Hacking Team’s RCS: hype or horror; fear or FUD?

Serious threat or marketing hype?

Last week the Sydney Morning Herald ran a story on the Hacking Team’s Remote Control System, stating

DAVID Vincenzetti isn’t your typical arms dealer. He’s never sold a machinegun, a grenade or a surface-to-air missile. But, make no mistake, he has access to a weapon so powerful it could bring a country to its knees. It’s called RCS – Remote Control System – and it’s a piece of computer software.
The one ring to rule them all

We can infect everything!

RCS has been developed by an Italian company calling itself the Hacking Team. Its website claims

Remote Control System is totally invisible to the target. Our software bypasses protection systems such as antivirus, antispyware and personal firewalls.
Hacking Team sales literature

Scary stuff. And on the back of the FBI’s CIPAV, the Dutch police taking over and using a Bredolab botnet, and the German ‘Staatstrojaner’ exposed by the Chaos Computer Club, it is a worrying idea that law enforcement can get hold of software that can ‘bring a country to its knees’.

I don’t know whether to laugh or cry.

David Harley, senior research fellow at ESET; director at AMTSO

First up, David Harley, board member at AMTSO and senior research fellow at ESET: “I only skimmed the Sydney Morning Herald story earlier this week, as the first paragraph tripped my hype detector, padding out some PR for the company with some barely relevant purple prose of variable accuracy about arms dealers and Stuxnet.”

So, hype or horror story?

Luis Corrons, technical director, PandaLabs

“What they advertise in that PDF is a bot,” says Luis Corrons, technical director at PandaLabs, “with the usual functionalities and a command & control panel to manage it – the same thing cybercriminals have been using for years. The main difference here is that those guys are offering their services to law enforcement agencies. That’s it.”

“The Hacking Team brochure suggests some form of RAT,” adds David, “which would almost certainly have to have rootkit functionality to perform as claimed.” Hacking Team’s sales literature also claims to be able to access all platforms, but David has his doubts on “whether it’s really possible, even with direct access to a system, to rootkit ‘any platform’”.

Chester Wisniewski, senior security advisor at Sophos Canada

“Make no mistake,” says Chester Wisniewski, senior security advisor at Sophos. “This software is malware. Software that performs unwanted actions on a victim’s PC is malware, whether it is purchased for use by law enforcement or hand crafted by secret Iranian spies. You could say it is simply attempting to put a legitimate angle on criminal tools…”

So that’s what we’ve got: a nasty little rootkit RAT that tries to look like legitimate software. But let’s face it, rootkits do a lot of damage. And Hacking Team claims that this one is undetectable. But, “putting aside the legal issues involved in what they do,” comments Ram Herkanaidu, education manager at Kaspersky Lab, “the claim that their software is undetectable by security software is, at best, spurious.”

“It should have a footnote under its claim of being undetectable,” adds Luis: “for a limited period only.”

“Most anti-virus vendors will work on detecting it if they come across a sample,” explains Chester.

Ram Herkanaidu

“It will only be a matter of time until it is detected,” adds Luis.

“I have yet to see an undetectable program of any sort, even a rootkit,” says David.

And once it is detected, “We would analyse and treat it in the same manner as any other malware and add detection to our software,” concludes Ram.

That pretty well sums it up: the newspaper story is hype and the software is malware. It is dangerous because it is a rootkit – but it’s no more than that, and all reputable anti-malware companies will eventually discover it and disinfect it. We need worry no more about this than any other malware.

ESET
Panda
Sophos
Kaspersky