- Russinovich, Mark
Trojan Horse Page 6
Jeff left the monitoring tool running during the shutdown and subsequent reboot. He carefully examined the resulting activity log of the transition until after midnight. It was then he finally found evidence confirming his theory. That was what the virus did. Nasty. He stopped to mull the possibilities.
“Mr. Aiken,” Blake said. “You fell asleep.”
Jeff jerked his head up. “Sorry.” He rubbed his eyes, then said, “Elliott, I need to sleep. Back after a few hours’ rest, a shower, and some food. And call me Jeff, will you?”
8
PRAGUE 3, CZECH REPUBLIC
TABORITSKA 5
4:23 P.M. CET
Saliha Kaya stretched naked across the sheet, glanced at Ahmed snoring lightly beside her, then rose and quietly turned on the shower in the cramped bathroom. Once the water was hot she stepped in, luxuriating in the wet warmth. She had no shower in her apartment and took full advantage whenever she spent time here with Ahmed.
Recently turned twenty-eight, she was above average in height and had very long, black hair. Her traditional Turkish figure held more curves than was currently fashionable in magazines, and though attractive she could not be described as a beauty. She had a manner, however, that men found quite appealing.
Saliha was one of six children born to a very poor family in Ankara. Her father had worked in construction while her mother stayed home for the children. To help, she and her daughters made shawls, which she sold at the market. By the time Saliha was ten she could make a shawl blindfolded.
There’d been no money for more than basic school and with so many children Saliha had understood she must fend for herself as soon as she could. She’d waitressed for a time, spurned an offer to become mistress to an older banker, then traveled with a young lover to Prague, for a chance to see the world before it was too late. When their relationship soured and he’d returned to Turkey, she’d stayed on. Her appearance and personable manner had given her work in bars and the trendy clubs, which was where she’d met Ahmed.
She spoke no Farsi and he spoke no Turkish so, as was the case with so many international couples, they conversed in English. She’d once loved her handsome Iranian passionately but the flame of her love was slowly fading. Their time was coming to an end and if she found one more sign he was sleeping with other women she would end it abruptly, no matter how much he paid for her trips.
With the last of the hot water gone, Saliha turned off the faucets, then stepped from the shower and toweled herself carefully. She moved quietly into the single room, sat before an old mirror, and slowly combed out her hair, memories of her childhood flooding back as they always did at such moments. Her grandmother had lived with the family until just before Saliha left home. She’d loved her granddaughter’s long silken hair, telling her it was a gift of Allah, one she should always cherish.
Saliha didn’t know about God but men certainly liked it and every woman she knew was envious.
Ahmed moved lightly. She glanced at him through the mirror. He was a handsome man, with a fit body. He was quick, smiled easily, and was fun to be with. And there was the powerful physical chemistry between them. Whenever they were together they fell into bed at once. It was as if until after sex they couldn’t carry on even a simple conversation. She’d never before experienced anything like it.
Saliha lived in a room in an apartment she shared with three other women who worked at the same club. She’d wanted to move in with Ahmed not long after they met but he’d resisted and now she was glad. It would make ending it much easier.
The question was when.
Her best friend had told her about Ahmed’s love of European blonds. Then one of her roommates, Ayten, said that she’d seen him outside a coffee shop with a blonde and there’d been no doubt what was going on between them. Saliha had her own doubts even before hearing from her friends. This latest story was just so much confirmation. She wanted a faithful man. Was that too much to ask?
Then there was this business of Ahmed’s. She’d stopped asking about it months before but it still bothered her. He was involved in something mysterious and probably dangerous. Attending college was clearly a cover based on the caution with which he lived. He paid cash for everything. That in itself was not so unusual, as few illegals in Prague had bank accounts, but he was a legal resident student and there was no reason for him not to have an account.
Also, she could never determine just where the cash came from. He received no checks, she was certain. The money just seemed to appear. He was occasionally lavish in his spending and yet he always had enough.
He never spoke on the phone in her presence. And he had at least two phones. With her it was always the same one. Another appeared whenever he was making these mysterious calls. She’d often wondered who he talked to because if he had friends, she’d never met them.
Then there were his mysterious trips. He’d simply leave without a word. Sometimes he was gone no more than two days, sometimes as long as two weeks. When he returned he made no mention of the trip, never brought her a gift. It was as if he’d never been away. It was strange.
At first she’d suspected he was involved with drugs in some way. Not as a dealer, of course, she’d seen no signs of that, and certainly not as a distributor, but . . . somehow. But as she’d come to know him she’d understood the absolute contempt he felt for drugs and drug users. Ahmed might enjoy women but in his own way he was quite puritanical. He didn’t attend mosque every Friday but it was a rare month when he didn’t go at least once, which was more than Saliha could say.
No, he was involved somehow in the black market. That had to be it. But what? She couldn’t decide. Her latest theory was weapons, though she’d seen no sign of them and Ahmed had no gun, of that she was certain.
But she couldn’t help wonder what would happen to her if she was ever caught running errands for him. Ahmed had promised that what she did was harmless but he would say that, wouldn’t he?
She slowly dressed, watching him as she did. She pulled on her tight slacks, connected her bra behind her back, then slipped on a very tight white blouse. Finally she stepped into the high-heeled boots she enjoyed so much even though she towered over many men, even Ahmed, in them.
She returned to the dresser and idly fingered the key-chain thumb drive, balancing it in her hand as if she could somehow decipher its mysteries. What was on it? She’d never looked. She’d never so much as tried. She’d been concerned there might be some way for Ahmed to tell. He’d warned her that the information could only be accessed with a certain code and he had ways of knowing if she even opened the file. She slipped it into her pocket.
Saliha glanced at the dresser, then placed her hand on the cash. She didn’t like it when he paid her like this, after sex. It made her feel like a whore, though the money wasn’t for sex and they often slept together when she received no money at all. No, the money was for expenses plus a bit extra to buy things for Ahmed he couldn’t get in Prague. She’d get the balance, her fee, when she returned.
With a final glance at Ahmed she let herself out, hearing the door latch behind her. She walked down the stairs, then passed out into the late-afternoon sun under the gaze of the Hungarian. She was used to that. She lightly touched the switchblade knife in her pocket, the one she’d carried since puberty. Just let him ever try and lay a hand on her. She slipped on sunglasses and strolled toward the city center.
DAY THREE
SATURDAY, APRIL 11
CYBER SECURITY NEWS
US DOD PRIME TARGET
By Dietrich Helm
DOD Is the Most Targeted Computer Network on Earth
April 11
Yesterday, Adam F. Dye, the U.S. Deputy Secretary of Defense for Cyber Security, reported that the DOD computer infrastructure is the most attacked digital target on Earth, receiving in excess of 100,000 cyber assaults annually. “I cannot say that we have been entirely successful in blunting all of these attacks,” Dye testified.
Dye said that the entire DOD information system had been taken off-line for ten hours last year because of a major penetration. Had this occurred during a time of crisis the American ability to defend itself would have been significantly compromised. “This is the new face of warfare,” Dye said.
Last year the U.S. Strategic Command reported there had been some 40,000 successful breaches, not attempts, on the DOD. Indeed, the computers of half of all U.S. government agencies dedicated to national security are known to contain malware.
“We are not winning the cyber war. The best I can say is that it is a stalemate,” Dye said.
Congressman Robert Sanchez [D-CA] demanded to know how the most advanced country in the world, with the finest computers and engineers, could be in this state. “It’s nothing less than gross incompetence,” he said. Sanchez has argued for a significant reduction in the budget for the Department of Defense. “Are you saying we could lose a war without the enemy ever firing a shot?” he asked rhetorically.
Dye asked to conclude his remarks in a closed session.
9
LONDON, UK
WHITEHALL
FOREIGN AND COMMONWEALTH OFFICE
RESEARCH GROUP FOR FAR EAST AFFAIRS
IT CENTRE
1:54 A.M. GMT
Blake led Jeff out of the building with relief, mentioning that he still had a forty-five-minute drive home ahead of him. Meanwhile, Yates had booked Jeff into a boutique hotel just down the street, the Royal Arms, a converted Victorian mansion, which specialized in discretion. As he walked to the hotel, Big Ben pealed just down the river from Whitehall. A light fog drifted through the quiet streets, reminding Jeff of a Sherlock Holmes story.
The events of this last decade had only served to impress upon Jeff the increasing danger of the cyber world. Computers were under relentless and ever more effective attack, if not from some juvenile hacker looking to claim bragging rights, then from Russian mobsters phishing penetrations seeking financial information, Eastern European gangs out to blackmail companies through denial-of-service attacks, or the ongoing Chinese government campaign to gain security access and information in the West.
It was a never-ending battle, one that demanded increasing sophistication and proactive measures to effectively counter. The usual antivirus security companies that provided firewalls and scans were constantly playing catch up as they responded to each new attack only after it was launched and discovered. Though doing a reasonably effective job, they were essentially counterpunching. All kinds of malware made it into countless computers before being discovered and before a protective patch was prepared, then distributed. His latest client was just such an example.
Worse, the sophisticated tools needed to create malware were commonly available on the Internet. Any geek with basic malware knowledge could download components and cobble together a virus or Trojan, and many did. And now that criminal bands and certain rogue governments were in the malware business for real, the sophistication of each attack was increasing with each passing month.
There were, in general, three varieties of malware: junk malware like “scareware,” malware aimed at stealing money or data to sell, and government espionage including cyber warfare. Such state-directed attacks were ongoing and surprisingly effective.
Valuable data on the U.S. Joint Strike Fighter project, the costliest weapon system ever built, was stolen directly from the Pentagon’s computers. The Air Force’s air-traffic-control system had been penetrated and the intruders downloaded several terabytes of valuable data related to its electronics and design. The Department of Defense’s Secure Internet Protocol Router Network was infected for a time with specially designed software intended to disable the system in time of confrontation or conflict.
In the private sector, the situation was so bad that a major American manufacturer of computers had actually shipped a new product that contained a virus. Infections in iPhones and other cell phones, in every device commonly used in the twenty-first century were increasingly common. Their use for cyber penetration was only a matter of time.
The Royal Arms was nearly beside St. James Park. This part of London was rife with history. He’d like to come here with Daryl someday, when neither of them was on assignment. He wondered if they ever would.
Once in his room Jeff showered then sat in a comfortable chair and despite his exhaustion called Daryl. She sounded glad to hear from him, but then she always did. After he told her what he’d discovered since his e-mail, she briefed him on her examination of the virus code.
“It’s tight, as far as I’ve been able to see to this point. I still have more to do, though,” she said.
The heart, the digital soul so to speak, of the Internet and of computers was software code. Code was the magic that made everything work. Code produced the images, the colors, the words, everything.
Just as there were brilliant painters and amateurs, so it was with code writers. Anyone with a modicum of software knowledge could copy, paste, and modify bits of code. Script kiddies did just that, adding little of their own to the work, often surprised when what they’d cobbled together actually did something. Such junk sat in computers all over the world, sometimes clogging them up, often as not doing nothing but taking up space.
Then there was tight code that did what it was meant to do efficiently, cleanly, and with a minimum of space and fuss. Corporations typically produced such code, sometimes government agencies did as well.
Then there was genius code, code so good, so smooth, so effortless, it was like a brilliant work of art. This wasn’t that good, Daryl told him, but it was very, very good indeed.
When she finished, Jeff said, “The author has really thought this through. When the system shuts down, the virus saves itself to a file with a name identical to one that’s part of the primary antivirus suite used by the UK government, just in a different location.”
“That’s clever of someone,” she said. “So if an administrator were to stumble on it and examine its properties they’d see ones that matched those of a legitimate file.”
If suspicious, an extra check would typically be to verify the digital signature of the file, tamper-proof evidence that confirmed who it was produced by. However, despite the fact that all Windows components were digitally signed by Microsoft and many software vendors signed their software, the antivirus industry ironically had been slow to adopt the practice. The result was that this second check couldn’t be performed in this instance because the author had been clever enough to hide the file in the one place where digital signatures weren’t commonly used.
“The guy’s pretty sneaky,” Daryl said.
Jeff told her that he couldn’t think clearly any longer and was going to bed. “Sleep tight,” she said. He left a wakeup call for five hours later and was asleep at once. In his dreams he chased pixels across a screen, saw images of streaming code, and engaged in conversations with Yates about their virus that had never taken place. When the telephone rang it was as if he’d never left work, never slept at all, he was so weary. He showered, redressed, ate a continental breakfast, then set out for Whitehall.
The early-spring morning was fresh and invigorating. Big Ben pealed again. A bleary-eyed Blake was already in his office and waiting for him. “You look better than yesterday,” he said as he led Jeff into the basement. “I’ll let you get to it.”
“There’s no need for you to keep me company,” Jeff said as he set his bag down. “I know where to reach you.” Blake left, looking relieved.
Jeff picked up his cell phone and sent Daryl a message to let her know he was working. She came back at once. “Worked all day with no luck.” Jeff did a quick mental calculation. It was nearly three in the morning in D.C. “As I told you, this thing is really clean, I mean really clean. Now in the chat rooms.”
Malware creators often bragged about what they’d launched. There were certain chat rooms frequented by such authors and even if they did no crowing personally, it was not unusual for someone familiar with the new virus to chat about it, and the author. This often led to vital clues as it had before when they’d uncovered the Superphreak virus that led them to the Al Qaeda plot.
For Jeff, it was time to determine what the virus did when it went active. Utilizing his debugger again, Jeff focused on the system process hosting the malware parasite. This was a protracted, exhausting process requiring his full attention on the heavily obfuscated malware code. The author had worked hard at making it difficult to analyze. But after several hours Jeff made a key discovery. Every two or three days, after it awakened from its digital slumber, the virus generated a list of a thousand seemingly random DNS names and reached out onto the Internet. DNS, or Domain Name System, is the convention used to give the actual numeric addresses, like 192.168.122.12, human readable aliases, like www.facebook.com. Individuals and companies purchase names from domain-name registrars around the world and the registrars maintain mappings of names to the numeric addresses, called IP addresses, in databases on the Internet that software can reference to perform name translations.
The virus then worked its way through the list it generated, one at a time, again at random intervals lasting anywhere from ten seconds to one minute. The lack of regularity was designed to cause the queries to blend in with the usual network activity in the log files. In each case it was attempting to connect to a specific DNS. The purpose once there, Jeff knew, was to download instructions as to what the virus should do now that it was in the Walthrop computer with access to his files.