Slashdot Mirror


Free Tools For Detecting Hacking Team Malware In Your Systems

An anonymous reader writes: Worried that you might have been targeted with Hacking Team spyware, but don't know how to find out for sure? IT security firm Rook Security has released Milano, a free automated tool meant to detect the Hacking Team malware on a computer system. Facebook has also offered a way to discover if your Mac(s) have been compromised by Hacking Team malware: it has provided a specific query pack for its open source OS analysis tool, osquery.

62 comments

  1. Hmmm ... by gstoddart · · Score: 5, Insightful

    So how do we know we can trust the hacking tools designed to tell us if the hacking tools have installed hacking tools?

    If this shit isn't proof that giving governments backdoors to security and crypto is a terrible idea, I have no idea what is.

    --
    Lost at C:>. Found at C.
    1. Re:Hmmm ... by ArchieBunker · · Score: 1

      How do you know your EFI BIOS or hard drive firmware is not compromised?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:Hmmm ... by ArcadeMan · · Score: 4, Funny

      The evil bit is turned off.

    3. Re:Hmmm ... by Anonymous Coward · · Score: 0

      If it's open source at least you can determine that it isn't malicious to your computers.

      You can never know if it isn't (intentionally) incomplete/"malicious to you, as a person," designed to give people a false sense of security by truthfully identifying most but not all of the things it claims to identify.

    4. Re:Hmmm ... by snookiex · · Score: 1

      Yeah, just remove the red jumper.

      --
      Open Source Network Inventory for the masses! Kuwaiba
    5. Re:Hmmm ... by Anonymous Coward · · Score: 0

      But I'm evil, so my ifcfg-eth0 file has EVIL_BIT_FORCE = YES for compliance.

    6. Re:Hmmm ... by Shadow+IT+Ninja · · Score: 1

      Quis custodiet ipsos custodes?

      I seem to be quoting that a lot lately but it is a classic after all.

    7. Re:Hmmm ... by Anonymous Coward · · Score: 0

      Yeah, just remove the red jumper.

      ... and make sure to only set the phaser to stun, right?

    8. Re:Hmmm ... by Ravaldy · · Score: 1

      But I want to run it. The dilemma!!!

    9. Re:Hmmm ... by Anonymous Coward · · Score: 0

      Yeah, about that. Avast doesn't like Package_1.zip

    10. Re:Hmmm ... by alvinrod · · Score: 1

      If the tools are open source, the code can be manually audited by any interested person or some external group that is capable of ensuring that such is not the case.

    11. Re:Hmmm ... by cdrudge · · Score: 0

      Lorem ipsum dolor sit amet

      I seem to quote that a lot lately too and it's about as classic.

    12. Re:Hmmm ... by ArylAkamov · · Score: 1

      I knew there was a reason I kept that PIII toaster in the closet!

    13. Re:Hmmm ... by AmiMoJo · · Score: 1

      Wait a few days for other reputable security researchers to check them out and recommend them. Every firm has to start somewhere with zero rep, and as usual it's the web of trust we rely on.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Hmmm ... by Anonymous Coward · · Score: 0

      That's what she said.

    15. Re:Hmmm ... by mlw4428 · · Score: 1

      Nah, it's actually a qubit...it can be on and off simultaneously.

    16. Re:Hmmm ... by Anonymous Coward · · Score: 1

      Simple solution:
      - download the zip file
      - take less than a minute to find two data files in the directory RookMilano/ioc_files
      - extract the MD5 sums from those files
      - use md5sum to scan your system
      - compare

    17. Re:Hmmm ... by ArcadeMan · · Score: 1

      The Pentium 3 was gay?

    18. Re:Hmmm ... by Anonymous Coward · · Score: 0

      and to quote Cicero properly: "Prudentia est enim locata in dilectu bonorum et malorum officium"

    19. Re:Hmmm ... by Anonymous Coward · · Score: 0

      REALLY no, we don't want to see what's under it, really.

    20. Re:Hmmm ... by SeaFox · · Score: 1

      You can't spell crook without "rook".

    21. Re:Hmmm ... by TGorup · · Score: 1

      Exactly why we also provided the IOC formatted files. We wanted to make sure everyone could consume this information regardless of security teams tools. We are releasing the Python script used to create the executable. We will be sure a link is posted as soon as it's up on our site.

  2. Plot twist by donaggie03 · · Score: 1

    Milano is the spyware...

    --
    Three days from now?? Thats tomorrow!! ~Peter Griffin
    1. Re:Plot twist by Anonymous Coward · · Score: 1

      Milano is the spyware...

      Pepperidge Farm remembers...

  3. How do I know... by Anonymous Coward · · Score: 0

    How do I know that Milano isn't a trojan that will install the very thing I am trying to avoid?

  4. Obligatory by ArcadeMan · · Score: 0

    The Gregory House / Fox Mulder combo: Everybody lies, trust no one.

    As others have said, how do we know that these tools aren't malware themselves?

    1. Re:Obligatory by Archfeld · · Score: 1

      Intent is the only difference between much of this "malware" and enterprise wide desktop management tools installed with the /silent option...

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
  5. Linux..eerrmm mmmuuhh gawd by Anonymous Coward · · Score: 0

    C'mon guys don't be stingy, share your scripts for the linux

  6. Re:Zero need is always free by Anonymous Coward · · Score: 0, Redundant

    Thank you Apple Mac!

    you dipshit

  7. osquery by Anonymous Coward · · Score: 0

    Without trolling about Facebook, OSX (or CentOS or the other OSes listed on the osquery page and omitted in the summary), or any form of relational or non-relational database, can someone explain to me the advantages of an abstraction layer that presents the operating system as a database to be queried by SQL? Is it to provide cross-compatibility to checks that need to be written only once for many operating systems that differ in minor regards? Why use SQL instead of creating a programmatic API like virus scanners usually do?
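An added illustration of the "OS as a database" idea the comment above asks about; this is not Facebook's osquery or its Hacking Team query pack, but a sqlite3 mock of it. The table names and columns (`processes`, `hash`) follow osquery's schema as an assumption, the rows are a constructed snapshot, and the digests are placeholders rather than real indicators. The point it shows is that cross-referencing two facets of the system (what is running, what is on disk) against an IOC list is one join, written once, rather than per-platform glue code around a scanner API.

```python
import sqlite3

# Constructed snapshot of two osquery-style tables. Real osquery exposes these
# as virtual tables over the live system; here they are plain sqlite3 tables.
PROCESSES = [  # (pid, name, path)
    (1, "launchd", "/sbin/launchd"),
    (242, "Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    (913, "agent", "/Users/alice/Library/Preferences/.d/agent"),
]
HASHES = [  # (path, md5); placeholder digests, not real indicators
    ("/sbin/launchd", "11111111111111111111111111111111"),
    ("/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder", "22222222222222222222222222222222"),
    ("/Users/alice/Library/Preferences/.d/agent", "9e107d9d372bb6826bd81d3542a419d6"),
]
# Constructed IOC list; the first entry is the md5 of "The quick brown fox jumps
# over the lazy dog", used purely as a stand-in for a known-bad digest.
IOC_MD5 = ["9e107d9d372bb6826bd81d3542a419d6", "d41d8cd98f00b204e9800998ecf8427e"]


def build_db():
    """Load the constructed snapshot into an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE processes(pid INTEGER, name TEXT, path TEXT);"
        "CREATE TABLE hash(path TEXT, md5 TEXT);"
    )
    db.executemany("INSERT INTO processes VALUES (?, ?, ?)", PROCESSES)
    db.executemany("INSERT INTO hash VALUES (?, ?)", HASHES)
    return db


def running_iocs(db=None, iocs=IOC_MD5):
    """Return (pid, name, path, md5) for every running process whose on-disk
    image hashes to an IOC. The join is the whole detection logic."""
    db = db or build_db()
    placeholders = ", ".join("?" * len(iocs))  # bind the IOCs, never splice them in
    query = f"""
        SELECT p.pid, p.name, p.path, h.md5
        FROM processes AS p
        JOIN hash AS h ON h.path = p.path
        WHERE h.md5 IN ({placeholders})
        ORDER BY p.pid
    """
    return db.execute(query, list(iocs)).fetchall()


if __name__ == "__main__":
    for row in running_iocs():
        print(row)
```

Against a real osquery the same SELECT would be handed to osqueryi unchanged; as far as I know its hash table computes digests on demand for the paths the join supplies, which is why the join, rather than a separate "hash everything" pass, is the idiomatic form there.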

  8. Stupid by Anonymous Coward · · Score: 0

    ...a way to discover if your Mac(s) have been compromised

    Everyone knows that Macs are impervious to viruses/malware. Duh!

  9. Where do I sign up? by sjbe · · Score: 4, Funny

    Hmm, some security firm I've never heard of releases a tool I've never heard of, which is supposed to tell me if I've got spyware with alleged government ties. Yeah, that sounds super trustworthy...

    Oops, I left the sarcasm bit turned on. Sorry about that...

    1. Re:Where do I sign up? by cbiltcliffe · · Score: 1

      While I wouldn't say Rook Security is a household name, I know I've heard of them before. ( Although I admit, I can't think of where, and I don't exactly know anything about them. It could very well turn out that you're right.)

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    2. Re:Where do I sign up? by j_j_thompson · · Score: 1

      The IOCs are a separate file so that users who were concerned could still utilize the resources we shared if they did not want to trust our code.

  10. Open source or GTFO by Anonymous Coward · · Score: 1

    Like I said, those tools would need to be open source, otherwise what's the point, you might end up being jacked through your fear of being jacked...

    1. Re:Open source or GTFO by j_j_thompson · · Score: 1

      Totally agree. We will release the source shortly. Sitting with dev team now.

  11. Let me see if I understand this by argStyopa · · Score: 5, Insightful

    ...so, to see if I have undetected malware buried in my system, I should run an unidentified exe file from a company I've NEVER heard of?

    Well, that sounds like a great idea.

    --
    -Styopa
    1. Re:Let me see if I understand this by Anonymous Coward · · Score: 2, Funny

      Make sure to run it with elevated privilege. :)

    2. Re:Let me see if I understand this by Anonymous Coward · · Score: 0

      Just format C: and start over. Hopefully you use simple data formats that aren't capable of having malware embedded in them, or when you bring your data back you will re-infect yourself.

    3. Re:Let me see if I understand this by Anonymous Coward · · Score: 5, Informative

      Well, following their own whois information:

      Rook Security is apparently a front for the "Rook Group,"

      Registrant Name: Rook Group
      Registrant Organization: Rook Consulting
      Registrant Street: 560 S. Winchester Blvd
      Registrant Street: Suite 500
      Registrant City: San Jose
      Registrant State/Province: California
      Registrant Postal Code: 95128
      Registrant Country: United States
      Registrant Phone: +1.8887129531
      Registrant Phone Ext:
      Registrant Fax:
      Registrant Fax Ext:
      Registrant Email: info@rookconsulting.net

      ...of "Rook Consulting." So it's already sounding like a holding company...the interesting part is who's behind all -that- mess, on rooksecurity.com, they list their "PR" contact as twhitman@vocecomm.com...Tim Whitman, who apparently is also the PR contact for another no-name outfit, BeyondTrust:

      http://www.beyondtrust.com/New...

      One of the few articles I can find advertising their "skills" is one of their own press releases and all the companies involved seem to be awfully vague about what services they're offering exactly...

  12. Re:Zero need is always free by behrooz0az · · Score: 3, Insightful

    Hate to break it to you, you look so pretty in your small little iSheep bubble, but their malware IS cross-platform and those platforms DO INCLUDE Mac.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  13. Re:Going to Lancaster County by Anonymous Coward · · Score: 0

    Getting away from it all. Raise a few barns. Marry a few relatives. Have me a good old time. I'll be the one with the purple triangle on the back of the buggy.

    When did the triangle stop being reflective orange?

    Ohh, it's THAT kind of purple triangle.

  14. Macs? by Anonymous Coward · · Score: 0

    Why would I check my Mac? Macs don't get malware, pshaw!

    (derp)

  15. I downloaded it and then uploaded to virustotal by waspleg · · Score: 3, Informative

    2/54, could be false positives. I've at least heard of Rook Security, although I forget in what context ;)

    1. Re:I downloaded it and then uploaded to virustotal by Trax3001BBS · · Score: 1

      2/54, could be false positives. I've at least heard of Rook Security, although I forget in what context ;)

      It contains the hashes for what it's looking for, and what virus programs look for, so it would show positives. The same thing will happen with a safe key generator or some debuggers.

  16. Facebook's tool by CanadianMacFan · · Score: 3, Insightful

    I'll take my chances with the Hacking Team malware, I trust them more.

  17. Re:Zero need is always free by Anonymous Coward · · Score: 0

    "Zero need...Thank you Apple..." The author believes he has zero need for malware detecting software, thanks to his use of Apple Macintosh.

  18. Not sure I can trust them... by Raxxon · · Score: 3, Informative

    Figured I'd take a look at the tools. Download what claims to be the software for windows (first link). Get presented with a Zip file, as expected. Open zip file and find.... OSX software. Thinking I clicked on the wrong link I went back to download a second time... Same file.

    So... yeah.. ranking real high on the trust value right now.

    1. Re:Not sure I can trust them... by j_j_thompson · · Score: 1

      We'd like to earn trust. We're going to release the source shortly (today). Good point about the mis-match about expectations vs. what you found. I believe you're referring to the .DS_Store file. @tgorup, please address.

    2. Re:Not sure I can trust them... by TGorup · · Score: 1

      Absolutely, I have prepared a blog post (excerpt pasted below) touching on this issue, and others, directly. As JJ said, we are releasing the source code on GitHub. Our developers are working to ensure our README is fully up-to-date.

      "In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to make sure we are completely transparent with how our tool operates. In lieu of executing the binary, the .py script on GitHub can be leveraged. We have learned a lot during our releases, including leaving '.DS_Store' within the zip, consistent folder/file names, etc.

      This is the first time we have released tools to the public for free. We will continue to develop, improve, and grow our processes as these opportunities are identified. We truly appreciate the feedback and suggestions and will continue to take them into account with every release."

  19. Detekt is promising by Anonymous Coward · · Score: 0

    https://github.com/botherder/d...
    https://github.com/botherder/d...
    https://resistsurveillance.org...

    A shame their latest release was Dec 4, 2014.

    This software has the potential for doing good, but it looks quite limited in scope at the moment. Someone needs to give the developer some cookies or something to push further development.

  20. It's a virus by slashmydots · · Score: 1

    The first download link is broken and the second one was flagged by my antivirus. Great article checking, guys.

    1. Re:It's a virus by TGorup · · Score: 1

      I completely understand exercising caution when opening or using new files, especially when it's an executable from a not-so-well-known company and AV software is recommending you do so. Below are the VirusTotal results for both Package1_1.zip and HT_Malware_Observations.pdf. The PDF contained within the zip is what is causing the AV to trigger. We believe this is due to string detection. The PDF contains file names like dropper.dll, _d9jaoFG.fXR, etc. It's very likely the AV is searching for these types of files/libraries being packaged within a malicious payload.

      Scan results:
      Package1_1.zip
      VT Results: https://www.virustotal.com/en/...

      HT_Malware_Observations.pdf
      Under the File detail tab and Contained files the PDF is flagged by 2 vendors.
      VT results for the PDF https://www.virustotal.com/en/...
      • 1. This PDF document has 8 pages, please note that most malicious PDFs have only one page.
      • 2. This PDF document has 74 object start declarations and 74 object end declarations.
      • 3. This PDF document has 29 stream object start declarations and 20 stream object end declarations.
      • 4. This PDF document has a cross reference table (xref).
      • 5. This PDF document has a pointer to the cross reference table (startxref).
      • 6. This PDF document has a trailer dictionary containing entries allowing the cross reference table, and thus the file objects, to be read.
  21. I ran it by Trax3001BBS · · Score: 1

    I have this faith in whatever is posted to /. good or bad, but if it's questionable (How to build weapons, JSTOR) I follow the safety in numbers rule which /. provides.

    Two sites were called, and I don't think it was RookMilano; while in hex, Microsoft was prevalent throughout.
    onesettings-cy2.metron.live.com.nsatc.net; vortex-cy2.metron.live.com.nsatc.net. Both are certificate sites.

    It's fairly CPU intensive, something you'd run at night or during downtime; yet it's the same thing as malware detection: if you don't have any, you don't know what it's supposed to do when it finds it.

    For windows it's a command window so a redirect to a text file is easy to do; as the only thing reported was "file fine" after each and every file.

    1. Re:I ran it by TGorup · · Score: 1

      The directory you choose will drive the amount of time the tool takes to execute. Using the Deep Scan, which I recommend, Milano is creating MD5 hashes of every file on your system and comparing against our list of bad files. The process of hashing each file will take quite a few cycles. I think your recommendation of running during downtime is best.
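The hash-and-compare scan that comment 16 describes doing by hand with md5sum and that the Deep Scan reply above says Milano performs, as an added example. This is not Milano's code (its source is linked further down) and the IOC file layout, the hashes in it and the directory it scans are all constructed for the example; the one-hash-per-line format with optional comments is an assumption. Two practitioner points the thread only hints at: hash each file once and derive both MD5 and SHA-256 from the same read, since walking the disk is the expensive part, and treat a clean result as "none of the listed samples are present" rather than "not infected", because a rebuilt or repacked implant has a different digest and will not match any list.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample IOC file. The real ioc_files format is not shown on the
# page; this assumes one hex digest per line, with '#' comments allowed.
# These are digests of an empty file and of a well-known test string, NOT
# Hacking Team indicators.
SAMPLE_IOC_FILE = """
# constructed sample indicators
d41d8cd98f00b204e9800998ecf8427e   # md5 of an empty file
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855   # sha256 of an empty file
9E107D9D372BB6826BD81D3542A419D6   # md5 of "The quick brown fox jumps over the lazy dog"
not-a-hash-line
"""

HEX_RE = re.compile(r"\b([0-9a-fA-F]{32}|[0-9a-fA-F]{64})\b")  # md5 or sha256


def parse_iocs(text):
    """Return {'md5': set, 'sha256': set} of lowercase digests; malformed lines are skipped."""
    iocs = {"md5": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = HEX_RE.search(line)
        if not m:
            continue  # skip junk rather than abort the whole scan
        digest = m.group(1).lower()  # normalise case before comparing
        iocs["md5" if len(digest) == 32 else "sha256"].add(digest)
    return iocs


def hash_file(path, chunk=1 << 20):
    """Stream the file once and return (md5, sha256), so large files stay out of memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return (path, algorithm, digest) for every IOC match."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # hash the target once, not every link to it
            try:
                md5, sha = hash_file(path)
            except OSError:
                continue  # unreadable or vanished mid-scan; a real tool would log it
            if md5 in iocs["md5"]:
                hits.append((path, "md5", md5))
            if sha in iocs["sha256"]:
                hits.append((path, "sha256", sha))
    return hits


def demo():
    """Build a throwaway tree with two files matching the constructed IOCs and
    one clean file, scan it, and return sorted (filename, algorithm) pairs."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "empty.bin"), "wb").close()
        with open(os.path.join(root, "fox.txt"), "wb") as f:
            f.write(b"The quick brown fox jumps over the lazy dog")
        with open(os.path.join(root, "clean.txt"), "wb") as f:
            f.write(b"nothing to see here")
        hits = scan_tree(root, parse_iocs(SAMPLE_IOC_FILE))
    return sorted((os.path.basename(p), alg) for p, alg, _ in hits)


if __name__ == "__main__":
    for filename, alg in demo():
        print(f"{filename}: matched {alg} IOC")
```

To use it against a real IOC file and directory, call `scan_tree("/", parse_iocs(open("ioc.txt").read()))`; expect a full-disk run to take as long as the Deep Scan the reply describes, for the same reason.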

  22. Milano v1.0.1 Available on GitHub by TGorup · · Score: 2

    Thank you for your comments!

    In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to make sure we are completely transparent with how our tool operates. In lieu of executing the binary, the .py script on GitHub can be leveraged. We have learned a lot during our releases, including leaving '.DS_Store' within the zip, consistent folder/file names, etc.

    This is the first time we have released tools to the public for free. We will continue to develop, improve, and grow our processes as these opportunities are identified. We truly appreciate the feedback and suggestions and will continue to take them into account with every release.

    GitHub Repo: https://github.com/RookLabs/mi...
    Blog Post: https://www.rooksecurity.com/w...

  23. Source code to Milano released on GitHub by j_j_thompson · · Score: 1

    As requested. Thank you all for the feedback. https://www.rooksecurity.com/s...

    1. Re:Source code to Milano released on GitHub by j_j_thompson · · Score: 1