Leaked Demo Video Shows How Government Spyware Infects a Computer

An anonymous reader quotes a report from Motherboard: Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers. The video shows an RCS Lab employee performing a live demo of the company's spyware to an unidentified man, including a tutorial on how to use the spyware's control software to perform a man-in-the-middle attack and infect a target computer who wanted to visit a specific website. RCS Lab's spyware, called Mito3, allows agents to easily set up these kind of attacks just by applying a rule in the software settings. An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select "inject HTML" to force the malicious popup to appear, according to the video. Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings, according to a confidential brochure obtained by Motherboard. The company's employee shows how such an attack would work, setting mirc.com (the site of a popular IRC chat client) to be injected with malware (this is shown around 4:45 minutes in). Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware. A direct link to the YouTube video can be found here.

Authenticity?

[Anonymous Coward]

Why should the purported "spyware" be able to do anything real, when tax payer money is easier to grab than ever before?

Re: Authenticity?

[Anonymous Coward]

You just dont get it, son

Info on how access is obtained?

[Anonymous Coward]

In the video it shows that the fake flash installation is to avoid the certificate warnings about the mitm attack. Yet how is the mitm set up? Have they gained access to network devices or another section of this network

Re:

[110010001000]

They probably do, or they have a MITM proxy setup that all the traffic is redirected to. This is trivial to do, and there are lots of companies that do this for other reasons (like performance monitoring). This is only shocking if you don't understand how networks actually work. They aren't secure, period.

Re:

[nitehawk214]

On my computer? Not bloody well.

Re:

[freeze128]

It seems like a lot of trouble to go through just to hope that the computer user is dumb enough to click on your adobe update link. They would probably have better luck if they just joined an advertising network and delivered their malware through an ad.... or sent an email with a spearfishing attack. Heck, if you have a warrant for this through a FISA court, why not then just sneak into the target's house and plant the malware directly?

Re:

[AHuxley]

The smarter version that gets all people using that site would attract too much attention.
All kinds of heuristic and behaviour tests are sold by different AV brands globally. So its best to just attempt to look like random expected malware and go after one silly click happy user.
If the AV detects the intrusion, its just random malware. No other AV detection is escalated, nobody starts looking as the AV brands know.
Often the users must be ready to click or it would not be offered as is?
Re 'sneak i

really?

[Anonymous Coward]

it relies on popups to work?

Re:

[Opportunist]

Why not? People are stupid and click everything.

YFN super secret spyware == social engineering

[Anonymous Coward]

Slick tricks to trick user to downloading and installing malware.

Re:

[Opportunist]

Aka Redneck-Virus. Please click here for infection.

Government?

[hyperar]

All i see is a supposed "hacker" that doesn't even know that by clicking "Advanced" link button on the Chrome security warning page you can proceed, don't know how they set up the MITM attack on the users PC, and Avira is off as you can clearly see the umbrella is closed.

Re:Government?

[Anonymous Coward]

This was intentionally leaked. People who watch this video are going to think the govt hackers are some retards. They aren't showing you the Microsoft backdoor that NSA uses to access Microsoft's CEIP data, or the one to access any windows PC. MS has in the legal fine print they are allowed to enter your computer remotely and even run programs. This would also include anyone MS wishes to also give access to.

Re:

[war4peace]

Yeah, I was looking for that too.
It's a standard malware app (badly) arranged to look good.

Re:

[degantyll]

I never thought this actually worked, then a week ago I got a concerned call from an old time customer that her computer was BSODing. Turns out, the AV license ran out and she got one of this ads and promptly downloaded the "Fix program". Cleaned the program away and the computer ran with no problem. Damn

So you're saying...

[Afty0r]

Once the user downloads the fake update, he or she is infected with the spyware.

...That this won't affect me. Or anyone that matters?

How Government Spyware Infects Microsoft Windows

[khz6955]

"Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware"

The article forgot to mention the malware only 'infects' Microsoft Windows desktops.

Re:How Government Spyware Infects Microsoft Window

[nomadic]

Linux has a built-in security feature in that things like flash hardly ever work correctly, so it's less likely to be installed.

Re:

[degantyll]

I really really hope you're wrong.

Defendable

[KClaisse]

Someone correct me if I'm wrong, but if a website uses both SSL and HSTS this attack becomes much more difficult, if not impossible (depending on how your browser handles HSTS) as long as its not your first time visiting the website. If you have visited the website before and HSTS is enabled on the site a forged certificate will not work and the victim will not be able to continue. Still scary but its just further reason that more sites, even those that don't transmit critical information, should use HTTPS

Re:Defendable

[KClaisse]

Hmm just did some testing on my own server and even with HSTS and HPKP I was able to MITM a secure connection using fiddler as long as the forged certificate's root CA was in my browsers trusted key store. I am a bit alarmed firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.

Re:

[strikethree]

I am a bit alarmed firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.

This is the comment that deserves +6 Informative this year. Thank you.

Re:

[michael_wojcik]

HSTS isn't relevant in this case (HTTPS using the Fiddler certificate is still HTTPS), but it does seem like HPKP isn't working correctly there. Assuming you'd previously visited your site without Fiddler interpositioning, within the pinning max-age interval.

Oh, wait: I should have checked the docs first. Mozilla says:

Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that

As usual the attacks should not work

[aepervius]

"a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware."

The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that froma random web page. Heck flash would probably not work from a random web page.

Re:

[Zontar_Thing_From_Ve]

The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that froma random web page.

You'd hope, but most of my friends and all of my family are not IT people and they cover the spectrum from "skeptical about random popups" to "likely to click on anything that pops up with a dire warning telling them they need to click on it immediately". In general people that don't work in IT just don't care about security on their PCs and they grossly underestimate the danger. My brother is a pretty smart guy but he works in sales and over a decade ago he ran an old Win 98 PC at home that he made no at

False!

[Anonymous Coward]

Flash updates, that look exactly like that, are notorious for "randomly" popping up and requesting installation when trying to work, whether on a web page or not. These Falsh updates are so frequent that even I would not give much thought to one randomly popping up after I opened a browser.

I've seen many fake Flash install attempts and this one is flawless. The Flash install pop-up looks entirely real. The source URL for the Flash install shows Adobe. This source URL is not quite normal behavior, but only t

Re:

[innocent_white_lamb]

Thumbnails are stored in your home directory, in a subdirectory named, appropriately enough, .thumbnails.

If you get a popup in bash (whatever that is; bash is text-only terminal so are you talking about some kind of a window made out of text characters) that asks you for root access to deal with some kind of thumbnails, there's something that either nefarious or really unusual happening and I would be giving a lot of thought to how to proceed before entering the root password at that point.

Re:

[bill_mcgonigle]

The problem as usual is that people are not educated in security.

We could blame the victims, or we actually point the finger at the company making the computer intrusion tools and the government agencies that fail to prosecute them for aiding and abetting crimes.

Hey, Adobe - how about you destroy this company in court for misappropriation of trademark and willful destruction of reputation? It would be small penance for never doing a massive security audit of flash-plugin.

Would this infect a Chromebook?

[InterGuru]

Would this infect a Chromebook? I am told they are virus proof.

Flash is reason why I use Chrome...

[cant_get_a_good_nick]

Chrome has a built in Flash player. Always updated.

So when I see a "you must update Flash" i know it's bogus, since I'm already updated. I tell my family this, since they're non-techies and wouldn't be able to tell a legit popup from a fake. (Im not going to be 100% either).

Oh and Chrome sandboxes its built-in flash better than the plugin can.

Re:

[110010001000]

Smart. Plus with Chrome the spying is built-in too, and always on.

government!

[nomadic]

How dare the government...be a small Italian company.

A Hack for Darwinism..

[theinfamousgeek]

Would be the best description for this post. Yes I get the overall message. Sadly this his how a low of "end-users" get pwned.

Re: Why are you people so worried about this?

[Anonymous Coward]

Sir, your stupidity is pegged off, scale high.

Re:

[tal_mud]

Ah, I think you missed the sarcasm in the parent post.

Re: Why are you people so worried about this?

[mwvdlee]

That's probably because a lot of people say the exact same thing without being sarcastic at all.

Re:

[Godwin O'Hitler]

An excellent illustration of Poe's Law in fact. https://en.wikipedia.org/wiki/... [wikipedia.org]

Re:

[Anonymous Coward]

So no one has ever used or would ever use their position/knowledge for person gain or personal reasons? Would you trust your neighbor with this or anyone you went to highschool with this? The government is made of people and people make mistakes... a lot of mistakes.

Re: Why are you people so worried about this?

[lsatenstein]

I think it's time for are computers so I have the open-source bias software. At least with the open source software we have a chance of ensuring that there is no hacked code to usurp our privacy.
I am more concerned about hacking the Intel or AMP CPU.

Re:

[Opportunist]

Mmm.... 5/10 on the troll scale. Good effort, lots of triggers, but overused.

Re:Why are you people so worried about this?

[phantomfive]

If it weren't for the abuses we've already seen (look up LOVEINT for just a simple example), if it weren't for secret courts that approve warrants and perform trials with hidden evidence, then maybe you would have a point.

We've already seen too many abuses of these powers.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Why are you people so worried about this?

[fgouget]

Unless you're clearly up to no good, you don't have to worry about spyware like this.

You mean up to no good like Angela Merkel [theguardian.com], Chirac, Sarkozy and Hollande the last three French presidents [liberation.fr], and 35 world leaders [theguardian.com]?

But of course you don't need to be a celebrity or a politician to be up to no good. You could be trying to help people through a humanitarian organization like the Red Cross, Doctors Without Borders [nella.org], [dailykos.com], or you could just have said something bad about the government of a minor island [theintercept.com], etc.

And even if you're not one of the above 'bad people', you could simply be one of the 90% of people [mashable.com] who are collateral surveillance victims. So no, you don't need to be up to no good to be under surveillance and that's something to be concerned about.

Re:

[Burz]

yes and the parent to this comment ignores the fact that those governments also spy on the USA.

And you ignore the fact that they're not bugging the phones of our highest elected officials. But its 'OK' for the US to do it to them.

American Exceptionalism is largely about treating even your allies like vassal states.

Re:

[Nemyst]

While it is arguable that yes, the NSA's job is to spy on other countries, it still invalidates the claim that "Unless you're clearly up to no good, you don't have to worry about spyware like this."

All you have to do to be the target of spyware like this is "be interesting", or an unfortunate collateral in the quest towards someone who is interesting. "Interesting" here is rather loosely defined and can basically encompass most of the world population.

Re: Why are you people so worried about this?

[interstellarsurfer]

NSA = National Security Agency, not National Surveilance Agency. If this shit was coming out of the CIA, I would be wholly unsurprised and a little less concerned. The NSA was supposed to be limited in scope to protecting American territory from organized terrorism. The reason all these espionage programs are under the NSA's jurisdiction now, is because of the Patriot Act's funding, and Executive Orders giving them carte blanch to circumvent the law.

Re:Why are you people so worried about this?

[cs96and]

"If you have nothing to hide you have nothing to fear". If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details. I could go on. Yes I have something to hide. We all do.

Re:

[lsatenstein]

"If you have nothing to hide you have nothing to fear".

If you had nothing to hide you would be perfectly willing to wander round naked all the time and have no curtains on your windows. You'd be willing to install microphones in all the rooms in your house and let any passer-by listen in. You'd be willing to give me your online banking details.

I could go on. Yes I have something to hide. We all do.

What I legitimately have to fear is unauthorized access to the notes I keep for my needs, such as bank account numbers, insurance policies, driver permit info, etc. Data that I suppose should not reside within a cellphone.

Here is something I would like to address about security. Since I believe that there is no stopping government invasion of privacy.

We should be able to get an open-source computer bios. A bios that is trimmed down severely, and where the major half of the bios is open source code residing

Re:

[Impy the Impiuos Imp]

The government doesn't have time to investigate most people. Unless you're clearly up to no good, you don't have to worry about spyware like this. I've never understood why Slashdot users are so paranoid about this type of surveillance. What exactly are you hiding? Terrorism? Illegal porn? Money laundering with Bitcoins? If you weren't breaking the law, you wouldn't have anything to be concerned about.

You assume the only thing it might be used for is terrorism or crime. What if it is a political faction listening in to another one?

That is what happens in most of the world, and why the bulk of the US Constitution was formulated around not giving the king the tools to root through the stuff of their political opponents.

With no tracking or logging, and little more than a checkbox for getting a warrant, it is trivial to bypass this. That is the problem.

And even if the US didn't have this problem with 100%

Re:

[peawormsworth]

Of course we, the honest citizens have nothing to worry about from software like this.

People who believe that monitoring occurs in the manner shown in this video are the same people who think we have nothing to worry about regarding mass surveillance. Those who are aware are concerned about something else. This is not how we lose our freedoms on mass.