Surveillance Trojans with a built-in keylogger and functions for stealing sensitive data are one of the oldest kinds of malware. Over a quarter of a century, spyware has mostly evolved to gain more and more protection against detection. At the same time it has moved to mobile devices, and varieties of Trojans built for targeted attacks have appeared. In this article we will look at the best-known representatives of commercial spyware and talk about protective measures. It would seem that the most obvious way to protect yourself from any computer or mobile spyware is to install an antivirus and forget about the problem forever. But "obvious" is not a synonym for "effective". Most antivirus programs catch Trojans in roughly the same way counterintelligence catches real spies: by fingerprints, that is, by signature detection.
A signature is a unique identifier of a file, stored in a special database, by which the file can be distinguished from all others. If a sample of a malicious file has not previously been examined in a virus lab and its signature has not been added to the databases, the antivirus will not be able to identify it. There are various ways to bypass signature detection, and we have written about them many times. That leaves heuristics. But heuristic threat-detection mechanisms based on behavioural analysis, sandbox execution and other tricks are not a panacea either, otherwise antiviruses would never produce false positives. In other words, even if you have the most advanced protection installed on your computer, it does not mean that you are safe. Which commercial spyware is the most popular on the market right now, and how do you detect its presence on your system?
The FinFisher Trojan
The cyber-espionage software called FinFisher, aka FinSpy, was developed by Gamma Group and was rumoured to be used for political surveillance of journalists and dissidents around the world. The program was leaked to WikiLeaks by Julian Assange in 2011, after which it became public and was scrutinized by information security professionals and other interested parties.
FinFisher can intercept a victim's social-network communications, track email messages, work as a keylogger, provide access to files stored on the infected machine, and record video and audio using the built-in microphone and camera. There are builds of FinFisher for Windows, macOS and Linux. In addition, mobile versions of the Trojan have been created for almost all platforms that exist today: Android, iOS, BlackBerry, Symbian and Windows Mobile.
The distribution scheme of FinFisher is typical for Trojans: the spy was spread by means of downloaders, which were sent by email under the guise of useful applications or arrived on the computer with updates for a previously installed legitimate program. One of the attacks investigated by the guys from ESET also used a MITM scheme: when trying to download the program he wanted, the unsuspecting victim was redirected to a phishing site, from which he downloaded an installer bundled with the Trojan. In the ESET example, FinFisher was built into the TrueCrypt installer. The irony is that a user who wanted to protect his data by encrypting the drive ended up installing spyware on his own machine.
The creators tried to make FinFisher's work as discreet as possible and make the Trojan difficult to detect. Its code contains functions that protect the application from debugging, prevent it from running in a virtual machine and counteract disassembly, and the code is obfuscated. In addition, the program tries to act in an infected system without being noticed by the user.
Protection against FinFisher
Catching FinFisher manually on a device is quite a difficult task. Known samples are successfully detected and removed by popular antivirus programs, but unknown samples are more difficult to catch.
No matter how trivial it may sound, a properly configured firewall is an obvious (and very effective) means of protection against this spy. While FinFisher is running, it establishes a connection not only to its command-and-control server (whose address may change from sample to sample), but also to several other hosts from which its components are downloaded. If you configure the firewall so that it paranoidly blocks application connections to unknown hosts, FinFisher will not be able to operate normally on such a device. And so as not to receive something "extra" instead of a clean installer, it is better to download programs over HTTPS and not be too lazy to check their digital signatures.
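The "paranoid firewall" idea above can be approximated on the host by checking which remote hosts each process actually talks to against a per-program allowlist. This is an added example, not code from the article or from any firewall product: the netstat-style lines are constructed, the program names and the allowlist are assumptions, and anything not explicitly allowed is flagged.

```python
"""Flag outbound connections a process makes to hosts outside its allowlist."""
import ipaddress
import re

# Constructed sample shaped like `netstat -tnp` output on Linux; the remote
# addresses are RFC 5737 documentation ranges, not real servers.
SAMPLE_NETSTAT = """\
tcp  0 0 10.0.0.5:51234 203.0.113.10:443 ESTABLISHED 1201/firefox
tcp  0 0 10.0.0.5:51235 198.51.100.7:443 ESTABLISHED 1201/firefox
tcp  0 0 10.0.0.5:51301 192.0.2.44:8080  ESTABLISHED 2210/truecrypt
tcp  0 0 10.0.0.5:51302 192.0.2.45:443   SYN_SENT    2210/truecrypt
tcp  0 0 10.0.0.5:51400 10.0.0.9:445     ESTABLISHED 880/smbd
"""

# Assumed per-program egress allowlist (CIDR ranges each program may talk to).
# Anything not listed is denied, which is the "paranoid" firewall stance above.
ALLOWLIST = {
    "firefox": ["0.0.0.0/0"],   # a browser may reach anything
    "smbd": ["10.0.0.0/8"],     # file sharing stays on the LAN
    "truecrypt": [],            # a disk-encryption tool needs no network at all
}

LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)/(?P<prog>\S+)$"
)


def parse_netstat(text):
    """Return (program, remote_host, remote_port, state) for each TCP line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers or UDP lines are skipped
        host, _, port = m.group("remote").rpartition(":")
        rows.append((m.group("prog"), host, int(port), m.group("state")))
    return rows


def unexpected_connections(text, allowlist):
    """List connections whose remote host is outside the program's allowlist."""
    flagged = []
    for prog, host, port, state in parse_netstat(text):
        nets = [ipaddress.ip_network(n) for n in allowlist.get(prog, [])]
        if not any(ipaddress.ip_address(host) in n for n in nets):
            flagged.append((prog, f"{host}:{port}", state))
    return flagged
```

With the sample above, only the two connections made by the supposedly offline encryption utility are flagged; a real run would feed it live `netstat -tnp` output and an allowlist built from the host's legitimate traffic.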
The Adwind Trojan
This cross-platform program, which can be classified as a remote control system (RCS) or RAT (Remote Access Tool), became widely known in 2016 but was identified even earlier, in 2013. The Trojan goes under different names: Sockrat, JSocket, jRat, Unrecom, Frutas and AlienSpy. In fact, all of these are variations on the same tune.
Since Adwind is written in Java, it targets almost every platform that supports it: Windows, Linux, macOS and, of course, Android. The popularity of Adwind in the underground is primarily due to the fact that the Trojan has long been distributed under a SaaS (Software as a Service) scheme, that is, by subscription. The developers had their own online store, a technical support service and even an advertising channel with videos on YouTube. The price tag was quite democratic: from 20 to 300 evergreen US dollars, depending on the selected package. The second reason is the relative ease of obtaining a working packed binary that antiviruses will not flag, at least until someone uploads it to VirusTotal.
The main purpose of the Trojan is to give its operators unauthorized access to the compromised machine. In addition, it can take screenshots, capture keystrokes, steal saved passwords and form data from browsers, and play with the camera and microphone.
The main distribution channel for the spy is email seasoned with social engineering. Potential victims were sent messages that either had a .JAR downloader attached or contained HTML code with VBScript and JScript inserts, which fetched a JRE and a Trojan dropper. Kaspersky Lab analysts also recorded cases of Adwind being distributed via RTF documents containing an exploit for the vulnerability CVE-2012-0158.
Protection against Adwind
To protect yourself from the Adwind Trojan, you can turn off Java on your computer or uninstall the Java Runtime altogether, without waiting, as they say, for peritonitis. And of course, do not hold speed competitions for opening attachments in email messages from suspicious senders. If you really need Java, another primitive but effective method of protection against Adwind is to change the file association of .JAR files from the JRE to, say, notepad.exe.
On Android it is not possible to uproot Java completely, for obvious reasons, but it is enough simply not to root the device and not to install anything from anywhere, limiting yourself to Google Play as the main source of applications.
The DroidJack tracking Trojan
This is probably the most popular commercial Android remote-administration Trojan, and it is based on the Sandroid app. The tool consists of two components: a client part and a server part. One is installed on a smartphone or tablet as an APK file, the other is implemented as a regular Windows application that allows you to control the device. A lifetime license for this software costs $210.
DroidJack can transmit the current GPS coordinates of the device, manage incoming and outgoing calls, record phone calls, read and send SMS and WhatsApp messages, view the browser history and the list of running applications, copy contacts, receive images from the built-in camera, control the volume and much more.
Obviously, for DroidJack to work, the application must first be installed on the device. This can be done either by physically taking possession of it or by somehow persuading the user to install the program himself. Most DroidJack samples known today do not have any hidden installation mechanisms.
The Trojan is sold openly, but the price is not particularly democratic. That is why enterprising developers have produced cheaper analogues of this program, among them, for example, OmniRAT, which boasts almost the same set of functions but is four times cheaper.
Protection against DroidJack
The first thing the user should pay attention to is that both DroidJack and OmniRAT request a lot of permissions during installation. If you are trying to install a flashlight app on your smartphone, it is worth wondering why it needs permission to send SMS and access the address book.
Secondly, even though the spy removes its icon from the list of applications, a running program can still be seen in the list of running processes. Finally, DroidJack is caught perfectly well by most modern antiviruses for Android, so regular scans of the device are still worthwhile.
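The "why does a flashlight need to send SMS" check above can be made mechanical by comparing the permissions an APK's manifest requests against what its claimed purpose needs. This is an added example, not code from the article or from any Android tool: the manifest is constructed, and the "expected permissions per app category" table and the permission-to-capability mapping are assumptions for illustration.

```python
"""Flag Android apps whose requested permissions exceed their stated purpose."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a supposed "flashlight" app; the extra permissions are
# exactly the kind a RAT such as DroidJack needs.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Assumed baseline: what a torch app plausibly needs (CAMERA drives the LED
# on older API levels). Extend the table for other app categories.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
}

# Permissions that map onto the spying functions listed for DroidJack above.
SPY_CAPABILITIES = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.READ_CONTACTS": "copy contacts",
    "android.permission.ACCESS_FINE_LOCATION": "report GPS position",
    "android.permission.RECORD_AUDIO": "record calls or microphone",
    "android.permission.READ_CALL_LOG": "read call history",
}


def requested_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def audit(manifest_xml, category):
    """Return (excess_permissions, spy_capabilities) for an app claiming `category`."""
    perms = requested_permissions(manifest_xml)
    excess = sorted(perms - EXPECTED.get(category, set()))
    caps = sorted(SPY_CAPABILITIES[p] for p in perms if p in SPY_CAPABILITIES)
    return excess, caps
```

On a real device the manifest would come from the APK (for example, via `aapt dump xmltree` or `apktool`), and any app whose excess list is non-empty deserves a closer look before installing it.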
The Pegasus Trojan
Pegasus is known to be a horse with wings. In the case of Android and iOS, Pegasus is a Trojan horse, one of the most famous varieties of commercial mobile spyware.
Curiously, Pegasus can be installed on Apple mobile devices that have not been jailbroken. Several known targeted Pegasus attacks attempted delivery to the iPhone via SMS messages containing a malicious link. The Trojan uses vulnerabilities to install itself on the system, although only in iOS versions that are now outdated (up to 9.3.5). However, nobody knows exactly what the more modern editions of Pegasus are capable of, and its developers (the Israeli company NSO Group is suspected of creating the spy) are still active.
The Trojan consists of several functional modules that are loaded onto the infected device as needed. The Pegasus feature set is generally standard for this kind of spyware: keylogging, taking screenshots, reading SMS and email, copying browser history, listening in on phone calls, and so on.
The Pegasus Trojan tries to behave as discreetly as possible and does not reveal itself on the compromised device. If it discovers that a different SIM card has been inserted into the phone, or fails to reach its command server for 60 days, the program self-destructs. All of this suggests that Pegasus is geared towards targeted attacks rather than being a "weapon of mass destruction".
The known Android versions of Pegasus do not use vulnerabilities; to obtain administrative privileges (without which they cannot steal anything from the device except its model name) they use the traditional tactic of pestering the user with alerts until he agrees to tap the cherished button.
Protection against the Pegasus Trojan
There are several methods of protection against Pegasus: for iPhone and iPad owners, update the system in time; for Android users, do not grant administrative permission to dubious applications, even if they ask for it very insistently.
Commercial Trojans have been, are and will be found on users' systems, simply because demand, as a smart guy named John Maynard Keynes said, creates supply. Antiviruses, as we have already found out, are not a panacea, so to protect against surveillance Trojans you should use the most powerful analytical tool available today: the brain. Check installed programs with antivirus utilities, watch which network addresses they knock on while running, watch which processes are running on the system, do not forget to update the OS in time, disable unnecessary components like the Java Runtime, and in the evenings apply not only half a litre of unfiltered, but also all current security patches.