Finfisher and the Ethics of Detection

In response to Cameron Camp’s blog on FinSpy and FinFisher spy on you via your cellphone and PC, for good or evil? a blog comment asked “Does ESET detect Finfisher?” As an update to that blog makes clear, yes, it does, as Win32/Belesak.D. However, the commenter also remarked that ” I think that it is clear in our days that laws are not so citizen friendly. ”

Let’s be clear about this. ESET not only obeys the law but, like other security companies, actively cooperates with law enforcement agencies.

But detection or non-detection of ‘policeware’ is a more complex issue than that, and in many countries, it has nothing to do with obeying the law. In general, law enforcement – let alone other government agencies (and I’m not referring to any particular government) – doesn’t ask for cooperation from AV companies in terms of non-detection. (There are stories that the biggest players have been approached and even agreed not to detect a government Trojan, but if there’s any truth in that, it hasn’t leaked out into the research community.)

After all, some researchers have publicly stated that that particular form of cooperation would not be forthcoming. Not that we want to be nice to crooks and terrorists, but it would endanger the community in general if government Trojans were misused by bad actors (or even the ‘good guys’)   – and in any case, the information wouldn’t reach all AV companies.

There are too many AV companies  (far too many, some would say), and too dispersed – geographically and politically – for a government (any government) agency to trust all of them. No doubt if agencies were able to insist on such cooperation, they would, but only the most draconian regimes can do that, and even then, only locally.

That doesn’t mean AV always detects this stuff, of course. Apart from the fact that highly targeted attacks often stay under the radar for long periods because we don’t see a sample, we don’t always know whether we detect a state-sponsored trojan that’s known to exist. The FinFisher/FinSpy  case is unusual because someone recently published the relevant file hashes.

Craig Johnston and I covered quite a few of these issues (notably with reference to earlier policeware like Magic Lantern) in an AVAR paper in 2009: Please Police Me. And Robert Lipovsky and I also wrote about it in relation to the so-called Bundestrojaner  Win32/R2D2.A and even referred to FinFisher:  German Policeware: Use the Farce…er, Force…Luke.

ESET Senior Research Fellow

Author David Harley, ESET

  • Jay

    It's a bit of a weird situation when it comes to government involvement with this kind of thing. I really think a cooperative effort to dwindle the ability to profit off malware between companies would be far better than relying on government involvement (at least for now).
    You also said that some say there are far too many AV companies – why would they say this? Surely a large pool would be more beneficial to users than a few major players as far as detection.

    • David Harley

      Law enforcement has powers that AV vendors don’t. Unfortunately, we don’t get to arrest people, we can’t make people talk to us, and so on: on the other hand, we have a lot of practice in malware forensics. There is engagement between the security industry and other agencies because (1) it’s not just about malware (2) it’s not just the gangs using malware for reasons of fraud.

      I was referring to the fact that there is widespread dislike and mistrust of all AV companies. But I agree that there are advantages to having a large pool of players, as long as they cooperate: without the sharing of samples and information between established companies (and not just the big names), no single product would be anywhere near as effective.

  • Mr. MJ

    If I paid for the eset smart security for protect my pc from trojan, I hope do not permit the trojan infecting my machine, with Government trojan or not, because  all  company that uses Trojans to spy on ordinary citizens are terrorists no matter if is sponsored by the Government.

  • cghera

    I don't know if I should be feeling flattered by the fact that I triggered a blog post referring to my comment, probably not. I surely was not expecting it however. Thank you for the answer and the new post anyways. When I asked if the FinFisher was detected I was not in a mood of implying that you deliberately omitted detection of the tool. I was just wondering if I was protected, just in case. I am surely supportive on your government cooperation choices. However this kind of info-war happening in our days (part of which are these "softwares") really makes me feel a little worried of what may be coming in the near future. My worry is that todays law abiding citizens may be considered law brakers in a few years. Maybe this talk should have happened in a different forum. Thanks again for your time.

    • David Harley

      @cghera, you weren’t actually the only person to ask about this, and in any case it was a fair (and interesting) question. And as I indicated in this post, it’s a recurring topic of concern in the security industry. And I have to agree that the ethical aspects are likely to become more complex rather than less. It could be said that this is the wrong forum in that while AV can (sometimes) detect a ‘state Trojan’ programmatically, assessing the ‘legitimacy’ of the tool is much harder. It depends on context and motivation, and there isn’t a reliable algorithm for that. But that doesn’t make the security industry any less obliged to re-examine its own role and ethical responsibility now that spyware – should I call it software monitoring, to acknowledge the possibility of legitimate use, for example in law enforcement? – has become a part of all our online lives.

Follow us

Copyright © 2018 ESET, All Rights Reserved.