
Wikileaks releases copies of FinFisher surveillance software - dpina
https://wikileaks.org/spyfiles4/index.html
======
Strom
See yesterday's discussion
[https://news.ycombinator.com/item?id=8317358](https://news.ycombinator.com/item?id=8317358)

------
q3k
So, how long until someone finds RCE bugs in the Proxy, Relay and Master? There are
possibly quite a few of these to be found via Shodan...

------
JetSpiegel
That ggi file is a self-extracting bash script.

    
    
        #!/bin/bash
        echo ""
        echo " FInstaller 1.0"
        echo "-----------------------"
     
        export TMPDIR=`mktemp -d /tmp/selfextract.XXXXXX`
     
        ARCHIVE=`awk '/^__ARCHIVE_BELOW__/ {print NR + 1; exit 0; }' $0`
     
        echo ""
        echo "Extracting Installation Files..."
        echo ""
     
        tail -n+$ARCHIVE $0 | tar xzv -C $TMPDIR
     
        echo ""
        echo "Launching Installer..."
        echo ""
     
        CDIR=`pwd`
        echo CDIR
        echo $CDIR
        echo TMPDIR
        echo $TMPDIR
        cd $TMPDIR
        ./installer
     
        cd $CDIR
        rm -rf $TMPDIR
     
        exit 0
     
        __ARCHIVE_BELOW__
    

And then the data.
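
The script above is the usual self-extracting layout: a stub that uses awk to find the line after the `__ARCHIVE_BELOW__` marker and pipes everything from there into tar, then runs whatever came out. The following is an added example, not code from the leaked installer or from the thread: it takes a file in that layout apart for analysis without ever executing the stub or the installer inside, and flags archive members whose paths would escape the extraction directory. The sample `.ggi` it builds is constructed here, and all file names (`stub.sh`, `payload.tar.gz`, `members.txt`) are this example's own.

```shell
#!/bin/bash
# Added example, not code from the leaked FinFisher installer: split a
# self-extracting script at its __ARCHIVE_BELOW__ marker, keep the stub as
# text, treat the bytes below the marker as the tar.gz payload, and only
# list that payload. Nothing from the file is executed.

# Split an SFX script into stub.sh, payload.tar.gz and members.txt.
# $1 = path to the script, $2 = output directory. Returns non-zero when the
# marker is missing or the payload is not a readable gzipped tar.
split_sfx() {
    local sfx="$1" out="$2" marker
    mkdir -p "$out"
    # Line number of the marker; the archive starts on the following line.
    marker=$(awk '/^__ARCHIVE_BELOW__$/ { print NR; exit }' "$sfx")
    if [ -z "$marker" ]; then
        echo "split_sfx: no __ARCHIVE_BELOW__ marker in $sfx" >&2
        return 1
    fi
    head -n "$marker" "$sfx" > "$out/stub.sh"
    tail -n +"$((marker + 1))" "$sfx" > "$out/payload.tar.gz"
    # tar -t only lists members; nothing is unpacked, so nothing can run.
    tar tzf "$out/payload.tar.gz" > "$out/members.txt"
}

# Print members that would land outside the extraction root: absolute
# paths or any ".." component, the way a hostile archive escapes tar -C.
# $1 = a members.txt produced by split_sfx.
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)' "$1" || true
}

# Build a constructed sample SFX with the same layout as the original
# (stub, marker line, gzipped tar). $1 = output path.
build_sample_sfx() {
    local out="$1" work
    work=$(mktemp -d)
    printf '#!/bin/bash\necho harmless installer\n' > "$work/installer"
    printf 'constructed sample\n' > "$work/README"
    {
        printf '#!/bin/bash\n'
        printf 'echo "stub: would extract and run ./installer here"\n'
        printf 'exit 0\n'
        printf '__ARCHIVE_BELOW__\n'
        tar czf - -C "$work" installer README
    } > "$out"
    rm -rf "$work"
}

# Stand-alone demo: build the sample, split it, show the member list.
demo() {
    local tmp
    tmp=$(mktemp -d)
    build_sample_sfx "$tmp/sample.ggi"
    split_sfx "$tmp/sample.ggi" "$tmp/out"
    echo "members:"; cat "$tmp/out/members.txt"
    echo "unsafe members:"; unsafe_members "$tmp/out/members.txt"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `bash inspect_sfx.sh --demo` to see the constructed sample taken apart; point `split_sfx` at a real file to get the stub as readable text and the member list before deciding whether to unpack anything at all.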

~~~
JetSpiegel
The installer is an even messier piece of code.

    
    
        #!/bin/bash
     
        TOP_INSTALL_DIR=/
     
        echo "Stopping FFRelay"
     
        monit stop ffrelay
        sleep 3
        killall -9 -q ffrelay
        echo "Extracting Software Files..."
        tar --directory $TOP_INSTALL_DIR  -xvf ./*relay*.tar
     
        echo ""
        echo "Running Post-Installation Steps..."
     
        SECONDS=1
        MAX_SECONDS=10
     
        while [ "$SECONDS" -lt "$MAX_SECONDS" ]
          do
               if [ -e "/var/run/ffrelay.pid" ]; then
                   sleep 1
               else
                   SECONDS=$MAX_SECONDS
               fi
          done
     
     
        echo "Starting FFRelay"
     
        monit start ffrelay
     
        echo ""
        echo "FFRelay Installer done."
        echo ""
    

They should have just used a .deb.

------
markvdb
I wonder why they use MD5 hashes and not something more collision attack
resistant.

~~~
arturventura
Because it would be very hard to find a collision of a file that behaves
exactly like a zip file.

To make a collision work, you would need to inject the payload into the
program and find a specific blob to put into the zip file that, once
compressed and hashed, would cause a collision. This isn't computationally
efficient.

~~~
hrjet
I am not familiar with the zip file format, but if zip files allow comments or
other metadata (in uncompressed form) then that is an easier path. I suspect
even file names could be an opportunity.

~~~
fluidcruft
Zip even allows individual file members to be uncompressed. So it's
extremely trivial.
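
The point of this sub-thread (arturventura's objection that a collision would have to survive compression, and fluidcruft's answer that a zip member can be stored uncompressed) is easy to see in the bytes. The following is an added example, not code from the thread or from the leaked software: it writes the same member once deflated and once stored, locates the member's data through the ZIP local file header, and shows that the stored copy sits in the archive verbatim, so whatever bytes the member contains reach the file hash unchanged. It also shows a download check that refuses MD5 and compares a SHA-256 digest. The payload, member name and digests are all constructed here; no real collision is computed.

```python
"""Added example (not from the thread or from the leaked software): why a
stored (uncompressed) ZIP member lets attacker-controlled bytes reach the
archive hash untouched, and how a download check should refuse MD5.
Payload, member name and digests are constructed; no collision is computed.
"""
import hashlib
import hmac
import io
import struct
import zipfile

# Algorithms with practical collision attacks; a verifier must not accept them.
WEAK_DIGESTS = {"md5", "sha1"}

# Constructed, compressible payload standing in for a colliding block.
SAMPLE_PAYLOAD = b"placeholder-for-colliding-block " * 64


def build_zip(member_name, payload, compress):
    """Return the bytes of a one-member ZIP, deflated or stored verbatim."""
    method = zipfile.ZIP_DEFLATED if compress else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def member_data(zip_bytes, member_name):
    """Raw bytes of the member as they sit in the archive (not decompressed).

    Reads the 30-byte local file header at the offset given by the central
    directory, skips the file name and extra field, and slices compress_size
    bytes: for a stored member that is the payload itself.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(member_name)
    off = info.header_offset
    # sig, version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen
    fields = struct.unpack_from("<IHHHHHIIIHH", zip_bytes, off)
    sig, name_len, extra_len = fields[0], fields[9], fields[10]
    if sig != 0x04034B50:
        raise ValueError("bad local file header signature")
    start = off + 30 + name_len + extra_len
    return zip_bytes[start:start + info.compress_size]


def payload_is_verbatim(zip_bytes, member_name, payload):
    """True when the member's bytes in the archive equal the original payload."""
    return member_data(zip_bytes, member_name) == payload


def verify_download(data, expected_hex, algorithm):
    """Check a download against a published digest, refusing weak algorithms."""
    if algorithm.lower() in WEAK_DIGESTS:
        raise ValueError(
            f"{algorithm} is not collision resistant; publish a SHA-256 digest")
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    stored = build_zip("sample.bin", SAMPLE_PAYLOAD, compress=False)
    deflated = build_zip("sample.bin", SAMPLE_PAYLOAD, compress=True)
    print("stored member verbatim:  ",
          payload_is_verbatim(stored, "sample.bin", SAMPLE_PAYLOAD))
    print("deflated member verbatim:",
          payload_is_verbatim(deflated, "sample.bin", SAMPLE_PAYLOAD))
    print("sha256 check passes:     ",
          verify_download(stored, hashlib.sha256(stored).hexdigest(), "sha256"))
```

The deflated copy fails the verbatim test because the compressor rewrites the bytes, which is the obstacle arturventura describes; the stored copy passes because the member is copied in as-is, which is why fluidcruft calls the objection moot. The defender's side is the last function: publish and check SHA-256 (or stronger) digests, and treat an MD5-only checksum as no integrity check at all.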

------
billyboar
Such a shame that they're spending so much money, which is basically the tax money of
the Mongolian people, on a surveillance tool when Mongolians are living there like hell.
Shame on them.

------
andy_ppp
So, anyone planning to install it?

~~~
DennisP
Now that it's publicly released, it seems like a good idea to install it just
to make sure your own systems aren't vulnerable to it.

------
D4AHNGM
Interestingly, Sophos on OS X immediately identifies the .zip as
Malware/Generic-Spyware and blocks access to it:

    finspy_master.zip: Permission denied

