New tool helps journalists and activists detect governments’ snooping malware


Researchers at Rook Security have created a free tool to scan for and detect malware that oppressive government regimes use to spy on journalists and activists, according to Threatpost.

Dubbed Milano, the tool works much like a typical virus scanner, with quick-scan and deep-scan options. The difference is that it looks for one specific family: Remote Control System (RCS), the intrusion and surveillance platform sold by Italy-based Hacking Team. Because RCS runs as an implant on the target's own computer, it lets governments monitor the user's communications, read files and emails that encryption would otherwise protect in transit, record Skype and other Voice over IP calls, and remotely switch on the machine's microphone and camera.

A security breach at Hacking Team three weeks ago revealed the company has been selling RCS to countries with poor human rights records like Egypt, Ethiopia, and Sudan. Specifically, the data breach showed Hacking Team sold RCS to Sudan for nearly 1 million Euros in 2012, which it used to spy on journalists.

While Hacking Team states RCS is only for law enforcement purposes and can be disabled if used unethically, documents leaked during the breach show authorities use it to target journalists, activists, and other controversial figures.

Since the 2011 uprising, Egypt has sentenced hundreds of political opponents to death or life in prison, and more than a dozen journalists have faced trial since 2013. In Sudan, security forces routinely detain activists and violently suppress protesters, killing over 170 people in 2013, according to Human Rights Watch. And in Ethiopia, arbitrary arrests and politically motivated prosecutions of journalists, bloggers, and protesters are routine.

These are clearly not the sort of regimes that should have access to weaponized intrusion and surveillance software.

Uphill battle

The breach also revealed some of the software’s source code, which was used by Indianapolis-based Rook Security researchers to develop the anti-malware tool. Milano — a pun on Hacking Team’s city of origin — searches for about 90 different Hacking Team files.

In addition to the scanning tool, Rook also published a set of indicators of compromise (file names and hashes) to help organizations spot signs of infection by the intrusion software. Facebook and Adobe have both shipped updates in the wake of the breach, to Facebook's osquery endpoint-monitoring tool and to Flash Player respectively, to help protect against Hacking Team's malware.
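To make concrete how a file-indicator scanner with quick and deep modes works, here is an added example in Python. It is not Rook Security's Milano code, and every indicator in it (the file names, the "implant" bytes, and the hash derived from them) is constructed for the demo rather than a real Hacking Team indicator. The quick scan only matches known file names; the deep scan also hashes file contents, which is what catches a renamed copy.

```python
"""Filename-and-hash IOC scanner with quick and deep modes.

Added example, not Rook Security's Milano source.  All indicators below
(file names, payload bytes, hashes) are constructed for the demo and are
NOT real Hacking Team indicators.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed filename indicators (hypothetical).  A real IOC set would
# list the names the implant drops on disk.  Matched case-insensitively.
IOC_FILENAMES = {"example_agent.dll", "example_driver.sys"}

# Constructed content indicator: SHA-256 of made-up bytes standing in for
# a known implant build.  A content hash catches a renamed copy that a
# filename check would miss.
SAMPLE_IMPLANT_BYTES = b"constructed sample implant, not real malware\n"
IOC_SHA256 = {hashlib.sha256(SAMPLE_IMPLANT_BYTES).hexdigest(): "sample-implant-build-1"}


@dataclass(frozen=True)
class Hit:
    path: str
    reason: str      # "name" or "hash"
    indicator: str   # which IOC matched


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root: str, deep: bool = False, max_size: int = 64 << 20) -> List[Hit]:
    """Quick scan: filename IOCs only.  Deep scan: additionally hash every
    regular file up to max_size and compare against the content IOCs."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in IOC_FILENAMES:
                hits.append(Hit(str(path), "name", name.lower()))
                continue
            if not deep:
                continue
            try:
                # Skip symlinks (do not follow out of root) and huge files.
                if path.is_symlink() or path.stat().st_size > max_size:
                    continue
                digest = sha256_file(path)
            except OSError:
                # Locked or unreadable file: skip it and keep scanning.
                continue
            if digest in IOC_SHA256:
                hits.append(Hit(str(path), "hash", IOC_SHA256[digest]))
    return hits


def build_demo_tree(root: str) -> None:
    """Lay out three constructed files: one carrying an IOC name, one
    renamed copy of the 'implant' bytes, and one benign file."""
    app = Path(root) / "AppData"
    app.mkdir(parents=True, exist_ok=True)
    (app / "Example_Agent.dll").write_bytes(b"harmless placeholder bytes\n")
    (app / "update.tmp").write_bytes(SAMPLE_IMPLANT_BYTES)   # renamed implant
    (app / "notes.txt").write_bytes(b"nothing to see here\n")


def demo() -> Dict[str, List[Hit]]:
    """Run both modes over a throwaway tree and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {"quick": scan(root, deep=False), "deep": scan(root, deep=True)}


if __name__ == "__main__":
    for mode, found in demo().items():
        print(f"{mode} scan: {len(found)} hit(s)")
        for hit in found:
            print(f"  {hit.reason:4} {hit.indicator:24} {hit.path}")
```

The quick scan reports only the file whose name is on the indicator list; the deep scan also flags the renamed copy by content hash. The flip side is the limitation the article goes on to note: a scanner built from file names and hashes only recognizes the builds those indicators were taken from, so any rebuilt or repacked sample needs fresh indicators.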

The breach took a tough toll on Hacking Team, both on its public image and on its competitive edge. But Hacking Team's CEO David Vincenzetti says the company is rebuilding RCS from the ground up and a new version will be released soon. Since Milano matches known files from the leak, a rebuilt RCS will likely evade it. Rook in the meantime has been working with the FBI to analyze Hacking Team's tools and exploits.

Founded in 2003, Hacking Team now sells its products in about 30 countries across five continents. Even if Hacking Team never recovers from this incident, a growing number of intrusion and surveillance software vendors stand ready to take its place. These unscrupulous companies have come under fire from human rights activists, privacy advocates, and security researchers for selling the means to spy on private citizens to the highest bidder.


Featured image: Chepko Danil / Dollar Photo Club