REMOTE MONITORING & INFECTION SOLUTIONS · DTI server software is written in C/C++ for maximum...


Page 1: REMOTE MONITORING & INFECTION SOLUTIONS · DTI server software is written in C/C++ for maximum efficiency and reliability. It was designed with highest security in mind and provides

REMOTE MONITORING & INFECTION SOLUTIONS

DTI is the Remote Monitoring Solution that enables Governments and Law Enforcement Agencies to face the current challenges of monitoring Security-Aware Targets that regularly change location, use encrypted and anonymous communication channels and reside in foreign countries.

Traditional Lawful Interception solutions face new challenges that can only be solved by using active systems like DTI.

Data Not Transmitted Over Any Network | Encrypted Communications | Targets in Foreign Countries

When DTI is installed on a computer system, it can be remotely controlled and accessed as soon as that system is connected to the internet or a network, no matter where in the world the Target System is located.

Feature Overview

Target Computer:

• Evasion of 47 regularly tested Anti-virus products.

• User Account Control bypass for Privilege Elevation.

• Encrypted Communication with the Master Server.

• Process-based Keylogger.

• Screen Capture.

• Country Tracing and Geo-Location of the Target.

• Remote Upgrade functionality.

• Supports all common versions of the Windows Operating System (XP, 2003, Vista, 7 & 8).

• Remote File Manager that allows any file to be downloaded from the remote PC.

• Audio Recording capabilities.

• Session Cookie Extraction for interception of online services.

Headquarters:

• Data Encryption using AES-256.

• Graphical User Interface for Data Management

• Activity view of all active infections

• Attack vector factory for preparing infection files in many forms

Page 2

INFECTION AGENT

The Infection Agent is a small executable file whose main purpose is to be deployed to the Target computer and executed. On execution, the Infection Agent installs itself on the Target system and communicates with the Master Server. Installation happens in stealth mode, communication with the server uses strong encryption algorithms, and persistence is achieved by loading at every start of the operating system.

The Agent is a multi-stage installer with a unique signature. It implements state-of-the-art techniques such as reflective DLL injection, hiding inside legitimate and digitally signed software packages, and steganography to hide data on disk and in internet traffic in order to avoid detection.

There are two main operation modes for the Infection Agent:

• Ghost mode

• Full mode

Ghost mode - every Agent starts in this mode after installation. This mode does not download the main surveillance module and only uploads basic computer information to the Master Server. This allows the administrator to verify that the right Target machine was infected and also provides an additional safeguard so that DTI's full functionality is not activated without the administrator's consent.

Full mode - if the administrator determines that the Ghost Agent should be activated with full recording capabilities, the Agent can be remotely upgraded to a Full Agent. This mode allows the Agent to upload recorded data to the Master Server and allows the operator to interact with the Agent remotely and use the full capabilities of DTI.

The main features of the Infection Agent include passive and active monitoring. The Agent passively records keystrokes, captures screenshots and collects passwords to online web services. Active monitoring is performed in real time by connecting to the operator's computer running the DeepTrack Administration Client; it allows the operator to browse and download files from the Target's file system, extract session cookies for online web services, record audio from the microphone input or watch in real time what happens on the Target user's screen.

The Infection Agent provides remote access to the following information:

• Keystrokes typed in any application running on the computer.

• Captured screenshots.

• Passwords to online web services used on the computer.

• High-accuracy geo-location information for computers with an attached WiFi adapter.

• File system for browsing or downloading files remotely.

• Session cookies used in online web services, which can be extracted and used in order to bypass two-factor authentication.

• Microphone audio for remotely recording sound from the computer's surroundings.

• Real-time access to activities performed on the computer.

DTI Infection Agent uses advanced antivirus evasion techniques to install and operate on Target machines, without arousing any suspicions that the Target is being monitored. Each Infection Agent is carefully crafted for each operator, providing unique signature and binary footprint, making it untraceable by major security products.


Page 3

DT ADMINISTRATION CLIENT

The Administration Client is used by the operator to manage all running Agents and retrieve logs recorded from Target computers, which reside in encrypted form on the Master Server. It is also used to browse recorded information and actively retrieve critical data from monitored computers in real time.

From here you can issue commands to target computers, perform remote updates or view geo-location data for each computer, as well as modify the agents' default and current configurations.

Passively browsing logs from monitored computers

Managing installed Infection Agents - upgrading, geo-location, configuration, uninstalling


Page 4

Actively accessing computers remotely in real-time:

The Administration Client provides geo-location data for all monitored computers. For highly accurate coordinates the Target computer has to be equipped with a WiFi adapter. Location is determined from nearby SSIDs and their signal strength: the more densely populated the area the computer is in, the more accurate the geo-location data retrieved. If no WiFi adapter is present on the computer, the panel provides the coordinates of the city the Target is in.

EXTRACTOR

DeepTrack implements a very powerful module that allows on-demand extraction of sensitive data from the Target computer. The module is always dynamically downloaded by the Agent from the Master Server, then injected and executed in memory only, for advanced anti-forensics.

Several modules are already available that add the ability to recover different types of data.


Page 5

File Manager - retrieves the whole file listing of the Target computer's filesystem for offline browsing. Additionally, multiple files can be queued for remote upload. Files are split into half-megabyte chunks and uploaded while the Target computer is online. After all chunks have finished uploading to the Master Server, they are reassembled and made accessible via SFTP.

Passwords - gathers all saved passwords on Target computer. Searched password locations include browsers (Internet Explorer, Mozilla Firefox, Google Chrome), network (including network shares) and WiFi networks.

Cookies - extracts all cookies (including session cookies) from the major web browsers (Internet Explorer, Mozilla Firefox, Google Chrome) and uploads them to the Master Server. The Administrator can inject the extracted cookies into his own web browser, allowing him to easily use the Target's access tokens. That lets the Administrator log into web services in the context of the Target user while bypassing any security protections implemented by the web service (including two-factor authentication). Another feature clears all cookies from a chosen web browser on the Target computer in order to log the Target out of all web services, making it possible to later intercept the re-entered login credentials with the keystroke logger.

Key benefits include:

• Easy to use interface for fast response.

• Geo-location information.

• Selective extraction of sensitive data from Target computers.

• Changing configuration of Infection Agents remotely.

• Remotely issuing updates to Infection Agent software.

• Remotely uninstalling Infection Agents from Target computers.

• Multi-threaded architecture allowing several computers to be monitored effectively at the same time.

• Safely downloading recorded, encrypted information from the Master Server, previously uploaded by the Infection Agents.

• Managing lots of information from monitored computers in a single place.

• Securely encrypted storage of downloaded data.

• Real-time access to all monitored computers.


Page 6

DTI Master Server Software

DTI Server Software is designed for machines running the Linux operating system for maximum reliability. The server-side software is installed on the client's own server in order to ensure complete confidentiality of information. At no point will DTI software contact any computer other than the designated Master Server owned by the client.

Server Core

DTI server software is written in C/C++ for maximum efficiency and reliability. It was designed with highest security in mind and provides the strong backbone to any operation.

All data uploaded from Infection Agents is stored in encrypted form on the Master Server and handled by the server core software. Individual Agent Administrators never connect directly to Target computers, as all communications are routed through the main Master Server.

Bind-Proxy

The Bind-Proxy component of the server is a special daemon running in the background that allows operators, using DTI Administration Clients, to connect to Target computers remotely without revealing their IP addresses. Bind-Proxy pairs two outgoing connections together - an outgoing connection from the Target computer and an outgoing connection from the DTI Administration Client. Pairing is based on a generated unique session key and allows packet transmission between two computers on the internet through the Master Server, without the need to worry about firewalls. Communication going through the Bind-Proxy is securely encrypted using AES-256 encryption and a dynamic key challenge.

Relay Servers

Relays are servers set up between the Infection Agents and the Master Server in order to protect the communication route and to not reveal the IP address of the main server to the Infection Agents. Transmission of data is fully encrypted and all Anonymizer servers are fully replaceable, allowing the routing of packets to be changed for each Infection Agent.


Page 7

DTI Recon

The DTI solution provides a wide range of additional tools that were developed to increase the effectiveness of operations. One such tool is DTI Recon, which works like a light version of the main DTI Agent and Admin.

The DTI Recon agent is written purely in the Windows scripting languages VBScript and PowerShell. Such a combination bypasses any antivirus detection mechanisms by default without the need to expose the main DTI Agent. This makes it a perfect tool for initial infection. DTI Recon works on Windows Vista, Windows 7, Windows 8/8.1 and the most recent Windows 10. After the Recon agent is installed, you can retrieve helpful system information from the target PC.

This information includes a list of installed applications as well as a list of running processes. Using this information, the administrator can determine what antivirus software is running on the target PC and make preparations before deploying the main DTI Agent. When ready, the DTI Agent can be deployed and installed remotely on the target PC through the DTI Recon admin panel. The DTI Recon agent can stay installed on the target PC, providing an additional backdoor in case the main DTI Agent goes dark.

Key benefits include:

• Easy to use interface for fast response.

• Wide selection of Attack Vectors for remote installation.

• Highly obfuscated agent scripts for increased Antivirus evasion.

• Retrieving useful system information from the PC before deploying the main DeepTrack Agent to the target PC.

• Allows to determine what Antivirus software is running on the target PC.

• Provides an additional backdoor just in case the main DeepTrack Agent goes dark.

• Server software written in PHP, can be easily deployed on any shared hosting server.

• Client-server architecture allows to put only the server control code on the server (Admin panel is running on local computer only).

• Server PHP code is obfuscated and encrypted to bypass any signature detections that the hosting provider may use.

• Communication traffic with the server is encrypted.


Page 8

DTI Tracker

Before the operation, it is important to gather as much intelligence on the target environment as possible. DTI Tracker retrieves useful information about target devices.

The Administrator creates a link in the DTI Tracker admin that is later sent to the target via any communication channel such as email, chat message or SMS. When the target clicks the link, device information is harvested from the target's web browser and the target is redirected to another page supplied by the administrator.

DTI Tracker can gather the following information about a target who clicks on a link:

• Visitor's IP address - allowing the country and city the target currently resides in to be determined

• Web browser name and version

• CPU architecture (32 or 64-bit)

• Operating system name and version (including iOS and Android)

• Language preferences set in the web browser

• Device name and model if the target uses a mobile phone

• Screen resolution set on the target's device

• Version number of the following plugins that may be installed on the target device: Flash, QuickTime, SilverLight, VLC, Windows Media Player (this allows to check if the target is vulnerable to any of the publicly available exploits)

• Internal network IP addresses using the new WebRTC feature in modern browsers


Page 9

Key benefits include:

• Easy to use interface for fast response.

• Retrieving valuable intelligence on target devices.

• Server software written in PHP, can be easily deployed on any shared hosting server.

• Client-server architecture allows to put only the server control code on the server (Admin panel is running on local computer only).

• Server PHP code is obfuscated and encrypted to bypass any signature detections that the hosting provider may use.

• Communication traffic with the server is encrypted.


Page 10

DTI Inject

In order to maximize the success rate of any field operation, the solution includes a tactical tool to infect targets using wireless networks.

This tool allows the agent to scan for nearby wireless networks and crack their passwords if required. It also fingerprints the clients of any wireless network, making it very easy to pinpoint the device that is to be targeted.

During operation the tool injects content into every website browsed by the target user, which may appear as a fake browser update page asking the user to update their browser. The injection tool does not allow the user to browse the internet until the fake update is installed, which installs the Infection Agent on the user's device without them noticing.

DTI Inject comes as a separate device, which can be carried in a backpack and controlled remotely and inconspicuously over the air from another device such as a tablet or mobile phone.

Key benefits include:

• Easy to use and reliable interface for fast deployment in the field.

• Scanning for nearby wireless networks that targets may be connected to.

• Cracking passwords to protected wireless networks.

• Mapping computers on the same network, allowing to find out what operating system is used by each of the connected devices.

• Injecting content into the HTTP stream of users on any wireless network, while being connected to the same network.


Page 11

Attack Vectors Suite

DTI provides a wide range of options for Infection Agent deployment on Target computers. All of the solutions provided are fully reliable and constantly improved. Most of the methods are not actual exploits, but rather tricks that exploit functionality of popular major software packages. Our experience shows that these techniques give the best results during an operation.

Please note: All Attack Vectors described below apply to deployment of DTI Recon agent.

Binder Software

DTI provides the Binder tool to disguise the Infection Agent executable file so that it looks like a non-suspicious document file. You can, for example, make the executable file look like an image file. An agent prepared in this way has the icon of an image and, when opened, displays the attached image/document of your choosing while infecting the target computer in the background.


Page 12

Vector 1: Executable Deployment

Target's Requirements: None

Attack Vector: Email Attachment, Physical Installation, DVD/CD/USB Covert Deployment

The executable deployment method is mainly about convincing the target to run the Infection Agent executable file on the target computer, or launching it manually when physical access is possible. The executable file can be disguised (using DTI Binder), for example as a photo, video or document. As an additional measure to make the file look less suspicious, the extension of the executable file can be concealed using the Right-to-Left Override Unicode character. The following screenshots show how the files may look with the "Hide extensions for known file types" option disabled in Windows folder settings.

Executable files prepared in this way can easily be burned to DVD/CD or copied to a USB stick. The portable media can then be strategically planted in the vicinity of the target to be found and picked up. There is a chance the target will double-click the concealed Infection Agent while inspecting the files on his computer.

The files are prepared to install the Infection Agent in the background and additionally show the legitimate document to the user in order to not raise any suspicions.
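From the defender's side, the two disguises described above (a Right-to-Left Override hiding the real extension, and a decoy extension relying on "Hide extensions for known file types") can be caught before a file reaches a user. The following Python check is an added example, not part of the DTI brochure or product: it reports what a file browser would render versus what the operating system will actually execute. The executable and decoy extension sets and the sample filenames are constructed for illustration.

```python
import unicodedata

# Unicode bidirectional formatting characters (U+202A-U+202E, U+2066-U+2069).
# None of them belongs in an ordinary filename.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Extensions Windows runs directly. Illustrative subset, not a complete list.
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                             ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                             ".msi", ".ps1", ".lnk"})

# Document/media extensions a disguised executable would be made to look like.
DECOY_EXTS = frozenset({".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc",
                        ".docx", ".xls", ".xlsx", ".txt", ".mp4", ".avi"})


def rendered_name(name: str) -> str:
    """Approximate how a bidi-aware file browser draws `name`: text after a
    RIGHT-TO-LEFT OVERRIDE (U+202E) up to the next POP DIRECTIONAL FORMATTING
    (U+202C) or the end of the string is drawn reversed; other controls vanish."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def logical_name(name: str) -> str:
    """The name the operating system acts on: controls removed, order kept.
    This, not the rendering, decides which extension is executed."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def inspect_filename(name: str) -> dict:
    """Verdict for one filename: flags bidi controls, an executable extension
    that renders as something else, and the plain double-extension trick."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    real, shown = logical_name(name), rendered_name(name)
    real_ext, shown_ext = _ext(real), _ext(shown)
    # With "Hide extensions for known file types" enabled, Windows drops the
    # last extension, so "photo.jpg.exe" is listed as "photo.jpg".
    stem_ext = _ext(real[:len(real) - len(real_ext)]) if real_ext else ""
    reasons = []
    if controls:
        reasons.append("bidi control characters: " + ", ".join(controls))
    if real_ext in EXECUTABLE_EXTS and shown_ext != real_ext:
        reasons.append(f"displayed as {shown_ext or '(none)'} but runs as {real_ext}")
    if real_ext in EXECUTABLE_EXTS and stem_ext in DECOY_EXTS:
        reasons.append(f"decoy extension {stem_ext} before executable {real_ext}")
    return {"name": name, "shown_as": shown, "real_extension": real_ext,
            "suspicious": bool(reasons), "reasons": reasons}


def scan(names):
    """Run inspect_filename over a batch and keep only the suspicious verdicts."""
    return [v for v in map(inspect_filename, names) if v["suspicious"]]


# Constructed sample filenames; the two with U+202E follow the trick the page
# describes (a raw ".exe" hidden behind a reversed decoy extension).
SAMPLE_NAMES = [
    "report.pdf",
    "résumé.docx",
    "photo\u202egnp.exe",    # rendered as photoexe.png, runs as .exe
    "invoice\u202ecod.scr",  # rendered as invoicercs.doc, runs as .scr
    "holiday.jpg.exe",       # listed as holiday.jpg when extensions are hidden
]

if __name__ == "__main__":
    for v in scan(SAMPLE_NAMES):
        print(f"{v['shown_as']!r} -> {v['real_extension']}: {'; '.join(v['reasons'])}")
```

A mail gateway or removable-media scanner can apply the same check to attachment names and directory listings; a filename that renders differently from its logical form is reason enough to quarantine the file regardless of its content.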


Page 13

Vector 2: Microsoft Office Word/Excel Document

Target's Requirements: Microsoft Office Word/Excel 2003/2007/2010/2013

Attack Vector: DOC or XLS document

Microsoft Office is still one of the most commonly used applications around the world. It is the obvious choice for any user who needs to create a spreadsheet or a text document for printing. The Word/Excel attack vector attaches the Infection Agent, in the form of a VBA macro, to any XLS or DOC document.

When the target user opens a specially crafted Word/Excel document, he is prompted to enable macros for the opened document. When the user enables macros, the Infection Agent installs itself on the target computer in the background. It is important to create the Word/Excel document in a way that convinces the user to enable the macros by clicking the "Enable Macros" button, which shows up after the document is loaded. Many users are still not aware that Office macros pose any security risk, which makes this a very useful attack vector.

At the top of the document, the "Enable Content" button shows up. When the user clicks on it, the Infection Agent is installed on the computer.

As with the Java applet attack, it is very important to convince the user to enable macros for the current document. The document can contain fake instructions stating that macros are needed to decrypt the content, or that the full contents will not show up if macros are disabled. This attack vector works on every available version of Microsoft Office 2003/2007/2010/2013. The warning message looks slightly different in every version of the Office software.

The biggest advantage of this attack is that DOC and XLS documents attached to emails are not rejected by email providers' security filters.

Please Note: The screenshots above show only Microsoft Excel, but the same method works perfectly with Microsoft Word documents as well.


Page 14

Vector 3: Boot CD/DVD or USB stick

Target's Requirements: Booting from removable media enabled in BIOS

Attack Vector: Physical access to target computer

In situations where the operator has physical access to the target computer but does not know the Windows password needed to get past the logon screen, he can use the boot CD method. This method allows the operator to boot the DTI portable operating system from any removable media before the real Windows starts loading.

The DTI solution provides direct infection software, which can be run from the DTI bootable operating system, in order to bypass the Windows logon screen and gain direct access to the computer's hard disk and Windows registry hives. When the portable OS loads, the Infection Agent can be installed directly into the target system. From that point the Infection Agent is automatically loaded at every start of the target user's Windows.

The operator has to make sure that the option to boot from removable media is enabled in the target computer's BIOS settings.

Installation Service

The DTI solution offers 3 days of product setup and configuration of the Master Server at the client's headquarters.

Setup involves:

• Installing Server Software components on client's Master Server.

• Configuring Linux environment.

• Setting up domains and DNS.

• Optimizing the server for best reliability.

• Optional: Setting up and configuring Relay Servers if supplied by the client.

Advanced Training

Our trained security expert is available to give a 7-day full advanced training in using DTI, covering many security subjects that will prove invaluable in using the product effectively during operations.

Training covers the following subjects:

• Effective deployment of DTI Infection Agents.

• Using various Attack Vectors to your advantage.

• Social Engineering.

• Operational Security.

• Using DTI to effectively extract critical information.

• Bypassing computer protections with physical access to the machine.

• Cloning and creating websites for social engineering.

• Psychology of crafting emails with call to action.

• Using DTI Binder for embedding documents into Infection Agents.

• Methods of fingerprinting the Target's system configuration.

• How to safely use extracted information.

• Extracting and using session cookies from online services.


Page 15

LICENSING

We offer a comprehensive one-year support package, which can be renewed every year in order to keep the software up to date and maintain access to our personal support services.

Support package includes:

• Updates for DTI Infection Agent Software.

• Updates for DTI Administration Client.

• Updates for DTI Master Server Software.

License System

DTI solution licenses are distributed on a per-operator basis. Every operator obtains an Operator License allowing him to contact the Master Server and manage a limited number of infected computers, specified by the number of Target Licenses acquired for that operator. Licenses are loaded and managed through the DTI Administration Client. While the licensing model allows an unlimited number of Infection Agents to be installed on target computers in Ghost mode, the operator will only see recorded activity from the computers that were upgraded from Ghost to Full Agent. Each upgrade uses one license from the pool of purchased licenses. Agents can be downgraded back to Ghost mode in order to free up licenses, which can later be used to upgrade other Agents.

An operator can purchase additional Target Licenses to control more computers, or he can reuse any of his current Target Licenses by downgrading one of the currently monitored computers to Ghost mode. The Target License used by the removed computer goes back to the Target License pool and can be activated for another computer.

Example A.

• 5 Operator Licenses are purchased.

• DeepTrack Infection Agents can be installed on an unlimited number of target computers; however,

• Only 5 Operators can use the DeepTrack Administration Client in order to download and browse recorded activity.

Example B.

• 20 Target Licenses are purchased for Operator A.

• Operator A has installed 25 Infection Agents on target computers.

• All 25 Infection Agents are installed in Ghost mode, but the Operator can only upgrade 20 of them to Full mode in order to start recording and downloading data from them.

• He decides to downgrade 5 target computers to Ghost mode, which stops recording data on these computers.

• 5 Target Licenses are added back to the license pool and he can now upgrade 5 other Infection Agents to Full mode in order to start recording data.

Example C.

• 20 Target Licenses are purchased for Operator B.

• Operator B has installed 40 Infection Agents on target computers, which he needs to monitor all at the same time.

• Operator B purchases 20 new Target Licenses and loads them into the administration software.

• He successfully enables the new licenses for the remaining 20 Infection Agents and can now upgrade all 40 Infection Agents to Full mode.
