Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Media Security Government Privacy

Leaked Demo Video Shows How Government Spyware Infects a Computer (vice.com) 116

An anonymous reader quotes a report from Motherboard: Motherboard has obtained a never-before-seen 10-minute video showing a live demo for a spyware solution made by a little known Italian surveillance contractor called RCS Lab. Unlike Hacking Team, RCS Lab has been able to fly under the radar for years, and very little is known about its products, or its customers. The video shows an RCS Lab employee performing a live demo of the company's spyware to an unidentified man, including a tutorial on how to use the spyware's control software to perform a man-in-the-middle attack and infect a target computer who wanted to visit a specific website. RCS Lab's spyware, called Mito3, allows agents to easily set up these kind of attacks just by applying a rule in the software settings. An agent can choose whatever site he or she wants to use as a vector, click on a dropdown menu and select "inject HTML" to force the malicious popup to appear, according to the video. Mito3 allows customers to listen in on the target, intercept voice calls, text messages, video calls, social media activities, and chats, apparently both on computer and mobile platforms. It also allows police to track the target and geo-locate it thanks to the GPS. It even offers automatic transcription of the recordings, according to a confidential brochure obtained by Motherboard. The company's employee shows how such an attack would work, setting mirc.com (the site of a popular IRC chat client) to be injected with malware (this is shown around 4:45 minutes in). Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware. A direct link to the YouTube video can be found here.
This discussion has been archived. No new comments can be posted.

Leaked Demo Video Shows How Government Spyware Infects a Computer

Comments Filter:
  • by Anonymous Coward

    Why should the purported "spyware" be able to do anything real, when tax payer money is easier to grab than ever before?

  • by Anonymous Coward on Thursday September 08, 2016 @02:34AM (#52846325)

    In the video it shows that the fake flash installation is to avoid the certificate warnings about the mitm attack. Yet how is the mitm set up? Have they gained access to network devices or another section of this network

    • They probably do, or they have a MITM proxy setup that all the traffic is redirected to. This is trivial to do, and there are lots of companies that do this for other reasons (like performance monitoring). This is only shocking if you don't understand how networks actually work. They aren't secure, period.
    • It seems like a lot of trouble to go through just to hope that the computer user is dumb enough to click on your adobe update link. They would probably have better luck if they just joined an advertising network and delivered their malware through an ad.... or sent an email with a spearfishing attack. Heck, if you have a warrant for this through a FISA court, why not then just sneak into the target's house and plant the malware directly?
      • by AHuxley ( 892839 )
        The smarter version that gets all people using that site would attract too much attention.
        All kinds of heuristic and behaviour tests are sold by different AV brands globally. So its best to just attempt to look like random expected malware and go after one silly click happy user.
        If the AV detects the intrusion, its just random malware. No other AV detection is escalated, nobody starts looking as the AV brands know.
        Often the users must be ready to click or it would not be offered as is?
        Re 'sneak i
  • really? (Score:2, Interesting)

    by Anonymous Coward

    it relies on popups to work?

  • Slick tricks to trick user to downloading and installing malware.

  • by hyperar ( 3992287 ) on Thursday September 08, 2016 @03:32AM (#52846463)
    All i see is a supposed "hacker" that doesn't even know that by clicking "Advanced" link button on the Chrome security warning page you can proceed, don't know how they set up the MITM attack on the users PC, and Avira is off as you can clearly see the umbrella is closed.
    • Re:Government? (Score:5, Informative)

      by Anonymous Coward on Thursday September 08, 2016 @05:18AM (#52846759)

      This was intentionally leaked. People who watch this video are going to think the govt hackers are some retards. They aren't showing you the Microsoft backdoor that NSA uses to access Microsoft's CEIP data, or the one to access any windows PC. MS has in the legal fine print they are allowed to enter your computer remotely and even run programs. This would also include anyone MS wishes to also give access to.

    • Yeah, I was looking for that too.
      It's a standard malware app (badly) arranged to look good.

  • Once the user downloads the fake update, he or she is infected with the spyware.

    ...That this won't affect me. Or anyone that matters?

  • by khz6955 ( 4502517 ) on Thursday September 08, 2016 @04:45AM (#52846663)
    "Once the fictitious target navigates to the page, a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware"

    The article forgot to mention the malware only 'infects' Microsoft Windows desktops.
  • Someone correct me if I'm wrong, but if a website uses both SSL and HSTS this attack becomes much more difficult, if not impossible (depending on how your browser handles HSTS) as long as its not your first time visiting the website. If you have visited the website before and HSTS is enabled on the site a forged certificate will not work and the victim will not be able to continue. Still scary but its just further reason that more sites, even those that don't transmit critical information, should use HTTPS
    • Re:Defendable (Score:5, Interesting)

      by KClaisse ( 1038258 ) on Thursday September 08, 2016 @05:21AM (#52846761)
      Hmm just did some testing on my own server and even with HSTS and HPKP I was able to MITM a secure connection using fiddler as long as the forged certificate's root CA was in my browsers trusted key store. I am a bit alarmed firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.
      • I am a bit alarmed firefox v48.0.2 didn't seem to complain that the certificate passed wasn't the same as the certificates my site has pinned. I wonder if this is a configuration issue on my end or if I'm misunderstanding the way key-pinning should work.

        This is the comment that deserves +6 Informative this year. Thank you.

      • HSTS isn't relevant in this case (HTTPS using the Fiddler certificate is still HTTPS), but it does seem like HPKP isn't working correctly there. Assuming you'd previously visited your site without Fiddler interpositioning, within the pinning max-age interval.

        Oh, wait: I should have checked the docs first. Mozilla says:

        Firefox (and Chrome) disable Pin Validation for Pinned Hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that

  • by aepervius ( 535155 ) on Thursday September 08, 2016 @05:27AM (#52846779)
    "a fake Adobe Flash update installer pops up, prompting the user to click install. Once the user downloads the fake update, he or she is infected with the spyware."

    The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that froma random web page. Heck flash would probably not work from a random web page.
    • The problem as usual is that people are not educated in security. Anybody being a minimum of paranoid would refuse to install a plugin like that froma random web page.

      You'd hope, but most of my friends and all of my family are not IT people and they cover the spectrum from "skeptical about random popups" to "likely to click on anything that pops up with a dire warning telling them they need to click on it immediately". In general people that don't work in IT just don't care about security on their PCs and they grossly underestimate the danger. My brother is a pretty smart guy but he works in sales and over a decade ago he ran an old Win 98 PC at home that he made no at

    • by Anonymous Coward

      Flash updates, that look exactly like that, are notorious for "randomly" popping up and requesting installation when trying to work, whether on a web page or not. These Falsh updates are so frequent that even I would not give much thought to one randomly popping up after I opened a browser.

      I've seen many fake Flash install attempts and this one is flawless. The Flash install pop-up looks entirely real. The source URL for the Flash install shows Adobe. This source URL is not quite normal behavior, but only t

    • The problem as usual is that people are not educated in security.

      We could blame the victims, or we actually point the finger at the company making the computer intrusion tools and the government agencies that fail to prosecute them for aiding and abetting crimes.

      Hey, Adobe - how about you destroy this company in court for misappropriation of trademark and willful destruction of reputation? It would be small penance for never doing a massive security audit of flash-plugin.

  • Would this infect a Chromebook? I am told they are virus proof.

  • Chrome has a built in Flash player. Always updated.

    So when I see a "you must update Flash" i know it's bogus, since I'm already updated. I tell my family this, since they're non-techies and wouldn't be able to tell a legit popup from a fake. (Im not going to be 100% either).

    Oh and Chrome sandboxes its built-in flash better than the plugin can.

  • government! (Score:4, Funny)

    by nomadic ( 141991 ) <nomadicworld@ g m a i l . com> on Thursday September 08, 2016 @08:18AM (#52847477) Homepage
    How dare the government...be a small Italian company.
  • Would be the best description for this post. Yes I get the overall message. Sadly this his how a low of "end-users" get pwned.

Two can Live as Cheaply as One for Half as Long. -- Howard Kandel

Working...