Are Macs and iPhone infected by FinSpy?

according to this you can check at first - do you have open connections to 4111 port, if no - disable internet connection (physically, switch off router or plug the cables) and take a look - will there be attempts to install connections with target ports as below

When running the Bahraini FinSpy sample, especially now that the server is not responding, it attempts the following connections:

13:02:43.747370 IP 10.0.2.15.1035 > 77.69.140.194.22: tcp 0

13:03:05.968816 IP 10.0.2.15.1036 > 77.69.140.194.53: tcp 0

13:03:28.100628 IP 10.0.2.15.1037 > 77.69.140.194.80: tcp 0

13:03:50.332553 IP 10.0.2.15.1038 > 77.69.140.194.443: tcp 0

13:04:21.517231 IP 10.0.2.15.1039 > 77.69.140.194.4111: tcp 0

As you can see the last one is port 4111.

We believe this is the standard FinSpy port and that all the other ones are probably just forwarded to 4111. The FinSpy "demo" sample contacted port 3111 totiger.gamma-international.de and ff-demo.blogdns.org, close enough.

or use signature analysis of external traffic with rules from same article.

Sorry, but if you don't understand what I'm talking about - only way for you - search what AW software can detect the thing, if exists.

virustotal tells us that ClamAV can detect thingy since 2012 09 17

There are no reports of this malware on OS X. There are no reports of any malware on iOS unless jailbroken.

Cseng wrote:

I want to know if the Macs and iPhone infected with this creapy disease?

Have not read of it appearing on an OS X platform, but there was some speculation last fall that it could be used with iOS. Derek Currie blogged about it in September 'Legal' Spyware Abuse In World Dictatorships. And Elsewhere? ->The FinFisher Spyware.

dmdimon wrote:

virustotal tells us that ClamAV can detect thingy since 2012 09 17

Actually, there were two signatures added on 2012 08 02 (Trojan.FinSpy and Trojan.FinSpy-1) and one more on 2012 08 20 (Trojan.FinFisher). From everything I read about them on VirusTotal, they are all Portable Executable files for Windows only. The third signature appears to be a different format of the Trojan.FinSpy sample. One of the submissions appears to have been masquerading as firefox.exe.

If anybody needs to know more I can point you to the VT analysis.

yes, but software is clearly stated as Windows, Linux, MacOS, iOS and Android compatible. It is undetectable without special hunt - it have randomised executable filenames, directory names and so on.

MadMacs0 wrote:

hey are all Portable Executable files for Windows only. The third signature appears to be a different format of the Trojan.FinSpy sample.

yes, but due to essence of signature almost 100% probability it'll be same for any Intel-based OS. Not 100%, but near that.

MadMacs0 wrote:

Actually, there were two signatures added on 2012 08 02 (Trojan.FinSpy and Trojan.FinSpy-1) and one more on 2012 08 20

you're right, I found just latest update

Are Mac's and iPhones infected by FinSpy?

The truth is they can be.

A security flaw in Apple's iTunes allowed unauthorized third parties to use iTunes online update procedures to install unauthorized programs.^[6][7] Gamma International offered presentations to government security officials at security software trade shows where they described to security officials how to covertly install the FinFisher spy software on suspect's computers using iTunes' update procedures.

The security flaw in iTunes that FinFisher is reported to have exploited was first described in 2008 by security software commentator Brian Krebs.^[6][7][14] Apple did not patch the security flaw for more than three years, until November 2011. Apple officials have not offered an explanation as to why the flaw took so long to patch.

https://en.wikipedia.org/wiki/FinSpy

The head of Apple product security is a ex-top-NSA guy so it stands to reason to assume they and Microsoft (likely Ubuntu Linux now too), always allow backdoors into all computers and phones for the sake of national security and law enforcement purposes.

With FinSpy it was widely abused by many governments and discovered, the fact is they ALWAYS have had a way to get inside our machines because we have to trust the maker of our operating systems and hardware,, they in turn have to obey the wishes of the government who holds power over them.

Governments are extremely paranoid because human population is getting out of hand and terrorists are unseen enemies so they will always try to have some sort of secret card up their sleeve, which the bad guys like hackers often find out about and invade people's machines with.

So there is this little game that has been going on for decades, the operating system and hardware makers leave a backdoor, the bad guys find it and spread malware, the good guys tell the world of the problem, they close the hole and clean up infected machines and then leave another backdoor to start the cycle all over again.

What can you do when you can't win?

Don't use their rigged machines or don't have anything on them or do anything with them that they will bother about.

Use a brand new machine, out of the box inside a Faraday Cage room and never connect it to the Internet or trade files, have a instant way of physically destroying all data at a moments notice, even if your on the toilet or taking a shower, that's long enough for them to break in and stop you.

Encryption is only going to make them mad and bust your will somehow in order to give up the password.

Getting software is a problem because now a lot of it is being downloaded online instead of coming on disks and requires copy protection to be updated online.

It's still possible to have a machine 100% secure and offline, but you will have to cut off a lot of features to do it.

Read the Paranoid section here

How do I securely delete data from the machine?