lecture: In-depth Reverse Engineering of HackingTeam's Remote Control System
The Remote Control System (RCS) made by the Italian company "HackingTeam" has been designed to spy/monitor computers. Here is their official description:
"In modern digital communications, encryption is widely employed to protect users from eavesdropping.
Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security.
Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable. For Governmental LEAs and Agencies ONLY."
The RCS software is marketed as a special tool to monitor computers, supposedly sold only to governments and law enforcement.
However, over the past months it has been used against human rights activists and political dissidents in Africa, South America and the Middle East.
Interestingly, there are connections between Hacking Team and the shady organization known as OPM.
Following Citizen Lab's publication about another similar software product (FinSpy), the U.K. government reaffirmed that the existing controls restricting the export of cryptographic systems apply to the exports of FinSpy by Gamma International UK (the makers of FinSpy). The allegations raise concerns about the export of British technology to oppressive regimes.
The situation with the RCS software is similar: even where regulations in some countries prevent exporting such software, these spying programs can easily be sold to anyone through umbrella companies in other countries, such as Panama.
Based on existing evidence, the victims of such attacks are human rights activists in countries with poor human rights records.
It is possible that tools such as FinSpy or RCS lead to the arrest and conviction of people in such countries.
The presentation is a technical, in-depth reverse engineering of the Remote Control System software, including, but not limited to, details of its monitoring features, its rootkit technology, its anti-debugging tricks and the obfuscation it uses.
The RCS program is usually installed using 0-day exploits, which execute a special downloader / infostealer that carries a valid digital signature.
Our presentation will show, through code profiling, that both the signed binaries and the RCS software were written by the same developers.
Points to be discussed during the presentation:
* Abuse of "legal" spying software to spy on human rights activists
* In-depth analysis of the malicious code (90% of the talk)
* Code profiling of the signed binaries and the RCS software
* Connections between Hacking Team and the shady organization known as OPM
* Use of 0-days and signed binaries
Info
Day: 2013-06-21
Start time: 13:00
Duration: 01:00
Track: Main
Speakers
Nicolas Brulez
Marta Janus