Free Tools For Detecting Hacking Team Malware In Your Systems
An anonymous reader writes: Worried that you might have been targeted with Hacking Team spyware, but don't know how to find out for sure? IT security firm Rook Security has released Milano, a free automated tool meant to detect the Hacking Team malware on a computer system. Facebook has also offered a way to discover if your Mac(s) have been compromised by Hacking Team malware: it has provided a specific query pack for its open source OS analysis tool osquery.
Hmmm ... (Score:5, Insightful)
So how do we know we can trust the hacking tools designed to tell us if the hacking tools have installed hacking tools?
If this shit isn't proof that giving governments backdoors to security and crypto is a terrible idea, I have no idea what is.
Re: (Score:2)
How do you know your EFI BIOS or hard drive firmware is not compromised?
Re:Hmmm ... (Score:5, Funny)
The evil bit is turned off.
Re: (Score:2)
Yeah, just remove the red jumper.
Re: (Score:2)
The Pentium 3 was gay?
Re: (Score:1)
I seem to be quoting that a lot lately but it is a classic after all.
Re: (Score:1)
I seem to quote that a lot lately too and it's about as classic.
Re: (Score:2)
But I want to run it. The dilemma!!!
Wait a few days for other reputable security researchers to check them out and recommend them. Every firm has to start somewhere with zero rep, and as usual it's the web of trust we rely on.
Re: (Score:1)
Simple solution:
- download the zip file
- take less than a minute to find two data files in the directory RookMilano/ioc_files
- extract the MD5 sums from those files
- use md5sum to scan your system
- compare
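The hash-comparison procedure from the comment above, as an added example that is not part of the original thread or of the Milano tool: it pulls every MD5-looking token out of the IOC files (an assumption about their layout, since the page does not show it), hashes each file under a directory tree, and reports the matches.

```python
import hashlib
import os
import re
import tempfile

# Assumption: an MD5 in the IOC files appears as a bare 32-char hex token.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

def load_md5_iocs(ioc_paths):
    """Collect every MD5-looking token from the given IOC files (lower-cased)."""
    iocs = set()
    for path in ioc_paths:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            iocs.update(m.group(0).lower() for m in MD5_RE.finditer(fh.read()))
    return iocs

def md5_of_file(path, chunk=1 << 20):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, iocs):
    """Walk root and return [(path, md5)] for files whose MD5 is in the IOC set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, don't abort the scan
            if digest in iocs:
                hits.append((path, digest))
    return hits

def demo():
    """Constructed demo: one IOC file and one planted 'suspect' file in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = os.path.join(tmp, "suspect.bin")
        with open(suspect, "wb") as fh:
            fh.write(b"constructed sample content, not real malware")
        ioc_file = os.path.join(tmp, "hashes.txt")
        with open(ioc_file, "w") as fh:
            fh.write("# constructed IOC list\n" + md5_of_file(suspect) + "\n")
        hits = scan_tree(tmp, load_md5_iocs([ioc_file]))
        return [os.path.basename(p) for p, _ in hits]
```

A hash hit is a strong indicator, but a clean scan proves little: a recompiled or repacked sample has a different MD5, so hash-only IOCs miss variants that behavioural or osquery-style checks might still catch.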
You can't spell crook without "rook".
Plot twist (Score:2)
Re: (Score:1)
Milano is the spyware...
Pepperidge Farm remembers...
Obligatory (Score:1)
The Gregory House / Fox Mulder combo: Everybody lies, trust no one.
As others have said, how do we know that these tools aren't malware themselves?
Re: (Score:2)
Intent is the only difference between much of this "malware" and enterprise wide desktop management tools installed with the /silent option...
Where do I sign up? (Score:5, Funny)
Hmm, some security firm I've never heard of releases a tool I've never heard of, which is supposed to tell me if I've got spyware with alleged government ties. Yeah, that sounds super trustworthy...
Oops, I left the sarcasm bit turned on. Sorry about that...
Re: (Score:2)
While I wouldn't say Rook Security is a household name, I know I've heard of them before. (Although I admit, I can't think of where, and I don't exactly know anything about them. It could very well turn out that you're right.)
Open source or GTFO (Score:1)
Like I said, those tools would need to be open source, otherwise what's the point, you might end up being jacked through your fear of being jacked...
Let me see if I understand this (Score:5, Insightful)
...so, to see if I have undetected malware buried in my system, I should run an unidentified exe file from a company I've NEVER heard of?
Well, that sounds like a great idea.
Re: (Score:2, Funny)
Make sure to run it with elevated privilege. :)
Re:Let me see if I understand this (Score:5, Informative)
Well, following their own whois information:
Rook Security is apparently a front for the "Rook Group," ...of "Rook Consulting." So it's already sounding like a holding company... the interesting part is who's behind all -that- mess. On rooksecurity.com, they list their "PR" contact as twhitman@vocecomm.com... Tim Whitman, who apparently is also the PR contact for another no-name outfit, BeyondTrust:
Registrant Name: Rook Group
Registrant Organization: Rook Consulting
Registrant Street: 560 S. Winchester Blvd
Registrant Street: Suite 500
Registrant City: San Jose
Registrant State/Province: California
Registrant Postal Code: 95128
Registrant Country: United States
Registrant Phone: +1.8887129531
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@rookconsulting.net
http://www.beyondtrust.com/New... [beyondtrust.com]
One of the few articles I can find advertising their "skills" is one of their own press releases and all the companies involved seem to be awfully vague about what services they're offering exactly...
I downloaded it and then uploaded to virustotal (Score:4, Informative)
2/54, could be false positives [virustotal.com] I've at least heard of Rook Security although I forget in what context ;)
Re: (Score:2)
2/54, could be false positives [virustotal.com] I've at least heard of Rook Security although I forget in what context ;)
It contains the hashes for what it's looking for, and that's what virus programs look for, so it would show positives. The same thing will happen with a safe key generator, or some debuggers.
Facebook's tool (Score:4, Insightful)
I'll take my chances with the Hacking Team malware, I trust them more.
Not sure I can trust them... (Score:4, Informative)
Figured I'd take a look at the tools. Download what claims to be the software for windows (first link). Get presented with a Zip file, as expected. Open zip file and find.... OSX software. Thinking I clicked on the wrong link I went back to download a second time... Same file.
So... yeah.. ranking real high on the trust value right now.
Re: (Score:1)
"In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to m
It's a virus (Score:2)
I ran it (Score:2)
I have this faith in whatever is posted to /. good or bad, but if it's questionable (How to build weapons, JSTOR) I follow the safety in numbers rule which /. provides.
Two sites were called and I don't think it was RookMilano, while in hex, Microsoft was prevalent throughout
onesettings-cy2.metron.live.com.nsatc.net ; vortex-cy2.metron.live.com.nsatc.net both are certificate sites.
It's fairly CPU intensive, something you'd run at night or downtime; yet the same thing as malware detection, if you don't h
Milano v1.0.1 Available on GitHub (Score:2)
In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to make sure we are completely transparent with how our tool operates. In lieu of executing the binary the
Source code to Milano released on GitHub (Score:1)