The Hacking Team, RCS, Qatif Today, and Lawful Interception Malware

Is malware still malware if it’s used by legal authorities to track down criminals? How about when it’s used by governmental agencies to monitor citizens’ computers and keep an eye on political dissent? Is it malware if it’s sold by a legitimate software development company and marketed strictly for use in instances of lawful interception? What if there are currently no clear-cut legal guidelines to determine exactly what lawful interception is? New research from the University of Toronto’s Citizen Lab raises all of these questions, and reveals that present-day Internet activity monitoring technology is much more comprehensive, affordable, and user-friendly than any Big-Brother-fearing netizen had ever imagined.

They Call Themselves The Hacking Team

And they have a website, too. The Hacking Team is a legitimate software development company based in Italy that makes a product called RCS – Remote Control System. RCS is a full-blown computer and mobile device monitoring kit, capable of infecting, controlling, monitoring, and exfiltrating data from a target device. How is this legal? Well, it is legal mostly because it is unprecedented (at least in the commercial sector) – and also because The Hacking Team enforces a strict user policy:

We will refuse to provide or we will stop supporting our technologies to governments or government agencies that:

  • We believe have used HT technology to facilitate gross human rights abuses.
  • Who refuse to agree to or comply with provisions in our contracts that describe intended use of HT software, or who refuse to sign contracts that include requirements that HT software be used lawfully.
  • Who refuse to accept auditing features built into HT software that allow administrators to monitor how the system is being used.

However – and this is a big however – recent research from academics at Citizen Lab has revealed that The Hacking Team’s technology may be in use by the Saudi Arabian government to monitor and suppress political activists who use social media to voice their dissent. Of course, there is really no way of ever proving this, as one of RCS’s most potent capabilities is a remote wipe module that allows users to permanently remove the application from an infected device and leave no trace – more on this later – but the evidence presented by Citizen Lab is strong; and, even if it is circumstantial, it raises important questions that the future of Internet security must ask.

A News App Called Qatif Today

Saudi Arabia has long been in the crosshairs of human rights activists. Long story short: the country has a reputation for controlling the way its citizens access and use the Internet. Since most people enjoy freedom, this control, combined with numerous other injustices Citizen Lab outlines in part one of their latest post, has caused no small amount of political dissent amongst Saudi Arabian citizens. Ironically, this has also made the Internet prime territory for dissenters – as in any country with limited free speech, protesting in the streets is a good way to get fire-hosed, thrown in jail, or, sadly, even shot. In this latest development, Citizen Lab found that someone posted a news app called Qatif Today on a third-party app market and in a Twitter post. Research revealed that instead of a mobile app that provided news stories relevant to the eastern Saudi Arabian province, this Qatif Today was actually a Trojan that contained technology strikingly similar to The Hacking Team’s RCS. Interestingly enough, there is actually a real Qatif Today app as well. What is particularly relevant about the choice of Trojan is that the Qatif province has a strong history of active protest against the Saudi Arabian government. This protest continues to this day, and despite governmental restrictions on Internet usage, Saudi Internet journalists comprise a strong portion of the protest’s voice – Saudi Internet journalists being exactly the type of people who would download a news app called Qatif Today. At this point, nothing has been proven, but Citizen Lab’s rigorous analysis of the malware is about as close to an accusation as one can get.
The lab is of course not directly saying that The Hacking Team sold RCS to the Saudi government knowing full well that the software would be abused; but they are strongly hinting that said government somehow got its hands on RCS – and that, since that is the case, stronger regulation of RCS and software like it needs to be imposed. Citizen Lab was also kind enough to show us exactly how scary and powerful this RCS-type technology is.

Malware Monitoring at Your Service

Again, for the full effect, we recommend setting aside about an hour of your day and diving deep into the official article. There is some very fine journalism and malware analysis going on at the Citizen Lab blog. Important note though: There is no solid proof that what Citizen Lab analyzed was actually RCS. What they found was malware that bore a striking resemblance to what they know about RCS, based on previous analysis and investigation. Nonetheless, it’s still pretty scary what this kind of stuff can do. Here is a list of point-and-click ways through which a Technician – one of the malware kit’s assignable, privilege-based roles – can craft an installer:

  • Network Injection:  via injected malicious traffic in cooperation with an ISP
  • Tactical Network Injection: on LAN or WiFi
  • Melted Application: bundling a Hacking Team dropper alongside a bait application
  • Installation Package: a mobile installer
  • Exploit: document-based exploit for mobile and desktop
  • Local Installation: mobile installation via USB or SD card
  • Offline Installation: create an ISO for a bootable SDHC, CD, or USB. This option includes the ability to infect hibernated and powered off devices
  • QR Code: a mobile link that, when photographed, will infect the target
  • Applet Web: likely a malicious website (deprecated after v. 8.4)
  • Silent Installer: a desktop executable that will install the implant
  • Infected U3 USB: an auto-infecting U3 USB
  • WAP Push Message: the target will be infected if the user accepts the message (works on all mobile operating systems apart from iOS)

Once infected, here is a list of things someone with Analyst privileges can analyze, or someone with Admin rights can tell the infected device to do:

  • Accessed files
  • Address Book
  • Applications used
  • Calendar
  • Contacts
  • Device Type
  • Files Accessed
  • Keylogging
  • Saved Passwords
  • Mouse Activity (intended to defeat virtual keyboards)
  • Record Calls and call data
  • Screenshots
  • Take Photographs with webcam
  • Record Chats
  • Copy Clipboard
  • Record Audio from Microphone with additional Voice and silence detection to conserve space
  • Realtime audio surveillance (the “live mic” module is only available for Windows Mobile)
  • Device Position
  • URLs Visited
  • Create conference calls (with a silent 3rd party)
  • Infect other devices (deprecated since v. 8.4)
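The capability list above maps almost one-to-one onto permissions a mobile app has to declare before it can touch contacts, call data, the microphone, location, messages or files. A news reader needs none of those, so a permission-to-purpose mismatch is one of the simplest triage checks a defender can run on a sideloaded app. The following is an added example written for this page, not code from Citizen Lab or Emsisoft: the manifest it parses is constructed for illustration and is not the real Qatif Today trojan's manifest, and the "expected" permission set for a news app and the review threshold are assumptions of the example. The Android permission strings themselves are real.

```python
"""Triage heuristic: flag an app whose declared permissions cover the
surveillance capabilities listed in the post (contacts, calls, microphone,
location, messages, files) although its stated purpose does not need them.

Added example; the manifests below are CONSTRUCTED for illustration and
are not taken from the Qatif Today trojan or any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the capability class from the
# post that each one would enable (mapping chosen for this example).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "address book / contacts",
    "android.permission.READ_CALL_LOG": "call data",
    "android.permission.PROCESS_OUTGOING_CALLS": "call data",
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.CAMERA": "photographs with camera",
    "android.permission.ACCESS_FINE_LOCATION": "device position",
    "android.permission.READ_SMS": "chats / messages",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_EXTERNAL_STORAGE": "accessed files",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence (start at boot)",
}

# Assumption of this example: a plain news reader is explained by these two.
EXPECTED_FOR_NEWS_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed manifest standing in for a trojanized "news" app.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Constructed manifest of a news app that asks only for what it needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainnews">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def assess(manifest_xml: str, expected=EXPECTED_FOR_NEWS_APP) -> dict:
    """Compare declared permissions with what the app's purpose explains.

    Any permission outside `expected` is reported; those that enable one of
    the post's surveillance capabilities are named by capability. Two or
    more such capabilities is the (assumed) threshold for manual review.
    """
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    unexplained = sorted(perms - expected)
    capabilities = {
        SURVEILLANCE_PERMISSIONS[p] for p in unexplained
        if p in SURVEILLANCE_PERMISSIONS
    }
    return {
        "package": root.get("package"),
        "unexplained": unexplained,
        "surveillance_capabilities": sorted(capabilities),
        "verdict": "review" if len(capabilities) >= 2 else "ok",
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(assess(manifest))
```

The threshold and the expected-permission set are policy knobs: a messaging app legitimately needs contacts and microphone, so the "expected" set has to be chosen per stated purpose, and the check is a triage filter for sideloaded packages, not proof of compromise.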

On top of all this, and perhaps most frighteningly, it was found that this Trojan Qatif Today – malware, mind you, that could be RCS, a legitimate, proprietary software product marketed and sold to governments around the world – can:

  • Send a “scout” infection agent to “pre-infect” a device, to ensure that the real malware won’t get detected
  • Permanently destroy itself if it fails to install or if someone tries to analyze it
  • “Define events that trigger particular actions, sub-actions, modules, and sequences.” I.e., you go to a political website, it wakes up and starts recording your screen.

Lawful Interception Malware

Now, before we or anyone else points the finger cursor at The Hacking Team, there is still one very important counterpoint to consider. This is a counterpoint that is largely ignored by a post-Snowden media looking for and loving all things digital that bleed. The counterpoint is: lawful interception. Like most nascent legal concepts, what lawful interception is is still open to debate, but in essence it means that legal authorities pursuing criminals should be given the right to employ technologies like RCS. At a glance and on paper, this definition seems reasonable enough, but in a world of infinite connections, legal definitions are never so simple.

  • Question one: Can, or rather, should a legal agency use tools like RCS against criminals and terrorists, even if it means they can monitor innocent citizens as well?
  • Question two: Should a global, free market economy allow a company to respond to demand by creating malicious software and selling it to anyone who can prove legitimate usage and cash?
  • Question three: Is the government watching you… right now?

All of these are important questions – the answers to which have important implications for the future of the web. Because they are complex, these are also answers that extend way beyond the scope of any one blog post that has already exceeded 1400 words. But this is why blogs have comment sections. More importantly, and seriously, this is why we as a company do what we do. Which is this: protect people from malware by making anti-malware – no matter who’s making the malware and no matter who’s using it. Have a Great (You know what free) Day!

  • Legend

    Thank you for this very well written Blog article. This subject is truly material to fuel a paranoia. You ask “Is malware still malware if it’s used by legal authorities to track down criminals?” For those who have never heard, or thought about the word malware, then a definition could sound like this: “malware refers to software designed to damage or do other unwanted actions on a computer system”. Some will argue that the end justifies the means, but the really troubling issue is, as you also have mentioned in your Blog Stan, that it is extremely hard to control that such refined malware is only used to track down bad guys, when it is released in the wild (The wild = the multiple connections on the internet). Or sold to those who seem to have good intentions. How can you truly know a buyer’s true intentions? Even if they sign beautifully crafted contracts with the right words? But the first important step is already taken, and that is to release such a subject to open debate, for the public. Now we just have to shout high enough for the politicians to hear us. Silence moves nothing. This hard and constant push on privacy and security will lead to a growing wish for a new type of OS (Operating system) platforms, and security. Privacy will be an important sales vector in the future. Those companies who can see that will be one step ahead of the pack. Number one is the man you always remember. Number two is just the man that came too late… =))

  • Elle

    Right. And “the bad guys” will never get nukes either….

  • WhyMeLord

    The question comes: Do Emsisoft applications detect, report and remove this malware?

    • qazwiz

      of course not

  • qazwiz

    the liberal says “Outlaw it, a few trampled rights are worth it” the conservative “My rights are paramount… trample others before you trample me.”

    but what does the law breaker say?…. and this applies equally to any “My rights vs Public safety” argument be it internet safety gun safety or even Nuclear arms…

    does he quiver in his boots “Oh no, I can’t illegally use this gun/bomb/malware anymore for my illegal desires” or does he say “GOOD, now no one can stop me from using my illegal gun/bomb/malware because to overpower/overpower/detect me is illegal”

    Just as gun laws only prevent law abiding citizens from using guns… laws against malware will have no effect on the status quo, criminals who already cannot legally own a gun use them in their crimes (posted no gun areas are actually saying “come rob us, we cannot protect ourselves without going to jail longer than you will go IF you are caught. we WILL be caught but you got an 80% chance of getting away with robbing and even harming us”) and the only way to get evidence against malware users is that very malware that if illegal will mean only law breakers will have the tools needed to catch the law breakers

    now the way it is implemented has a great deal to be desired but because it is a moral issue, a mind set issue, we need to go to a time when the dollar wasn’t the get out of jail card that it is today. when integrity meant something and cronyism was nonexistent. there was a time when a committee would say, look there – that is a person we would like to lead our country!… George Washington was offered to be King of the United States of America… but his own integrity prevented him from accepting. nowadays offer a politician $100 thousand dollars and you got his ear… unless that politician already has way more than you are offering… thus the reason that millionaires are such a threat to the political machine…. you can’t bribe a billionaire with a couple million dollars

    we should be looking for integrity instead of new laws. we need leaders with a moral compass not new laws that law breakers are already breaking. Don’t ask me to be your leader, I’m so on the verge of saying let them kill each other. the only good perv is a dead perv. and so many other cliches

    but i say give everyone the malware and then tell me how many people will be able to get away with using it for nefarious reasons!

    • LodeHere

      On top of using Emsisoft Anti-Malware and the Online Armor firewall I always surf in a virtual space which gets emptied when I close my browser. Only what I choose to save gets transferred to my hard drive, the rest is gone.

      The program can be used for free, but upgrading to the paid version lets you have it do a few things automatically which makes it a bit easier, even though both offer the same protection.

      This works so well that some users of it don’t even have any anti-malware on their machines, but the developer does not recommend that because sporadically a malware appears that is capable of escaping the virtual space -the sandbox as it is called- and gets on your hard disk anyway. But rarely, and he always finds a solution to it. It might happen a few times a year that such a particular malware appears, so chances that you get infected by just that particular malware out of the zillion are nearly nil. But just to make sure he recommends using anti-malware anyway.

      The program -which I have used for some 8 years now, always having kept my laptops clean- is called Sandboxie. They have a very helpful and active forum as well.

      Check it out: Sandboxie.

  • ashley

    This was very informative. Well written and reasonably accessible to the lay person. Thank you!

  • Pingback: You Are Being Tracked Online By A Sneaky New Technology