Mac security firm Intego has turned up a new version of the Remote Control System (RCS) Da Vinci rootkit, a pricey piece of dodgy spyware lawful intercept software sold to governments across the world by Italian security coders Hacking Team.
If Hacking Team’s handiwork sounds benign, Intego has given it the new and rather alarming-sounding name, ‘OSX/Crisis.B. The backdoor was first detected as ‘Crisis’ (officially called ‘Da Vinci’ by its makers) in the summer of 2012 when it was spotted targeting Moroccan journalists sympathetic to the Arab Spring.
Beyond the fact it targets Mac and Windows users and is littered with obviously Italian references (the dropper filename is named biglietta visita or ‘business card’), Crisis.B is currently hard to detect. The 47 antivirus engines it was tested against on VirusTotal returned a result of zero detections, Intego said.
This isn’t surprising. Crisis/Da Vinci goes out of its way to avoid detection using the MPress runtime packer, a technique for compressing the programme to make it harder for antivirus software to detect. This is far from foolproof; Intego’s researchers figured out which packer had been used and ran scripts to unjumble the programme.
The payload victims of Crisis/Da Vinci will find themselves on the receiving end of is not a mystery either; Milan-based Hacking Team has openly described the programme’s design as being to capture emails, passwords, IM sessions including Skype, web browsing, files and control the webcam.
Needless to say, Hacking Team’s Da Vinci is controversial despite its designation as legal dual-use software used legitimately to monitor police and intelligence service targets. Another and better known example of the same type of programme would be Gamma International’s FinFisher that was earlier this year discovered to have infected PCs across the world.
"Here in HackingTeam we believe that fighting crime should be easy: we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities. Technology must empower, not hinder," the firm's website states, cheerily.
Security firms treat FinFisher and Da Vinci in the same way they treat any programme that executes as spyware and attempt to block it.
What is known is that Da Vinci is expensive, very expensive. In an interview last month, the firm claimed that customised versions sold for "hundreds of thousands of dollars." Many governments are said to have paid up, lured by its surveilance promise.
“Should you feel concerned by government targeted attacks, or recently received a 200k€ business card, then look for those [named] files in your Home folder and your Startup Disk,” said Intego researcher, Peter James. Mac users be warned.