Are you 100% sure your devices aren’t infected by Hacking Team surveillance malware, whether because you were the target of some government or because some cyber scum-sucker re-purposed Hacking Team’s leaked malware? Sure, Adobe and Microsoft have issued emergency patches in response to the exploits found in the leaked Hacking Team files, but wouldn’t it be wise to scan your computer and make sure it isn’t already infected? Now you can check: Rook Security has released a free detection tool, dubbed ‘Milano,’ to help individuals and organizations find out if their machines are infected.
Rook Security has been collaborating with the FBI Indianapolis Cyber Task Force over the “malicious and weaponizable” exploits found in the leaked Hacking Team files. To reduce the potential impact to critical infrastructure, they worked together to identify malicious files that could be weaponized. Their objectives were also to “create IOCs and briefs for the affected vendors, clients, critical infrastructure, FBI, U.S. Secret Service, DHS, ISPs and others;” to examine if any clients were impacted, and to “create a capability that can be used to determine if they were compromised by Hacking Team files.”
The newest version of Milano was expanded from 40 file hashes to 312 malicious or weaponizable file hashes, Rook Security’s Tom Gorup said yesterday when announcing the release of Milano v1.0.1. The updated IOCs (Indicators of Compromise) are bundled with the new Milano version. “It is not necessary to download both Milano and the IOC files. We provided both to allow users to leverage this information with any tool in their arsenal.”
Rook’s announcement continues: “Up to this point we have focused our efforts on Windows executable and DLL files. We have completed analysis of over 800 Windows .exe and .dll files resulting in 312 total executable files tagged as malicious or that have the ability to be utilized to support espionageware.
“Additionally, our analysis continues and is focused on Linux and OSX specific files. We have identified 126 files specific to Linux at this point. As we complete the analysis of these files we will be releasing new IOC files, so please check back here on our blog for more information.”
Milano features will be enhanced in the “near future” to include “auto OS detection, auto IOC update, and OpenIOC formatted files as an input. Once released, these features will provide Milano with the ability to run as a script with the functionality to identify which operating system is running and search for the OS specific IOCs. The auto update feature will update the IOCs it is hunting for every time it executes. This will ensure that future updates of IOCs will be automatically applied each time Milano is executed.”
You can use Milano to perform a quick scan or a deep scan to find Hacking Team-associated files. Hacking Team’s Unified Extensible Firmware Interface (UEFI) BIOS rootkit is particularly worrisome; it keeps the Remote Control System (RCS) agent on a target’s system by surreptitiously reinstalling it, “even if the user formats the hard disk, reinstalls the OS, and even buys a new hard disk, the agents are implanted after Microsoft Windows is up and running.” Bear in mind that Milano matches file hashes on disk, so the most it could catch is the agent the rootkit drops once Windows is running, not the firmware implant itself. Just in case Milano can catch that, a deep scan would seem like the best option even though it takes a while to run.
After downloading and unzipping Milano v1.0.1, you will see a document with Rook’s Hacking Team data review as well as a folder called “RookMilano.” Open the RookMilano folder to find milano.exe.
After extracting the Milano file contents, clicking on milano.exe should run the program...unless you are on a 64-bit machine. Rook Security told me the program is for 32-bit boxes, but Windows 8.1 64-bit users can run the program by using the command prompt and changing directories to where milano.exe is located.
When Milano opens, you’ll see a logo; press Enter. After you see the legal limitation of liability statement, then press Enter again. After you see a limitation of software services as-is statement, press Enter again. Then you are given the option to select “q” for quick scan or “d” for deep scan; select one and then hit Enter. You may be asked if you would like to use the default path for Windows; you can select either yes or no, but if you don’t know then try “y” for yes and press Enter.
As it scans each item, you will hopefully see “file clean.” After the scan is completed, any files that require review will be marked with A for detected via VirusTotal, B for detected via manual analysis, C for coming from a malicious project, or D for undetermined. The results are saved as a text file. If you don’t see any file marked with the above notations, then happy day, for it’s all good and clean. Keep in mind, though, that a hash match only proves a known file is present; a sample that has been modified even slightly carries a different hash and will not be flagged.
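Since Rook ships the IOC hashes separately so they can be used “with any tool in their arsenal,” here is an added example, written for this page and not Rook’s code, of what a minimal hash-based scanner like Milano does under the hood: walk a tree (all of it for a deep scan, a few assumed directories for a quick scan), hash every file once for MD5, SHA-1 and SHA-256, and report matches against an IOC list. The IOC file layout (one hex digest and a note per line), the quick-scan directories, the sample files and the IOC entries are all constructed for the example; the A/B/C/D notes simply reuse Milano’s result letters as free text.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Digests the scanner computes for every file; one pass over the bytes feeds all three.
HASH_ALGOS = ("md5", "sha1", "sha256")

# Constructed sample files standing in for a scanned system root. Contents are
# made up; nothing here is real Hacking Team material.
SAMPLE_FILES = {
    "Program Files/Legit/readme.txt": b"nothing to see here\n",
    "Windows/Temp/agent.dll": b"MZ\x90\x00constructed-sample-agent",
    "Users/me/Downloads/update.exe": b"MZ\x90\x00constructed-sample-dropper",
    "Users/me/notes.txt": b"shopping list\n",
}

# Assumed quick-scan locations (relative to the root). A real quick scan would
# pick the directories the agent is known to drop into; this list is illustrative.
QUICK_DIRS = ("Windows", "Program Files")


def load_iocs(text):
    """Parse a hypothetical IOC list ("<hex digest>,<note>" per line, '#' comments)
    into {digest: note}. Digest length (32/40/64) implies md5/sha1/sha256."""
    iocs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        digest, _, note = line.partition(",")
        digest = digest.strip().lower()
        if len(digest) not in (32, 40, 64) or any(c not in "0123456789abcdef" for c in digest):
            continue  # malformed entry: skip it rather than silently never matching
        iocs[digest] = note.strip() or "unlabelled"
    return iocs


def hash_file(path, chunk=1 << 20):
    """Return {algo: hexdigest} for one file, reading it in chunks so large
    binaries don't have to fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan(root, iocs, deep=True):
    """Walk the whole tree (deep) or just QUICK_DIRS (quick) and return sorted
    (relative path, matching algo, IOC note) tuples for every hash hit."""
    root = Path(root)
    tops = [root] if deep else [root / d for d in QUICK_DIRS if (root / d).is_dir()]
    hits = []
    for top in tops:
        for dirpath, _, filenames in os.walk(top):
            for name in filenames:
                path = Path(dirpath) / name
                try:
                    digests = hash_file(path)
                except OSError:
                    continue  # locked or unreadable file; a real tool would log this
                for algo in HASH_ALGOS:
                    if digests[algo] in iocs:
                        hits.append((path.relative_to(root).as_posix(), algo, iocs[digests[algo]]))
                        break  # one hit per file is enough
    return sorted(hits)


def build_sample_tree(root):
    """Materialise SAMPLE_FILES under root (a temporary directory in demo())."""
    for rel, data in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def sample_ioc_text():
    """Constructed IOC list: one sha256, one md5, one digest of nothing on disk, one bad line."""
    agent = hashlib.sha256(SAMPLE_FILES["Windows/Temp/agent.dll"]).hexdigest()
    dropper = hashlib.md5(SAMPLE_FILES["Users/me/Downloads/update.exe"]).hexdigest()
    absent = hashlib.sha1(b"not present on this machine").hexdigest()
    return (
        "# constructed IOC list, not Rook's\n"
        f"{agent},B manual analysis\n"
        f"{dropper},A VirusTotal\n"
        f"{absent},D undetermined\n"
        "not-a-hash,garbage line\n"
    )


def demo():
    """Build the sample tree in a temp dir and run both scan modes against it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        iocs = load_iocs(sample_ioc_text())
        return {"quick": scan(tmp, iocs, deep=False), "deep": scan(tmp, iocs, deep=True)}


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(f"{mode} scan: {len(hits)} hit(s)")
        for rel, algo, note in hits:
            print(f"  {rel}  [{algo}]  {note}")
```

Run as-is it prints one hit for the quick scan (the agent under Windows) and two for the deep scan (the dropper under the user profile as well), which is the practical difference between the two modes: a quick scan only finds what lands in the places you thought to look. The same limitation noted above applies here too; a file that differs by a single byte from the IOC sample produces no match at all.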
Rook’s Hacking Team data review includes a table with data from the GitHub HackingTeam Repository; Rook flagged some of the files with a “W” meaning it could be weaponized.
Previously the free surveillance malware detection tool Detekt could find traces of remote control system toolkits created by FinFisher and the Hacking Team. But it was only a matter of time before the spyware was tweaked by the vendors and that tool became obsolete. It would be wise to scan and know for sure that your machines aren’t infected, but if you need convincing to try Milano then consider what Amnesty International said when Detekt was released. “Imagine never being alone. Someone looking over your shoulder, recording every computer keystroke; reading and listening to your private Skype conversations; using your phone’s microphone and camera to monitor you and your colleagues, without you even knowing it.”
If you think that is unlikely, then think again as researcher Collin Mulliner found out the Hacking Team – “scumbags” who “sell to repressive governments”— had taken his open source exploit tools and rolled them into its Android surveillance software which it sold to spy-happy governments worldwide. “I'm pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists,” Mulliner said. In one example, Mulliner pointed at his Android voice call interception tool which Hacking Team took to capture audio such as conversations within earshot of infected Android phones.
Protection from Hacking Team malware for Android and iOS mobile devices
If that makes you concerned about the possibility of your phone being infected with Hacking Team’s surveillance malware, then Lookout sent an email saying its “customers, on both Android and iOS platforms, are protected from all current forms of Hacking Team spyware products.”
Detection of Hacking Team spyware for OS X
Lastly, Facebook released new osquery query packs to detect Hacking Team’s Remote Control System on OS X. “Attackers continue to develop and deploy Mac OS X backdoors. We've seen this with Flashback, IceFog, Careto, Adwind/Unrecom, and most recently, HackingTeam. The OS X-attacks pack has queries that identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, it means a host in your Mac fleet is compromised with malware. This pack is high signal and should result in close to zero false positives.”