Anti Rootkit Blog

We have all heard about Rootkits and how they are aimed mainly at normal users of Windows XP and Linux. I have written about Rootkits in Corporate Espionage and how custom designed and targetted Rootkits will allways be hard to spot. They are carefully  created using undocumented features within the system kernel. If only the creator knows then who can find it? Now if this rootkit is used for one unique purpose, installed on one system, then the chances of it being found soon after it’s installation are small.
 
This is exactly what happened in what is known as The Athens Affair.

From Wikipedia:
“More than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year. The phones tapped included those of the Prime Minister Kostas Karamanlis and members of his family, the Mayor of Athens, Dora Bakoyannis, most phones of the top officers at the Ministry of Defense, the Ministry of Foreign Affairs, and the Ministry for Public Order, members of the ruling party, ranking members of the opposition the Panhellenic Socialist Movement party (PASOK), the Hellenic Navy General Staff, the previous Minister of Defense and one phone of a locally hired Greek American employee of the American Embassy. The phones of Athens-based Arab businessmen were also tapped.”
 
Basically what happened was someone had installed software to listen in on phone calls on an Ericsson Exchange within Vodafone Greece. The software included a back door to the system. The software and backdoor were hidden for almost one year from detection by an installed rootkit. The rootkit hid all evidence of any breach of security including diverting call audit log entries to its own memory space. The system the software was installed on did not need a reboot after installation helping the attackers to avoid detection. The rootkit also hid the hackers tracks as they infiltrated the system.

The software worked in conjunction with what is called the IMS ( Interception Management System ) section of the Ericsson switch. The IMS can be used by authorities to tap into phone calls. What makes this most interesting is that the switch system called AXE has software written in a language called PLEX.
“PLEX (Programming Language for EXchanges) is a special-purpose, pseudo-parallel, event-based real-time language developed by Ericsson. The language is designed exclusively for telephony systems and is used in central parts of the AXE telephone switches. It has been continuously evolving since the 1970’s when it was originally designed”
 
The breach of security was eventually found because the hacker had updated the software on the switch which in turn had an adverse affect on the text messaging service. Vodafone called in Ericsson who manufactured the switch and they eventually discovered the installed software and rootkit. The malicious software was made up of 1000’s of lines of code.

The attackers were never found. The malicious software was shut down when found and this would have given a signal to the attackers to destroy any evidence they may have like the phones used to listen in on the calls.

If this level of infaltration was carried out and kept hidden for a year then I think that we will see more of it’s type in the future. Rootkits are too good to be true to attackers when it comes to hiding malicious software. The Athens Affair proves that.

Keep Safe
regards
Steo

References:

IEEE Spectrum: The Athens Affair

A Formal Semantics for PLEX

Ericsson Interception Management System Manual

JSharp in a blog entry recently, highlighted the potential of ID-triggered Rootkits, Rootkits that activate when they have reached a “Target” victim. This high profile victim could be a large company with a lot of Intellectual Property and a lot less security.
This does seem far-fetched to the average person but it has happened in the past and it will become more prevalent in the future.

Companies who are in a very competitive environment can only survive if they have the edge over their competitors. This edge can take many forms but information is the key. Information about competitor’s products, techniques, processes and sales are extremely valuable when making decisions about the future.

There would be no problem for an attacker to offer a low paid programmer a lot of money to write a rootkit that is undetectable by any of the current rootkit scanners.  Earlier this year rootkit maker of HackerDefender, an extremely powerful rootkit, had a service whereby an undetectable version of Hacker Defender was made for a price. This super stealth service is now unavailable.

The Attacker could then purchase a zero day exploit, and unknown program vulnerability, from one the many sites offering them.  There is a lot of money to be made from finding holes in software and selling the information or ready to go code for thousands of dollars. 
 
One form of rootkit delivery is via a compromised website. A malware creation kit called Webattacker contains scripts that could check out the version of the visiting user’s browser and send down a rootkit and its payload.  This payload could be a keylogger, perfect for capturing usernames and passwords for later attacks. It could also include file capturing software that could gather up Word documents, Spreadsheets or any other file type that could hold valuable information ready to be sent back via the same route it came in.

Another form of delivery is via email.  Craftily created emails could be sent to employees enticing them to open safe looking attachments and then to release the rootkit and it’s payload.  This happened in May of this year. A large, high profile, unnamed, company in Asia was targeted by an alleged criminal gang.  An email was sent to certain employees in the unnamed company.  The email contained a Word Document that in some way related to the employees area of work.  The Word Document contained exploit code that was unknown to everyone in the world except for the attacker.  The exploit code was then able to give the attack complete control over the employees PC.  This hole in Microsoft Word was patched by Microsoft some months later.  I am sure though that there are many companies out there that are still vulnerable because they have not patched or updated their Office Software.

“Detection is mostly the very hard part in these attacks. This case seems to have been detected by a very alert user detecting a domainname in an email that wasn’t completely right.
That user detected an email coming in that originated from a domain that looked like their own, but wasn’t their own (actually only had an MX record in it). The email was written to look like an internal email, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.” http://isc.sans.org/diary.php?storyid=1345
 
Arrests were made earlier this year in London and Israel after a company found it had rogue software or malware on their PC’s.  It turned out a married couple in London had written software that collected files that were then sent to a rival competitor. This software was used by “Private Investigators” to retrieve information from the competitors companies.

“Companies probed by the Israeli authorities in connection with the case include mobile phone operators, Cellcom and Pelephone, and satellite television provider YES. All firms have denied any wrong doing. The Trojan horse is said to have spied upon the Rani Rahav PR agency (whose clients include Israel’s second biggest mobile phone operator, Partner Communications), and the HOT cable television group. Mayer, a company which imports Volvo and Honda cars to Israel is suspected of having spied on rival Champion Motors, who import vehicles made by Audi and Volkswagen.” http://www.sophos.com/pressoffice/news/articles/2006/01/israeliesp.html

So there you have it. All an attacker bent on Industrial Espionage for gain has to do is get an undetectable rootkit. Package it with a file gathering payload. Deliver it via an unknown exploit to the target company and wait for all the companies’ information to flowing in.

This is why it is important for companies to have software installed on each machine that will stop software getting on to the machine in the first place.

Keep Safe,

regards
Steo
www.antirootkit.com