
REMOTE CONTROL SYSTEM V5.1

A Stealth, Spyware-Based System for Attacking, Infecting and Monitoring Computers and Smartphones. Full intelligence on target users even for encrypted communications (Skype, PGP, secure web mail, etc.)

D. Vincenzetti, V. Bedeschi
www.hackingteam.it

Offensive security technology


RCS - Remote Control System tool for Law Enforcement Agencies
David Vincenzetti
HT Srl - Italy

© Hacking Team
All Rights Reserved


Introduction

Hacking Team

HT Srl is a 100% Italian company founded in 2003 by Valeriano Bedeschi and David Vincenzetti. Venture-backed in 2007 by two Italian VC funds.

The company is an active player in the IT security market and it offers Ethical Hacking (pentest) services, security tools and intelligence instruments for governmental institutions.

HT has developed a highly innovative offensive IT security system which, in specific circumstances, allows Law Enforcement Agencies to attack and control target PCs from a remote location.

What actually happens

IT offensive security represents a new and highly innovative technology. It's growing very fast because of phenomena such as terrorism, industrial espionage and insider trading. Advanced use of the Internet by terrorists makes LEAs increasingly nervous.

Example: the exponential growth of encrypted VoIP communications (Skype claims 300+ million users) by residential and business users is a nightmare for LEAs.

What actually happens

If…
Skype encrypts online conversations by default! Skype is ubiquitous (same phone number, location independent). Skype is likely to be one of the favourite ways of communication by tech-savvy criminals.

Then…
Governments should use spyware-based wiretapping technologies (that is, offensive technologies) to foil tech-savvy criminals' communications.
(Some countries still lack a law that would allow the authorities to spy on suspected criminals by secretly inserting “remote forensic software” into their computers.)


Passive monitoring is useless against most encrypted communication systems (such as Skype).

Offensive security monitoring is highly effective on most communication systems.

Why IT offensive security

Cyber space is a very attractive place for criminals: it's cheap, quick and easy to access.

IT offensive security systems can be complementary to more traditional passive IT monitoring solutions.

Governments need to have both defensive and offensive (IT) capabilities.


IT offensive security

Operational scenarios:
• “Standard” criminal investigation (evidence gathering) performed by Governmental Organizations such as Police and Tax Police.
• Intelligence gathering activities performed by Security Agencies when cracking down on terrorism and serious organized crime.
• (Corporate scenario: when fighting white collar crimes, I.P. theft, insider trading)

Remote Control System

Remote Control System is an IT stealth investigative tool for LEAs (it is offensive security technology. It is spyware. It is a trojan horse. It is a bug. It is a monitoring tool. It is an attack tool. It is a tool for taking control of the endpoints, that is, the PCs).

It permits passive monitoring and active control of all data and processes on selected target computers. Such computers might or might not be connected to the Internet.

Functionalities


Monitoring and Logging

Remote Control System can monitor and log any action performed by means of a personal computer:
• Web browsing
• Opened/Closed/Deleted files
• Keystrokes (any UNICODE language)
• Printed documents
• Chat, email, instant messaging
• Remote Audio Spy
• Camera snapshots
• Skype (VoIP) conversations
• …

PC architectures
• Windows XP
• Windows 2003
• Windows Vista
• Q109: MAC OS
• Q409: Linux


Monitoring and Logging

Remote Control System can monitor and log any action performed by means of a smartphone:
• Call history
• Address book
• Calendar
• Email messages
• Chat/IM messages
• SMS/MMS interception
• Localization (cell signal info, GPS info)
• Remote Audio Spy
• Camera snapshots
• Voice calls interception
• …

Smartphones architectures
• Windows Mobile 5
• Windows Mobile 6
• Q109: iPhone
• Q409: RIM/BlackBerry
• Q409: Symbian

Invisibility

Allows monitoring (all) PC user's activities.

After the installation, Remote Control System cannot be detected by any bugged computer user:
• Existing files are not modified
• No new files appear on the computer's hard disk
• No new processes are executed
• No new network connections are established
• Antivirus, antispyware, anti-key-loggers cannot detect our bug (e.g., the products in the Gartner Endpoint Security Magic Quadrant)
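The four host-level properties above are claims about what a resident implant hides from the logged-in user, not things the user can confirm by looking. The check a defender actually runs against such claims is a baseline diff plus a cross-view diff: compare a pre-install snapshot of files, processes and connections with a later one, and separately compare two independent enumerations of processes (an API-level listing against a raw walk of the process table or a PID brute-force), because a hook that hides an object from one view rarely hides it from both. The following Python is an added example written for this page, not code from the deck or from any HT product; the snapshot contents are constructed inline, and on a real host you would fill the same structures from the operating system (the file paths, PIDs and addresses below are made up).

```python
"""Baseline-diff and cross-view checks against an implant's invisibility claims.

Added example for this page, not part of the original deck or of any HT product.
Snapshots are plain Python structures so the logic runs offline on the constructed
sample below; on a real host you fill them from the OS.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    sha256: str


@dataclass
class Snapshot:
    files: dict[str, FileEntry]                       # path -> entry
    processes: set[tuple[int, str]]                   # (pid, image name)
    connections: set[tuple[str, int, str, int]]       # (laddr, lport, raddr, rport)


@dataclass
class Findings:
    new_files: list[str] = field(default_factory=list)
    modified_files: list[str] = field(default_factory=list)
    new_processes: list[tuple[int, str]] = field(default_factory=list)
    new_connections: list[tuple[str, int, str, int]] = field(default_factory=list)
    hidden_processes: list[tuple[int, str]] = field(default_factory=list)

    def clean(self) -> bool:
        return not (self.new_files or self.modified_files or self.new_processes
                    or self.new_connections or self.hidden_processes)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Findings:
    """Test the three host-level claims: no new or modified files, no new
    processes, no new connections. A file is 'modified' when its hash changed,
    which catches a same-size patch that a size/timestamp check would miss."""
    f = Findings()
    for path, entry in current.files.items():
        old = baseline.files.get(path)
        if old is None:
            f.new_files.append(path)
        elif old.sha256 != entry.sha256:
            f.modified_files.append(path)
    f.new_processes = sorted(current.processes - baseline.processes)
    # Compare remote endpoints only: a fresh ephemeral local port to an
    # already-known peer is normal churn, a never-seen peer is not.
    known_remote = {(r, rp) for (_, _, r, rp) in baseline.connections}
    f.new_connections = sorted(c for c in current.connections
                               if (c[2], c[3]) not in known_remote)
    return f


def cross_view_processes(api_view: set[tuple[int, str]],
                         raw_view: set[tuple[int, str]]) -> list[tuple[int, str]]:
    """Cross-view diff: a process present in the raw enumeration but absent
    from the API-level listing is what a hooked process-listing API looks like
    from outside the hook."""
    return sorted(raw_view - api_view)


def run_checks(baseline: Snapshot, current: Snapshot,
               api_view: set[tuple[int, str]], raw_view: set[tuple[int, str]]) -> Findings:
    f = diff_snapshots(baseline, current)
    f.hidden_processes = cross_view_processes(api_view, raw_view)
    return f


def sample_case() -> Findings:
    """Constructed data, not captured from any real system."""
    dll = "C:/Windows/System32/ntdll.dll"
    base_files = {
        dll: FileEntry(dll, 1024, digest(b"ntdll-v1")),
        "C:/Users/t/report.doc": FileEntry("C:/Users/t/report.doc", 200, digest(b"report")),
    }
    cur_files = dict(base_files)
    cur_files[dll] = FileEntry(dll, 1024, digest(b"ntdll-v2"))   # same size, new content
    baseline = Snapshot(files=base_files,
                        processes={(4, "System"), (612, "explorer.exe")},
                        connections={("10.0.0.5", 49152, "93.184.216.34", 443)})
    current = Snapshot(files=cur_files,
                       processes={(4, "System"), (612, "explorer.exe")},
                       connections={("10.0.0.5", 49201, "93.184.216.34", 443),
                                    ("10.0.0.5", 49202, "198.51.100.7", 80)})
    api_view = {(4, "System"), (612, "explorer.exe")}
    raw_view = {(4, "System"), (612, "explorer.exe"), (1337, "svchost.exe")}
    return run_checks(baseline, current, api_view, raw_view)


if __name__ == "__main__":
    findings = sample_case()
    print("clean" if findings.clean() else findings)
```

Two caveats on using this for real. The host-side views are only as trustworthy as the kernel they run on, so the raw enumeration should come from a source the implant is unlikely to have hooked (an offline disk image, a memory image, or a different OS boot), and the "no new network connections" claim is best tested from an out-of-band tap or span port rather than from the monitored host itself.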


Flexibility

Goes beyond logging and monitoring. Allows performing actions on a bugged computer:
• Search and view data on the hard disk
• Execute commands remotely
• Possibly modify hard disk contents
• Trigger actions in response to events
  • Start sending data only when the screensaver is active, remove itself on a preconfigured date, etc.

Attack/Infection vectors

Remote Control System is software, not a physical device, which can be installed remotely.
• Computer can be bugged by means of several infection vectors
• Intelligence information about the remote target is mandatory

… but local installation remains an option
• Usually very effective


Remote installation

Remote infection vectors:
• Executable melting tool
• HTTP Injection Proxy (modifies executables fetched over cleartext HTTP while they are in transit)
• HT Zero-day Exploits library (library is “indirectly” accessed by customer)
• HT consultancy: anonymous attack scenario analysis, attack cookbook

E.g., moving target using Skype


Local (physical) installation

Local infection vectors:
• (Bootable) CD-ROM
• (Bootable/Autorun) USB pen drive
• Direct hard disk infection by means of tampering with the computer case
• Firewire Port/PCMCIA attacks (both interfaces give an attached device direct memory access)
• HT consultancy: anonymous attack scenario analysis, attack cookbook

E.g., Internet Café using DeepFreeze

Critical issues

Remote Control System could not work without the following features:
1. Invisibility, at system and network level
2. Flexibility (event-based logic)
3. Infection capabilities (attack vectors)
4. Robustness & Scalability (being used by many clients in real security scenarios)
5. Centralized management of unlimited HETEROGENEOUS targets

www.hackingteam.it