Free Tools For Detecting Hacking Team Malware In Your Systems

An anonymous reader writes: Worried that you might have been targeted with Hacking Team spyware, but don't know how to find out for sure? IT security firm Rook Security has released Milano, a free automated tool meant to detect the Hacking Team malware on a computer system. Facebook has also offered a way to discover if your Mac(s) have been compromised by Hacking Team malware: it has provided a specific query pack for its open source OS analysis tool, osquery.
  • Hmmm ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Tuesday July 21, 2015 @10:46AM (#50152967) Homepage

    So how do we know we can trust the hacking tools designed to tell us if the hacking tools have installed hacking tools?

    If this shit isn't proof that giving governments backdoors to security and crypto is a terrible idea, I have no idea what is.

  • Milano is the spyware...
    • by Anonymous Coward

      Milano is the spyware...

      Pepperidge Farm remembers...

  • The Gregory House / Fox Mulder combo: Everybody lies, trust no one.

    As others have said, how do we know that these tools aren't malware themselves?

    • by Archfeld ( 6757 ) *

      Intent is the only difference between much of this "malware" and enterprise wide desktop management tools installed with the /silent option...

  • by sjbe ( 173966 ) on Tuesday July 21, 2015 @11:20AM (#50153259)

    Hmm, some security firm I've never heard of releases a tool I've never heard of, which is supposed to tell me if I've got spyware with alleged government ties. Yeah, that sounds super trustworthy...

    Oops, I left the sarcasm bit turned on. Sorry about that...

    • While I wouldn't say Rook Security is a household name, I know I've heard of them before. ( Although I admit, I can't think of where, and I don't exactly know anything about them. It could very well turn out that you're right.)

      • The IOCs are a separate file so that users who were concerned could still utilize the resources we shared if they did not want to trust our code.
  • by Anonymous Coward

    Like I said, those tools would need to be open source, otherwise what's the point, you might end up being jacked through your fear of being jacked...

  • by argStyopa ( 232550 ) on Tuesday July 21, 2015 @11:54AM (#50153533) Journal

    ...so, to see if I have undetected malware buried in my system, I should run an unidentified exe file from a company I've NEVER heard of?

    Well, that sounds like a great idea.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Make sure to run it with elevated privilege. :)

    • by Anonymous Coward on Tuesday July 21, 2015 @12:58PM (#50154033)

      Well, following their own whois information:

      Rook Security is apparently a front for the "Rook Group,"

      Registrant Name: Rook Group
      Registrant Organization: Rook Consulting
      Registrant Street: 560 S. Winchester Blvd
      Registrant Street: Suite 500
      Registrant City: San Jose
      Registrant State/Province: California
      Registrant Postal Code: 95128
      Registrant Country: United States
      Registrant Phone: +1.8887129531
      Registrant Phone Ext:
      Registrant Fax:
      Registrant Fax Ext:
      Registrant Email: info@rookconsulting.net

      ...of "Rook Consulting." So it's already sounding like a holding company... the interesting part is who's behind all -that- mess. On rooksecurity.com, they list their "PR" contact as twhitman@vocecomm.com... Tim Whitman, who apparently is also the PR contact for another no-name outfit, BeyondTrust:

      http://www.beyondtrust.com/New... [beyondtrust.com]

      One of the few articles I can find advertising their "skills" is one of their own press releases and all the companies involved seem to be awfully vague about what services they're offering exactly...

  • by waspleg ( 316038 ) on Tuesday July 21, 2015 @01:16PM (#50154197) Journal

    2/54, could be false positives [virustotal.com] I've at least heard of Rook Security although I forget in what context ;)

    • 2/54, could be false positives [virustotal.com] I've at least heard of Rook Security although I forget in what context ;)

      It contains the hashes for what it's looking for, and that's what virus programs look for, so it would show positives. The same thing will happen with a safe key generator, or some debuggers.

  • Facebook's tool (Score:4, Insightful)

    by CanadianMacFan ( 1900244 ) on Tuesday July 21, 2015 @01:32PM (#50154315)

    I'll take my chances with the Hacking Team malware, I trust them more.

  • by Raxxon ( 6291 ) on Tuesday July 21, 2015 @03:17PM (#50155093)

    Figured I'd take a look at the tools. Download what claims to be the software for windows (first link). Get presented with a Zip file, as expected. Open zip file and find.... OSX software. Thinking I clicked on the wrong link I went back to download a second time... Same file.

    So... yeah.. ranking real high on the trust value right now.

    • We'd like to earn trust. We're going to release the source shortly (today). Good point about the mis-match about expectations vs. what you found. I believe you're referring to the .DS_Store file. @tgorup, please address.
      • Absolutely, I have prepared a blog post (excerpt pasted below) touching on this issue, and others, directly. As JJ said, we are releasing the source code on GitHub. Our developers are working to ensure our README is fully up-to-date.

        "In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to m
  • The first download link is broken and the second one was flagged by my antivirus. Great article checking, guys.
    • I completely understand executing caution when opening or using new files, especially when they're an executable, from a not so known company, and AV software is recommending you do so. Below are the VirusTotal results for both the Package1_1.zip and HT_Malware_Observations.pdf. The PDF contained within the zip is what is causing the AV to trigger. We believe this is due to string detection. The PDF contains file names like dropper.dll, _d9jaoFG.fXR, etc. It's very likely the AV is searching for these types
  • I have this faith in whatever is posted to /. good or bad, but if it's questionable (How to build weapons, JSTOR) I follow the safety in numbers rule which /. provides.

    Two sites were called and I don't think it was RookMilano, while in hex, Microsoft was prevalent throughout:
    onesettings-cy2.metron.live.com.nsatc.net ; vortex-cy2.metron.live.com.nsatc.net both are certificate sites.

    It's fairly CPU intensive, something you'd run at night or downtime; yet the same thing as malware detection, if you don't h

    • The directory you choose will drive the amount of time the tool takes to execute. Using the Deep Scan, which I recommend, Milano is creating MD5 hashes of every file on your system and comparing against our list of bad files. The process of hashing each file will take quite a few cycles. I think your recommendation of running during downtime is best.
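The Deep Scan described in the reply above, written out as an added example that is not Rook's Milano code: walk a directory tree, MD5 every regular file in chunks, and match both hashes and file names against indicator sets. The hash set and the sample tree built by demo() are constructed for this example; a real scan would load the indicator file the thread mentions, and exact-hash matching only catches unmodified known samples.

```python
import hashlib
import os
import tempfile

# Constructed indicator sets for this example; Rook ships its real indicators as a
# separate file (per the thread), so a real scan would load them from there.
IOC_MD5 = {"9e107d9d372bb6826bd81d3542a419d6"}   # MD5 of the constructed sample in demo()
IOC_NAMES = {"dropper.dll", "_d9jaofg.fxr"}       # file names quoted in the thread, lowercased

def hash_file(path, chunk_size=1 << 20):
    """MD5 a file in chunks so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_tree(root, ioc_md5=IOC_MD5, ioc_names=IOC_NAMES):
    """Deep scan: hash every regular file under root, match hashes and file names.
    Returns (hits, skipped): hits maps path -> reasons; skipped lists unreadable files."""
    hits, skipped = {}, []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in ioc_names:
                reasons.append("filename")
            if not os.path.islink(path):          # symlinks may point outside root
                try:
                    if hash_file(path) in ioc_md5:
                        reasons.append("md5")
                except OSError:                   # locked, vanished or permission denied
                    skipped.append(path)
            if reasons:
                hits[path] = reasons
    return hits, skipped

def demo():
    """Constructed tree: one hash hit, one name-only hit, one clean file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    samples = {os.path.join("sub", "report.bin"): b"The quick brown fox jumps over the lazy dog",
               "DROPPER.DLL": b"harmless placeholder bytes",   # name match only
               "notes.txt": b"clean file"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return scan_tree(root)
```

Calling demo() builds the sample tree in a temporary directory and returns the scan result; point scan_tree() at a real root and a loaded indicator set to scan an actual system.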
  • Thank you for your comments!

    In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to make sure we are completely transparent with how our tool operates. In lieu of executing the binary the .py script on GitHub can be leveraged. We have learned a lot during our releases to include, leaving '.DS
  • As requested. Thank you all for the feedback. https://www.rooksecurity.com/s... [rooksecurity.com]