Trojan Horse Page 5
“We make every effort to determine the cause of any crash rather than take chances. We’ve found no evidence of a virus in fact.” Blake cleared his throat. “As I understand the process from this point on, to determine if the file is infected I have to trace data from the point of the crash, through God knows how many paths, each one potentially being the source of the vulnerability. Have I got that right?” Jeff nodded. “I’ve never done that before so you can see my problem. We want you to determine if there is a virus and if so, find out as much about it as you can, including who made it and what it’s up to.”
A corrupted file can be spotted, usually quite easily since it’s visibly different. But an infected file was not necessarily outwardly corrupt. It could look and behave in a perfectly normal fashion. Jeff asked which antivirus programs he’d run and Blake provided the names of the five most commonly used.
“You did right,” Jeff said. “If this document is infected you could have a virus spreading throughout your network and exfiltrating data even as we speak.” He pulled out his own laptop and looked for a place to put it. “Let’s get started. Frankly, I’m dead from the flight but we’ll see how much steam I’ve got left.”
Jeff sat before Walthrop’s computer and linked to it. Next, Blake stepped him through the document’s folder and showed him the problematic file. Jeff launched a Windows virtual machine on his own laptop to serve as the laboratory and a sandbox in which he could experiment while keeping the virus contained. His first step was to configure the machine to match the characteristics of Walthrop’s as closely as he could. He then confirmed that his virtual machine was running the same version of Windows, including the updates. Then he installed OfficeWorks, also making certain it had the same updates as Walthrop’s version and configured the program in exactly the same way. Every detail could potentially be significant if the malware was specifically targeted at Walthrop.
With his test environment ready, Jeff copied the infected OfficeWorks document into the virtual machine. He now unleashed a host of automated tools so that they were ready to watch for any sign of compromise. These were scripts, sequences of commands that executed other programs, or were operating system functions, stand-alone programs that picked apart the document searching for anomalies and signs of common attack vectors. In the old days, this had been done manually and the work had been both slow and tedious.
In his laptop’s test environment where a potential virus could cause no damage he attempted to open the file. It made no difference if it crashed or not. If it did, then he could begin figuring out how to get OfficeWorks to work; if it didn’t, he could skip that step and start figuring out what the virus was ultimately trying to do.
The file failed to open. This might indicate nothing of significance as the program could have a bug that was only indirectly triggered by this particular file. Or the problem could be malware that was trying to burrow into the computer, but had hit something unexpected and failed. That was what Blake and Yates feared. If that was the case, whatever was in there had encountered an environment for which it was not programmed, meaning there was a flaw in the malware’s assumptions, causing it not to execute. For now Jeff would act with the assumption he was dealing with malware.
On his laptop were diagnostic programs that were the result of thousands of hours of work. They included the standard diagnostic and recovery tools used by everyone in his profession, but over the years he’d added a collection of very useful utilities. So valuable was the information that it was copied to several DVDs he’d secreted here and there, two of which were in safe deposit boxes. He’d once laughingly told Daryl he was thinking about having them insured.
“Okay,” Jeff said, “let’s first see if it’s a fresh variation of an existing virus.”
“Would that be good?” Blake asked.
“Oh yes, I can catch a variation pretty quickly and the fix is often a snap. We’ll know soon enough.”
New variants were the most common causes of infiltrations. An old virus became increasingly less effective as antivirus programs learned to sniff it out. The next step for the author was to alter it just enough to sneak in under the radar. Thousands of new pieces of malware were unleashed onto the Internet every month and the number was growing. Most were variations and such a variation was the most likely explanation for this problem.
Of course, no virus could actually alter an OW file, not without it looking like gibberish. Jeff didn’t want to seriously consider the alternative.
“Elliot, what do you know about the man in Geneva?” he asked while he waited.
“Only what Mr. Walthrop says, which is that he’s a civil servant with UNOG. They have a professional association. They both serve on an Iranian economic development committee.”
Jeff was inclined to think it most likely the man in Geneva was lying, as the digital signature had not been altered. It was impossible, absolutely impossible, to alter an OW document and not change the signature since it was embedded in the file. It seemed a silly claim for someone to make but he’d seen and heard of much worse from so-called professionals.
He now scanned the registry settings. Most often, malware created new entries there. This told the operating system to activate the virus whenever the computer was turned on, or when the user logged in. He spent some time checking every suspicious program reference or bit of code he didn’t recognize. Then he’d locate the code’s file and confirm it originated with a company. Malware rarely had such information. In some cases he conducted an Internet search to locate information about the file. Sometimes the suspect file had already been flagged as malware. It was tedious but had to be done.
Jeff was pleased with the level of security he found on the system, though he’d expected nothing less from such a high-priority office. Still, he knew from experience that agencies and businesses that should know better often had appalling computer security. He routinely found antivirus programs that were no longer current. Most of the malware he located had slipped in because someone had left the door open.
The scope of the harm viruses caused was enormous and not generally appreciated by the public. What they saw in their personal lives wasn’t the tip of the iceberg, not even the tip of the tip of the iceberg. Compromised government agencies didn’t want to reveal the extent of the damage for obvious reasons. It was no different with businesses. Personal and financial data was routinely stolen. Internet crime netted well over $100 billion annually and there was no end in sight. Organized cybercrime operations in Eastern Europe were becoming more sophisticated every month.
The worst part, from Jeff’s perspective, was that most individuals and companies had no idea they’d been hacked. Malware was so common he found at least some of it in nearly every computer network he examined. The only good news was that most did not do any great harm. It was obsolete or improperly designed, or cut off from its “bot herder” and left dormant.
Malware found its way into computers through two routes. The recipient inadvertently admitted the virus by opening an attachment or Web link, usually believing it was something it was not. Or the virus prowled the Internet, knocking on the doors of every connected computer, searching for vulnerability in an application or even within the operating system itself. Computers were so complicated any number of such vulnerabilities existed when software was released, whether new or an updated version. As they were discovered, usually because they’d allowed malware in, they were patched and closed. The problem with this approach was that there was always a period between infection and patching when bad things could happen.
Sometime later, Jeff said, “Okay, Elliot, I see nothing known so we can rule out the easiest solution. Whatever you’ve got is brand-new. Now let’s see if we can get the thing to execute.”
“You want it to work?” Blake said, sounding shocked.
“That way we can examine it for clues as to its origin and purpose,” Jeff said. “I’d have a seat; this will take a while.”
Once he’d started the process Jeff said, “Okay, it’s almost certainly using a zero day vulnerability.” Zero day was the term used to identify software bugs for which no fix existed because it had not as yet been discovered. Since a zero day vulnerability wasn’t yet known it was the most effective device for spreading malware as any computer with the vulnerability was wide open to cyber-attack.
OfficeWorks had improved its security enormously in recent years and was perhaps the most vetted word-processing program in existence. It was coded and built with the latest defense-in-depth antimalware technologies and only a handful of exploitable vulnerabilities had been discovered in it since the release of the newest versions. It was also designed to isolate any malware into a digital sealed room to prevent contamination elsewhere. But for all its design sophistication and vetting Jeff was not surprised that a zero day vulnerability existed in its latest manifestation. Such programs were so complex with so many authors they were never entirely secure.
Zero day vulnerabilities were a worst-case scenario for those involved in cyber-security. It had been just such vulnerabilities that had made the massive Al Qaeda attack two years before so devastating, even though the efforts of Jeff and Daryl had significantly blunted its intent. Without them the damage, and loss of life, would have been much, much worse.
Jeff rose and poured a large cup of black coffee. He drank half, then placed it down. He set his wristwatch to a two-hour timer. He’d learned the hard way that at least once every two hours he had to stretch and walk about a bit if he was to keep at this. Most problems he solved demanded a single extended engagement typically lasting eighteen hours. At that point his mental acuity declined significantly. He suspected that wasn’t going to work in this case, especially as he was already exhausted.
He sat down, took another pull of the black coffee, then loaded OfficeWorks into a debugger tool. A debugger is a program that enables a developer or, in this case, a security researcher, to control the execution of another program. It could be paused, which made it possible to step through individual CPU processor instructions, and it could be configured to pause when a specific instruction or set of conditions was satisfied. When the program was paused, the debugger enabled Jeff to view its state, including the value of all its variables. In many ways, it was like a dissection kit, letting him peer beneath the surface of the program, both observing and controlling its operation to unearth how it worked. He knew that all sophisticated malware had “anti-debugging” mechanisms, but he also knew how to defeat the most common techniques, including those that tried to prevent debugging in a virtual machine.
Once the debugger was running Jeff opened the suspect document. The debugger reported at once that OfficeWorks would not open; in so doing it accessed an invalid memory address, causing OfficeWorks to crash. So that he could more easily map the execution of the program to that point, he decided to run OfficeWorks under a special version of the debugger obtained from friends at Microsoft. It enabled him to “rewind” the program to earlier points. With this he began to step backward in the program to determine what OfficeWorks flaw the malware intended to exploit. It was as if the virus had been running an obstacle course, surmounting each barrier with ease until it came to the one it could not cross. Jeff’s job now was to find that point.
This was one of the more painstaking phases of the overall process, requiring Jeff to type notes recording all the branches the OfficeWorks program followed and the values of the data it passed. He was searching for a spot where, if something was different in one of the values, OfficeWorks would follow a path resulting in a buffer overflow, a condition in which a bug wrote data beyond the region allocated for it. Most malware infections started with just such a buffer overflow, which would cause the program to inadvertently execute code it wasn’t programmed for, code controlled by the malware’s author.
Always daunting, this time the process was especially difficult and Jeff found himself slowly overwhelmed as the day dragged on. At one point Blake had a light meal brought in, at another he suggested Jeff join him for tea. All very English, Jeff thought, munching on one of the butter cookies they called biscuits.
Throughout the afternoon and into the evening the permutations exploded and the complexity of the paths was nearly more than Jeff could grasp. But at last he located an OfficeWorks execution that accessed data in the suspect document ultimately triggering the invalid access. This, he knew, was the malware’s entry point, but there had been something about Walthrop’s environment that foiled it. If things had been as the author wanted this would have executed the OW document.
He’d suggested to Daryl at one point that afternoon that he might need her help and she’d assured him that she’d have the time. Despite her evident distraction during their brief conversation she said she was down to the final stages with her project and would be leaving shortly. Hoping she was free and home by now he sent her a message on mIRC, an encrypted chatting program used when they worked together remotely. He briefly summarized the issue and informed her that he’d found the entry point.
“Here’s the malicious data sequence,” he finished. “See what you can come up with.” The code within a virus often contained hints as to its origin, sometimes even about its author. Carelessness and vanity were two of their most powerful assets with any new virus.
A few minutes later her reply arrived. “Back home. Will see what I can do. Luv u.”
Now Jeff used the debugger to change the value at the point where OfficeWorks referenced it to the value that would allow OfficeWorks to execute the buffer overflow as the virus was intended to do.
It worked.
He watched the malware expand and decrypt itself into the memory of OfficeWorks and then activate. This part of his job was typically satisfying since it usually meant the beginning of the end, the time when he’d find a solution.
But there was more to it than that. There was something fascinatingly malevolent about a virus as it revealed itself, like a cancer spread through an otherwise healthy system. It modified everything it wanted to control, even bits of code for which it had no use. It was arrogant and self-possessing. It was, Jeff often thought, almost alive.
This was where he’d see the anti-debugging techniques. If one was in play in the execution of a CPU instruction it would behave differently than usual. Another common tell was the execution of a long string of useless instructions, one that would take days to step through. Such a sequence was integral to the malware’s correct operation. Jeff had so much experience he knew how to spot these sequences and set “conditional breakpoints” that halted execution at key points, including one close to where the sequence was set to finish.
This virus installed itself in the memory of the OfficeWorks process, then reached out and inserted itself into a critical system process, one that kept Windows alive, performing background operations on behalf of the operating system and other processes. If things had been as the author wanted, the virus would now be in position to execute within OfficeWorks. He watched as it set a timer. That done, it quietly went to sleep.
“It’s got a timer,” he said to Blake with a smile.
“A timer?” he repeated.
“It set an alarm clock, a timer to activate randomly every twelve to twenty-four hours.”
“Why would it do that?”
“Because it’s harder to spot when it’s asleep. But we’re not waiting for it.” Jeff overrode the timer and told the virus to wake up now. This allowed him to see what it did.
It was well into the night by now. The corridor outside had been silent for some time. Blake had glanced at his wristwatch repeatedly, finally commenting that the American sure seemed to work long hours. Jeff was exhausted but his breakthrough compelled him to press on. Over the next three hours he monitored the malware’s execution using both the debugger and another tool that recorded every change the virus made.
With his monitoring tools Jeff searched for the saved or modified files it created. Seeing none he searched for an update to the registry configuration database, typical alterations done by all malware he’d looked at before. What he found was . . . nothing.
The virus left no tracks.
This came as a great surprise. Though this virus had been cleaner than most he encountered, until this moment he’d had no great respect for the author. The techniques he’d observed had been pioneered by others. But this was impressive. It was as if the malware had walked across virgin snow without leaving a print.
He had known this technique was coming and dreaded the day. Authors of malware knew that rootkit scans were becoming increasingly common and rootkits could no longer be relied on to conceal a virus. With this new technique the author was adopting a fresh, and very effective, method in the never ending race for digital stealth. As it spread, and it surely would, viruses would become increasingly difficult to locate.
This was the first time Jeff had seen it employed. If someone were to analyze the system at this point they’d see no sign of the infection. They’d have to know precisely where in the system process to look for the copy of the malware loaded into memory. That would be like trying to find a book in a major library without the Dewey decimal system.
He told Blake what he’d just discovered.
“You mean it makes no modifications to the system, so it can’t be discovered?” Blake said. “I’ve never heard of such a thing. I didn’t even know it was possible. How does it survive a system reboot?”
“This is a form of malware that leaves absolutely no detectable trace of itself when loaded, but for it to maintain its foothold through a shutdown it would have to download itself to a file and register the file to execute at the next reboot. After activating, it would delete the file from disk. That way, it is effectively invisible without resorting to rootkit techniques. Of course, if the system powers off without executing a shutdown, the virus won’t survive, but that’s a very small risk that the author was apparently willing to take. At least that’s what it looks like to me. I’m going to reboot now and see if it actually happens.”