XPI Modules | The web browser Seamonkey (which is derived from Mozilla Firefox) is now supported in the XPI modules (XPI Popup and XPI Plugin-Bar).
Module | Improvement / XPI Modules | Handling of the payload was changed. These modules no longer rely on a cookie and can now detect whether the XPI is actually installed or not. This fix patches two issues of the past release:
  - The page now loads after the installation of the XPI, but does not attempt to install the XPI again; no popup is shown.
  - After a de-installation of the XPI the module allows new attempts to install the XPI again.
Module | Bugfix / Improvement XPI Modules | The popup image for all relevant modules is now unselectable.
Module | Bugfix / XPI Popup | The XPI Popup module supports newlines now.
Module | Bugfix / XPI Plugin Bar | Modified the "click coordinates" of the XPI Plugin Bar module to make it run properly.
GUI | Improvement / Bugfix | Modified output folder and FinFly Lan settings can be configured.
Version: 2.0

Component | Change | Description
GUI | Multiple Language Support | The GUI can be translated into different languages.
GUI | Improvement / Rewrite | Improve GUI / implement a wizard for an easy creation process.
GUI | Summary Page | After a new module was generated, a summary page lists all module configurations, a supported browser list and a status message.
Module | Improve Static Module | New / improved features:
  - Module was completely rewritten
  - Auto-scale popup image
  - Session cookie implementation
  - Multi-OS payload support
  - OS auto-detection
  - Improved display / blocking behavior if the browser is resized
Module | Improve Iframe Module | New / improved features:
  - Module was completely rewritten
  - Auto-scale popup image
  - Frame buster implementation
  - Session cookie implementation
  - Multi-OS payload support
  - OS auto-detection
  - Improved display / blocking behavior if the browser is resized
Module | Improve Java Module | New / improved features:
  - Applet name can be defined
  - Improved validation period of the certificate to prevent a warning
  - Module was completely rewritten
  - Multi-OS payload support
  - OS auto-detection
Module | Improve XPI Plugin Bar Module | New / improved features:
  - Frame buster support for iframe
  - Plugin bar is shown in an OS-specific theme
  - More example screenshots are installed with the new installer
  - Module was completely rewritten
  - Multi-OS payload support
  - OS auto-detection
  - Remove plugin ID (= e-mail address; it won't be shown / displayed any more)
Module | New XPI Popup Module | New / improved features:
  - Same improved XPI functionality as the XPI Plugin Bar
  - Customize popup message with a header, image, description and link
  - Multi-OS payload support
  - OS auto-detection
Payload | More Operating Systems are supported | Payloads for all three major target operating systems are supported (Windows, Mac and Linux).
Module | OS Auto-detection implemented | A module can be configured to include payloads for different operating systems. An integrated OS auto-detection selects the correct payload which needs to be delivered to the target.
Module | Session Cookie | A session cookie is used to unblock the content after the payload was delivered.
Browser | Compatibility Test | Improve all modules to support:
  - Chrome: version 11/12/13/14/15/16/17
  - Firefox: version 3/3.5/4/5/6/7/8/9
  - Internet Explorer: version 7/8/9
  - Opera: version 10/11
  - Safari: version 4/5
  - Seamonkey: version 2.4/2.5/2.6
FinFly LAN / ISP | Output and Configuration File | All FinFlyWeb settings are written into a new special configuration file for FinFly LAN / ISP and can be imported into these products. Output filename and directory can be defined manually.
Version: 1.4

Component | Change | Description
Installer | National language support | FinFlyWeb can be installed on a Windows operating system using non-Latin letters.
Module | National language / Unicode support | Parameters like description, names etc. can handle non-Latin letters now.
FinFly LAN / ISP | Configuration File | All FinFlyWeb settings are written into a special configuration file for FinFly LAN / ISP and can be imported into these products.
Version: 1.3 (Initial Public Version)

Component | Change | Description
Generic | Plugin: Mozilla | Install a malicious Mozilla Extension.
Generic | Plugin: Internet Explorer | Install a malicious IE Addon.
Generic | Plugin: Adobe Flash | Install a malicious Flash Plugin.
Generic | Graphical User Interface | Point-and-click interface for infection generation.
3 LIMITATIONS
This chapter covers the currently known limitations of the FinFly Web software.

Feature | Description
FinFly Web | Full Anti-Virus / Anti-Spyware bypassing cannot be guaranteed due to regular changes in these products.
FinFly Web Configuration | Each update must replace the previous configuration file of FinFly Web, otherwise some new features are not supported. All previous settings will be lost.
Script Blocker | When a script blocker is installed and configured to block all kinds of scripts from public websites, the generated attack code will not work.
Iframe / Popup Prevention | Some websites prevent being loaded in an iframe (e.g. YouTube, Google/Gmail, Facebook); this cannot be bypassed with frame buster technology.
All Modules | Encoding, obfuscation and anti-debugging technology, which can be combined with each module, can prevent the module from being executed. In this case the options have to be disabled and the module has to be used plain.
Latest Browser Support | Based on the update and development cycle of FFWeb, there is no guarantee that the latest browser version can always be supported by each module.
Limited Start Options | Each FinFly Web module, especially Static and Iframe, is limited by the functionality of the browser. The following download-and-execute possibilities are available:
  - Run: the browser downloads and starts the payload in one step.
  - Download: the browser downloads the payload; the user has to open the downloaded payload manually.
  - Extra Warning: e.g. IE/Chrome show an extra warning to the target if a file is requested that could harm the system. On Windows target systems it is triggered by:
    o File extension: each *.exe file triggers that warning.
    o Unsigned executable: if the *.exe file is not signed by a trusted root CA, another warning is shown.
Signed Java Applet | The latest Java version blocks any unsigned or self-signed Java applet by default. Please sign the applet with a certificate from a trusted root CA.
IE Click Once | The module is limited to Internet Explorer and Windows target systems. The module needs an executable/payload that is signed with a code signing certificate from a trusted root CA.
Web server Support | Currently only the Apache web server, hosting the FinFly Web output, is tested and supported. The web server needs PHP and CGI support; otherwise the IFRAME and Information Gathering modules cannot be used. A setup guide on how to get PHP & CGI support for an Apache web server can be found in the training slides and user manual.
Payload won't be started automatically | Most browsers only allow saving the content. FinFly Web can only trigger an automatic start/run of the payload via the Java Applet module. With all other modules the target needs to run the delivered payload manually. Payloads for Linux targets won't have executable permission by default and cannot be started automatically.
Browser Cache / Cleanup | Some operations seem to run only once, or always, on a target system. The reason can be:
  - Once: FinFly Web creates a cookie on the target system, which prevents multiple starts against one single target. The cookie is stored on the target system as soon as the payload is requested by the target. If the infection fails, a new/different payload has to be generated and provided to the target on a different web server address.
  - Always: if the target cleans up the browser/cookie cache every time the browser is closed, FinFly Web (standalone version) cannot identify whether the payload was provided and installed on the target system or not. Solution: use FinFly LAN/NET/ISP in combination with FinFly Web.
Missing Plug-in / Browser | Not every module can be used against each target. Some browsers are not available for each platform (e.g. Internet Explorer). Java applets cannot be started on mobile targets (no Java Runtime Environment available or pre-installed by default).
Sandbox / Missing Permission | Especially on mobile targets the payload runs with limited user permission or inside a sandbox.
iOS Payload | Currently only *.app files are supported, which are not compatible with the FinSpy Trojan.
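The Iframe / Popup Prevention limitation states that sites which refuse to be loaded in an iframe defeat the IFRAME module, and the 4.0 changelog describes a replacement module aimed at script-based frame busting. The helper below is an added example, not code from these release notes or from Gamma Group: it classifies a site's own HTTP response headers by whether the browser will refuse cross-origin framing before any page script runs, which is the kind of check a site owner runs when auditing their framing protection. It treats a CSP frame-ancestors directive as taking precedence over X-Frame-Options (as browsers do), counts a missing header as unprotected even if the page has a JavaScript frame buster, and uses sample header sets that are constructed for this example.

```python
"""Classify HTTP response headers by browser-enforced anti-framing protection.

Added example for the FinFly Web release notes; the function names and the
sample responses below are constructed for this example.
"""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FramingVerdict:
    protected: bool  # True if browsers refuse to frame the page cross-origin
    mechanism: str   # which header supplies the protection ("none" if no header)
    detail: str      # short explanation for an audit report


def _lookup(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'\"").lower() for t in tokens[1:]]
    return None


def framing_protection(headers: dict[str, str]) -> FramingVerdict:
    """Decide whether the browser will block cross-origin framing of this response.

    CSP frame-ancestors wins over X-Frame-Options when both are present; an
    X-Frame-Options value other than DENY/SAMEORIGIN (e.g. the obsolete
    ALLOW-FROM) is ignored by current browsers and counted as unprotected.
    """
    csp = _lookup(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            # An empty source list or 'none' denies all framing.
            if not sources or sources == ["none"]:
                return FramingVerdict(True, "CSP frame-ancestors", "framing denied everywhere")
            # A wildcard or bare scheme source lets any site frame the page.
            if any(s in ("*", "https:", "http:") for s in sources):
                return FramingVerdict(False, "CSP frame-ancestors", f"permissive source list {sources}")
            return FramingVerdict(True, "CSP frame-ancestors", f"framing restricted to {sources}")
    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return FramingVerdict(True, "X-Frame-Options", value)
        return FramingVerdict(False, "X-Frame-Options", f"unsupported or invalid value {xfo!r}")
    return FramingVerdict(False, "none", "no anti-framing header; script-based frame busting at best")


# Constructed sample responses for this example (not captured from any real site).
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "xfo-deny": {"x-frame-options": "DENY"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "no-header": {"Content-Type": "text/html"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.invalid"},
}


def audit(responses: dict[str, dict[str, str]] = SAMPLE_RESPONSES) -> dict[str, bool]:
    """Map each sample name to whether its headers give browser-enforced protection."""
    return {name: framing_protection(hdrs).protected for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict = framing_protection(hdrs)
        print(f"{name:13} protected={str(verdict.protected):5} via {verdict.mechanism}: {verdict.detail}")
```

Run against a real deployment by substituting the headers returned by your own web server for the constructed samples; any page that comes back with `mechanism == "none"` relies on script alone to prevent framing, which is exactly the case the release notes describe as bypassable.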