Trojan Horse Page 9
They’d received the contract for Project Tusk for a flat fee with a bonus for every zero day vulnerability they uncovered. They’d found one vulnerability in the Bluetooth stack, two more in the core WiFi driver as well as another two in the GPS driver.
“Maybe they outsourced it,” Jeff said as he buttered a second piece of toast. There were plenty of criminal groups around willing to do the work for a price. There were, however, inherent problems with that approach. If someone, even or especially a hired gun, learned enough about you to graft an attack on others it was not difficult for them to turn their creation back on their employer or resell what they created.
“Anything’s possible, I guess. But can you imagine a hacker writing code that clean?” Criminal cyber-gangs in the former Soviet Eastern bloc nations had turned such operations into a vast illegal financial industry but their code was often sloppy and until now, always identifiable for what it was. Was it possible one such group had raised the bar so dramatically?
“It doesn’t seem to get the Iranians very much,” Daryl continued. “So they read this Herlicher’s files, even altered a copy of the final report to say there will be no Iranian nuclear bomb. So what? Such a mistake can be explained and is sure to bring people like us on the scene as soon as they changed something important. From what I’ve read they just want to get their nuclear bomb detonated so they can get on with their quest to become a major world player.”
“And then arrange for it to be used.”
“That’s right.” She paused. “I’ve often wondered why there is so little concern about them getting the bomb. Look what they’ve done financing terrorist groups worldwide. Don’t people see what they do? And even if by some miracle they don’t turn it over to their terrorist minions to use, they’ll bully their way into complete Middle East dominance. After all, when it was still called Persia, the country had a long history of controlling the region. What’s it going to take to wake people up? A nuclear wasteland? The lights going out in their hometown for a month? Sometimes I just want to scream.” She stopped, drew a deep breath.
“It’s all right, Daryl.”
“No, it’s not!” she said. “That’s why I’m so upset. Look, getting back to this thing, I think it’s someone a lot more competent than Iran, someone with a more expansive agenda.”
Jeff considered that as they finished their meal and dressed. It made a lot of sense.
“So, you give this another two or three days to figure this thing out?” Daryl said, her mood having lightened. Jeff nodded. “I was thinking on the way over that Italy is very romantic, according to all the books and shows. Rome, Florence, Venice. We can see the city in a gondola while you serenade me.”
“You’ve got me mixed up with the gondola guy. He does the singing.” Jeff leaned over and kissed her. “You’re a woman of wonderful surprises. I love you.”
“Keep talking like that and I might go ring shopping.”
He pulled her tight. “I can think of worse things.”
As they left the hotel, the view of the shimmering lake and distant mountains crowned with white clouds was gorgeous. They had a clear view of the famous Jet d’eau, the enormous jet water fountain, visible from nearly anywhere in the city. Jeff had heard that Geneva was known as a dreary city but from what he’d seen it didn’t seem possible. So far he’d found it quite charming, though he suspected his companion had something to do with that.
The Palais des Nations, where UNOG was located, was a brief walk up the Rue de Lausanne to the Avenue de la Paix, the Avenue of Peace. Jeff noted that there were no visible guards on the grounds or immediately outside the building. The entrance was some distance from the street, reached via a long concrete walkway across a vast expanse of well-tended garden. Exterior security was either out of sight or depended in large part on the inherent stability and law-abiding nature of Swiss society.
Henri Wille, the security chief, was waiting to receive them at Pregny Gate, the usual entry point for first-time visitors. He was in his forties, trim and fit, and looked every inch Swiss with blond hair, fair skin, and deep blue eyes. Though wearing a suit, on his left breast was a distinctive badge. As the designated Interpol agent for UNOG he’d been alerted by the UK Foreign Office of the arrival of two key computer security experts and had been instructed to see to them personally. Frank Renkin had already alerted Graham Yates that Daryl would be joining Jeff. He’d been delighted because her reputation, if anything, exceeded that of Jeff’s.
After introductions, Henri asked Jeff and Daryl to go to a nearby room to have their photographs taken. A few minutes later they received a badge to wear whenever in the building.
“It will grant you near universal access,” Henri said. “If you require anything at all related to security come to me directly.” He wrote his cell number on the back of a business card and gave it to Jeff. He then escorted them to the UNOG IT office and bid them good-bye.
The head of IT was out of the country and they were briefed instead by his assistant who introduced himself as Nikos Stefanidou. Short, with a bushy mustache, he was not happy with their presence. “This is a matter I believe we are capable of handling but others have decided to the contrary,” he said with clipped words. “I will do what I can for you.” He’d not risen from behind his desk.
“You have the computer here?” Daryl asked. It was standard procedure to disconnect the machine from the network and move it to the IT center so no one could do anything to it.
“No, it has remained in Mr. Herlicher’s office. He was told not to use it.”
Jeff raised an eyebrow but said nothing.
“Have you had other reports of infection in the building?” Daryl asked.
“I couldn’t say.”
“Does that mean ‘yes, you have,’ or ‘no, you haven’t’?” Jeff said.
“I couldn’t say.”
“I suggest we get working, then,” Jeff said. There would be no help here. “Can we see the computer, please?”
Franz Herlicher, the German technocrat, was a weasel in Jeff’s opinion. He’d given them each a curt European handshake and a quick bob of the head before turning his computer over to them with obvious reluctance. “I must attend a meeting, which will last several hours so you will have the office to yourself. Of course, I will make it available as you need thereafter. I only wish to cooperate and clear up this terrible misunderstanding.”
“Before you leave, could you tell us what happened?” Jeff asked.
“I’m sure you already know. That’s why you are here.” Herlicher pulled himself upright.
“It will be useful to hear it from your perspective,” Daryl said.
Herlicher looked at one of them, then the other, unable to decide just who he should address. “All right then,” he said, deciding on Jeff. He was the man, after all, but with Americans you could never be certain. “I had finished a late draft of the report, which was essentially the final report, pending approval of the specific language by my superiors. I then forwarded it to Mr. Walthrop at Whitehall but what he—”
“He’s part of the approval process?” Daryl asked.
Herlicher swallowed. “Not . . . not exactly. He’s a colleague and this report was very important to him. I wanted . . . his input.”
“Go on,” Jeff said.
“There’s nothing else.” Herlicher looked exasperated. “I received this most horrid message from him—you can see it yourself in my computer—denouncing me as a liar! It was very unsettling, I can tell you. I’m not accustomed to such language. It was simply awful! I e-mailed to assure him there had been some kind of technical mistake but he didn’t reply. Then . . . then I checked the report and . . .” Herlicher stopped, apparently unable to continue. He took a white handkerchief from a pocket and dabbed his moist brow.
“Then what?” Daryl said, when it appeared he wasn’t going to continue.
“The report wasn’t the same! It had been . . . rewritten. It’s quite impossible.”
“Perhaps someone here made the change,” Jeff suggested.
Herlicher shook his head. “I already considered that possibility. I always lock my office when I leave and only two other people have keys.” Neither statement was true, of course, but Herlicher wasn’t going to present any version of events but the most proper.
“Still, the room must be cleaned and no security measures are ever airtight,” Jeff said.
“Yes, I see your point. We do have some . . . less trustworthy types working here in menial positions. But that wasn’t the problem.”
“How can you be certain?” Daryl said.
Herlicher had watched a number of American detective motion pictures. He understood the “good cop/bad cop” technique he’d seen in them. He feared that was what was going on. Did these two suspect him? Surely not. He’d been told their presence was confirmation of what he’d suggested, that something had penetrated UNOG’s cyber defenses, that he was not to blame for what had happened. But that might very well be a lie. They might just be here to trick him.
He pulled himself upright. “I am absolutely certain our building security was not compromised. You see, after I wrote the e-mail to Mr. Walthrop, I attached the document. I then opened it and proofread it a final time. I always do this with important files. The moment I finished reading it, I closed the file and sent it, all but simultaneously. I assure you, the file I sent was the one I wrote. The problem must be at his end. Now, I must go to my meeting. I wish you well in your investigation.”
“One last question,” Jeff said. The man stopped. “You affixed the digital signature before sending the e-mail?”
“Of course! Always on official documents. Now, good day.”
Daryl watched the man walk off in a huff. Still, what he’d said, if true, was most interesting. She moved to a spot where she could work as Jeff sat at the man’s computer. Another windowless office, she thought, as she linked to the computer and booted it up. Maybe she should get a job as a park ranger or something.
“He’s been deleting files,” Jeff said within a few minutes. “Looks like communications with other agencies. Probably sharing things he’s not supposed to.”
“Jerk.” She looked at her screen, which duplicated the one Jeff saw. “And he doesn’t know diddly about how to hide it. Okay, Superman, let’s see what you’ve got now that you’ve had a full night’s sleep and been laid.”
“Let’s start with the obvious,” Jeff said. He went to the folder containing the file and opened it. “See it?” He read it through. “This one is different from the one Whitehall received. It reaches a different conclusion. That’s odd.”
“How?” Daryl asked.
“Until now I’d been thinking the virus allowed the interloper to alter the file in Herlicher’s computer. I’d assumed he’d sent it along without double-checking, placing the signature on it at that time. But this report is not the one Whitehall received. That makes no sense.” Daryl drummed her fingers. “What?”
“Just thinking. What if the change was made after the report was attached? This e-mail program holds its own copy of the file. Hang on.” Daryl opened the attachment with the message to Walthrop in the “Sent” folder. “Whoa,” she said. “This one is the same as the one Whitehall received. It’s altered.”
“Let me check the signature.” When Jeff was finished, he said, “Yup, the signature is valid and the same.”
Neither of them said anything for a long minute.
Daryl spoke first. “Someone used this Trojan to access the OW file after it was attached to the e-mail and altered its language before the digital signature was generated.” She paused, then said, “This is unbelievable.”
“Let’s get a handle on this thing,” Jeff said finally, and the pair went to work. Because of what he’d learned in London the process went quickly and within ten minutes he had located the Trojan. “There’s the nasty little thing,” Daryl said, spotting it on her screen as well.
“What we’re postulating is that this guy sends the correct file, but it’s altered at the moment it’s sent as an e-mail attachment. And there is no evidence it was tampered with. Jeff, they didn’t just change a word. They rewrote the report! How can you do that in the middle of an e-mail transmission?”
“I have no idea. Let’s find out.”
For the next few hours they worked at unraveling how their Trojan functioned. They discovered that it was not hard-coded with commands when it was created and embedded. While these would work in most circumstances to accomplish what the author wanted, such an approach did not permit any degree of flexibility. The virus could only do what it had been preprogrammed for at creation. Instead, the Trojan was sophisticated enough to be programmed with script-language, which gave the author enormous flexibility. This was why it was so aggressive and clever in seeking out a domain from which to receive updates and orders.
Searching further they found snippets of script in memory that enabled the Trojan to copy Herlicher’s e-mail messages whenever they were sent. The copies were kept in memory for later uploading to the control servers. The Trojan then periodically probed the file servers he was connected to, grabbing any documents Herlicher could access.
For the rest of the day they pored over networking logs and reverse engineered the malware, stopping from time to time to brainstorm. At one point, Herlicher stuck his head in the office and asked how they were doing.
“What do we do about lunch?” Daryl said by way of answer.
“I . . . there’s a cafeteria on this floor, that way. It’s not bad. The cooks are French.”
After Herlicher left, Daryl went for food and brought it back. They ate as they discussed their latest findings. “One of the unique characteristics of this thing,” Daryl said, “is that it retains itself and any documents it copies in the computer’s memory.”
“We didn’t find anything in the memory scans,” Jeff said, biting into a croissant. Why were they always so much better in Europe than back home?
Operating systems like Windows use a technology known as virtual memory. Its effect was to give programs the illusion that the computer had more Random Access Memory, or RAM, than it actually did. It accomplished this by writing out infrequently accessed data and code to a paging file on the disk. When the program accessed that data or code again, the operating system simply read it back into RAM from the paging file.
“There’s no sign of the document, either the original or altered one, in RAM now,” Daryl said. “Maybe the operating system wrote a copy of it to the paging file when the virus had it in RAM around the time that it replaced the original in Herlicher’s e-mail, but before the Trojan deleted the altered copy from RAM.”
“Now that’s original, and devious. Someone’s put their thinking cap on.”
For the rest of that day, they used a special tool Daryl had previously written for their forensic tool kit. It copied the contents of the paging file, something that wasn’t possible when the operating system was running. They then copied the data to an external disk they connected to their laptops.
“Let’s see,” Daryl said. She launched the scan and a few minutes later discovered pieces of the altered document scattered around the file. This was extraordinary.
“So that was it, smart lady. Who said you were just another pretty face?”
“Yeah, right, smart aleck,” she said, with a laugh. “We’re lucky they didn’t include turning off the computer in their pathetic incident response policy.”
While what they’d found was not direct evidence that the Trojan altered the document, it constituted substantial anecdotal evidence. They also checked copies of the document on the file server and those backups were the original document. The copy on the e-mail server was the altered version, and they discovered more bits and pieces of the alterations in the paging file.
Daryl’s laptop flashed an alert. “Looks like the Company wants to talk.”
14
PEOPLE’S REPUBLIC OF CHINA
XINJIAN PROVINCE
URUMQI
PLA CYBER WARFARE CENTER
10:43 A.M. CST
Colonel Jai Feng scanned the three oversized computer monitors at his workstation, taking in the data with a single practiced glance. He lifted another Hongtashan cigarette to his lips and took a long pull, the strong smoke delivering a jolt of nicotine almost immediately. He lifted his cup of coffee, long cold, and drained it.
Feng was dissatisfied with the progress of his team. He was under relentless pressure from Beijing to produce results and it seemed to him everything was going much too slowly. Working for him were the finest computer minds in China. Everyone was proficient in English while a number, though too few for his needs, were fluent. They were highly trained, highly skilled, and dedicated to the work, if not for the greater glory of China, then for the greater advancement of their careers.
The problem, Feng knew, was that he was overextended. When he’d first taken control of the PLA’s Cyber Warfare Center, the operation had been quite modest and expectations low. But as he expanded its scope, and demonstrated time and again the usefulness of what he was doing, both resources and demands had increased.
He’d realized the year before that he needed to reorganize but doing so would be a major interruption in his ongoing operations. This was no time for that. Matters were much too crucial to risk it. And, of course, there were laurels to be had, a promotion to receive if he left things as they were with him in sole charge. But once he split command the inevitable would happen. It was human nature. Those who’d been hired by him, advanced by him, those who owed everything to him would slit his bureaucratic throat in an instant to jump over him in promotion. Time enough for that after he was made general and relocated to Beijing.
Angry with developments in his two main projects, he pushed himself away from his desk and set off on one of his unpopular lightning tours. The warfare center occupied all five floors of the modern building though the heart of the operation was on the second, third, and fourth floors. The second was dedicated to military penetration. Feng’s unit there enjoyed extraordinary success in penetrating the U.S. Department of Defense databases. Its most recent triumph had been the penetration of the U.S. Pacific Fleet Command computer structure. The fourth floor was where the malware was crafted. Bright—very bright—software engineers were constantly thinking down the road, anticipating the next moves, both theirs and their adversaries’, and generating clean, effective product. Feng knew that his long-term success depended on just how well these young minds performed.