Trojan Horse (6 page)

Authors: Mark Russinovich

Yates continued, “We think, or strongly suspect, something’s there. Whatever it is has a bug that caused our monitoring of OfficeWorks to alert us to its presence.” He cleared his throat. “This is potentially out of our depth. You are an acknowledged expert in this field and are generally familiar with our system. I should be asking if you’ve encountered contaminated OfficeWorks document files previously.”

“Not long ago malicious PDFs were used to attack both Google and Adobe utilizing vulnerabilities and flaws in Adobe’s Reader software,” Jeff said. “Another, known as Operation Aurora, targeted Google’s intellectual property. It’s one of the reasons Google had so many issues with their presence in China. The Chinese have an ongoing army cyber warfare operation and Google is apparently a major target. RSA, the gold standard in digital cryptography with presumably the finest security in the world, was the victim of an Advanced Persistent Threat attack, which breached its security and stole very valuable authentication technology. It all but certainly was Chinese in origin.

“OfficeWorks is nearly universal. It’s the most commonly used word-processing program in the world. The recent version is as bug free as anything anywhere. I’ve not heard of any significant problems with it recently. Is this attack restricted to Mr. Walthrop?”

“There have been no other incidents. We’ve initiated manual inspection of key servers to look for suspicious activity on the systems or in our network activity without finding anything. We know that hacking techniques are sophisticated enough now to hide in the noise, so to speak, making them very hard to discover.”

Jeff suppressed a yawn. It had been a long sixteen hours since receiving the telephone call summoning him to London. He had called Daryl to tell her about the assignment. With a sinking heart he couldn’t help but notice how distracted she was by her project when they spoke. It had been in that mood he’d hurriedly packed.

Since losing his fiancée in the World Trade Center attack, Jeff had initially found it impossible to move on emotionally. Only much later, when circumstances had put him together with Daryl, had he awakened. Their frantic chase to stop the Al Qaeda cyber-attack, putting their lives at risk in the process, had served to bond them in a remarkable way. The early months of physical recovery from their wounds, of buying the town house together and joining forces professionally had been as wonderful and satisfying as any he’d ever known, the ideal joining of a personal and professional life.

In this war Jeff and Daryl were one team in a million. Jeff was in his midthirties and though he spent most of his time in front of a computer, he’d played rugby at the University of Michigan and still ran almost daily when possible. After university, where he’d obtained his doctorate, he’d taught at Carnegie Mellon, then gone to work for the Cyber Security Division of the CIA. Since 2002, he’d had his own security company.

He’d first met Daryl Haugen when she’d been with the National Security Agency, or NSA, serving at the time as assistant deputy executive director and head of a team at US-CERT working for the agency. Also a Ph.D., she was a year younger than Jeff, just over average height, slender, with a fair complexion and blond, shoulder-length hair.

When he and Daryl had been brought together two years ago in their pursuit of an Al Qaeda plot to inflict massive damage on computers and the Internet in the Western world, their romance had begun. Jeff had not believed he could love again but there it was, as rich, as deep, as fulfilling as before.

Jeff had rushed to reach Dulles in time for a direct red-eye flight. On the plane he’d done what research was possible on the Internet, then slept fitfully, his thoughts turning repeatedly to Daryl. Was it real? Had it ever been? Did she really feel for him what he felt for her? Or was she going to leave him? Finally, he’d escaped from his thoughts into a restless slumber.

He’d arrived in London at noon local time, been ushered immediately through immigration and customs, then driven to Whitehall where he’d been greeted by Yates. Jeff had worked with Yates before, when Jeff had been with the CIA. The UK had its own spy agency, GCHQ, which increasingly specialized in cyber operations, but their inability to match industry salaries left them short-staffed, forcing government agencies to frequently bring in outside consultants. Though there were any number of experts in malware, few carried Jeff’s security clearance. For those reasons he’d been summoned to London earlier in the year to deal with a complex infection of a portion of their network. That one turned out to be part of a generic botnet. Yates primarily maintained the intraoffice IT system and had very limited experience with viruses, other than in working to keep them out. His concern was not so much the file in question but the integrity of the system overall. He and his team could very quickly find themselves lost if they tried to tackle virus code itself and it turned out to be something serious. And there’d been enough significant problems in recent years to require that experts be brought in at the first sign of any new malware attack. It was simply too dangerous to allow new code to infect an entire system.

“Unless there is more, I should get started,” Jeff said.

“By all means,” Yates said, glancing at Walthrop, who nodded. “We’ve moved Mr. Walthrop’s computer into a free office where you can work undisturbed. This way.”

 

Not surprisingly the office was in the basement. Though it made no sense to place IT in desirable offices with expansive views, a window would have been a pleasant change, just once.

A man of about thirty was waiting inside. He extended his hand and introduced himself. “I’m Elliot Blake,” he said. “I’ve been the one on this bug. I know you by reputation and am delighted at the prospect of working with you. I have a great deal to learn.”

“Elliot’s my best man,” Yates said. “It was he who alerted me to this and advised against chasing it ourselves. I’ll leave you to it. Don’t hesitate if you require any services, any at all. Elliot can always reach me in seconds. It’s good to see you again.” With that and a light pat on Jeff’s back for luck, he left them alone.

Blake was a slender man with black hair and glasses. After pointing Jeff to the coffee, teapot, and biscuits he dived in. “We’ve got the latest version of OfficeWorks and we update as a matter of routine. Until now we’ve had no difficulty with it. I’m assuming Mr. Yates briefed you?”

Jeff nodded.

“So here it is from my end. None of Mr. Walthrop’s files are corrupted that we can detect. We’re told the contents of the document he received from the UN office in Geneva are reported as altered.” At this Blake made a face as if he had no idea what to believe. “I checked the digital signature and that just doesn’t hold up. It’s the one affixed in Geneva by the author. So I’d say the bloke in Geneva is lying. I ran the usual antivirus scans and came up with nothing. I even ran one for rootkits with no luck.”

Digital signatures could not be altered. Period. Invented in the late 1970s, they rely on asymmetric cryptography. In cryptography, a secret code called a key is used to encrypt and decrypt messages, much like how secret decoder rings work. With asymmetric cryptography, a user has two keys that work in conjunction. A message encrypted with one key can be decrypted only with the other, and vice versa. A message can’t be decrypted with the same key used to encrypt it. With this scheme, a user can freely distribute one of the keys to enable others to send them encrypted messages that can’t be decrypted by anyone else. The key kept secret is called a private key and the one given out is a public key, as if many decoder rings were able to encrypt messages but only one special decoder ring could decode them.

When used for digital signing, the signer uses a hashing algorithm to produce a shortened version of the message—essentially a unique summary—they wish to sign, and then encrypts the hash with their private key. This encrypted hash is the message’s digital signature because it’s a way for a user to digitally confirm that the message is authentic. Checking to see if a message is actually the one that the sender signed requires simply regenerating the hash of the received message and seeing if it matches the one obtained from decrypting the digital signature. Any alteration of the message, no matter how small, results in a mismatch. The security of the scheme is assured by the infeasibility of determining the private key from a public key by even the most powerful modern computers.
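The sign-and-verify flow the passage describes, as an added example that is not part of the novel: Go’s standard-library RSA signs a SHA-256 digest of a constructed memo, and flipping a single bit of the received bytes is enough to make verification fail.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDocument produces the signature described above: hash the document
// with SHA-256, then sign that digest with the signer's private key.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyDocument is the recipient's check: recompute the hash of the received
// bytes and compare it with the hash recovered from the signature via the
// public key. Any mismatch, from any edit, returns false.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed memo, then flips one bit of one byte and checks
// both versions. It returns (originalVerifies, alteredVerifies, err).
func Demo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample document; it stands in for the Geneva attachment.
	original := []byte("Committee memo: proposal approved on 2 May.")
	sig, err := SignDocument(priv, original)
	if err != nil {
		return false, false, err
	}
	altered := append([]byte(nil), original...)
	altered[0] ^= 0x01 // 'C' becomes 'B': a single-bit change
	return VerifyDocument(&priv.PublicKey, original, sig),
		VerifyDocument(&priv.PublicKey, altered, sig), nil
}

func main() {
	ok, tampered, err := Demo()
	fmt.Println("original verifies:", ok, "altered verifies:", tampered, "err:", err)
}
```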

Increasingly, governments relied on digital signature software to protect the authenticity of documents and in many cases refused to accept attachments not digitally signed. It was the system by which everyone knew a document was genuine. So it seemed the man in Geneva must be lying.

“We make every effort to determine the cause of any crash rather than take chances. We’ve found no evidence of a virus in fact.” Blake cleared his throat. “As I understand the process from this point on, to determine if the file is infected I have to trace data from the point of the crash, through God knows how many paths, each one potentially being the source of the vulnerability. Have I got that right?” Jeff nodded. “I’ve never done that before so you can see my problem. We want you to determine if there is a virus and if so, find out as much about it as you can, including who made it and what it’s up to.”

A corrupted file can be spotted, usually quite easily since it’s visibly different. But an infected file was not necessarily outwardly corrupt. It could look and behave in a perfectly normal fashion. Jeff asked which antivirus programs he’d run and Blake provided the names of the five most commonly used.

“You did right,” Jeff said. “If this document is infected you could have a virus spreading throughout your network and exfiltrating data even as we speak.” He pulled out his own laptop and looked for a place to put it. “Let’s get started. Frankly, I’m dead from the flight but we’ll see how much steam I’ve got left.”

Jeff sat before Walthrop’s computer and linked to it. Next, Blake stepped him through the document’s folder and showed him the problematic file. Jeff launched a Windows virtual machine on his own laptop to serve as the laboratory and a sandbox in which he could experiment while keeping the virus contained. His first step was to configure the machine to match the characteristics of Walthrop’s as closely as he could. He then confirmed that his virtual machine was running the same version of Windows, including the updates. Then he installed OfficeWorks, also making certain it had the same updates as Walthrop’s version and configured the program in exactly the same way. Every detail could potentially be significant if the malware was specifically targeted at Walthrop.

With his test environment ready, Jeff copied the infected OfficeWorks document into the virtual machine. He now unleashed a host of automated tools so that they were ready to watch for any sign of compromise. These were scripts, sequences of commands that executed other programs or operating system functions, and stand-alone programs that picked apart the document searching for anomalies and signs of common attack vectors. In the old days, this had been done manually and the work had been both slow and tedious.

In his laptop’s test environment where a potential virus could cause no damage he attempted to open the file. It made no difference if it crashed or not. If it did, then he could begin figuring out how to get OfficeWorks to work; if it didn’t, he could skip that step and start figuring out what the virus was ultimately trying to do.

The file failed to open. This might indicate nothing of significance as the program could have a bug that was only indirectly triggered by this particular file. Or the problem could be malware that was trying to burrow into the computer, but had hit something unexpected and failed. That was what Blake and Yates feared. If that was the case, whatever was in there had encountered an environment for which it was not programmed, meaning there was a flaw in the malware’s assumptions, causing it not to execute. For now Jeff would act with the assumption he was dealing with malware.

On his laptop were diagnostic programs that were the result of thousands of hours of work. They included the standard diagnostic and recovery tools used by everyone in his profession, but over the years he’d added a collection of very useful utilities. So valuable was the information that it was copied to several DVDs he’d secreted here and there, two of which were in safe deposit boxes. He’d once laughingly told Daryl he was thinking about having them insured.

“Okay,” Jeff said, “let’s first see if it’s a fresh variation of an existing virus.”

“Would that be good?” Blake asked.

“Oh yes, I can catch a variation pretty quickly and the fix is often a snap. We’ll know soon enough.”

New variants were the most common causes of infiltrations. An old virus became increasingly less effective as antivirus programs learned to sniff it out. The next step for the author was to alter it just enough to sneak in under the radar. Thousands of new pieces of malware were unleashed onto the Internet every month and the number was growing. Most were variations and such a variation was the most likely explanation for this problem.

Of course, no virus could actually alter an OW file, not without it looking like gibberish. Jeff didn’t want to seriously consider the alternative.

“Elliot, what do you know about the man in Geneva?” he asked while he waited.

“Only what Mr. Walthrop says, which is that he’s a civil servant with UNOG. They have a professional association. They both serve on an Iranian economic development committee.”

Jeff was inclined to think it most likely the man in Geneva was lying, as the digital signature had not been altered. It was impossible, absolutely impossible, to alter an OW document and not change the signature since it was embedded in the file. It seemed a silly claim for someone to make but he’d seen and heard of much worse from so-called professionals.
