Hacking Team stealthy spyware rootkit stays entrenched through hard disk removal

Scrubbing simply isn't going to work with Hacking Team's virulent rootkit.


A rootkit used by Hacking Team survives even scrubbing or replacing the hard disk.

It has been an interesting few weeks for the security scene after a recent cyberattack on Milan-based Hacking Team, which sells surveillance tools and spyware to government agencies and law enforcement worldwide, blew the firm's operations open and put 400GB of corporate data online.

While Hacking Team CEO David Vincenzetti spoke out against the cyberattack, claiming his company was misunderstood and that "they are the good guys," a number of security firms may beg to differ.

Researchers are working through the 400GB cache quickly, as it contains source code and proof-of-concept exploits for previously unknown (zero-day) vulnerabilities that could be used to spy on victims and hijack their machines.

Trend Micro is one such company on the case. The firm's security team revealed this week that Hacking Team has not only developed exploits but also uses a Unified Extensible Firmware Interface (UEFI) BIOS rootkit to keep its Remote Control System (RCS) agent installed on targets' systems.

With this type of rootkit, the tools are implanted again and resume their tasks even if the victim formats the hard drive, buys a new one or reinstalls Windows: the rootkit lives in the system firmware on the mainboard, not on the disk being wiped.

The rootkit was primarily designed for Insyde BIOS, a popular UEFI BIOS for laptops; however, Trend Micro speculates the code is likely to work on AMI BIOS as well.

A slideshow produced by Hacking Team, found among the leaked emails, says that infection requires physical access to the target machine. Once an attacker has the machine, they must reboot it into a UEFI shell, dump the BIOS, install the rootkit, reflash the BIOS and then reboot once more to complete the installation. The files have to be copied from an external source, such as a USB key loaded with the UEFI shell.

As explained by the researchers:

"Three modules are first copied from an external source [..] to a file volume (FV) in the modified UEFI BIOS. Ntfs.mod allows UEFI BIOS to read/write NTFS files. Rkloader.mod then hooks the UEFI event and calls the dropper function when the system boots.

The filedropper.mod contains the actual agents, which have the file names scout.exe and soldier.exe. This means that when the BIOS rootkit is installed, the existence of the agents is checked each time the system is rebooted."

If the agent does not exist, the scout.exe agent is reinstalled.
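Because the modules live as ordinary files inside a firmware volume, the practical check for a machine is to dump its firmware and walk the volumes for files that should not be there. The Python below is an added example, not Trend Micro's or Hacking Team's code: a minimal parser for the UEFI firmware volume (FV) and firmware file system (FFS) layout that lists each file's UI name and flags names on a watchlist. The watchlist keyed on the three module names, the deterministic fake GUIDs and the sample image are all constructed for the demonstration; production tooling should key on the file GUIDs and hashes from the published analysis rather than on names, which an attacker can change.

```python
"""Added example (not Hacking Team or Trend Micro code): walk a dumped UEFI FV and flag FFS files by UI name."""
import struct
import uuid

FV_SIGNATURE = b"_FVH"         # at offset 40 of EFI_FIRMWARE_VOLUME_HEADER
FFS2_GUID = uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3")
FFS_HEADER_LEN = 24            # EFI_FFS_FILE_HEADER
SECTION_PE32, SECTION_USER_INTERFACE = 0x10, 0x15   # UI payload: NUL-terminated UTF-16LE
# Assumption: the modules keep the names from the analysis as their UI section
# names (matched case-insensitively, ".mod" suffix optional).
WATCHLIST = {"ntfs", "rkloader", "filedropper"}

def _u24(b):
    return b[0] | (b[1] << 8) | (b[2] << 16)

def _sum8(data):
    return sum(data) & 0xFF

def _sum16(data):
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF

def find_volumes(image):
    """Yield (start, length, header_len) for each volume whose header checks out."""
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0 and start + 56 <= len(image):
            fv_len, hdr_len = struct.unpack_from("<Q8xH", image, start + 32)
            if (56 <= hdr_len <= len(image) - start and hdr_len % 2 == 0
                    and 0 < fv_len <= len(image) - start
                    and _sum16(image[start:start + hdr_len]) == 0):  # 16-bit sum is zero
                yield start, fv_len, hdr_len
        pos = image.find(FV_SIGNATURE, pos + 1)

def parse_sections(data):
    """Return [(type, payload)] for the 4-byte-aligned sections of a file body."""
    sections, pos = [], 0
    while pos + 4 <= len(data):
        size, stype = _u24(data[pos:pos + 3]), data[pos + 3]
        if size < 4 or pos + size > len(data):
            break
        sections.append((stype, data[pos + 4:pos + size]))
        pos = (pos + size + 3) & ~3
    return sections

def walk_files(image, start, length, hdr_len):
    """Yield (guid, file_type, ui_name, body) for each FFS file in the volume."""
    pos, end = (start + hdr_len + 7) & ~7, start + length
    while pos + FFS_HEADER_LEN <= end:
        hdr = bytearray(image[pos:pos + FFS_HEADER_LEN])
        size = _u24(hdr[20:23])
        if hdr[:16] == b"\xff" * 16 or size < FFS_HEADER_LEN or pos + size > end:
            break                              # erased flash or a broken header: stop
        hdr[17] = hdr[23] = 0                  # header checksum: 8-bit sum with the
        if _sum8(hdr) != 0:                    # File checksum and State zeroed is 0
            break
        body, name = image[pos + FFS_HEADER_LEN:pos + size], ""
        for stype, payload in parse_sections(body):
            if stype == SECTION_USER_INTERFACE:
                name = payload.decode("utf-16-le", "replace").rstrip("\x00")
        yield uuid.UUID(bytes_le=bytes(hdr[:16])), hdr[18], name, body
        pos = (pos + size + 7) & ~7            # files are 8-byte aligned

def find_suspicious(image):
    """Return [(volume_offset, guid, name)] for watchlisted file names in any volume."""
    hits = []
    for start, length, hdr_len in find_volumes(image):
        for guid, _ftype, name, _body in walk_files(image, start, length, hdr_len):
            key = name.lower()
            if (key[:-4] if key.endswith(".mod") else key) in WATCHLIST:
                hits.append((start, str(guid), name))
    return hits

# Builders for a constructed sample image: a test fixture, not real firmware.
def _section(stype, payload):
    return struct.pack("<I", 4 + len(payload))[:3] + bytes([stype]) + payload

def _ffs_file(name, ftype=0x07):               # 0x07 = EFI_FV_FILETYPE_DRIVER
    pe = _section(SECTION_PE32, b"MZ" + b"\x00" * 14)            # stand-in PE image
    ui = _section(SECTION_USER_INTERFACE, name.encode("utf-16-le") + b"\x00\x00")
    body = pe + b"\x00" * ((-len(pe)) & 3) + ui
    guid = uuid.uuid5(uuid.NAMESPACE_DNS, name)                  # deterministic fake GUID
    hdr = bytearray(guid.bytes_le + b"\x00\x00" + bytes([ftype, 0])
                    + struct.pack("<I", FFS_HEADER_LEN + len(body))[:3] + b"\x00")
    hdr[16] = (-_sum8(hdr)) & 0xFF    # IntegrityCheck.Header
    hdr[17] = 0xAA                    # FFS_FIXED_CHECKSUM: no data checksum
    hdr[23] = 0xF8                    # HEADER_VALID|DATA_VALID under erase polarity 1
    return bytes(hdr) + body

def build_sample_image(infected=True):
    """One FFS2 volume with two benign drivers, plus the three modules if infected."""
    names = ["PcdDxe", "UsbKbDxe"] + (["Ntfs", "rkloader", "filedropper"] if infected else [])
    body = b"".join(f + b"\xff" * ((-len(f)) & 7) for f in map(_ffs_file, names))
    total = (72 + len(body) + 0xFFF) & ~0xFFF     # 72-byte header incl. 2-entry block map
    hdr = bytearray(b"\x00" * 16 + FFS2_GUID.bytes_le + struct.pack("<Q", total)
                    + FV_SIGNATURE + struct.pack("<IHHHBB", 0x0004FEFF, 72, 0, 0, 0, 2)
                    + struct.pack("<IIII", 1, total, 0, 0))
    struct.pack_into("<H", hdr, 50, (-_sum16(hdr)) & 0xFFFF)   # make the 16-bit sum zero
    return bytes(hdr) + body + b"\xff" * (total - 72 - len(body))
```

Calling find_suspicious(build_sample_image()) returns the three injected modules with the offset of the volume that holds them; on a real dump (read the SPI flash with a hardware programmer or a vendor/OS flash utility, then pass the bytes in) the same walk lists every file in every volume, and the real work is comparing that list against a known-good image of the same BIOS version, since a file with an innocuous name is exactly what a more careful implant would use.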

A tall order, but once the rootkit is in place -- with or without the technical support provided by Hacking Team -- standard scrubbing methods and even replacing the hard drive simply won't work.

While the materials say physical access is needed, Trend Micro's researchers "cannot rule out the possibility of remote installation." The company recommends that users set a BIOS password, enable UEFI SecureFlash and update the BIOS when security patches are available to limit the risk of infection. Note that a BIOS password only blocks the UEFI-shell route described in the slides; it does not stop someone with the machine open from rewriting the flash chip directly with a hardware programmer.

In related news, Adobe this week patched two zero-day vulnerabilities in Flash Player that came to light through the Hacking Team data leak. Both flaws are rated critical and could let attackers take control of a machine: one is a use-after-free bug, the other is exploited through the valueOf trick.
