finfisher: finfly web 4.0 release notes · finfly web / release notes finusb suite specifications 4...
TRANSCRIPT
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
1
FINFISHER: FinFly Web 4.0
Release Notes
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
2
Copyright 2013 by Gamma Group International, UK
Date 2013-08-09
Release information
Version Date Author Remarks
1.0 2010-06-29 ht Initial version
1.1 2010-07-05 pk Review
1.2 2010-09-24 Pk Add changes for release 1.4
1.3 2012-02-05 PK Add changes for release 2.0
1.4 2012-03-16 PK Add changes for release 2.1
1.5 2012-05-12 PK Add changes for release 2.2
1.6 2013-01-08 PK Add changes for release 3.0
1.7 2013-03-26 PK Add changes for release 3.1
1.8 2013-05-17 PK Add changes for release 3.2
1.9 2013-08-09 PK Add changes for release 4.0
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
3
Table of Content
1 Overview ............................................................................................................................................... 4
2 ChangeLog ............................................................................................................................................. 5
3 Limitations........................................................................................................................................... 14
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
4
1 OVERVIEW FinFly Web is designed to help Law Enforcement and Intelligence Agencies to covertly install Remote
Monitoring software onto Target Systems through Websites which install the software by using the
Web-browser module functionalities.
The product can generate a wide-range of attack codes that can be implemented into any given Website
and which will infect the Target when visiting the website.
3Tactical IT Intrusion Portfolio
Remote Monitoring& Infection Solution
Tactical IT Intrusion Portfolio
IT Intrusion Training Program
FinUSB Suite
FinIntrusion Kit
FinFireWire
FinTraining
FinSpy
FinSpy Mobile
FinFly
USB
Web
LAN
ISP
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
5
2 CHANGELOG
Version: 4.0 Component Change Description
Modules Code Review Optimize Source Code of different modules
Modules Update Optimize all modules to support latest version of all browsers.
Module New Information Gathering Module
Each module can be extended by an information gathering module. This module will collect information from target PC (e.g. OS, Language, Timezone, IP-Address etc.)
Module Replacement / New Module (Iframe / Framebuster)
The existing IFRAME module was replaced by a new module. In previous releases the FFWeb code could be rejected by some webpages, to prevent the content can be shown in an IFRAME. The new module require php pre-installed on the webserver. The new version will bypass IFRAME Framebustering technique.
Module New Feature / Anti-Debugging
A special encoder script was written, to prevent an easy debugging / interception of javascript code.
Module New Module (IE Click Once) A new module was added. It runs only in an Internet Explorer browser. A click once application will be loaded. User has to accept the application only once. Code signing with a trusted certificate is integrated.
GUI Update New enhanced content check was integrated, which detects if all necessary files will be successfully written.
Mobile Targets Update All modules were tested and optimized for mobile targets.
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
6
Version: 3.2 Component Change Description
Module Removal of XPI Plugins The XPI-based plugins have been temporary suspended. We are working on new functionalities and techniques which work on all common browsers and are not limited to certain vendors"
GUI Fix Input Validation “~”- character can be used inside Java Payload URL.
FinFly LAN/ISP Fix Configuration File HTTP/HTTPS protocol will be detected automatically.
Module Fix All Module Linux Payload without any file extension will generate an output filename without any file extension too.
Documentation User Manual / Training Slides
Both documents were updated.
Version: 3.1 Component Change Description
GUI Fix Fixed button size in the wizard.
GUI New Feature Reset previous selected payload is possible now.
Installer Bugfix Fix update error if FinFly Web was installed with user permission.
Version: 3.0 Component Change Description
FinFly Lan / ISP Module Support Update Support / Update for Mobile Targets
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
7
Module Code Obfuscating Implementation of Java Script Code Obfuscating.
Module Bugfix / Java – Module Fix UAC bypass to start non-UAC payload.
Module XPI – Module Add possibility to change version number of XPI Add-On.
Module Java – Module Java Applet can be signed with a *.pfx/*.p12 certificate file.
Modules Mobile Targets Modules were improved to support Mobile Targets:
- Android - iOS - Blackberry - Windows Mobile - Symbian
Modules Add support for more Browser
New Browser are supported: - Opera Mini / Mobile - Dolphin - Skyfire - Blackberry / Symbian Default Browser - IE for Windows Mobile
Modules Code Review Optimize Source Code of different modules
Modules OS-Detection Update for Mobile Targets
GUI Improvements - Module Selection with Preview - Comfortable Payload Selection
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
8
Version: 2.2 Component Change Description
FinFly Lan / ISP Module Support Update Add condition tag, which specified the “user agent”, “domain” and “protocol”.
FinFly Lan / ISP Module Resource Fix Extensions of resources will be written in lower-case.
FinFly Lan / ISP Module Init Fix Remove empty Body/Attribute tag for XPI-Popup
Module Bugfix / Java – Modules Java – URL will be checked after focus out and not immediately anymore.
Module XPI – Modules Parameter for XPI-Popup and XPI-Plugin-Bar will be saved in different xml-tags. Both XPI modules can have their own configuration.
Module Bugfix / XPI-Modules Preview of generated XPI-Module in Firefox Browser blocked output folder.
Module XPI-Popup – Modules Change all default values from Realplayer into Flashplayer (Plugin Name, Vendor Name, Vendor URL etc.)
Payload Mac OSX – Payload Mac OS X – Installer (= *.pkg) files are also supported now.
Updates Bugfix *.msi – Installer are supported now.
Target Improvements New browser versions are supported:
Chrome: 11/12/13/14/15/16/17/18
Firefox: 3/3.5/4/5/6/7/8/9/10/11/12/13
Internet Explorer: 7/8/9
Opera: 10/11
Safari: 4/5
Seamonkey: 2.4/2.5/2.6/2.7/2.8/2.9
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
9
Version: 2.1 Component Change Description
FinFly Lan Module Support Introduced support for the Infection proxy in all modules, specifically the modules which make use of Iframes and in the past would fail to load inside the infection proxy. New routines were added to the following modules:
XPI-Popup XPI-Plugin Bar IFrame Java
Module Bugfix / XPI – Modules This version fixes a bug where the page wouldn’t load if one of the XPI modules (xpi_popup and xpi_bar) is loaded in a different web browser than Firefox or Seamonkey. Both modules will now load the Iframe only and will not run any code that involves the actual XPI loading and executing. This affected not only Internet Explorer, the fix supports all general available web browsers.
Module Improvement / XPI – Modules
The web browser Seamonkey (that is derived from Mozilla Firefox) is now supported in the XPI modules (XPI Popup and XPI Plugin-Bar).
Module Improvement / XPI – Modules
Handling of the payload was changed. These modules don’t rely on a cookie and can detect if the XPI is actually installed or not, now. This fix patch two issues of the past release:
The page now loads after the installation of the XPI, but does not attempt to install the XPI again - no popup is shown.
After a de-installation of the XPI the module allows new attempts to install the XPI again.
Module Bugfix / Improvement XPI-Modules
The popup image for all relevant modules is now un-selectable.
Module Bugfix / XPI – Popup The XPI - Popup module supports newlines now.
Module Bugfix / XPI – Plugin Bar Modified the “click-coordinates” of the XPI – Plugin Bar module to make it run properly.
GUI Improvement / Bugfix Modified Output Folder and FinFly Lan Settings can be configured.
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
10
Version: 2.0 Component Change Description
GUI Multiple Language Support GUI can be translated into different languages
GUI Improvement / Rewrite Improve GUI / Implement Wizard for an easy creation process.
GUI Summary Page After a new module was generated, a summary page lists all module configurations, a supported browser list and a status message.
Module Improve Static Module New / Improved Features: - Module was completely rewritten - Auto-Scale Popup Image - Session – Cookie Implementation - Multi – OS – Payload Support - OS Auto-Detection - Improve Display / Blocking Behavior if
browser will be resized
Module Improve Iframe Module New / Improved Features: - Module was completely rewritten - Auto-Scale Popup Image - Frame Buster implementation - Session – Cookie Implementation - Multi – OS – Payload Support - OS Auto-Detection - Improve Display / Blocking Behavior if
browser will be resized
Module Improve Java Module New / Improved Features: - Applet Name can be defined - Improve Validation Period of Certificate
to prevent Warning - Module was completely rewritten - Multi – OS – Payload Support - OS Auto-Detection
Module Improve XPI Plugin Bar Module
New / Improved Features: - Frame Buster Support for Iframe - Plugin Bar will be shown in OS specific
Theme - More example screenshots will be
installed with the new installer. - Module was completely rewritten - Multi – OS – Payload Support - OS Auto-Detection - Remove Plugin-ID (= email – Address,
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
11
won’t be shown / displayed any more)
Module New XPI Popup Module New / Improved Features: - Same improved XPI functionality like XPI
Plugin Bar - Customize Popup Message with a
Header, Image, Description and Link. - Multi – OS – Payload Support - OS Auto-Detection
Payload More Operating Systems are supported.
Payloads for all three major Target Operating Systems are supported (Windows, MAC and Linux).
Module OS Auto-detection implemented.
Module can be configured to include payload for different Operating Systems. An integrated OS auto-detection selects the correct payload which needs to be delivered to the target.
Module Session Cookie Session-Cookie will be used to unblock the content after the payload was delivered.
Browser Compatibility Test Improve all modules to support:
Chrome - Version 11/12/13/14/15/16/17
Firefox - Version 3/3.5/4/5/6/7/8/9
Internet Explorer - Version 7/8/9
Opera - Version 10/11
Safari - Version 4/5
Seamonkey - Version 2.4/2.5/2.6
FinFly LAN / ISP Output- and Configuration File
All FinFlyWeb settings will be written into a new special configuration file for FinFly LAN / ISP and can be imported into these products. Output Filename and Directory can be defined manually.
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
12
Version: 1.4 Component Change Description
Installer National language support FinFlyWeb could be installed on a non-Latin letters Windows Operation System.
Module National language / Unicode support
Parameters like description, names etc. could handle non-Latin letters now.
FinFly LAN / ISP Configuration File All FinFlyWeb settings will be written into a special configuration file for FinFly LAN / ISP and can be imported into these products.
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
13
Version: 1.3 (Initial Public Version) Component Change Description
Generic Plugin: Mozilla Install a malicious Mozilla Extension
Plugin: Internet Explorer Install a malicious IE Addon
Plugin: Adobe Flash Install a malicious Flash Plugin
Graphical User Interface Point-And-Click Interface for Infection Generation
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
14
3 LIMITATIONS This chapter covers current known limitations within the FinFly Web Software.
Feature Description
FinFly Web Full Anti-Virus / Anti-Spyware bypassing cannot be guaranteed
due to regular changes in these products
FinFly Web Configuration Each update must replace the previous configuration file of
FinFly Web, otherwise some new features were not supported.
All previous settings will be gone.
Script Blocker When a script-blocker is installed and configured to block all
sorts of scripts from public websites the generated attack code
will not work.
Iframe / Popup Prevention Some Websites prevent to be loaded in an iframe (e.g. youtube,
google/gmail, facebook) and cannot be bypassed with frame
buster technology.
All Modules Encoding, Obfuscating and Anti-Debugging technology, which
can be combined with each module, can prevent it to be
executed. In this case the options have to be disabled and the
module has to be used plain.
Latest Browser Support Based on the update and development circle of FFWeb, there is
no guarantee, that always the latest browser version can be
supported by each module.
Limited Start Options Each FinFly Web modules, especially Static & Iframe are limited
by the functionality of the Browser. Following different
download and execute possibilities are available:
- Run: Browser will download and start the payload
within one step
- Download: Browser will download the payload. User
has to open the downloaded payload manually.
- Extra Warning: e.g. IE/Chrome will show an extra
warning to the target, if a file will be requested, which
could harm the system. On Windows target systems it
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
15
will triggered by:
o File-Extension: each *.exe file will trigger that
warning
o Unsigned Executable: if the *.exe file is not
signed by a trusted root CA, another warning
will be shown.
Signed Java Applet The latest Java version blocks any un-/self-signed Java applet by
default. Please sign the applet with a certificate from a trusted
root CA.
IE Click Once The module is limited to Internet Explorer and Windows target
systems. The module needs an executable/payload, which is
signed with a code signing certificate from a trusted root CA.
Web server Support Currently only Apache web server, which hosted the FinFly Web
output, is tested and supported. The web server needs to have
PHP and CGI support; otherwise IFRAME and Information
Gathering module cannot be used. A setup guide how to get
PHG & CGI support for an Apache web server can be found in
the training slides and user manual.
Payload want be started
automatically
Most of the browsers only allow saving the content. FinFly Web
can only trigger an automatic start/run of the payload via the
Java Applet module. With all other modules the targets needs
to run the delivered payload manually. Payload of a Linux
Targets won’t have an executable permission by default and
cannot be started automatically.
Browser Cache / Cleanup Some operation seem to run only once or always on a target
system. The reason can be:
- Once: FinFly Web creates a cookie on the target system,
which prevents multiple starts against one single target.
The cookie will be stored on the target system, as soon
as the payload is requested by the target. If the
infection will fail, a new/different payload has to be
generated and provided to the target on a different
web server address.
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
16
- Always: if the target will clean up his browser/cookie
cache every time, when the browser will be closed,
FinFly Web (standalone version) cannot identify, if the
payload was provided and installed on the target
system or not. Solution: use FinFly LAN/NET/ISP in
combination with FinFly Web.
Missing Plug-in / Browser Not every module can be used against each target. Some
browsers are not available for each platform (e.g. Internet
Explorer). Java Applets cannot be started on Mobile Targets (no
Java Runtime Environment available or pre-installed by
default).
Sandbox / Missing Permission Especially on Mobile Targets payload runs with limited user
permission or inside a sandbox.
iOS Payload Currently only *.app files are supported, which are not
compatible with the FinSpy Trojan.
FinFly Web / Release Notes
FINUSB SUITE
SPECIFICATIONS
17