Legal malware and cyber-mercenaries

Hacking and espionage are hardly crimes for the secret service, but rather are a part of their everyday work. But imagine what could happen if their tools end up in wrong hands.

We are living in a fascinating time where PCs and networks are becoming increasingly integrated in our everyday lives. Only a short time ago they were taking over offices and production facilities, then they entered our living rooms and kitchens, and today almost everyone on the planet carries a moderately powerful connected PC right in their pocket. We are now entering a beautiful era of the Internet of Things where almost everything will be connected.

The more we entrust our everyday routines to computers, the more attractive they become for those that love digging into others’ secrets—bad guys (cybercriminals) and good guys (law enforcement officials who use hacking tactics for justified reasons) alike.

If we ignore their presumably contrary motivations, there is another interesting feature that we can use to tell them apart: Hacking and espionage are hardly crimes for the secret service, but instead are a part of their everyday work.

The phenomenon of legal malware

A key trend in today’s world of cybercriminal business is the legalization of cybercrime, which is positioned differently in the infosec market. For instance, selling zero day vulnerabilities (i.e. vulnerabilities with no security solutions put in place) is becoming increasingly prominent.

The legalization of cybercrime is becoming a trend in the world of cybercriminal business.

Now anyone (those that can afford certain vulnerabilities that can have more than five zeros on the price tag) can purchase an exploit and use it when appropriate—ideally, when protecting their assets, but practically, for almost anything. The trading of such vulnerabilities can be compared to the missile or sophisticated explosives trade.

Furthermore, some companies offer full-feature software bundles that can infiltrate networks and, after obtaining control of the victim’s PC, monitor their activities. We have talked about the highest-end spying Trojan – well, this case can be compared to selling fully packed VFs.


The Banner of FinFisher advertises their perfectly legal means of intrusion and remote monitoring.

Companies offering such services range from the largest defense industry conglomerates reporting to governments, to modestly sized independent companies.

 The latter would not, of course, sell malware to anyone, but their customer list is much more diverse: beyond secret service organizations, it includes major corporations. The services of such ‘mercenaries’ are actively purchased by third-world governments like Pakistan and Nigeria.


Galileo is powered by Hacking Team- another legal developer for cyber espionage

Also, it is important to note that the actual buyer of cyber-espionage services is not necessarily the formal one: there was a case in which surveillance and filtering solutions were sold to the UAE but ended up in embargoed Syria.

One way or another, Kaspersky Lab’s experience proves that privately developed legal malware could potentially end up not only in the ‘good’ hands of secret service (how good they actually are is not the main topic of this article), but also in the hands of very pragmatic third parties. In other words, even if you’re are not at all relevant to the criminal world or the political realm, and are just an ordinary person, one of these days you could find yourself in the midst of it all.

How dangerous is it?

Significantly. Malware like this is created for those with a very generous budget. It is at a very advanced level that has nothing to do with teenage misbehaviors or petty criminals trying to steal a hundred bucks from your credit card.

Some insights from the developers of such malware that slipped on Wikileaks, state that a traditional antivirus does not pose even the tiniest threat to their products.

The developers of legal malware use a great deal of advanced technologies in their products that can fool a virus analyst and prevent him from looking under the hood.

What can be done about it?

Practices do prove that such technologies do have their limitations: There is no magic allowing one to break stealthily into any system but, rather, it is a sample of an usual malware.

Consequently, that means heuristic algorithms (a method of detection based on searching for suspicious attributes relevant to malware) employed in Kaspersky Lab’s solutions are very likely able to filtrate the workings of cyber-mercenaries.

For example, our research of products by FinFisher (one of the most prominent players in the legal cyber-weapon market) proved that contrary to FinFisher’s statement, heuristic analyzers that are deployed in our products as of Kaspersky Antivirus 6 (MP4), have successfully dealt with such threats.

That means that one has to resort to an antivirus that employs a set of technologies that can battle highly sophisticated threats, considering the high likelihood that some dubious ‘anti-cybercriminal’ tool could end up in wrong hands.