Chapter 1 / Empty Cup Mind
Who Builds State-of-the-Art Rootkits?
When it comes to rootkits, our intelligence agencies rely heavily on private sector technology. Let's face it: Intelligence is all about acquiring data (sometimes by illicit means). In the old days, this meant lock picking and microfilm; something I'm sure that operatives with the CIA excelled at. In this day and age, valuable information in other countries is stockpiled in data farms and laptops. So it's only natural to assume that rootkits are a standard part of modern spy tradecraft. For instance, in March 2005 the largest cellular service provider in Greece, Vodafone-Panafon, found out that four of its Ericsson AXE switches had been compromised by rootkits.
These rootkits modified the switches to both duplicate and redirect streams of digitized voice traffic so that the intruders could listen in on calls. Ironically, the rootkits leveraged functionality that was originally in place to facilitate legal intercepts on behalf of law enforcement investigations. The rootkits targeted the conversations of more than 100 highly placed government and military officials, including the prime minister of Greece, ministers of national defense, the mayor of Athens, and an employee of the U.S. embassy. The rootkits patched the switch software so that the wiretaps were invisible, none of the associated activity was logged, and the rootkits themselves were not detectable. Moreover, the rootkits included a back door to enable remote access. Investigators reverse-engineered the rootkit's binary image to create an approximation of its original source code. What they ended up with was roughly 6,500 lines of code. According to investigators, the rootkit was implemented with "a finesse and sophistication rarely seen before or since."[50]
The Moral Nature of a Rootkit
As you can see, a rootkit isn't just a criminal tool. Some years back, I worked with a World War II veteran of Hungarian descent who observed that the moral nature of a gun often depended on which side of the barrel you were facing. One might say the same thing about rootkits.
In my mind, a rootkit is what it is: a sort of stealth technology. Asking whether rootkits are inherently good or bad is a ridiculous question. I have no illusions about what this technology is used for, and I'm not going to try to justify, or rationalize, what I'm doing by churching it up with ethical window
[50] Vassilis Prevelakis and Diomidis Spinellis, "The Athens Affair," IEEE Spectrum Online, July 2007.