FINFISHER: FinFly Web 4.0 Release Notes
Contents
1. Cookie Implementation Multi OS Payload Support OS Auto Detection Improve Display Blocking Behavior if browser will be resized Improve Iframe Module New Improved Features Module was completely rewritten Auto Scale Popup Image Frame Buster implementation Session Cookie Implementation Multi OS Payload Support OS Auto Detection Improve Display Blocking Behavior if browser will be resized Improve Java Module New Improved Features Applet Name can be defined Improve Validation Period of Certificate to prevent Warning Module was completely rewritten Multi OS Payload Support OS Auto Detection Improve XPI Plugin Bar New Improved Features Module Frame Buster Support for Iframe Plugin Bar will be shown in OS specific Theme More example screenshots will be installed with the new installer Module was completely rewritten Multi OS Payload Support OS Auto Detection Remove Plugin ID email Address i a Payload More Operating Systems are supported OS Auto detection implemented Session Cookie 7 FinFly LAN ISP File Output and Configuration won't be shown displayed any more New Improved Features Same improved XPI functionality like XPI Plugin Bar Customize Popup Message with a Header Image Description and Link Multi OS Payload Support OS Auto Detection Payloads for all three major Target Operating Sys
2. FINFISHER WWW.GAMMAGROUP.COM IT INTRUSION FinFly Web Release Notes. Copyright 2013 by Gamma Group International, UK. Date: 2013-08-09. Release information. Table of Content: 1 Overview, 2 Changelog, 3 Limitations. 1 OVERVIEW FinFly Web is designed to help Law Enforcement and Intelligence Agencies to covertly install Remote Monitoring software onto Target Systems through Websites which install the software by using the Web browser module functionalities. The product can generate a wide range of attack codes that can be implemented into any given Website and which will infect the Target when visiting the website. 2 CHANGELOG Modules Code Review Modules Update Module New Information Gathering Module Module Replacement New Module Iframe Framebuster Module New Feature Anti Debugging Module New Module IE Click Once Mobile Targets Description Optimize Source Code of different modules. Optimize all modules to support latest version of all browsers. Each module can be extended by an information gathering module. This
3. ame only and will not run any code that involves the actual XPI loading and executing. This affected not only Internet Explorer; the fix supports all general available web browsers. The web browser Seamonkey, that is derived from Mozilla Firefox, is now supported in the XPI modules (XPI Popup and XPI Plugin Bar). Handling of the payload was changed. These modules don't rely on a cookie and can detect if the XPI is actually installed or not now. This fix patches two issues of the past release: > The page now loads after the installation of the XPI but does not attempt to install the XPI again (no popup is shown). After a de-installation of the XPI the module allows new attempts to install the XPI again. The popup image for all relevant modules is now un-selectable. The XPI Popup module supports newlines now. Modified the click coordinates of the XPI Plugin Bar module to make it run properly. Modified Output Folder and FinFly Lan Settings can be configured. Multiple Language Support GUI can be translated into different languages. Improvement Rewrite Improve GUI Implement Wizard for an easy creation process. Summary Page After a new module was generated a summary page lists all module configurations, a supported browser list and a status message. Improve Static Module New Improved Features Module was completely rewritten Auto Scale Popup Image Session
4. and not immediately anymore. XPI Modules Parameter for XPI Popup and XPI Plugin Bar will be saved in different xml tags. Both XPI modules can have their own configuration. Bugfix XPI Modules Preview of generated XPI Module in Firefox Browser blocked output folder. XPI Popup Modules Change all default values from Realplayer into Flashplayer (Plugin Name, Vendor Name, Vendor URL etc). Payload Mac OSX Payload Mac OS X Installer pkg files are also supported now. Target Improvements Chrome 11, 12, 13, 14, 15, 16, 17, 18; Firefox 3, 3.5, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13; Internet Explorer 7, 8, 9; Opera 10, 11; Safari 4, 5; Seamonkey 2.4, 2.5, 2.6, 2.7, 2.8, 2.9. FinFly Lan Module Support Bugfix XPI Modules Improvement XPI Modules Improvement XPI Modules Bugfix Improvement XPI Modules Bugfix XPI Popup Bugfix XPI Plugin Bar Improvement Bugfix Description Introduced support for the Infection proxy in all modules, specifically the modules which make use of Iframes and in the past would fail to load inside the infection proxy. New routines were added to the following modules: > XPI Popup > XPI Plugin Bar > IFrame > Java. This version fixes a bug where the page wouldn't load if one of the XPI modules (xpi_popup and xpi_bar) is loaded in a different web browser than Firefox or Seamonkey. Both modules will now load the Ifr
5. d and start the payload within one step. Download Browser will download the payload. User has to open the downloaded payload manually. Extra Warning e.g. IE, Chrome will show an extra warning to the target if a file will be requested which could harm the system. On Windows target systems it Signed Java Applet IE Click Once Web server Support Payload won't be started automatically Browser Cache Cleanup will be triggered by: File Extension: each exe file will trigger that warning. Unsigned Executable: if the exe file is not signed by a trusted root CA another warning will be shown. The latest Java version blocks any un self signed Java applet by default. Please sign the applet with a certificate from a trusted root CA. The module is limited to Internet Explorer and Windows target systems. The module needs an executable payload which is signed with a code signing certificate from a trusted root CA. Currently only Apache web server which hosted the FinFly Web output is tested and supported. The web server needs to have PHP and CGI support, otherwise IFRAME and Information Gathering module cannot be used. A setup guide how to get PHP & CGI support for an Apache web server can be found in the training slides and user manual. Most of the browsers only allow saving the content. FinFly Web can only trigger an automatic start run of the payload via the Java Applet modu
6. le With all other modules the targets needs to run the delivered payload manually. Payload of a Linux Targets won't have an executable permission by default and cannot be started automatically. Some operation seem to run only once or always on a target system. The reason can be: Once: FinFly Web creates a cookie on the target system which prevents multiple starts against one single target. The cookie will be stored on the target system as soon as the payload is requested by the target. If the infection will fail a new different payload has to be generated and provided to the target on a different web server address. Missing Plug in Browser Sandbox Missing Permission iOS Payload Always: if the target will clean up his browser cookie cache every time when the browser will be closed. FinFly Web standalone version cannot identify if the payload was provided and installed on the target system or not. > Solution: use FinFly LAN NET ISP in combination with FinFly Web. Not every module can be used against each target. Some browsers are not available for each platform, e.g. Internet Explorer. Java Applets cannot be started on Mobile Targets (no Java Runtime Environment available or pre-installed by default). Especially on Mobile Targets payload runs with limited user permission or inside a sandbox. Currently only app files are supported which are not c
7. module will collect information from target PC, e.g. OS, Language, Timezone, IP Address etc. The existing IFRAME module was replaced by a new module. In previous releases the FFWeb code could be rejected by some webpages to prevent the content from being shown in an IFRAME. The new module requires php pre-installed on the webserver. The new version will bypass IFRAME Framebustering technique. A special encoder script was written to prevent an easy debugging interception of javascript code. A new module was added. It runs only in an Internet Explorer browser. A click once application will be loaded. User has to accept the application only once. Code signing with a trusted certificate is integrated. New enhanced content check was integrated which detects if all necessary files will be successfully written. All modules were tested and optimized for mobile targets. Module Removal of XPI Plugins The XPI based plugins have been temporarily suspended. We are working on new functionalities and techniques which work on all common browsers and are not limited to certain vendors. GUI Fix Input Validation character can be used inside Java Payload URL. FinFly LAN ISP Fix Configuration File HTTP HTTPS protocol will be detected automatically. Module Fix All Module Linux Payload without any file extension will generate an output filename without any file extension too. Documentation User Ma
8. nual Training Both documents were updated. Slides Reset previous selected payload is possible now. Bugfix Fix update error if FinFly Web was installed with user permission. FinFly Lan ISP Module Support Update Support Update for Mobile Targets. Module Code Obfuscating Implementation of Java Script Code Obfuscating. Bugfix Java Module Fix UAC bypass to start non UAC payload. XPI Module Add possibility to change version number of XPI Add On. Java Module Java Applet can be signed with a pfx p12 certificate file. Mobile Targets Modules were improved to support Mobile Targets: Android, iOS, Blackberry, Windows Mobile, Symbian. New Browser are supported: Opera Mini Mobile Dolphin Skyfire Blackberry Symbian Default Browser IE for Windows Mobile. Optimize Source Code of different modules. Update for Mobile Targets Improvements Module Selection with Preview Comfortable Payload Selection Add support for more Browser. FinFly Lan ISP Module Support Update Add condition tag which specified the user agent domain and protocol. FinFly Lan ISP Module Resource Fix Extensions of resources will be written in lower case. FinFly Lan ISP Module Init Fix Remove empty Body Attribute tag for XPI Popup. Bugfix Java Modules Java URL will be checked after focus out
9. ompatible with the FinSpy Trojan. GAMMA INTERNATIONAL United Kingdom Tel 44 1264 332 411 Fax 44 1264 332 422 WWW.GAMMAGROUP.COM info@gammagroup.com
10. ration Plugin Adobe Flash Install a malicious Flash Plugin. 3 LIMITATIONS This chapter covers current known limitations within the FinFly Web Software. FinFly Web: Full Anti Virus Anti Spyware bypassing cannot be guaranteed due to regular changes in these products. FinFly Web Configuration: Each update must replace the previous configuration file of FinFly Web otherwise some new features were not supported. All previous settings will be gone. Script Blocker: When a script blocker is installed and configured to block all sorts of scripts from public websites the generated attack code will not work. Iframe Popup Prevention: Some Websites prevent to be loaded in an iframe (e.g. youtube, google, gmail, facebook) and cannot be bypassed with frame buster technology. All Modules: Encoding, Obfuscating and Anti Debugging technology, which can be combined with each module, can prevent it to be executed. In this case the options have to be disabled and the module has to be used plain. Latest Browser Support: Based on the update and development circle of FFWeb there is no guarantee that always the latest browser version can be supported by each module. Limited Start Options: Each FinFly Web modules, especially Static & Iframe, are limited by the functionality of the Browser. Following different download and execute possibilities are available: Run Browser will downloa
11. tems are supported: Windows, MAC and Linux. Module can be configured to include payload for different Operating Systems. An integrated OS auto detection selects the correct payload which needs to be delivered to the target. Session Cookie will be used to unblock the content after the payload was delivered. Improve all modules to support Chrome Version 11, 12, 13, 14, 15, 16, 17; Firefox Version 3, 3.5, 4, 5, 6, 7, 8, 9; Internet Explorer Version 7, 8, 9; Opera Version 10, 11; Safari Version 4, 5; Seamonkey Version 2.4, 2.5, 2.6. All FinFlyWeb settings will be written into a new special configuration file for FinFly LAN ISP and can be imported into these products. Output Filename and Directory can be defined manually. Component FinFly LAN ISP National language support National language Unicode support Configuration File Description FinFlyWeb could be installed on a non Latin letters Windows Operation System. Parameters like description, names etc. could handle non Latin letters now. All FinFlyWeb settings will be written into a special configuration file for FinFly LAN ISP and can be imported into these products. Plugin Mozilla Install a malicious Mozilla Extension. Plugin Internet Explorer Install a malicious IE Addon. Graphical User Interface Point And Click Interface for Infection Gene