
Spyware. HackingTeam…..

May 9, 2013


HackingTeam

HackingTeam first caught our attention back in 2011, when WikiLeaks released documents describing the functions of the spyware programs the company had offered to government agencies in 2008.

In early 2012, Kaspersky Lab experts detected malicious programs running on Windows that were suspiciously similar both to the programs described in the WikiLeaks documents and to Remote Control System, whose description was published on the company’s official website www.hackingteam.it. However, at the time, we had no way of confirming the connection between the threats that were detected (Kaspersky Lab detects them as Korablin) and the HackingTeam spyware program.

[Image: the program’s description from HackingTeam’s website, http://www.hackingteam.it/images/stories/RCS2012.pdf]

That all changed in July 2012, when many antivirus companies received an email with an example of malicious code for Mac OS X with the same functions.

Our email address newvirus@kaspersky.com received this email on July 24, 2012 at 05:51:24 MSK. The subject line was empty, and there was no body text — just an attachment called AdobeFlashPlayer.zip. The attachment was a self-signed JAR file containing a program written for Mac OS X.

[Image: the email header, addressed to newvirus@kaspersky.com]

Soon, nearly all antivirus companies had added detection for this new malware, each under a different name (Crizis, DaVinci, Boychi, etc. — Kaspersky Lab named it ‘Morcut’). Nearly all of them suspected that the program had been developed by HackingTeam, which sells specialized tracking software to law enforcement agencies in a number of countries.

Evidence

The similarity of functions is only one of three circumstantial pieces of evidence linking HackingTeam to the files that were analyzed. Let’s take a look at the other two.

The overhead data in the Mac file contained the names of files and modules that the authors had used when writing the program code. These names appeared several times alongside “RCS”, which matches the abbreviation of the Remote Control System name (HackingTeam uses this abbreviation in its promotional materials and in its own description of the program on its website).

P/s:- This article is an excerpt from Securelist http://www.securelist.com from Kaspersky Lab. Hope you all enjoy reading it…!