Trojan Horse (9 page)


Authors: Mark Russinovich


Then there was tight code that did what it was meant to do efficiently, cleanly, and with a minimum of space and fuss. Corporations typically produced such code, sometimes government agencies did as well.

Then there was genius code, code so good, so smooth, so effortless, it was like a brilliant work of art. This wasn’t that good, Daryl told him, but it was very, very good indeed.

When she finished, Jeff said, “The author has really thought this through. When the system shuts down, the virus saves itself to a file with a name identical to one that’s part of the primary antivirus suite used by the UK government, just in a different location.”

“That’s clever of someone,” she said. “So if an administrator were to stumble on it and examine its properties they’d see ones that matched those of a legitimate file.”

If suspicious, an extra check would typically be to verify the digital signature of the file, tamper-proof evidence that confirmed who it was produced by. However, despite the fact that all Windows components were digitally signed by Microsoft and many software vendors signed their software, the antivirus industry ironically had been slow to adopt the practice. The result was that this second check couldn’t be performed in this instance because the author had been clever enough to hide the file in the one place where digital signatures weren’t commonly used.

“The guy’s pretty sneaky,” Daryl said.

Jeff told her that he couldn’t think clearly any longer and was going to bed. “Sleep tight,” she said. He left a wakeup call for five hours later and was asleep at once. In his dreams he chased pixels across a screen, saw images of streaming code, and engaged in conversations with Yates about their virus that had never taken place. When the telephone rang it was as if he’d never left work, never slept at all, he was so weary. He showered, redressed, ate a continental breakfast, then set out for Whitehall.

The early-spring morning was fresh and invigorating. Big Ben pealed again. A bleary-eyed Blake was already in his office and waiting for him. “You look better than yesterday,” he said as he led Jeff into the basement. “I’ll let you get to it.”

“There’s no need for you to keep me company,” Jeff said as he set his bag down. “I know where to reach you.” Blake left, looking relieved.

Jeff picked up his cell phone and sent Daryl a message to let her know he was working. She came back at once. “Worked all day with no luck.” Jeff did a quick mental calculation. It was nearly three in the morning in D.C. “As I told you, this thing is really clean, I mean really clean. Now in the chat rooms.”

Malware creators often bragged about what they’d launched. There were certain chat rooms frequented by such authors and even if they did no crowing personally, it was not unusual for someone familiar with the new virus to chat about it, and the author. This often led to vital clues as it had before when they’d uncovered the Superphreak virus that led them to the Al Qaeda plot.

For Jeff, it was time to determine what the virus did when it went active. Utilizing his debugger again, Jeff focused on the system process hosting the malware parasite. This was a protracted, exhausting process requiring his full attention on the heavily obfuscated malware code. The author had worked hard at making it difficult to analyze. But after several hours Jeff made a key discovery. Every two or three days, after it awakened from its digital slumber, the virus generated a list of a thousand seemingly random DNS names and reached out onto the Internet. DNS, or Domain Name System, is the convention used to give the actual numeric addresses, like 192.168.122.12, human readable aliases, like www.facebook.com. Individuals and companies purchase names from domain-name registrars around the world and the registrars maintain mappings of names to the numeric addresses, called IP addresses, in databases on the Internet that software can reference to perform name translations.

The virus then worked its way through the list it generated, one at a time, again at random intervals lasting anywhere from ten seconds to one minute. The lack of regularity was designed to cause the queries to blend in with the usual network activity in the log files. In each case it was attempting to connect to a specific DNS. The purpose once there, Jeff knew, was to download instructions as to what the virus should do now that it was in the Walthrop computer with access to his files.

This was a technique the author had borrowed from the infamous Conficker virus that first appeared in late 2008. It was especially crafty since the author had to simply activate one address of the thousand listed at approximately the prescribed time and from it, deliver the instructions to the virus. The timing was structured into the malware system.
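The polling pattern described above, as an added Python example that is not from the book or from any real product: it runs a defender's check over constructed resolver log lines, flagging a host that queries a burst of random-looking names despite the ten-second-to-one-minute jitter, and tallying which top-level domain the generated names favour (the kind of skew the investigators notice later in the chapter). The log format, host names and domain names are all made up for the example.

```python
import math
from collections import Counter, defaultdict
# Constructed sample resolver log (hypothetical format, not from the book): "<ts_seconds> <host> <qname> <rcode>"
SAMPLE_LOG = """\
1000 ws-walthrop fxq8tz1k.ir NXDOMAIN
1051 ws-walthrop p0wq3ymz7a.ir NXDOMAIN
1072 ws-walthrop zk9qd7vx.cn NXDOMAIN
1120 ws-walthrop mhx2r8tq1.ir NXDOMAIN
1139 ws-walthrop q7y1zvx9c.biz NXDOMAIN
1160 ws-walthrop v3kp9tzx.ir NOERROR
1000 ws-blake www.bbc.co.uk NOERROR
1030 ws-blake mail.fco.gov.uk NOERROR
"""

def parse_log(text):
    """Return (ts, host, qname, rcode) tuples."""
    rows = [line.split() for line in text.splitlines()]
    return [(int(ts), host, qname.lower(), rcode) for ts, host, qname, rcode in rows]

def entropy(s):
    """Shannon entropy in bits per character; pseudo-random labels score near log2(len(s))."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_generated(qname, min_len=8, min_entropy=2.9):
    """Heuristic: a long, high-entropy label directly under the TLD (no public-suffix handling)."""
    label = qname.split(".")[-2]
    return len(label) >= min_len and entropy(label) >= min_entropy

def flag_hosts(rows, window=600, min_names=5):
    """Hosts that query at least min_names generated-looking names within `window` seconds."""
    by_host = defaultdict(list)
    for ts, host, qname, _ in rows:
        if looks_generated(qname):
            by_host[host].append(ts)
    flagged = set()
    for host, stamps in by_host.items():
        stamps.sort()
        # The 10-60 s jitter does not hide the burst once the window exceeds the jitter.
        if any(stamps[i + min_names - 1] - stamps[i] <= window
               for i in range(len(stamps) - min_names + 1)):
            flagged.add(host)
    return flagged

def tld_bias(rows, host):
    """Top-level-domain share among the generated-looking names one host queried."""
    tlds = Counter(q.rsplit(".", 1)[-1] for _, h, q, _ in rows
                   if h == host and looks_generated(q))
    if not tlds:
        return None, 0.0
    top, n = tlds.most_common(1)[0]
    return top, round(n / sum(tlds.values()), 3)
```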

Antivirus investigators such as Jeff and Daryl, not to mention traditional law enforcement agencies involved in stopping cybercrime, lacked the resources and time to check the registrant of every possible domain name the malware was employing. Worse, it was easy to obtain a domain name under a fictitious or borrowed identity and most of the randomly generated names were in third-world countries, which lacked legal agreements with the Western nations and typically had few cyber laws.

He forwarded the address generation code to Daryl and asked her to research it for patterns when she had time. Maybe the names weren’t as random as they first appeared. It would take hours to devise a way to fool the virus into thinking that the time to generate the domain names had arrived so she could scrutinize them in the meantime. Once that was accomplished she’d analyze the list, looking for signs, for patterns, for anything that would help. But she’d have to sleep soon. He wished she was here, working with him hand in hand.

Authors tried to be clever when designing a virus but they could not avoid leaving clues. Bits and pieces of old code were often cobbled into a new creation and the old code, created or used when the author was green, tended to be sloppier. Jeff and Daryl had once managed to find the street address in Moscow for an author based on just such a clue. She’d had no similar luck earlier with the code itself but Jeff was more hopeful she’d have some success with the address list. There was bound to be a pattern.

During these long hours Jeff observed the malware in detail, identifying new files it duplicated into the computer and locating files that had been modified using a Windows feature that tracked such changes. The virus appeared to be searching only for document files, including presentations and those in OfficeWorks.

This was the heart of what Jeff did. There was no glamour in it, but both he and Daryl shared a passion for the cyber hunt. They were detectives on the trail of the culprit and at any turn of the electronic corner within the computer they might uncover him.

Jeff lost all connection to day or night. Every two hours his watch chirped. He would stop, stand up and stretch, go for a walk in the hallways, find a restroom, and splash water on his face. Back in the office, he would pour a cup of whatever had caffeine in it, often eat something sugary, then return to his digital world.

He hated losing, hated it with an all-consuming passion. And he loved games. For him, uncovering the virus, unraveling how it worked, assessing what damage it had done, was the greatest challenge of all, as real to him at times as playing rugby.

He’d told Daryl once that at times like these the pixels in the computer, the code he read, were his entire world. He could understand how certain personalities became addicted to the cyber universe. As it became even more sophisticated, he occasionally wondered what the future for some people was going to be, locked away in their rooms, utterly lacking any normal contact with humanity, their brains directly wired into the network.

By afternoon Jeff concluded he’d learned all he could at Whitehall and told Blake to arrange a meeting as soon as convenient. He called Daryl, who he reasoned had to be even wearier than he was. She’d been working at very odd hours.

“You awake?” he said.

“Just barely. I’m living on coffee.” She sounded tired. “I called Frank Renkin at the Company to see if he’d put his team on the DNS names. It was a big job.” Frank was a friend of Jeff’s from college where they’d taken a number of classes together. She knew him as well from her work with the CIA. Neither of them had kept in touch particularly but they all worked in the same field and ran into one another from time to time. They also customarily exchanged data they thought the other could find useful. What Daryl liked best was that Frank was happily married and had never made a pass. He’d landed with the CIA, working internal computer security.

“And how is Frank?”

“Very good. A third baby is on the way. They want a boy this time. He seemed a bit stunned at the thought. I don’t think it’s planned.” Jeff laughed. “I called because he represented the government in the Conficker Cabal and might have information on new strains.”

“Right. Our guy’s using the same name-generation technique. Any luck?”

“Nothing off the top of his head,” she said, “but he was glad to get the information. I also forwarded the code to him and he promised to get back as soon as his people compared it to what they have on Conficker. It’s always possible it’s the same author.”

“Yeah. More likely our guy borrowed it.”

“You know, I don’t want to give our author too much credit but this seems to be a very well-thought-out virus. When I stepped through the code I didn’t find a single hint of origin, nothing. It seems like he made a conscious effort to keep it clean. And there was something else. It doesn’t have the feel of a single gifted author. I’d say several people worked on this thing.” She paused. “There was also nothing in the chat rooms. Not a word. This thing’s potential is so great you’d think somebody, somewhere, would be talking about it. It’s as if it was created in a vacuum.”

“Any luck with the DNS names?”

“I’ve just been looking over the results Frank’s team came up with and can’t help notice that the names are heavily biased toward those ending in Iran. In fact, nearly half of them produced by the algorithm fall under the Iranian namespace, ending in .ir.”

“That’s either a very stupid move on the part of an Iranian author,” Jeff speculated, “or a clue dropped to deliberately mislead us.”

“Right. But there’s no way to tell which at this point.”

“You know, it’s impossible for us to position ourselves to intercept a command coming to it. And if the author picks up we’ve accessed the thousand URLs he’s using, he’ll just add thousands more. And we still have no idea of the scope of this thing, how old it is, or what it does.” Jeff paused. “What do you think it does?”

“It can do most anything really, but from what you’ve found it wants to access documents. That tells me it’s snooping.”

“A cyber spy.”

“Exactly. Like a keystroke logger but much better.” Loggers tracked the keys struck on a computer keyboard in a covert manner so that the victim using the keyboard was unaware they were being monitored. The information was then accessed by whoever planted, or had access, to the embedded logger.

“You know,” Jeff said, “this guy in Geneva might not be lying.”

“If he’s telling the truth, the only way it can be is if someone used this virus to access an OW file in his computer and altered its language before Herlicher sent it with the digital signature attached to it.”

There was silence. They both knew what that meant.

“Get some rest,” Jeff said. “I’m wrapping it up here. The next step is Geneva if they want me, where malware on that end—if it’s still there—might have more clues. I’ll let you know either way. Thanks for your help and thank Frank.”

10
 

LONDON, UK

WHITEHALL

FOREIGN AND COMMONWEALTH OFFICE

RESEARCH GROUP FOR FAR EAST AFFAIRS

IT CENTRE

3:32 P.M.

 

Just as Jeff’s wrap-up meeting was about to begin he received an e-mail from Daryl.

 

The Company says this is first it’s heard of this virus and tnx us very much. They want to know if we’ve noticed how clean code is. I said we had. When we figure out what it does we’re to let Frank know at once. If they figure it out first, he’ll do the same. Finally, Frank wants us over for dinner when we get back home. It’s going to be a girl this time and they want to brainstorm names with us. I take it this is some kind of new game they’ve come up with. Miss you.

 

Yates and Walthrop looked hopeful and expectant as they began. Through the office window beside him, Jeff saw a heavy fog rolling across the city. “This is what I have so far,” Jeff said. “The trail goes to UNOG, as you suspected. I need to access this Herlicher’s computer to be certain and to see if I can learn more about what it’s after.”

Walthrop nodded. “Franz is very upset over this. Between our concerns, his desire to placate me and your reputation, I don’t see a problem with access. I had Graham speak with his counterpart earlier today when it became apparent where this was heading from what Blake told me. They’ve been taking a look at Franz’s computer. There is a greater acceptance of the need to move quickly when it appears digital defenses have been penetrated. Plus, as you saw, this involves Iran’s nuclear program. OFDA at UNOG has a great sensitivity to this. Franz’s superiors already know what has happened and are not happy. It appears the release of their report has been delayed.”
