resubmitting latest changes

signatures/android.md

@@ -3,3 +3,6 @@
 
 * android exploit writes 'shell' file to /system/bin/ntpsvd
  * source: https://github.com/hackedteam/core-android/blob/master/RCSAndroid/jni/exploit.c#L739
+
+* RCSAndroid second shell binary: /system/bin/rilcap
+  source: https://github.com/hackedteam/core-android/blob/master/RCSAndroid/jni/selinux_suidext/suidext.c#L151

signatures/clamav-HackingTeamLinux.ndb

@@ -0,0 +1,5 @@
+HackingTeam Linux core encrkey marker:0:*:4c494e55580000000000000000000000
+HackingTeam Linux dropper marker:0:*:426d467959354a684f47686f5a6a4e31
+HackingTeam Linux core32:0:*:7f454c460101010000000000000000000200030001000000e098040834000000f8b603000000000034002000090028001c001b00060000003400000034800408348004082001000020010000050000000400000003000000540100005481040854810408130000001300000004000000010000000100000000000000008004080080040830a4030030a4030005000000001000000100000004af0300043f0808043f0808b4060000f031000006000000001000000200000018af0300183f0808183f0808d8000000d80000000600000004000000040000006801000068810408688104084400000044000000040000000400000050e5746430e1020030610708306107081c2600001c260000040000000400000051e574640000000000000000000000000000000000000000060000000400000052e5746404af0300043f0808043f0808fc000000fc00000004000000010000002f6c69622f6c642d6c696e75782e736f2e320000040000001000000001000000474e550000000000020000000600000018000000040000001400000003000000474e55005e110855c0ea72f456ff4a32360920519e4e836b0300000069000000010000000500000008230020690000006a0000006b000000291d8c1cad4be3c07df85a5800000000000000000000000000000000820000000000000000000000
+HackingTeam Linux core64:0:*:7f454c4602010100000000000000000002003e0001000000d022400000000000400000000000000038ea0300000000000000000040003800090040001c001b000600000005000000400000000000000040004000000000004000400000000000f801000000000000f801000000000000080000000000000003000000040000003802000000000000380240000000000038024000000000001c000000000000001c00000000000000010000000000000001000000050000000000000000000000000040000000000000004000000000008cd30300000000008cd30300000000000000200000000000010000000600000008de03000000000008de63000000000008de630000000000e80a000000000000503e0000000000000000200000000000020000000600000030de03000000000030de63000000000030de630000000000b001000000000000b0010000000000000800000000000000040000000400000054020000000000005402400000000000540240000000000044000000000000004400000000000000040000000000000050e57464040000002812030000000000281243000000000028124300000000000c260000000000000c26000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000
+HackingTeam Linux dropper:0:*:7f454c4601010103000000000000000002000300010000001052c00034000000000000000000000034002000020028000000000001000000000000000010c0000010c000004a0000004a0000050000000010000001000000a4070000a4270508a427050800000000000000000600000000100000a9b1270855505821fc070d0c00000000a4820000a4820000d40000007b000000020000007f3f64f97f454c460100020003000d308904fe6fb3dd0834073c81170b200005002800090008005ffbb5c92d8023034c740a03053d77c77e1310001ff47f030f0508d49f1b6cdb0fb01703061f040613d4837cee733b03240b03045133d800f6e574640000071f5217ac3b305f0c130c1b7b0000008000400200ff787300006e40000002490400ffdf74cb0400140303474e550025c9ab2774d8a9af0aff0ff6ff3a68e34249bb846b70dee600005557565381ec08940100e87ef7f66f360c448d842422900b8904240e198485c00f85d97fd9dd07083c162691c7442404302205081eb7ddffff1a7683f80119d283e22083c2208954241813088c3289c7dad7fcdf0f84348b6808668b580a08698b3e93eddcdb36a83d452a23c41947ee0b20bb101ad0217158337b3fcc751f70061b04cde304130ded93ee58131dec75c60fb7db02f28dfdfded891c2431dbc26c892cca745102acfbdd0eecff00

signatures/linux.md

@@ -14,3 +14,20 @@ Linux Signatures
    * source: https://github.com/hackedteam/vector-offline2/blob/master/offline-linux/offline-install/offline_gui.py#L2604
    * source: https://github.com/hackedteam/vector-offline2/blob/master/offline-linux/offline-install/offline_gui.py#L2716
 
+* config file for linux version is '.cache' (located in the whoopsie directory)
+  * source: https://github.com/hackedteam/core-linux/blob/master/core/src/core.c#L123
+
+* params.h and params.c file contain keys for decrypting config file and watermark information:
+  * source: https://github.com/hackedteam/core-linux/blob/master/core/src/params.h
+
+* config file is encrypted with aes-128-cbc and confkey from params (iv=0)
+  * source: https://github.com/hackedteam/core-linux/blob/master/core/src/config.c#L48
+
+* core-linux agent creates encrypted 'evidence' files (ie: stolen data) with the following format:
+     .tmp-AAAAAAAAAA-BBBBBB-CCCCCC where
+      AAAAAAAAAA : number of seconds since unix epoch from gettimeofday()
+      BBBBBB : microseconds from gettimeofday()
+      CCCCCC : random letters/numbers from mkstemp() function
+  comparing AAAAAAAAAA with the file's modification time from unix stat() function would give high reliability in identifying them
+
+  source: https://github.com/hackedteam/core-linux/blob/master/core/src/evidencemanager.c#L60

signatures/network.md

@@ -5,3 +5,16 @@ Network Signatures
 * User Agent : Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
 
   * source: https://github.com/hackedteam/vector-recover/blob/master/download_exec.cpp
+
+
+* Windows Soldier & Scout version.h file define different user agents (and urls) for each RCS version:
+
+  source: https://github.com/hackedteam/soldier-win/blob/master/Soldier/version.h#L22
+  source: https://github.com/hackedteam/scout-win/blob/master/core-scout-win32/version.h#L33
+
+* HT client wiki reveals several IP addresses of RCS anonymizers and control servers for a specific install which can be used for network detection 
+
+
+
+
+

signatures/windows.md

@@ -15,4 +15,10 @@ Windows Signatures
     * source: https://github.com/hackedteam/soldier-win/blob/master/Soldier/binpatch.h
   The watermarker is later used to check for presence of existing install via sharedmemory resource
     * source: https://github.com/hackedteam/soldier-win/blob/master/Soldier/utils.cpp#L87
+
+* core-win32 encryption keys/watermark/backdoor_id are defined in common.h 
+    * source: https://github.com/hackedteam/core-win32/blob/master/common.h#L100
 
+* scout for windows creates different batch files for RCS version 9.4/9.5/9.6 might help for detection/version ident
+  source: https://github.com/hackedteam/scout-win/blob/master/core-scout-win32/version.h
+

simplescripts/sweepandroid.py

@@ -0,0 +1,46 @@
+#!/usr/bin/python2.7
+
+# sweepandroid v.01: a simple script to look for signs of HackingTeam RCS Agent on Android devices
+# gsteenss@riseup.net
+#
+# also see: https://github.com/0xPoly/Hacking-Team-Sweeper/blob/master/signatures/android.md
+
+#    android version: RCSAndroid removes a specific file as root when uninstalling: /system/app/StkDevice.apk
+#        source: https://github.com/hackedteam/core-android/blob/master/RCSAndroid/src/com/android/dvci/action/UninstallAction.java#L109
+#
+#    android exploit writes 'shell' file to /system/bin/ntpsvd
+#        source: https://github.com/hackedteam/core-android/blob/master/RCSAndroid/jni/exploit.c#L739
+
+
+
+import glob
+import sys
+from platform import platform,architecture
+import androidhelper
+
+
+app='/system/app/StkDevice.apk'
+shells=('/system/bin/ntpsvd','/system/bin/rilcap')
+
+
+ok=True
+
+#print(sys.version,platform(),architecture())
+
+droid=androidhelper.Android()
+
+if glob.glob(app)!=[]:
+  droid.makeToast('WARNING: HT apk present: Your phone may be infected with a version of HackingTeam RCS Agent!')
+  ok=False
+
+for shell in shells:  
+	if glob.glob(shell)!=[]:
+  		droid.makeToast('WARNING: HT shell present: Your phone may be infected with a version of HackingTeam RCS Agent!')
+  		ok=False
+
+if ok: 
+  droid.makeToast('OK: Nothing strange to report.')
+
+
+
+

simplescripts/sweeplinux.py

@@ -0,0 +1,40 @@
+#!/usr/bin/python2.7
+
+# sweeplinux v0.1: a simple script to look for signs of HackingTeam RCS Linux agent
+# gsteenss@riseup.net
+#
+# based on: https://github.com/0xPoly/Hacking-Team-Sweeper/blob/master/signatures/linux.md
+
+
+import glob
+import sys
+from platform import platform,architecture
+from os.path import expanduser
+
+whoopsie=expanduser('~/.whoopsie*')
+crashreports='/var/crash/.reports-*-*'
+tmpreports='/var/tmp/.reports-*-*'
+
+
+#print(sys.version,platform(),architecture())
+ok=True
+
+if glob.glob(whoopsie)!=[]: 
+  print('WARNING: Detected HT whoopsie file in home directory, Your computer may be infected with a version of HackingTeam RCS Agent!')
+  ok=False
+
+if glob.glob(crashreports)!=[]:
+  print('WARNING: Detected HT crash reports, Your computer may be infected with a version of HackingTeam RCS Agent!')
+  ok=False
+
+if glob.glob(tmpreports)!=[]:
+  print('WARNING: Detected HT tmp reports, Your computer may be infected with a version of HackingTeam RCS Agent!')
+  ok=False
+
+
+if ok: 
+  print('OK: Nothing strange to report.')
+else: 
+  print('Please shutdown your network connection NOW!')
+
+