Rootkit used in Vodafone Phone Tapping Affair
Thursday, July 12th, 2007

We have all heard about rootkits and how they are aimed mainly at ordinary users of Windows XP and Linux. I have written about Rootkits in Corporate Espionage and how custom-designed and targeted rootkits will always be hard to spot. They are carefully built on undocumented features of the system kernel, and if only the creator knows those features, who is going to find it? If such a rootkit is then used for one unique purpose and installed on a single system, the chances of it being found soon after its installation are small.
This is exactly what happened in what is known as The Athens Affair.
From Wikipedia:
“More than 100 mobile phone numbers belonging mostly to members of the Greek government and top-ranking civil servants were found to have been illegally tapped for a period of at least one year. The phones tapped included those of the Prime Minister Kostas Karamanlis and members of his family, the Mayor of Athens, Dora Bakoyannis, most phones of the top officers at the Ministry of Defense, the Ministry of Foreign Affairs, and the Ministry for Public Order, members of the ruling party, ranking members of the opposition the Panhellenic Socialist Movement party (PASOK), the Hellenic Navy General Staff, the previous Minister of Defense and one phone of a locally hired Greek American employee of the American Embassy. The phones of Athens-based Arab businessmen were also tapped.”
What happened, in short, was that someone installed software on an Ericsson exchange inside Vodafone Greece to listen in on phone calls. The software included a back door into the system. Both the software and the back door were kept hidden from detection for almost a year by an installed rootkit, which concealed all evidence of the breach, including diverting call audit log entries into its own memory space. The system did not need a reboot after the software was installed, which helped the attackers avoid detection, and the rootkit also hid the hackers' tracks as they infiltrated the system.
The software worked in conjunction with the IMS (Interception Management System) section of the Ericsson switch, the lawful-intercept facility that authorities can use to tap phone calls. What makes this most interesting is that the switch system, called AXE, runs software written in a language called PLEX.
“PLEX (Programming Language for EXchanges) is a special-purpose, pseudo-parallel, event-based real-time language developed by Ericsson. The language is designed exclusively for telephony systems and is used in central parts of the AXE telephone switches. It has been continuously evolving since the 1970s when it was originally designed.”
The breach was eventually found because the hacker had updated the software on the switch, which in turn had an adverse effect on the text messaging service. Vodafone called in Ericsson, the manufacturer of the switch, and they eventually discovered the installed software and the rootkit. The malicious software was made up of thousands of lines of code.
The attackers were never found. The malicious software was shut down as soon as it was discovered, which would have signalled to the attackers that it was time to destroy any evidence they still held, such as the phones used to listen in on the calls.
If this level of infiltration was carried out and kept hidden for a year then I think that we will see more of its type in the future. Rootkits are too good to be true for attackers when it comes to hiding malicious software. The Athens Affair proves that.
Keep Safe
regards
Steo
References: