Rootkits in der griechischen Abhör-Affäre

Die politischen Lektionen aus der Abhöraffäre in Griechenland sind unklar, weil gerade die wichtigsten Beweise verloren gegangen sind, etwa bei der Logrotation. Man weiß immer noch nicht, wer hinter dem Unternehmen steckt und wer mitgehört hat. (Hier im Büro kursiert das Gerücht, dass „bestimmt“ die CIA hinter all dem stecken wird.)
Immerhin sind einige der technischen Fehler, die beim Versuch der Aufklärung begangen wurden, bekannt. Ein ausführlicher Artikel, An Athens Affair, steht im Magazin der IEEE und erläutert, dass in einer handvoll Rechenzentren des betroffenen Mobilfunk-Providers Rootkits installiert wurden:

Dumps are most commonly consulted for recovery and diagnostic purposes, but they can be used in security investigations. So when Ericsson’s investigators were called in because of the undelivered text messages, the first thing they did was look closely at the periodic dumps. They found two areas containing all the phone numbers being monitored and retrieved a list of them.

The investigators examined the dumps more thoroughly and found the rogue programs. What they found though, was in the form of executable code—in other words, code in the binary language that microprocessors directly execute. Executable code is what results when a software compiler turns source code—in the case of the AXE, programs written in the PLEX language—into the binary machine code that a computer processor executes. So the investigators painstakingly reconstructed an approximation of the original PLEX source files that the intruders developed. It turned out to be the equivalent of about 6500 lines of code, a surprisingly substantial piece of software.

The investigators ran the modules in simulated environments to better understand their behavior. The result of all this investigative effort was the discovery of the data areas holding the tapped numbers and the time stamps of recent intercepts.

With this information on hand, the investigators could go back and look at earlier dumps to establish the time interval during which the wiretaps were in effect and to get the full list of intercepted numbers and call data for the tapped conversations—who called whom, when, and for how long. (The actual conversations were not stored in the logs.) […]

Just as we cannot now know for certain who was behind the Athens affair or what their motives were, we can only speculate about various approaches that the intruders may have followed to carry out their attack. That’s because key material has been lost or was never collected. For instance, in July 2005, while the investigation was taking place, Vodafone upgraded two of the three servers used for accessing the exchange management system. This upgrade wiped out the access logs and, contrary to company policy, no backups were retained. Some time later a six‑month retention period for visitor sign-in books lapsed, and Vodafone destroyed the books corresponding to the period where the rogue software was modified, triggering the text-message errors.

Traces of the rogue software installation might have been recorded on the exchange’s transaction logs. However, due to a paucity of storage space in the exchange’s management systems, the logs were retained for only five days, because Vodafone considers billing data, which competes for the same space, a lot more important. Most crucially, Vodafone’s deactivation of the rogue software on 7 March 2005 almost certainly alerted the conspirators, giving them a chance to switch off the shadow phones. As a result investigators missed the opportunity of triangulating the location of the shadow phones and catching the perpetrators in the act.

Eine Ergänzung

Wir freuen uns auf Deine Anmerkungen, Fragen, Korrekturen und inhaltlichen Ergänzungen zum Artikel. Bitte keine reinen Meinungsbeiträge! Unsere Regeln zur Veröffentlichung von Ergänzungen findest Du unter Deine E-Mail-Adresse wird nicht veröffentlicht.