Facebook releases query packs for finding possible malware infection by Hacking Team on Mac OS X
The hack and subsequent cache of 415GB of leaks pertaining to HACKING TEAM has revealed that the company tried to hack absolutely every machine on the face of the Earth. If the emails are to be believed, it also developed a technique to deliver malware/spyware by drones.
Facebook announced today it was pushing out some “query packs” on its code page that would enable security researchers to look for signs of Hacking Team infection.
These query packs form part of Facebook’s “osquery”, a free and open source framework that can be used to gather network data and quickly ask questions to uncover potential security threats. It’s part of the social network’s own security defences and was updated recently to protect against some critical Apple Mac and iPhone vulnerabilities.
Whilst query packs can be created to bundle specific, commonly used sets of queries, Facebook has released a handful of its own, including one written specifically for Mac OS X machines.
“The OS X-attacks pack has queries which identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, a host in your Mac fleet is compromised with malware. This pack is high signal and should result in near-zero false positives,” said Javier Marcos, security engineer at Facebook, in a blog post, before noting that the query pack includes commands that seek out signs of Hacking Team infiltration.
Facebook told FORBES it hadn’t put together query packs for other operating systems, but noted that users can simply create their own queries to identify other “indicators of compromise”, such as slow performance or daemon processes.
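As an added illustration of the custom query packs the article says users can write (this is not Facebook’s OS X-attacks pack and not code from the article), the script below builds and checks a pack in the layout osquery loads: a JSON document that names a platform and schedules read-only SQL queries against osquery’s tables. The launchd label and process name it searches for are constructed placeholders, not real Hacking Team indicators; the `launchd` and `processes` tables and their columns are real osquery tables.

```python
import json

# Constructed placeholder indicators for the illustration. A real pack would
# carry vetted indicators of compromise; these two values are invented.
PLACEHOLDER_LAUNCHD_LABEL = "com.example.suspicious-agent"  # hypothetical label
PLACEHOLDER_PROCESS_NAME = "example_implant"                # hypothetical name

# Keys osquery expects on every scheduled query inside a pack.
REQUIRED_QUERY_KEYS = ("query", "interval", "description", "value")


def build_pack():
    """Return a pack dict in the layout osqueryd reads from its pack files."""
    return {
        "platform": "darwin",  # evaluate only on OS X hosts
        "version": "1.4.5",    # minimum osquery version the pack targets
        "queries": {
            # Persistence check: a launchd job whose label matches the indicator.
            "hypothetical_launchd_persistence": {
                "query": (
                    "SELECT path, name, label, program, program_arguments "
                    "FROM launchd "
                    f"WHERE label = '{PLACEHOLDER_LAUNCHD_LABEL}';"
                ),
                "interval": 3600,  # seconds between runs
                "description": "launchd job with a placeholder malicious label",
                "value": "Persistence indicator; any row means the host needs triage",
            },
            # Live-execution check: a running process matching the indicator.
            "hypothetical_running_implant": {
                "query": (
                    "SELECT pid, name, path, cmdline, parent "
                    "FROM processes "
                    f"WHERE name = '{PLACEHOLDER_PROCESS_NAME}';"
                ),
                "interval": 600,
                "description": "process name matching a placeholder implant indicator",
                "value": "Execution indicator; any row means the host is compromised",
            },
        },
    }


def validate_pack(pack):
    """Return a list of structural problems; an empty list means the pack is well formed.

    osqueryd skips queries it cannot schedule, so a malformed entry becomes a
    detection that silently never runs. Checking before deployment avoids that.
    """
    problems = []
    if not isinstance(pack.get("platform"), str) or not pack["platform"]:
        problems.append("pack: missing or empty 'platform'")
    queries = pack.get("queries")
    if not isinstance(queries, dict) or not queries:
        return problems + ["pack: 'queries' must be a non-empty object"]
    for name, spec in queries.items():
        for key in REQUIRED_QUERY_KEYS:
            if key not in spec:
                problems.append(f"{name}: missing '{key}'")
        query = spec.get("query", "")
        # Packs are read-only: every statement must be a SELECT.
        if not isinstance(query, str) or not query.lstrip().upper().startswith("SELECT"):
            problems.append(f"{name}: 'query' must be a SELECT statement")
        interval = spec.get("interval")
        if not isinstance(interval, int) or interval <= 0:
            problems.append(f"{name}: 'interval' must be a positive integer")
    return problems


def query_names(pack):
    """Sorted names of the scheduled queries, handy for inventorying a pack."""
    return sorted(pack.get("queries", {}))


def to_json(pack):
    """Serialise the pack exactly as it would be written to a pack file."""
    return json.dumps(pack, indent=2)


if __name__ == "__main__":
    pack = build_pack()
    issues = validate_pack(pack)
    print("problems:", issues or "none")
    print(to_json(pack))
```

The emitted JSON is what would go into a pack file referenced from the osquery configuration; rows returned by either query are the "high signal" kind the article describes, which is why each `value` field states what a hit means for the host.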