Find out if your Windows PC is infected with Hacking Team malware
A leak pushed hundreds of gigabytes of data from the Italy-based company Hacking Team into the open.
While analysis of the data is still ongoing, it has already resulted in the patching of several critical vulnerabilities.
Rook Security, one of the companies that are analyzing the data, discovered 53 git projects during an initial pass of the data. These led to the identification of 93 binary files, 40 of which were identified as having the highest probability of malicious use.
The binary files were sorted into four groups based on the analysis. All files verified as malicious by VirusTotal went into group A, for instance, while files used in Hacking Team projects went into group C.
The company has updated its tools so that Windows users can find out whether their systems are compromised with Hacking Team malware.
If you download Milano, one of the available tools, you get more than just a program to run on your system. Rook Security ships a PDF document with the tool that lists file names, hashes and other valuable information.
This means that you may use the information to run manual scans on the system as well, or to add these files to blacklists to prevent their execution on the system.
The tool itself is easy to use:
- Extract the contents of the zip file to the local computer system after download.
- Open the folder RookMilano and double-click on milano.exe to start the program.
- A command line interface opens that prompts you to select quick scan or deep scan. That's the only selection you need to make.
Milano scans the system afterwards based on the selection. This may take a while depending on the scan type and the system; a quick scan took 201 seconds on a system with a fast Solid State Drive, for instance.
Results are displayed at the end but also saved to a text file that is placed in the program folder automatically, so that you can open it at any point in time after the scan.
No problematic files are displayed if the system has not been infected by Hacking Team malware or files, but if something is found, it is listed both in the command line interface and in the text log.
Interested users can check out the source code of the application on GitHub.
The company plans to improve the detection tool further in the future, and will release updated detection files for other operating systems, Linux and OSX specifically, in the near future as well.
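As an added example (not Rook Security's Milano code), this is the kind of manual MD5 hash-match scan that the file list in the shipped PDF makes possible: it walks a directory, compares each file's MD5 against a category-labelled hash list, reports matches in Milano's "CD: path" style and writes them to a text log. The hash list and sample files are constructed placeholders, not real Hacking Team indicators.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample: one placeholder "malicious" file content and its MD5, tagged with
# Milano-style categories (A=VirusTotal, B=manual analysis, C=malicious project, D=undetermined).
SAMPLE_BAD_CONTENT = b"constructed sample payload, not a real Hacking Team binary"
HASH_LIST = {hashlib.md5(SAMPLE_BAD_CONTENT).hexdigest(): "CD"}

def md5_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not get loaded into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root, hash_list, deep=False):
    """Quick scan hashes only executable-type files; deep scan hashes every file under root."""
    quick_ext = {".exe", ".dll", ".sys", ".scr", ".ocx"}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not deep and p.suffix.lower() not in quick_ext:
                continue
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            category = hash_list.get(digest)
            if category:
                hits.append(f"{category}: {p}")
    return hits

def write_log(hits, log_path):
    """Persist findings to a text log next to the tool, as Milano does."""
    with open(log_path, "w", encoding="utf-8") as f:
        f.write("Files requiring review as they match Hacking Team MD5 signatures\n")
        f.write("".join(line + "\n" for line in hits))
    return log_path

def demo():
    """Build a constructed directory tree, run both scan modes and return the findings."""
    root = Path(tempfile.mkdtemp())
    (root / "Program Files" / "Common").mkdir(parents=True)
    (root / "Program Files" / "Common" / "evil.dll").write_bytes(SAMPLE_BAD_CONTENT)
    (root / "Program Files" / "Common" / "readme.txt").write_bytes(b"harmless")
    (root / "cache.bin").write_bytes(SAMPLE_BAD_CONTENT)  # only the deep scan hashes this
    quick, deep = scan(root, HASH_LIST), scan(root, HASH_LIST, deep=True)
    log_text = Path(write_log(deep, root / "milano_results.txt")).read_text(encoding="utf-8")
    return quick, deep, log_text
```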
Hello, Martin. Isn’t Malwarebytes Anti Malware enough to protect us from this threat?
I don’t know if Anti-Malware protects against all the different files already, considering that they have become public knowledge only recently. I suggest running a scan to make sure nothing slipped by.
How accurate is this tool?
Files requiring review as they match Hacking Team MD5 signatures
Category (A=Detected via VirusTotal B=Detected via manual analysis
C=From malicious project D=Undetermined)
CD: /Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll
CD: /Program Files\Microsoft Office\root\client\concrt140.dll
CD: /Program Files\Microsoft Office\root\Office16\concrt140.dll
CD: /Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll
But virus total says these files are safe.
Could be a false positive. Maybe contact Rook Security directly for further information?
Could be because you’re running the preview version of Office 2016.
Avast said the pdf file had a trojan.
Virustotal reported 3 infections of the Milano files downloaded from Rook’s site…
Is this safe to run?
Avast complains about the PDF inside the zip.
The PDF has nothing to do with the actual application. A check on Virustotal reveals that Avast and Qihoo360 are the only two services that have flagged the file.
I don’t know if perhaps the program was updated since the article was published, but the only selection one needs to make is no longer just quick scan or deep scan. After selecting quick scan, for example, one is asked: “Would you like to use the default path for Windows of ‘ / ‘ ? [Y/n]”
What do you recommend here? Thanks!
If you have not modified the path of Windows during installation, select y.
Qihu 360 Total Security version 18.104.22.1684 didn’t detect any malware, I have just scanned the archive manually.
Thanks very much for posting about this, Martin.
By the way, the most recent version of Milano at the time I’m typing this seems to be v. 1.1. It’s pretty easy to accidentally download an earlier version (1 or 1.01) from the Rook Security site, so it’s worth digging around to make sure you have the most recent one. Ultimately, its detections will hopefully find their way to mainstream anti-malware packages like Malwarebytes and Avast, but in the meantime, I intend to check Rook Security’s site for updates to Milano from time to time.
I use Avast and it did indeed complain about the PDF. I let Avast move the PDF to the Virus Chest and then I went into the Virus Chest and selected the “Restore and Add to Exclusion List” option for it. (If there’s a less clumsy way of doing that in Avast, it’s not showing up or working in my Avast interface. Even the “report as false positive” link isn’t working properly.)
The quick scan took a few minutes and yielded a single file: the old installer for 32-bit Java 8 Update 25, which is now three updates old and no longer installed on my system.
The full scan took 4 hours 37 minutes (reported as 16607.xxx seconds!) to complete … and reported the same lone file. I usually keep old installers on hand “just in case” (and it occasionally does come in handy), but in this case, I’m just going to delete it.
Are you the Ricky Martin?
No. Tragically, my vida is far from loca.
I cannot even download the tool; I always get a “Secure Connection Failed” when I try.
Is there another place I can get the tool that is safe?
Thanks for this very useful info!
Apparently Emsisoft and only a small handful of other AVs were already able to either detect or block Hacking Team’s Galileo trojan:
@”A different Martin”: Thanks for making me laugh out loud this morning! :)
Good tool. Fast and easy.