Archive for July, 2007

Rootkit used in Vodafone Phone Tapping Affair

Thursday, July 12th, 2007

We have all heard about rootkits and how they are aimed mainly at ordinary users of Windows XP and Linux. I have written about rootkits in corporate espionage and how custom-designed, targeted rootkits will always be hard to spot. They are carefully created using undocumented features within the system kernel; if only the creator knows about those features, who is going to find the rootkit? And if such a rootkit is used for one unique purpose and installed on one system, the chances of it being found soon after its installation are small.
 
This is exactly what happened in what is known as The Athens Affair.

From Wikipedia:
“More than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year. The phones tapped included those of the Prime Minister Kostas Karamanlis and members of his family, the Mayor of Athens, Dora Bakoyannis, most phones of the top officers at the Ministry of Defense, the Ministry of Foreign Affairs, and the Ministry for Public Order, members of the ruling party, ranking members of the opposition the Panhellenic Socialist Movement party (PASOK), the Hellenic Navy General Staff, the previous Minister of Defense and one phone of a locally hired Greek American employee of the American Embassy. The phones of Athens-based Arab businessmen were also tapped.”
 
Basically what happened was that someone installed software to listen in on phone calls on an Ericsson exchange within Vodafone Greece. The software included a back door into the system, and both the software and the back door were hidden from detection for almost a year by a rootkit. The rootkit hid all evidence of the breach, including diverting call audit log entries into its own memory space. The system did not need a reboot after the software was installed, which helped the attackers avoid detection, and the rootkit also hid the attackers' tracks as they worked on the system.

The software worked in conjunction with what is called the IMS (Interception Management System) section of the Ericsson switch. The IMS is the facility that authorities can use to tap into phone calls. What makes this most interesting is that the switch, the Ericsson AXE, runs software written in a language called PLEX:
“PLEX (Programming Language for EXchanges) is a special-purpose, pseudo-parallel, event-based real-time language developed by Ericsson. The language is designed exclusively for telephony systems and is used in central parts of the AXE telephone switches. It has been continuously evolving since the 1970’s when it was originally designed”
 
The breach was eventually found because the attackers had updated the software on the switch, which in turn had an adverse effect on the text messaging service. Vodafone called in Ericsson, who manufactured the switch, and they eventually discovered the installed software and the rootkit. The malicious software was made up of thousands of lines of code.

The attackers were never found. The malicious software was shut down as soon as it was discovered, and this would have signalled to the attackers that it was time to destroy any evidence they held, such as the phones used to listen in on the calls.

If this level of infiltration was carried out and kept hidden for a year, then I think we will see more of its type in the future. Rootkits are simply too useful to attackers when it comes to hiding malicious software. The Athens Affair proves that.

Keep Safe
regards
Steo

References:

IEEE Spectrum: The Athens Affair

A Formal Semantics for PLEX

Ericsson Interception Management System Manual

Abnormal activity from your IP…yeah sure

Monday, July 9th, 2007

There is another Storm Worm outbreak at the moment. The attackers are using the same social-engineering tactic that was used last April (see Forecast - Massive Storms clouded by Rootkits).
The way it works is that after a Storm Worm outbreak, such as the 4th of July e-card outbreak, users get an email saying they are infected and should download a patch to fix it or their account will be suspended.

On the 4th of July emails were spammed out to millions of users with a link pretending to be an e-card for the 4th of July celebrations.
The subjects included:

4th Of July Celebration
American Pride, On The 4th
America’s 231st Birthday
Americas B-Day
America the Beautiful
Celebrate Your Independence
Celebrate Your Nation
Fireworks on The 4th
Fourth of July Party
God Bless America
Happy 4th of July
Happy B-Day USA
Happy Birthday America
Happy Fourth of July
Independence Day At The Park
Independence Day Celebration
Independence Day Party
July 4th B-B-Q Party
July 4th Family Day
July 4th Fireworks Show
Your Nations Birthday

If a user clicked on the link they downloaded Troj/JSEcard-A, which in turn downloaded a Nuwar variant (WORM_NUWAR.HC).

The same spammers have now sent out millions of emails warning users that their PC is infected and that they should download a patch file to fix it.
The email looks like this (thanks Dan):

Worm Alert!
Dear Customer,Our robot has detected an abnormal activity
from your IP adress on sending e-mails. Probably it is connected with the
last epidemic of a worm which does not have official patches at the
moment.We recommend you to install this patch
to remove worm files and stop email sending, otherwise your account will be
blocked.
Administrator

The attackers are playing on the publicity the 4th of July worm got. Many users will have it in the back of their mind as they read the latest email, think it is legitimate, and "install" the patch, only to be added to the massive botnet that has grown out of these spamming campaigns.
If you think you have downloaded your 4th of July e-card or installed the patch to correct it, then you should download some anti-rootkit software from our software page and check your system out, as Nuwar is known to carry a rootkit to hide its suspicious activity.
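Both lures described above are easy to recognise from their text alone. As an added example (it is not part of the original post and not a vendor tool), the Python filter below scores a message against the e-card subject list and the stock phrases of the "Worm Alert!" email. The sample messages are constructed for the example, and the address in the first one is from the documentation range, not a real malware host.

```python
import re
from dataclasses import dataclass

# Subject lines the post lists for the 4th of July e-card run.
ECARD_SUBJECTS = [
    "4th Of July Celebration", "American Pride, On The 4th",
    "America's 231st Birthday", "Americas B-Day", "America the Beautiful",
    "Celebrate Your Independence", "Celebrate Your Nation",
    "Fireworks on The 4th", "Fourth of July Party", "God Bless America",
    "Happy 4th of July", "Happy B-Day USA", "Happy Birthday America",
    "Happy Fourth of July", "Independence Day At The Park",
    "Independence Day Celebration", "Independence Day Party",
    "July 4th B-B-Q Party", "July 4th Family Day", "July 4th Fireworks Show",
    "Your Nations Birthday",
]

# Phrases lifted from the "Worm Alert!" follow-up lure quoted in the post.
# The spam's own misspelling ("adress") is kept on purpose.
WORM_ALERT_PHRASES = [
    "worm alert", "abnormal activity", "from your ip adress",
    "does not have official patches", "install this patch",
    "account will be blocked",
]

LINK_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


def normalize(text: str) -> str:
    """Lower-case, fold curly apostrophes and reduce punctuation runs to
    single spaces so that the curly and straight spellings of
    "America's 231st Birthday" compare equal."""
    text = text.replace("\u2019", "'").lower()
    text = re.sub(r"[^a-z0-9]+", " ", text)
    return text.strip()


NORMALIZED_SUBJECTS = {normalize(s) for s in ECARD_SUBJECTS}


@dataclass
class Verdict:
    suspicious: bool
    reasons: list


def classify(subject: str, body: str) -> Verdict:
    """Return a Verdict for one message. A subject from the e-card list only
    counts when the body also carries a link, so a genuine "Happy 4th of July"
    note from a friend is not flagged; the fake patch warning is flagged when
    two or more of its stock phrases appear in the subject or body."""
    reasons = []
    nsubj = normalize(subject)
    text = nsubj + " " + normalize(body)

    if nsubj in NORMALIZED_SUBJECTS and LINK_RE.search(body):
        reasons.append("subject matches the 4th of July e-card run and body carries a link")

    hits = [p for p in WORM_ALERT_PHRASES if p in text]
    if len(hits) >= 2:
        reasons.append("message reuses Worm Alert lure phrases: " + ", ".join(hits))

    return Verdict(bool(reasons), reasons)


# Constructed sample messages (not real captures).
SAMPLES = [
    ("Happy 4th of July",
     "Someone has sent you an e-card. View it here: http://192.0.2.10/ecard.exe"),
    ("Worm Alert!",
     "Dear Customer,Our robot has detected an abnormal activity from your IP adress "
     "on sending e-mails. We recommend you to install this patch to remove worm files, "
     "otherwise your account will be blocked. Administrator"),
    ("Happy 4th of July", "Hi Mum, see you at the barbecue on Saturday."),
    ("June invoice", "Please find the June invoice attached. Regards, Accounts."),
]


def scan(samples=SAMPLES):
    """Classify every sample and return (subject, suspicious) pairs."""
    return [(subj, classify(subj, body).suspicious) for subj, body in samples]


if __name__ == "__main__":
    for subj, body in SAMPLES:
        verdict = classify(subj, body)
        print(("FLAG " if verdict.suspicious else "ok   ") + subj, verdict.reasons)
```

The two rules are deliberately conservative: the subject list on its own would flag every friendly holiday greeting, so it only fires together with a link, and a single lure phrase such as "worm alert" in an unrelated message is not enough to trip the second rule.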

Keep Safe
regards
Steo
www.antirootkit.com

References:
4th of July Ecard
Postcards or patches?

Is that a Rootkit on your Windows Mobile device?

Wednesday, July 4th, 2007

With so many mobile devices around these days, and so many of them running Windows Mobile or Windows CE, it is no wonder that the researchers at the top are already thinking about how these devices can be hacked and rootkits installed on them.

The rootkit could be used to hide a keylogger (or would that be a stylus-press logger?) and send the valuable information back to its author.

The article on the Symantec Blog today shows that their researchers have already looked into the possibility of rootkits hiding keyloggers on these devices, and they have produced an internal whitepaper (no doubt it will be leaked :-) ).

“The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger in the compact .NET framework and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.”

What we are left with is not a question of "if" we will see a Windows CE/Mobile rootkit, but of when. Their research shows that rootkits are possible on Windows CE/Mobile devices; it is just a matter of when it becomes profitable for a malware author to actually create one and put it into practice.

At some stage in the future we could reach the point where simply answering a phone call on your Windows Mobile device gets a keylogger and rootkit installed through some vulnerability.

Keep Safe,
regards

Steo
www.antirootkit.com

References: Windows CE/Mobile Rootkits

Phoney Free iPhone but a Real Rootkit

Monday, July 2nd, 2007

Secure Computing has released information about a new spammed email telling users that they have won a new iPhone from an online store. The email contains a link promising the reader a free iPhone, and when the user clicks on it they are taken to a website that downloads a spam bot and a rootkit.

The subject of the message is “Congratulations, you have won a new iPhone from our store!”

“Should the victim fall for the social engineering attack, clicking on a link directs the user’s browser to a web page that contains malware that exploits 10 ActiveX vulnerabilities in order to install a malicious payload including an MSODataSourceControl vulnerability.”

The servers that host the malware also keep track of their visitors: if someone is seen revisiting the malware site, they are redirected to the genuine store's site instead. This is done to make it hard for researchers to get a good look at the malicious page.

This technique of compromising websites and in turn using them to infect PCs is being used more and more by hackers and malware authors. Combined with social engineering and spam, it gives malware authors a very effective platform for spreading their creations.

Take Care,

regards

Steo

References:
http://www.itpro.co.uk/news/118791/new-malware-exploits-iphone-popularity.html

http://www.itwire.com.au/content/view/13268/53/