Gamma Group

It is one of the more elusive commercial cyberespionage tools available. It is marketed as a way for governments to spy on criminals. And for over a year, virus hunters unsuccessfully tried to track it down. Now it is popping up across the globe, from Qatar to an Amazon server in the United States.

FinFisher is a spyware product manufactured by the Gamma Group, a British company that sells surveillance technology. It says its spyware offers “world-class offensive techniques for information gathering.” According to FinFisher’s promotional materials, the spyware can be “used to access target systems, giving full access to stored information with the ability to take control of the target system’s functions to the point of capturing encrypted data and communications.”

Security researchers who studied the spyware last month said it can grab images of users’ computer screens, record their Skype chats, remotely turn on cameras and microphones, and log keystrokes. The Gamma Group markets FinFisher as a way for government law enforcement and intelligence agencies to keep track of criminals, but the researchers’ findings suggested that it was being used more broadly.

The spyware first attracted attention in March 2011 after protesters in Egypt raided the country’s state security headquarters and found an offer to buy FinFisher for 287,000 euros, or $353,000. Then in May of this year, pro-democracy Bahraini activists, one in London, another in Washington and one in the Bahraini capital, Manama, started receiving suspicious e-mails, which they passed to a Bloomberg reporter.

Bill Marczak, a computer science graduate student, and Morgan Marquis-Boire, a security researcher with the Citizen Lab of the Munk School of Global Affairs at the University of Toronto, analyzed the e-mails and found evidence that they contained FinSpy, part of the FinFisher spyware tool kit. The term “FinSpy” itself appeared in the malware’s code.

The findings, published last month, suggested FinFisher technologies were being used for surveillance beyond suspected criminal activity. Martin J. Muench, the managing director of Gamma International, who develops the FinFisher line of products from Munich, did not respond to a request for comment, and a Gamma Group representative did not respond to e-mailed questions. Mr. Muench told Bloomberg that his company did not sell FinFisher spyware to Bahrain, and said the malware might have been a stolen demonstration copy or reverse-engineered by criminals.

But last week, security researchers at Rapid7, a security firm, took the earlier findings a step further. They studied the communication structure of the spyware and found that when they probed the I.P. address of a FinFisher-infected machine with unexpected data, it responded with a unique message: “Hallo Steffi.”

Rapid7 scanned the Internet to see if any other I.P. addresses returned the same message and found 11 I.P. addresses in 10 other countries: Indonesia, Australia, Qatar, Ethiopia, the Czech Republic, Estonia, Mongolia, Latvia, the United Arab Emirates and the United States.

The I.P. address tied to FinFisher in the United States is hosted by EC2, Amazon’s cloud storage service. Amazon did not respond to a request seeking further information about which customer was using its service to disperse the spyware. As of Monday afternoon, the spyware was still active on Amazon’s service.

Security researchers say their findings contradict Mr. Muench’s suggestion that the FinSpy samples they found were stolen demonstration copies or had been repurposed by criminals. For one thing, the researchers say the samples are too fully featured to be demonstration versions. For another, they questioned why a company that licenses its product at such a high cost would not have the ability to disable unauthorized copies remotely.

The researchers also said that the imbalance between the sophistication of the spyware and its distribution techniques contradicts Mr. Muench’s version of events. The spyware, researchers say, is highly sophisticated, particularly in its obfuscation, which circumvents more than 40 antivirus products on the market. But the unsophisticated way in which it is distributed — in suspicious e-mails rather than through sophisticated or even well-known security exploits, and from easily traceable command-and-control servers — suggests that those who engineered the spyware are much more sophisticated than those who distributed it.

“To steal a malware sample and re-engineer it with this level of encryption requires a set of skills that didn’t show up in the infection methods,” said Claudio Guarnieri, a researcher from Rapid7 who studied the samples.

Researchers said it was still unclear whether the spyware was being distributed by governments. The I.P. addresses hosting FinSpy in Australia and Bahrain can be traced to Canberra and Manama, their respective capital cities, which would seem to support that claim. But the I.P. addresses in Latvia and Indonesia, for example, are not located in their capital cities.

Mr. Marquis-Boire and Mr. Marczak said they were continuing to study the Bahraini samples and look for more. “I suspect we will find a lot more,” Mr. Marquis-Boire said.