Slashdot Mirror

← Back to Stories (view on slashdot.org)

Leaked Demo Video Shows How Government Spyware Infects a Computer (vice.com)

Posted by BeauHD on from the never-before-seen dept.

An anonymous reader quotes a report from Motherboard: Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers. The video shows an RCS Lab employee performing a live demo of the company's spyware to an unidentified man, including a tutorial on how to use the spyware's control software to perform a man-in-the-middle attack and infect a target computer who wanted to visit a specific website. RCS Lab's spyware, called Mito3, allows agents to easily set up these kind of attacks just by applying a rule in the software settings. An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select "inject HTML" to force the malicious popup to appear, according to the video. Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings, according to a confidential brochure obtained by Motherboard. The company's employee shows how such an attack would work, setting mirc.com (the site of a popular IRC chat client) to be injected with malware (this is shown around 4:45 minutes in). Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware. A direct link to the YouTube video can be found here.

49 of 116 comments (clear)

  1. Authenticity? by Anonymous Coward · · Score: 1

    Why should the purported "spyware" be able to do anything real, when tax payer money is easier to grab than ever before?

    1. Re: Authenticity? by Anonymous Coward · · Score: 1

      You just dont get it, son

  2. Re: Why are you people so worried about this? by Anonymous Coward · · Score: 3, Insightful

    Sir, your stupidity is pegged off, scale high.

  3. Info on how access is obtained? by Anonymous Coward · · Score: 5, Interesting

    In the video it shows that the fake flash installation is to avoid the certificate warnings about the mitm attack. Yet how is the mitm set up? Have they gained access to network devices or another section of this network

    1. Re:Info on how access is obtained? by 110010001000 · · Score: 1

      They probably do, or they have a MITM proxy setup that all the traffic is redirected to. This is trivial to do, and there are lots of companies that do this for other reasons (like performance monitoring). This is only shocking if you don't understand how networks actually work. They aren't secure, period.

    2. Re:Info on how access is obtained? by freeze128 · · Score: 1

      It seems like a lot of trouble to go through just to hope that the computer user is dumb enough to click on your adobe update link. They would probably have better luck if they just joined an advertising network and delivered their malware through an ad.... or sent an email with a spearfishing attack. Heck, if you have a warrant for this through a FISA court, why not then just sneak into the target's house and plant the malware directly?

    3. Re:Info on how access is obtained? by nitehawk214 · · Score: 1

      On my computer? Not bloody well.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    4. Re:Info on how access is obtained? by AHuxley · · Score: 1

      The smarter version that gets all people using that site would attract too much attention.
      All kinds of heuristic and behaviour tests are sold by different AV brands globally. So its best to just attempt to look like random expected malware and go after one silly click happy user.
      If the AV detects the intrusion, its just random malware. No other AV detection is escalated, nobody starts looking as the AV brands know.
      Often the users must be ready to click or it would not be offered as is?
      Re 'sneak into the target's house and plant the malware directly?"
      Thats getting hard in Western nations as the traditional closed communities that need that kind of 24/7 watch are very inward looking and would see a strange van, car, people at a door, down the side of a home or entering a home. The contractor or ex mil people with the skills are kind of stand out in most nations vs a closed society that is on watch for just such gov intrusions.
      Sneak and peak works well if a lot of people are making deliveries, working on a renovation, selling, renting, new renters next door...
      Most people would recall the first fake and second real arrival of a tradesperson over a few hours walking around their home.
      That can be hard to arrange or induce for the security services given staffing and skill sets needed to blend into a community packed with very well protected interesting people.
      So contractors sell govs on renting malware and remote server grade solutions.

      --
      Domestic spying is now "Benign Information Gathering"
  4. Re: Why are you people so worried about this? by tal_mud · · Score: 1

    Ah, I think you missed the sarcasm in the parent post.

  5. really? by Anonymous Coward · · Score: 2, Interesting

    it relies on popups to work?

    1. Re:really? by Opportunist · · Score: 1

      Why not? People are stupid and click everything.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Re: Why are you people so worried about this? by mwvdlee · · Score: 5, Insightful

    That's probably because a lot of people say the exact same thing without being sarcastic at all.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  7. Re:Why are you people so worried about this? by Anonymous Coward · · Score: 1

    So no one has ever used or would ever use their position/knowledge for person gain or personal reasons? Would you trust your neighbor with this or anyone you went to highschool with this? The government is made of people and people make mistakes... a lot of mistakes.

  8. YFN super secret spyware == social engineering by Anonymous Coward · · Score: 1

    Slick tricks to trick user to downloading and installing malware.

    1. Re:YFN super secret spyware == social engineering by Opportunist · · Score: 1

      Aka Redneck-Virus. Please click here for infection.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Government? by hyperar · · Score: 2

    All i see is a supposed "hacker" that doesn't even know that by clicking "Advanced" link button on the Chrome security warning page you can proceed, don't know how they set up the MITM attack on the users PC, and Avira is off as you can clearly see the umbrella is closed.

    1. Re:Government? by Anonymous Coward · · Score: 5, Informative

      This was intentionally leaked. People who watch this video are going to think the govt hackers are some retards. They aren't showing you the Microsoft backdoor that NSA uses to access Microsoft's CEIP data, or the one to access any windows PC. MS has in the legal fine print they are allowed to enter your computer remotely and even run programs. This would also include anyone MS wishes to also give access to.

    2. Re:Government? by war4peace · · Score: 1

      Yeah, I was looking for that too.
      It's a standard malware app (badly) arranged to look good.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  10. Re:Why are you people so worried about this? by Opportunist · · Score: 1

    Mmm.... 5/10 on the troll scale. Good effort, lots of triggers, but overused.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:Why are you people so worried about this? by phantomfive · · Score: 3, Insightful

    If it weren't for the abuses we've already seen (look up LOVEINT for just a simple example), if it weren't for secret courts that approve warrants and perform trials with hidden evidence, then maybe you would have a point.

    We've already seen too many abuses of these powers.

    --
    "First they came for the slanderers and i said nothing."
  12. So you're saying... by Afty0r · · Score: 1

    Once the user downloads the fake update, he or she is infected with the spyware.

    ...That this won't affect me. Or anyone that matters?

  13. How Government Spyware Infects Microsoft Windows by khz6955 · · Score: 2, Informative

    "Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware"

    The article forgot to mention the malware only 'infects' Microsoft Windows desktops.

  14. Defendable by KClaisse · · Score: 1

    Someone correct me if I'm wrong, but if a website uses both SSL and HSTS this attack becomes much more difficult, if not impossible (depending on how your browser handles HSTS) as long as its not your first time visiting the website. If you have visited the website before and HSTS is enabled on the site a forged certificate will not work and the victim will not be able to continue. Still scary but its just further reason that more sites, even those that don't transmit critical information, should use HTTPS and HSTS.

    1. Re:Defendable by KClaisse · · Score: 5, Interesting

      Hmm just did some testing on my own server and even with HSTS and HPKP I was able to MITM a secure connection using fiddler as long as the forged certificate's root CA was in my browsers trusted key store. I am a bit alarmed firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.

    2. Re:Defendable by strikethree · · Score: 1

      I am a bit alarmed firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.

      This is the comment that deserves +6 Informative this year. Thank you.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    3. Re:Defendable by michael_wojcik · · Score: 2

      HSTS isn't relevant in this case (HTTPS using the Fiddler certificate is still HTTPS), but it does seem like HPKP isn't working correctly there. Assuming you'd previously visited your site without Fiddler interpositioning, within the pinning max-age interval.

      Oh, wait: I should have checked the docs first. Mozilla says:

      Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.

      (https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning, emphasis in original)

      The Fiddler root certificate was installed by you, so it's a user-defined trust anchor, so any chain that terminates in it is ignored for HPKP.

      I understand this is convenient for developers and web admins, but it is something of a hole in HPKP. Just use a little of the ol' social engineering to get the victim to install your certificate, and you can bypass HPKP entirely. Still, HPKP prunes some significant branches of the attack tree, so it remains useful.

  15. As usual the attacks should not work by aepervius · · Score: 5, Insightful

    "a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware."

    The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that froma random web page. Heck flash would probably not work from a random web page.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:As usual the attacks should not work by Zontar_Thing_From_Ve · · Score: 1

      The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that froma random web page.

      You'd hope, but most of my friends and all of my family are not IT people and they cover the spectrum from "skeptical about random popups" to "likely to click on anything that pops up with a dire warning telling them they need to click on it immediately". In general people that don't work in IT just don't care about security on their PCs and they grossly underestimate the danger. My brother is a pretty smart guy but he works in sales and over a decade ago he ran an old Win 98 PC at home that he made no attempt to protect with a firewall because he said it was so old that nobody would want to hack it. That's a lot more typical of the non-IT person's thinking than "Wow. I need to be careful because bad people are out there."

    2. Re:As usual the attacks should not work by bill_mcgonigle · · Score: 2

      The problem as usual is that people are not educated in security.

      We could blame the victims, or we actually point the finger at the company making the computer intrusion tools and the government agencies that fail to prosecute them for aiding and abetting crimes.

      Hey, Adobe - how about you destroy this company in court for misappropriation of trademark and willful destruction of reputation? It would be small penance for never doing a massive security audit of flash-plugin.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  16. Would this infect a Chromebook? by InterGuru · · Score: 1

    Would this infect a Chromebook? I am told they are virus proof.

  17. Re:Why are you people so worried about this? by fgouget · · Score: 5, Insightful

    Unless you're clearly up to no good, you don't have to worry about spyware like this.

    You mean up to no good like Angela Merkel, Chirac, Sarkozy and Hollande the last three French presidents, and 35 world leaders?

    But of course you don't need to be a celebrity or a politician to be up to no good. You could be trying to help people through a humanitarian organization like the Red Cross, Doctors Without Borders, , or you could just have said something bad about the government of a minor island, etc.

    And even if you're not one of the above 'bad people', you could simply be one of the 90% of people who are collateral surveillance victims. So no, you don't need to be up to no good to be under surveillance and that's something to be concerned about.

  18. False! by Anonymous Coward · · Score: 1

    Flash updates, that look exactly like that, are notorious for "randomly" popping up and requesting installation when trying to work, whether on a web page or not. These Falsh updates are so frequent that even I would not give much thought to one randomly popping up after I opened a browser.

    I've seen many fake Flash install attempts and this one is flawless. The Flash install pop-up looks entirely real. The source URL for the Flash install shows Adobe. This source URL is not quite normal behavior, but only those very familiar with Flash installs would realize that this isn't quite right, otherwise it looks perfectly legit. The installation progress looks perfectly legit, right down to the infuriating and unnecessary slowness of Flash update installs.

    I could not blame a user for falling for this trick.

    This is a MITM attack. The rest is just fancy window dressing. The important and difficult part, that is not discussed, is how the MITM session was established in the first place. That is the key! The entire rest of it is simply a user installed trojan. Clearly, this attack could also be launched from a compromised website, but that's not what the story is talking about.

    1. Re:False! by innocent_white_lamb · · Score: 1

      Thumbnails are stored in your home directory, in a subdirectory named, appropriately enough, .thumbnails.

      If you get a popup in bash (whatever that is; bash is text-only terminal so are you talking about some kind of a window made out of text characters) that asks you for root access to deal with some kind of thumbnails, there's something that either nefarious or really unusual happening and I would be giving a lot of thought to how to proceed before entering the root password at that point.

      --
      If you're a zombie and you know it, bite your friend!
  19. Flash is reason why I use Chrome... by cant_get_a_good_nick · · Score: 1

    Chrome has a built in Flash player. Always updated.

    So when I see a "you must update Flash" i know it's bogus, since I'm already updated. I tell my family this, since they're non-techies and wouldn't be able to tell a legit popup from a fake. (Im not going to be 100% either).

    Oh and Chrome sandboxes its built-in flash better than the plugin can.

    1. Re:Flash is reason why I use Chrome... by 110010001000 · · Score: 1

      Smart. Plus with Chrome the spying is built-in too, and always on.

  20. Re:How Government Spyware Infects Microsoft Window by nomadic · · Score: 5, Funny

    Linux has a built-in security feature in that things like flash hardly ever work correctly, so it's less likely to be installed.

  21. government! by nomadic · · Score: 3, Funny

    How dare the government...be a small Italian company.

  22. Re:Why are you people so worried about this? by cs96and · · Score: 5, Insightful

    "If you have nothing to hide you have nothing to fear". If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details. I could go on. Yes I have something to hide. We all do.

  23. Re:Why are you people so worried about this? by HBI · · Score: 2

    I reject the premise that there was an excuse for the surveillance in the first place. People were stupid enough to buy into the idea that it would protect them from terrorism, but how many terrorist attacks in the US in the last 8 years....something like 8 or so last time I looked. "Well the numbers of dead are small" isn't an argument. The fact that the attacks happened invalidates the justification for the surveillance and the Patriot Act. If people are going to die anyway, most would prefer to be free from government surveillance.

    The sad part is that once you lose a freedom, getting it back has a price in blood. The retards who cheered on the Patriot Act failed to think about this.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  24. Re:Why are you people so worried about this? by Impy+the+Impiuos+Imp · · Score: 1

    The government doesn't have time to investigate most people. Unless you're clearly up to no good, you don't have to worry about spyware like this. I've never understood why Slashdot users are so paranoid about this type of surveillance. What exactly are you hiding? Terrorism? Illegal porn? Money laundering with Bitcoins? If you weren't breaking the law, you wouldn't have anything to be concerned about.

    You assume the only thing it might be used for is terrorism or crime. What if it is a political faction listening in to another one?

    That is what happens in most of the world, and why the bulk of the US Constitution was formulated around not giving the king the tools to root through the stuff of their political opponents.

    With no tracking or logging, and little more than a checkbox for getting a warrant, it is trivial to bypass this. That is the problem.

    And even if the US didn't have this problem with 100% honest officials, what about Putin or China or that newborn dictator in Turkey? Or the entire mideast?

    We need to stop building these tools.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  25. Re:Why are you people so worried about this? by Nemyst · · Score: 1

    While it is arguable that yes, the NSA's job is to spy on other countries, it still invalidates the claim that "Unless you're clearly up to no good, you don't have to worry about spyware like this."

    All you have to do to be the target of spyware like this is "be interesting", or an unfortunate collateral in the quest towards someone who is interesting. "Interesting" here is rather loosely defined and can basically encompass most of the world population.

  26. A Hack for Darwinism.. by theinfamousgeek · · Score: 1

    Would be the best description for this post. Yes I get the overall message. Sadly this his how a low of "end-users" get pwned.

  27. Re:Social Engineering? by degantyll · · Score: 1

    I never thought this actually worked, then a week ago I got a concerned call from an old time customer that her computer was BSODing. Turns out, the AV license ran out and she got one of this ads and promptly downloaded the "Fix program". Cleaned the program away and the computer ran with no problem. Damn

  28. Re:How Government Spyware Infects Microsoft Window by degantyll · · Score: 1

    I really really hope you're wrong.

  29. Re:Why are you people so worried about this? by Burz · · Score: 2

    yes and the parent to this comment ignores the fact that those governments also spy on the USA.

    And you ignore the fact that they're not bugging the phones of our highest elected officials. But its 'OK' for the US to do it to them.

    American Exceptionalism is largely about treating even your allies like vassal states.

  30. Re: Why are you people so worried about this? by interstellarsurfer · · Score: 1

    NSA = National Security Agency, not National Surveilance Agency. If this shit was coming out of the CIA, I would be wholly unsurprised and a little less concerned. The NSA was supposed to be limited in scope to protecting American territory from organized terrorism. The reason all these espionage programs are under the NSA's jurisdiction now, is because of the Patriot Act's funding, and Executive Orders giving them carte blanch to circumvent the law.

  31. Re: Why are you people so worried about this? by lsatenstein · · Score: 1

    I think it's time for are computers so I have the open-source bias software. At least with the open source software we have a chance of ensuring that there is no hacked code to usurp our privacy.
    I am more concerned about hacking the Intel or AMP CPU.

    --
    Leslie Satenstein Montreal Quebec Canada
  32. Re:Why are you people so worried about this? by lsatenstein · · Score: 1

    "If you have nothing to hide you have nothing to fear".

    If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details.

    I could go on. Yes I have something to hide. We all do.

    What I legitimately have to fear is unauthorized access to the notes I keep for my needs, such as bank account numbers, insurance policies, driver permit info, etc. Data that I suppose should not reside within a cellphone.

    Here is something I would like to address about security. Since I believe that there is no stopping government invasion of privacy.

    We should be able to get an open-source computer bios. A bios that is trimmed down severely, and where the major half of the bios is open source code residing within your USB flash drive, cellphone, tablet or desktop boot partition.

    But my major fear is the introduction of the backdoor into the Intel and AMD cpu's. Yes, as each release of a CPU eventually gets a microcode update, that backdoor is required. Currently it is used as a microcode update to correct a faulty instruction that needs a tweak. There is enough space within the CPU to in fact add a few extra instructions -- instructions that are currently NO-OPS but can be revised to work around any data or program security that is normally installed. If the government sends Intel the patch, it gets into your operating system as a kernel microcode update, and voila, your system is contaminated without your finding any extra software software clandestinely.
    That is also why foreign countries (China, Russia, India)are justifying the design and marketing of their own cpu chips.
    All I can forecast is that in the future, it will be easier to hack your computer chip in each appliance that you own.

    --
    Leslie Satenstein Montreal Quebec Canada
  33. Re:Why are you people so worried about this? by peawormsworth · · Score: 1

    Of course we, the honest citizens have nothing to worry about from software like this.

    People who believe that monitoring occurs in the manner shown in this video are the same people who think we have nothing to worry about regarding mass surveillance. Those who are aware are concerned about something else. This is not how we lose our freedoms on mass.