Facebook Tool can Spot Hacking Team Malware

Facebook Releases Free Tool to Spot Hacking Team Malware on Mac OS X

If the Hacking Team leaks have taught us anything, it’s that the company tried to hack into every machine or network by any means possible; even if it required a specially crafted exploit drone, Hacking Team was up for the challenge. Data leaked from the Italian firm, which was hacked earlier this month, leading to the leak of some 415GB of internal data, shows Hacking Team planned to hack everyone and everything.

For the average business, commercial anti-virus software and installing a few patches won’t block sophisticated malware from penetrating a system, much less government-grade malware built by Hacking Team. But another company is taking a stab at ridding systems of Hacking Team, offering a tool to help identify and clean up your system if it’s found infected with Hacking Team malware.

Facebook announced Monday it was releasing a handful of “query packs” on its official code page that will allow IT pros to easily scan their systems for signs of a Hacking Team intrusion. The query packs are part of Facebook’s “osquery”, a free and open source framework that lets professionals collect host and network data and ask questions of it in order to quickly pin down potential security threats.

Facebook said the social network itself uses osquery as part of its own network defense, and recently updated it to help protect against critical Mac OS X and iPhone vulnerabilities.

While query packs can be created to bundle specific sets of questions about a dataset, Facebook has released a number of its own, including packs paying specific attention to Apple Mac OS X machines. “The OS X-attacks pack has queries which identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, a host in your Mac fleet is compromised with malware. This pack is high signal and should result in near-zero false positives,” said Javier Marcos, a security engineer at Facebook, in a blog post, while noting that the query packs seek out signs of Hacking Team infection.

Facebook noted it has yet to create additional query packs for other operating systems, but encouraged users to write their own queries to identify other “indicators of compromise”, such as monitoring slow machine performance or daemon processes.

Included in Facebook’s release is a vulnerability management pack that the company promises will help professionals “collect and quickly identify outdated and vulnerable software.” “Whether you’re interested or responsible for the operating system, browsers, browser plugins, particular applications, or packages, you can audit for vulnerable hosts and validate whether an upgrade was successful,” Marcos added.
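To make concrete what a query pack is, here is an added illustration of an osquery pack in the format osquery reads, written for this page and not taken from the article or from Facebook’s released OS X-attacks or vulnerability management packs. It covers both the indicator-of-compromise style of query described above (persistence items, kernel extensions, hash matches) and the outdated-software style of the vulnerability management pack. The tables used (launchd, kernel_extensions, hash, os_version) are standard osquery tables; the query names, the intervals, the OS version threshold and the SHA-256 indicator value are assumptions and placeholders, not real indicators from the page.

```json
{
  "platform": "darwin",
  "version": "1.4.5",
  "queries": {
    "launchd_non_apple_persistence": {
      "query": "SELECT name, path, program, program_arguments FROM launchd WHERE path NOT LIKE '/System/%' AND path NOT LIKE '/Library/Apple/%';",
      "interval": 3600,
      "description": "Launch daemons and agents outside Apple-owned directories; an unexpected entry is a candidate persistence mechanism to review (assumed paths, constructed example).",
      "value": "Persistence review"
    },
    "third_party_kernel_extensions": {
      "query": "SELECT name, version, path FROM kernel_extensions WHERE path NOT LIKE '/System/Library/Extensions/%';",
      "interval": 3600,
      "description": "Loaded kernel extensions not shipped with the OS; compare against the fleet's approved list (constructed example).",
      "value": "Kernel extension inventory"
    },
    "launchdaemon_hash_indicator_match": {
      "query": "SELECT path, sha256 FROM hash WHERE directory = '/Library/LaunchDaemons' AND sha256 IN ('PLACEHOLDER_SHA256_FROM_YOUR_INDICATOR_LIST');",
      "interval": 3600,
      "description": "Any row is a direct match against a known-bad hash; the placeholder must be replaced with real indicators, which this example does not supply.",
      "value": "Indicator of compromise match"
    },
    "outdated_os_x_release": {
      "query": "SELECT name, version, build FROM os_version WHERE major = 10 AND minor < 10;",
      "interval": 86400,
      "description": "Hosts still running OS X 10.9 or earlier; the threshold is an assumed example value, adjust it to the release your fleet is expected to run.",
      "value": "Vulnerability management"
    }
  }
}
```

A pack file like this is referenced from the osqueryd configuration’s “packs” section by name and path, after which each query runs at its interval and any rows it returns are logged for review; the first three queries follow the “results mean something is wrong” pattern Marcos describes, while the last answers the “which hosts still need an upgrade” question of the vulnerability management pack.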

Facebook’s tool is only the beginning, as Hacking Team’s capabilities range far beyond Mac OS X to Microsoft Windows and Linux, as well as mobile platforms including Android and iOS. However, Hacking Team emails show the crew constantly struggled to break into iOS and often required the device to be jailbroken, which allows non-Apple software to be installed on the device, bypassing iOS security controls.

Hacking Team’s Galileo surveillance tool was able to infect Windows 10 clients and Mac OS X machines, where it additionally could capture iCloud tokens that let snoops hijack the target’s account, according to leaked emails sent just last month.

However, Hacking Team’s most concerning piece of malware is the one that can infect the heart of the computer, the BIOS, which loads before the operating system, giving the malware extreme stealth. Now that Intel and other processor companies have leaked details on how government-grade BIOS rootkits work, companies may be able to implement safeguards hindering this in the future.

[Photo via Spencer E Holtaway/Flickr (CC BY-ND 2.0)]
