IEEE Spectrum July, 2007 - 19

location L." The software goes to location L and executes the instructions it finds there, that is, Z. In other words, a software patch works by replacing an instruction at the area of the code to be fixed with an instruction that diverts the program to a memory location in the correction area containing the new version of the code.

The challenge faced by the intruders was to use the RES's capabilities to duplicate and divert the bits of a call stream without using the dialog-box interface to the IMS, which would create auditable logs of their activities. The intruders pulled this off by installing a series of patches to 29 separate blocks of code, according to Ericsson officials who testified before the Greek parliamentary committee that investigated the wiretaps. This rogue software modified the central processor's software to directly initiate a wiretap, using the RES's capabilities. Best of all, for them, the taps were not visible to the operators, because the IMS and its user interface weren't used.

The full version of the software would have recorded the phone numbers being tapped in an official registry within the exchange. And, as we noted, an audit could then find a discrepancy between the numbers monitored by the exchange and the warrants active in the IMS. But the rogue software bypassed the IMS. Instead, it cleverly stored the bugged numbers in two data areas that were part of the rogue software's own memory space, which was within the switch's memory but isolated and not made known to the rest of the switch.

That by itself put the rogue software a long way toward escaping detection. But the perpetrators hid their own tracks in a number of other ways as well. There were a variety of circumstances by which Vodafone technicians could have discovered the alterations to the AXE's software blocks. For example, they could have taken a listing of all the blocks, which would show all the active processes running within the AXE, similar to the task manager output in Microsoft Windows or the process status (ps) output in Unix. They then would have seen that some processes were active, though they shouldn't have been. But the rogue software apparently modified the commands that list the active blocks in a way that omitted certain blocks (the ones that related to intercepts) from any such listing.

In addition, the rogue software might have been discovered during a software upgrade or even when Vodafone technicians installed a minor patch. It is standard practice in the telecommunications industry for technicians to verify the existing block contents before performing an upgrade or patch. We don't know why the rogue software was not detected in this way, but we suspect that the software also modified the operation of the command used to print the checksums, codes that create a kind of signature against which the integrity of the existing blocks can be validated. One way or another, the blocks appeared unaltered to the operators.

Finally, the software included a back door to allow the perpetrators to control it in the future. This, too, was cleverly constructed to avoid detection. A report by the Hellenic Authority for the Information and Communication Security and Privacy (the Greek abbreviation is ADAE) indicates that the rogue software modified the exchange's command parser (a routine that accepts commands from a person with system administrator status) so that innocuous commands followed by six spaces would deactivate the exchange's transaction log and the alarm associated with its deactivation, and allow the execution of commands associated with the lawful interception subsystem. In effect, it was a signal to allow operations associated with the wiretaps but leave no trace of them. It also added a new user name and password to the system, which could be used to obtain access to the exchange.

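One way an operator could catch the three back-door traits just described (padded commands, a silenced transaction log, an added account) is to review sessions from a record kept outside the exchange. This is an added example, not code from the article or from Ericsson; the independent capture point, the shared clock, the account names and the `CMD_*` commands are all assumptions constructed for illustration.

```python
def review_session(captured, transaction_log, approved_users):
    """Compare an independent session capture with the exchange's own log.

    captured:        [(timestamp, user, raw_line)] recorded outside the exchange
                     (assumed: a terminal server that keeps each line as typed)
    transaction_log: set of (timestamp, user, command) the exchange recorded
    approved_users:  accounts that are supposed to exist on the exchange
    """
    findings = []
    for ts, user, raw in captured:
        command = raw.rstrip(" \t")
        padding = len(raw) - len(command)
        if user not in approved_users:
            findings.append((ts, user, "account not on approved list"))
        if padding:
            findings.append(
                (ts, user, f"command padded with {padding} trailing whitespace chars"))
        # A command seen on the wire but absent from the exchange's own log
        # means logging was off or bypassed when it ran.
        if (ts, user, command) not in transaction_log:
            findings.append((ts, user, "no matching transaction log entry"))
    return findings


# Constructed sample data: names and commands are placeholders.
CAPTURED = [
    ("09:00:01", "oper1", "CMD_STATUS"),
    ("09:00:42", "newacct", "CMD_STATUS" + " " * 6),  # padded command
    ("09:00:55", "newacct", "CMD_SUBSYSTEM"),         # ran while log was off
    ("09:01:30", "oper1", "CMD_STATUS"),
]
TRANSACTION_LOG = {
    ("09:00:01", "oper1", "CMD_STATUS"),
    ("09:01:30", "oper1", "CMD_STATUS"),
}
APPROVED_USERS = {"oper1", "oper2"}

if __name__ == "__main__":
    for finding in review_session(CAPTURED, TRANSACTION_LOG, APPROVED_USERS):
        print(*finding, sep="  ")
```

The check only works because the capture is taken where the exchange's own software cannot alter it.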
Software that not only alters operating system code but also hides its tracks is called a "rootkit." The term is known to the public, if at all, because of one that the record label Sony BMG Music Entertainment included on some music CDs released in 2005. The Sony rootkit restricted copying of CDs; it burrowed into the Windows operating system on PCs and then hid its existence from the owner. (Sony stopped using rootkits because of a general public outcry.) Security experts have also discovered other rootkits for general-purpose operating systems, such as Linux, Windows, and Solaris, but to our knowledge this is the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch.

With all of this sophisticated subterfuge, how then was the rogue software finally discovered? On 24 January 2005, the perpetrators updated their planted software. That upgrade interfered with the forwarding of text messages, which went undelivered. These undelivered text messages, in turn, triggered an automated failure report.

At this point, the hackers' abilities to keep their modifications to the switch's AXE software suite secret met their limits, as it's almost impossible to hide secrets in somebody else's system.

The AXE, like most large software systems, logs all manner of network activity. System administrators can review the log files, and any events they can't account for as ordinary usage can be investigated.

It's impossible to overstate the importance of logging. For example, in the 1986 Cuckoo's Egg intrusion, the wily network administrator, Clifford Stoll, was asked to investigate a 75 U.S. cents accounting error. Stoll spent 10 months looking for the hacker, who had penetrated deep into the networks of Lawrence Livermore National Laboratory, a U.S. nuclear weapons lab in California. Much of that time he spent poring over thousands of log report pages.

The AXE, like most sophisticated systems nowadays, can help operators find the nuggets of useful information within the voluminous logs it generates. It is programmed to report anomalous activity on its own, in the form of error or failure reports. In addition, at regular intervals the switching center generates a snapshot of itself: a copy, or dump, of all its programs and data.

Dumps are most commonly consulted for recovery and diagnostic purposes, but they can be used in security investigations. So when Ericsson's investigators were called in because of the undelivered text messages, the first thing they did was look closely at the periodic dumps. They found two areas containing all the phone numbers being monitored and retrieved a list of them.

The investigators examined the dumps more thoroughly and found the rogue programs. What they found, though, was in the form of executable code, in other words, code in the binary language that microprocessors directly execute. Executable code is what results when a software compiler turns source code (in the case of the AXE, programs written in the PLEX language) into the binary machine code that a computer processor executes. So the investigators painstakingly reconstructed an approximation of the original PLEX source files that the intruders developed. It turned out to be the equivalent of about 6500 lines of code, a surprisingly substantial piece of software.
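The article's account of hidden block listings, suspect checksum output and revealing dumps comes down to one defensive rule: verify from a copy the running system cannot edit. The following added example (not from the article or from Ericsson) compares an offline dump with a trusted baseline and with what the live system reports; the block names, the dump layout and the use of SHA-256 are assumptions constructed for illustration.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_blocks(dump, baseline, live_listing, live_checksums):
    """Cross-check an offline dump against a baseline and the live views.

    dump:           {block name: bytes} parsed offline from a periodic dump
    baseline:       {block name: sha256 hex} recorded from trusted release media
    live_listing:   block names the running system reports as active
    live_checksums: {block name: sha256 hex} as printed by the running system
    """
    findings = []
    listed = set(live_listing)
    for name, code in sorted(dump.items()):
        actual = sha256(code)
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif actual != baseline[name]:
            findings.append((name, "content differs from baseline"))
        if name not in listed:
            findings.append((name, "in dump but hidden from live listing"))
        reported = live_checksums.get(name)
        if reported is not None and reported != actual:
            findings.append((name, "live checksum disagrees with dump"))
    for name in sorted(set(baseline) - set(dump)):
        findings.append((name, "in baseline but missing from dump"))
    return findings


# Constructed sample data; block names are placeholders, not real AXE blocks.
GOOD = {"BLOCK_A": b"original code A", "BLOCK_B": b"original code B"}
BASELINE = {name: sha256(code) for name, code in GOOD.items()}
DUMP = {
    "BLOCK_A": b"original code A",
    "BLOCK_B": b"original code B with a diverted instruction",  # patched
    "BLOCK_X": b"code that appears in no release",              # extra block
}
LIVE_LISTING = ["BLOCK_A", "BLOCK_B"]  # a subverted listing omits BLOCK_X
LIVE_CHECKSUMS = dict(BASELINE)        # a subverted command echoes old values

if __name__ == "__main__":
    for name, issue in audit_blocks(DUMP, BASELINE, LIVE_LISTING, LIVE_CHECKSUMS):
        print(f"{name}: {issue}")
```

Any disagreement between the offline view and the live view is itself the finding, whichever side turns out to be wrong.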

July 2007 | IEEE Spectrum | NA

http://www.spectrum.ieee.org
