Trojan Horse, by Mark Russinovich
This was a technique the author had borrowed from the infamous Conficker worm, which first appeared in late 2008. It was especially crafty: the author simply had to register one of the thousand listed addresses shortly before the prescribed time and deliver the instructions to the virus from it. The timing was built into the malware itself.
Antivirus investigators such as Jeff and Daryl, not to mention traditional law enforcement agencies involved in stopping cybercrime, lacked the resources and time to check the registrant of every possible domain name the malware was employing. Worse, it was easy to obtain a domain name under a fictitious or borrowed identity and most of the randomly generated names were in third-world countries, which lacked legal agreements with the Western nations and typically had few cyber laws.
He forwarded the address generation code to Daryl and asked her to research it for patterns when she had time. Maybe the names weren’t as random as they first appeared. It would take hours to devise a way to fool the virus into thinking that the time to generate the domain names had arrived so she could scrutinize them in the meantime. Once that was accomplished she’d analyze the list, looking for signs, for patterns, for anything that would help. But she’d have to sleep soon. He wished she was here, working with him hand in hand.
Authors tried to be clever when designing a virus but they could not avoid leaving clues. Bits and pieces of old code were often cobbled into a new creation and the old code, created or used when the author was green, tended to be sloppier. Jeff and Daryl had once managed to find the street address in Moscow for an author based on just such a clue. She’d had no similar luck earlier with the code itself but Jeff was more hopeful she’d have some success with the address list. There was bound to be a pattern.
During these long hours Jeff observed the malware in detail, identifying the new files it wrote to the computer and locating the files it had modified, using a Windows feature that tracks such changes. The virus appeared to be searching only for document files, including presentations and those in OfficeWorks.
This was the heart of what Jeff did. There was no glamour in it, but both he and Daryl shared a passion for the cyber hunt. They were detectives on the trail of the culprit and at any turn of the electronic corner within the computer they might uncover him.
Jeff lost all connection to day or night. Every two hours his watch chirped. He would stop, stand up and stretch, go for a walk in the hallways, find a restroom, and splash water on his face. Back in the office, he would pour a cup of whatever had caffeine in it, often eat something sugary, then return to his digital world.
He hated losing, hated it with an all-consuming passion. And he loved games. For him, uncovering the virus, unraveling how it worked, assessing what damage it had done, was the greatest challenge of all, as real to him at times as playing rugby.
He’d told Daryl once that at times like these the pixels in the computer, the code he read, were his entire world. He could understand how certain personalities became addicted to the cyber universe. As it became even more sophisticated, he occasionally wondered what the future for some people was going to be, locked away in their rooms, utterly lacking any normal contact with humanity, their brains directly wired into the network.
By afternoon Jeff concluded he’d learned all he could at Whitehall and told Blake to arrange a meeting as soon as convenient. He called Daryl, who he reasoned had to be even wearier than he was. She’d been working at very odd hours.
“You awake?” he said.
“Just barely. I’m living on coffee.” She sounded tired. “I called Frank Renkin at the Company to see if he’d put his team on the DNS names. It was a big job.” Frank was a friend of Jeff’s from college where they’d taken a number of classes together. She knew him as well from her work with the CIA. Neither of them had kept in touch particularly but they all worked in the same field and ran into one another from time to time. They also customarily exchanged data they thought the other could find useful. What Daryl liked best was that Frank was happily married and had never made a pass. He’d landed with the CIA, working internal computer security.
“And how is Frank?”
“Very good. A third baby is on the way. They want a boy this time. He seemed a bit stunned at the thought. I don’t think it’s planned.” Jeff laughed. “I called because he represented the government in the Conficker Cabal and might have information on new strains.”
“Right. Our guy’s using the same name-generation technique. Any luck?”
“Nothing off the top of his head,” she said, “but he was glad to get the information. I also forwarded the code to him and he promised to get back as soon as his people compared it to what they have on Conficker. It’s always possible it’s the same author.”
“Yeah. More likely our guy borrowed it.”
“You know, I don’t want to give our author too much credit but this seems to be a very well-thought-out virus. When I stepped through the code I didn’t find a single hint of origin, nothing. It seems like he made a conscious effort to keep it clean. And there was something else. It doesn’t have the feel of a single gifted author. I’d say several people worked on this thing.” She paused. “There was also nothing in the chat rooms. Not a word. This thing’s potential is so great you’d think somebody, somewhere, would be talking about it. It’s as if it was created in a vacuum.”
“Any luck with the DNS names?”
“I’ve just been looking over the results Frank’s team came up with and can’t help notice that the names are heavily biased toward those ending in Iran. In fact, nearly half of them produced by the algorithm fall under the Iranian namespace, ending in .ir.”
“That’s either a very stupid move on the part of an Iranian author,” Jeff speculated, “or a clue dropped to deliberately mislead us.”
“Right. But there’s no way to tell which at this point.”
“You know, it’s impossible for us to position ourselves to intercept a command coming to it. And if the author picks up we’ve accessed the thousand URLs he’s using, he’ll just add thousands more. And we still have no idea of the scope of this thing, how old it is, or what it does.” Jeff paused. “What do you think it does?”
“It can do most anything really, but from what you’ve found it wants to access documents. That tells me it’s snooping.”
“A cyber spy.”
“Exactly. Like a keystroke logger but much better.” Loggers tracked the keys struck on a computer keyboard in a covert manner so that the victim using the keyboard was unaware they were being monitored. The information was then accessed by whoever planted, or had access to, the embedded logger.
“You know,” Jeff said, “this guy in Geneva might not be lying.”
“If he’s telling the truth, the only way it can be is if someone used this virus to access an OW file in his computer and altered its language before Herlicher sent it with the digital signature attached to it.”
There was silence. They both knew what that meant.
“Get some rest,” Jeff said. “I’m wrapping it up here. The next step is Geneva if they want me, where malware on that end—if it’s still there—might have more clues. I’ll let you know either way. Thanks for your help and thank Frank.”
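The domain-generation technique described at the start of this chapter (a list of names derived from the date, of which the operator registers only one) and Daryl's later observation that nearly half the generated names fall under .ir can both be illustrated in code. What follows is an added example, not code from the novel and not Conficker's actual algorithm: the salt, alphabet, name lengths and TLD table are constructed assumptions. It shows the analyst's two moves from the chapter: computing future lists without waiting for the clock to arrive, and tallying the output for patterns the author left behind.

```python
import hashlib
from collections import Counter
from datetime import date, timedelta

# Constructed stand-in for a date-seeded domain generation algorithm.
# It is NOT Conficker's real scheme and not the novel's code; the salt,
# alphabet and TLD table below are assumptions made for this example.
SALT = b"constructed-example-salt"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# The author's TLD table is exactly the kind of artefact an analyst hopes
# to recover from the output: here half the slots are .ir.
TLDS = [".ir", ".ir", ".ir", ".ir", ".ir", ".ru", ".cn", ".ws", ".cc", ".tk"]
BYTES_PER_DOMAIN = 14


def _keystream(seed, n):
    """Deterministic byte stream of length n from seed via chained SHA-256."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def generate_domains(day_iso, count=1000):
    """Return the domains the sample would try on the ISO date `day_iso`.

    The seed depends only on the calendar date, so anyone holding the
    algorithm (attacker or analyst) can produce the same list for any date.
    """
    seed = hashlib.sha256(SALT + day_iso.encode()).digest()
    stream = _keystream(seed, count * BYTES_PER_DOMAIN)
    domains = []
    for i in range(count):
        chunk = stream[i * BYTES_PER_DOMAIN:(i + 1) * BYTES_PER_DOMAIN]
        length = 8 + chunk[0] % 5                      # 8..12 characters
        label = "".join(ALPHABET[b % 26] for b in chunk[1:1 + length])
        tld = TLDS[chunk[13] % len(TLDS)]               # byte 13 is unused by the label
        domains.append(label + tld)
    return domains


def fast_forward(start_iso, days):
    """Analyst's clock trick: compute upcoming lists now instead of waiting.

    Returns {iso_date: [domains]} for `days` consecutive days from `start_iso`.
    """
    start = date.fromisoformat(start_iso)
    result = {}
    for d in range(days):
        day_iso = (start + timedelta(days=d)).isoformat()
        result[day_iso] = generate_domains(day_iso)
    return result


def tld_distribution(domains):
    """Fraction of the list under each TLD, most common first."""
    counts = Counter(d.rsplit(".", 1)[1] for d in domains)
    return {tld: n / len(domains) for tld, n in counts.most_common()}


def dominant_tlds(domains, threshold=0.25):
    """TLDs holding at least `threshold` of the list: candidate patterns."""
    return [t for t, f in tld_distribution(domains).items() if f >= threshold]


if __name__ == "__main__":
    for day_iso, names in fast_forward("2013-04-01", 3).items():   # assumed date
        print(day_iso, names[:3], "...", dominant_tlds(names))
```

Because the list is a pure function of the date, a defender who has the algorithm can pre-register or sinkhole tomorrow's names today, which is what made registering ahead of the operator feasible against Conficker; the skew that `dominant_tlds` surfaces here comes entirely from the constructed TLD table, which is the sort of authorial fingerprint the chapter has Daryl looking for.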
10
LONDON, UK
WHITEHALL
FOREIGN AND COMMONWEALTH OFFICE
RESEARCH GROUP FOR FAR EAST AFFAIRS
IT CENTRE
3:32 P.M.
Just as Jeff’s wrap-up meeting was about to begin he received an e-mail from Daryl.
The Company says this is first it’s heard of this virus and tnx us very much. They want to know if we’ve noticed how clean code is. I said we had. When we figure out what it does we’re to let Frank know at once. If they figure it out first, he’ll do the same. Finally, Frank wants us over for dinner when we get back home. It’s going to be a girl this time and they want to brainstorm names with us. I take it this is some kind of new game they’ve come up with. Miss you.
Yates and Walthrop looked hopeful and expectant as they began. Through the office window beside him, Jeff saw a heavy fog rolling across the city. “This is what I have so far,” Jeff said. “The trail goes to UNOG, as you suspected. I need to access this Herlicher’s computer to be certain and to see if I can learn more about what it’s after.”
Walthrop nodded. “Franz is very upset over this. Between our concerns, his desire to placate me and your reputation, I don’t see a problem with access. I had Graham speak with his counterpart earlier today when it became apparent where this was heading from what Blake told me. They’ve been taking a look at Franz’s computer. There is a greater acceptance of the need to move quickly when it appears digital defenses have been penetrated. Plus, as you saw, this involves Iran’s nuclear program. OFDA at UNOG has a great sensitivity to this. Franz’s superiors already know what has happened and are not happy. It appears the release of their report has been delayed.”
“What is OFDA?” Jeff asked.
“Sorry. The Office for Disarmament Affairs in Geneva. It will source the report. They want nothing to go astray. They are under tremendous pressure.”
He didn’t volunteer why that might be the case and Jeff didn’t ask. “Have there been other incidents since I arrived?” he asked. “These things rarely occur in isolation.”
“Yes,” Yates said. “We’ve had two more computers refuse to execute OW files. Before you ask, one was again from UNOG while the other was from the UN in New York.”
“It’s spreading,” Jeff said. “Here’s what I have. Yes, obviously the problem was caused by a Trojan. It’s brand-new and uses a zero day. That alone makes it stand out. It is also stealthy, utilizing a new and devious technique to conceal itself. It also turns off and on at random, and calls home for instructions in a way I cannot block except by taking it off-line and that’s no systemwide solution.”
“That’s distressing,” Walthrop said.
“Is it targeted to us?” Yates asked.
“I think it is,” Jeff said. “It’s certainly not generic.”
“I see. So what does it do?” Yates asked.
“It’s designed for government espionage, in my opinion,” Jeff said. “At the very least, its purpose is to read your files. And while I have no conclusive evidence, the pointers suggest the government employing it is Iran.” Walthrop visibly reacted to the news but didn’t comment. “As I said, I believe it gives access to content, but . . .” Jeff hesitated. How to say the rest?
“Yes?” Yates said to encourage him.
“I suspect it allows an outside source to edit documents.”
Walthrop sat up straight in his chair. “What?”
“If it executes and gains access, the interloper can change the contents of an OW document,” Jeff said. “This happens, of course, before the digital signature is applied. The document for all purposes appears genuine. Of course, if the author of the document reviews the copy he sent he’ll catch the changes. That’s unlikely, though. People assume a document is the same as when they last saw it on their computer.”
Walthrop eased back in his chair. “So Franz may be telling me the truth. Let me collect my thoughts on this. You’re saying that this nasty piece of code gives access to our documents and allows them to be altered?”
“Yes,” Jeff said. “That appears to be the case.”
“And I think it’s a genuine document when I receive it?”
“Yes.”
“How long has this been going on?” he asked.
“I can’t say,” Jeff said.
“My God,” Walthrop said. “It may already have read, even altered, thousands of files.” All his fears about computers were coming true. He knew, he just knew, it would come to this someday.
“What else do you have?” Yates asked.
“The clues suggest Iran, as I said. But that could be a plant intended to throw us off. This is a very shady digital world we’re dealing with.”
“I’m curious. Why did my computer have a problem the first time but then opened the file when I tried again?” Walthrop asked. “If Herlicher was infected, his computer had no problem with the virus.”
“I don’t know what security UNOG is using,” Jeff said. “That’s likely the reason. As for the other, my guess is there’s a glitch in the virus. It crashed OfficeWorks the first time you tried but not the second, but in neither case did it successfully activate. I suspect that whoever wrote this code didn’t compensate for at least one of the OfficeWorks security checks.”
“Is there anything more to be done here?” Walthrop asked.
Jeff shook his head. “Blake is perfectly qualified to clean the Trojan out of your computers, if it managed to get onto any of them. He’s got the code and he knows where to look if necessary. I’d say my next stop is UNOG, assuming I’m to continue with this. I still need to write the detection program for you and I need to find out how this thing works. Any virus that’s exploiting a loophole in the digital signature system is a serious threat. But I’d need to access Herlicher’s system to confirm that’s what happened here.”
“We and our counterparts at UNOG are agreed that you should follow up at Geneva,” Yates said. “You can understand this is a potential source of friction between Her Majesty’s government and the United Nations. They are eager to see that possibility eliminated. There’s a Swiss International Air Lines flight leaving at six thirty this evening, which you can just catch. You’ll be in Geneva later tonight. Thank you for your help and we wish you luck.”
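Jeff's explanation in the meeting (the document is altered on disk before the author signs it, so the signature is valid for the altered text) rests on a property of every digital signature scheme: it binds the signer to the bytes present at signing time, not to what the signer believes they wrote. The following is an added example, not the novel's OfficeWorks signing system and not production cryptography; it uses a toy RSA signature over two fixed Mersenne primes, with a constructed filename and document text, so that it runs offline.

```python
import hashlib

# Toy RSA signature over fixed Mersenne primes. Demonstration only: the
# key is about 92 bits and there is no padding, so it is useless for real
# security. Keys, filename and document text are all constructed.
P = (1 << 61) - 1                     # 2^61 - 1, prime
Q = (1 << 31) - 1                     # 2^31 - 1, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # modular inverse, Python 3.8+


def _digest_int(document):
    """Hash the document and reduce into Z_N (toy substitute for padding)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document):
    """Signature over the bytes actually given: whatever is on disk at signing time."""
    return pow(_digest_int(document), D, N)


def verify(document, signature):
    """True iff `document` is byte-for-byte what was signed."""
    return pow(signature, E, N) == _digest_int(document)


def tamper(store, name, old, new):
    """Attacker with document access rewrites the stored file in place."""
    store[name] = store[name].replace(old, new)


def scenario():
    """Edit-before-signing: the recipient's check passes on the altered text."""
    store = {"report.ow": b"The stockpile remains BELOW the agreed threshold."}
    author_intent = store["report.ow"]

    # 1. The implant edits the document while it sits unsigned on disk.
    tamper(store, "report.ow", b"BELOW", b"ABOVE")

    # 2. The author signs the file as stored, trusting it is what they wrote.
    sent_doc = store["report.ow"]
    sig = sign(sent_doc)

    # 3. The recipient verifies; the signature is valid for the altered text.
    # 4. Only comparing against the author's own intent reveals the change.
    # 5. An edit made after signing, by contrast, is caught by verification.
    after_signing = sent_doc.replace(b"ABOVE", b"BELOW")
    return {
        "recipient_verifies": verify(sent_doc, sig),
        "matches_author_intent": sent_doc == author_intent,
        "post_signing_edit_detected": not verify(after_signing, sig),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The practical consequence is the one Jeff draws: verification on the receiving end cannot catch this class of attack, and the only check that does is the author re-reading the signed copy against what they meant to send, which is why an implant with write access to documents on an endpoint undermines the signature system without ever touching the keys.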
11
GENEVA, SWITZERLAND
UNITED NATIONS OFFICE AT GENEVA (UNOG)
OFFICE FOR DISARMAMENT AFFAIRS
PALAIS DES NATIONS
4:47 P.M. CET
Franz Herlicher entered his office, glanced about for any signs that someone had been in it while he was gone, saw none, then quietly closed the door before sitting at his workstation. Carlos Estancia, his manager, had summoned him earlier for a quick meeting. Ostensibly it was to inform him that an expert was arriving from London to examine his computer.
Herlicher wasn’t fooled. There was surely more to it than that. There always was. He’d worked for the Spaniard long enough to recognize that look. Estancia thought he had something on him and was just waiting for the so-called expert to give him the cover he needed. UNOG had its own computer people. Hadn’t he been cooperating with them? Who said he wasn’t? Why bring in someone from outside?
Herlicher glanced at his computer. The techs had done some work on it, then abruptly stopped. He’d been told to leave it alone but he couldn’t help wonder what was there to be found. Everywhere he’d browsed was cached away in some electronic recess, at least that was what he understood. He had no taste for pornography and if he had, he counted himself smart enough to know their IT staff would catch him at it at work. It had happened to others. He didn’t squander work hours browsing aimlessly; he knew that was monitored as well. And he certainly never wrote anything disparaging about the UN or the Office for Disarmament Affairs. That was the last thing he’d ever consider.
Estancia had confirmed what the IT people had said, that his computer had been hacked. That was the word he’d used, suggesting by his manner that somehow it was Herlicher’s fault, as if computer security wasn’t a matter for IT. Didn’t they have programs to prevent that sort of thing? Firewalls? They’d been told their Internet security was second to none. Yet, now Estancia was trying to make this his fault.
There was no question of taking this London expert at face value. Something much more significant was taking place. Was he the target? Herlicher wondered, or just a cog in a much bigger game? Was there any way he could know?
Estancia had said nothing about Lloyd Walthrop but it was clear to Herlicher that a document he’d sent the man had been the cause of the problem. The fact that the experts were coming from Britain suggested to him that Walthrop had his own concerns. Shouldn’t that get him off the hook now?
Herlicher couldn’t make sense of the disaster. Estancia, the techs, everyone seemed to be speaking in double-talk. He pressed his hands to his head, feeling one of his migraines coming on. This was all so complicated.
He abruptly straightened with sudden realization. Estancia knew he’d contacted Walthrop about the Iranian report; had been regularly contacting Walthrop. And providing privileged information. There’d been no way to avoid using his office computer for those contacts though they were against policy.
Herlicher turned on his screen and opened his e-mail program. He began systematically deleting every message he’d ever sent Walthrop.
12
MAKU, IRAN
IMAM STREET
HOTEL SEYHAN ADANA
9:58 P.M. IRST
Saliha Kaya stood back from the window as she stared at the dark street below. There were few streetlights and most of those no longer functioned.
It was always this way on these trips. Fly from Prague to Ankara, hire a car, drive in one long day to the border with Iran, wait to cross, then check into the hotel. The woman had come and gone. It was done, so why couldn’t she sleep?
It was all exhausting and she didn’t know how many more of these trips she was willing to undertake for Ahmed. The pay was good—not great but good—but the inconvenience was considerable. The flight itself was no problem. She enjoyed airplanes and she often met businessmen who gave her their cards, promising to help her find work wherever it was they lived. She knew what they meant but each card represented an opportunity. Her relationship with Ahmed was going nowhere and every time she went back home, she grew more depressed at the prospect of returning to Turkey.