Counting from Zero

Author: Alan B. Johnston

On All Hallow’s Eve, Mick had just returned from a short test ride on his 1993 Ducati Monster 9ØØ (a fiercely named superbike) when he received an alert of a zero day spreading through the Internet.
 
Mick decided to delay leaving while he read up on it, and the more he read, the more interested he became.
 
According to early reports, the attack was hitting mail servers used to send and receive email on the Internet.
 
This particular attack seemed to ignore end user’s computers but instead went for the mail infrastructure: the servers that provided service for large groups of people.
 
Crashing a server that provided service to thousands of users had a much larger impact than just going after a single user’s computers.

Mick hardly noticed the passing of time as he read more and more accounts.
 
His own mail server seemed unaffected.
 
He jumped when his secure telephone alerted – it was Lars.

“Hey!
 
What do you think about the mail server attack?” Lars began.

“Well, it looks like there might be some new scripts out there that we aren't aware of.”

“Mick, this isn't a script.
 
My mail server just got hit.
 
I still haven't been able to regain control over the server,” Lars explained.

“What do you mean?
 
Cleaning and rebooting didn't work?” Mick asked, using a term from the very early days of computing, originating from the expression ‘pull yourself up by your bootstraps’.
 
Early computers had only a tiny amount of permanent program storage, known today as firmware – the name indicating that it is somewhere between hardware and software.
 
As a result, when first powered on, a user had to manually enter a short bootstrap program that would instruct the computer to load a longer program from a tape drive or punched cards.

“No, and reinstalling the OS didn’t.
 
I tried reformatting, too.
 
Have you read of anyone else recovering their system yet?”
 
Lars asked.
 
Mick thought hard, then answered.

“No…
 
I haven't.
 
That is very strange.”

How could reinstalling the operating system not work?

“Mick, I think this attack is rewriting the firmware,” Lars said.

“Is that really feasible?
 
I know people have talked about it in theory, but I've never heard of anyone actually doing it.”

“I think this is it.
 
Would you keep searching and monitoring this?
 
I want to know right away if anyone else does a successful cleaning.
 
I'm going to put hardware monitors on my server and try to figure out what is happening.”
 
Lars had computers that were specially modified so he could control and slow down the system clock.
 
A clock on a computer does not tell the time – instead, it acts more like a metronome, and provides regular ‘ticks’ at a particular frequency.
 
The clock regulates and synchronizes everything a computer does.
 
Engineers continually increase the speed or frequency of computer clocks to speed up processing.
 
Gamers even experiment with ‘over clocking’ their computers – risking a complete meltdown of their computer motherboards just to make a game run faster.

Lars’s setup did the reverse: slowed down the clock so he could observe, effectively in slow motion, what was happening on the computer.
 
If anyone could figure this out, Mick was sure Lars would.
 
He hung up a few minutes later.

So much for my Halloween plans...

Mick let his friends on his social network know so they wouldn't wonder why he wasn't sharing his nocturnal adventures with them.

He barely had time to get back to reading when his video screens lit up.
 
It was Kateryna.
 
He stared at his reflection for a moment before answering.

“Hey Kat… this is a surprise!” he began.

“Mick, sorry to interrupt your holiday but hey, I like the jacket,” she paused.
 
Mick had not taken off his leather riding jacket, although he was still wearing (what else?) a black T-shirt underneath.

“No worries.
 
What’s up?
 
You following this mail server attack?”

“Yes I am, and it’s what I want to talk to you about.”

“Go.”

“OK, our guys have been looking at it for about five hours now.
 
A customer shared it before it was even public – can't say who, of course.
 
Well, one of our guys, Martin, a young kid – I mean really young – it is scary to think of him driving, that’s how young he seems...
 
Anyway, Martin had a hunch after looking at the code, and the hunch played out.
 
He compared the Zed dot Kicker code to this code, and it has very, very strong similarities.”
 
Mick felt a tingling all over his body.
 
Now he had a moment to study her, he could see that Kateryna looked a little agitated.

“Shut up!” he shouted.

“Pardon me?” she asked, puzzled.

“Sorry – I think I'm spending too much time with ten-year-old girls.
 
I just meant 'Wow!'”

“Mick, I know your other job is confidential, but we need to share this.
 
Others need to know that someone has written a sophisticated program that is being used to launch a whole bunch of different attacks, and all of them so far are zero days.
 
I know this has happened in the past with simple scripts.
 
But this is new code – good code – advanced stuff.
 
What do we do?
 
Martin and I can't tell anyone without your say so, and you probably can't say anything without your client’s permission.”
 
Kateryna paused while Mick thought hard.

“Can you prove the attacks are from the same source?”

“Prove it?”
 
Kateryna thought hard, then replied, “I'd say no.
 
We can’t prove it yet.
 
But it is extremely probable.”

“OK, then keep working on it.
 
Your corporate handlers probably wouldn't let you announce without irrefutable proof anyway, so let’s use this time to come up with a plan.
 
Just make sure Martin doesn't leak this or we are both compromised.”
 
Kateryna nodded.
 
She knew exactly what Mick meant: the sharing of this type of information through informal channels, although common, was right on the edge ethically.
 
It wouldn't be hard for someone to misinterpret or paint a different picture of everyone’s motivation – especially in light of the forged email to Internet Security World.
 
“Kat, thanks a bunch for letting me know!”

“My pleasure, Mick.” Kateryna smiled weakly back at him.
 
Mick couldn’t resist smiling back which made her smile grow.

“OK, OK, I need to get back to work…” he replied.

Mick finished up with Kat and slumped in his chair.
 
He needed to clear his head and figure out what to do.

He could release the details of his own mail server compromise to F.T.L.
 
However, the linkage was not quite strong enough – the best information and data he had on Zed.Kicker came from LeydenTech, which he couldn’t release without approval.

The whole situation suffered from non-transitivity, Mick decided.
 
The ‘Carbon’ compromise was strongly coupled to LeydenTech’s.
 
And LeydenTech’s was strongly coupled to the mail server discovered by F.T.L.
 
Putting all three together made a very strong case for a new and dangerous set of programs.
 
However, he could not strongly couple the ‘Carbon’ and F.T.L. compromises, without LeydenTech’s.
 
This meant only one thing: he had to have a discussion with Vince, and share a few more details and see if he would agree to release some details of their attack.
 
It was a conversation he did not look forward to.

He spoke to Lars a few hours later.

“So, it is definitely rewriting the firmware,” Lars began.
 
He looked tired, as if he had stayed up all night, which he had.
 
“I observed it on my slow clocked machine.
 
I’ve figured out a way to restore the system, and I’ve brought mine back up.”

“That’s good.
 
Did you share the info?”

“Didn't have to…
 
a guy named Jasinski beat me to it.
 
His solution was a little longer than mine, and not as elegant, but it will do the job.”

“Sorry about that,” Mick replied.

“I’m not worried.
 
I think I may try to get to know him – he must be pretty good to have figured it out so quickly.
 
There is a patch uploaded too, so this one is all over, bar the shouting.”

“What do you think about the attack?”

“I’m still getting my thoughts together, but I think this is a watershed.
 
The level of sophistication needed to launch this attack is quite staggering.
 
Yet, the resulting attack was quite simple to find and clean.
 
It kind of gives me a bad feeling...” his voice trailed off.

“What do you mean?” Mick asked.

“Well, to me, this feels like a test run – an experiment.
 
The attacker wanted to try it out to see how it would work and what defenses would be used against it, but the rest was just for show.
 
I know, it doesn’t make any sense.”

“Oh, no.
 
It makes sense, unfortunately.
 
I can’t explain, but let me just say that I’m not surprised.”

“But you can’t say more than those maddeningly cryptic words?”

“Right.
 
Sorry.”

“No problems.
 
I understand.
 
I’m going to get some sleep now,” he replied with a big yawn.
 
“Sorry this attack ruined your Halloween plans.”

“Yeah, I don’t take many days off, so it is kind of a bummer.”

Actually, Mick wasn’t feeling sorry about it.
 
He was energized with thoughts about the series of zero day attacks and Zed.Kicker.
 
He knew there were hundreds of new attacks launched over the Internet each year, but to have three in a row that were linked, and seemed to target different types of servers, applications, and users.
 
He knew something was afoot.

“Talk to you soon.” Lars ended the conversation.

 

The next day, Mick cleared his calendar.
 
His new book outline and industry analysis paper would have to wait.
 
Today, he was determined to discover the steganography in the spam emails.
 
He had a large dataset of spam messages.
 
He first sorted out the ones that went between the computers he knew to be infected; if there were any P2P control messages, they would be there.
 
The rest of the data might also contain messages, but he figured he had a higher probability of discovering them in the smaller set.

He then analyzed the different kinds of messages, sorted them first by subject, then by sender, then by date, but couldn’t draw any new conclusions.
 
Starting to run out of things to try, he just started reading the emails.
 
He was amazed at the variety, the emotion, and the brazenness of some.
 
He imagined himself a spammer (presumably in some anti-universe where he had turned his computer skills to evil) and tried to look at them as samples, as bait, and as marketing exercises.
 
He got nowhere.

He was about to quit and go out for coffee when he realized he had been ignoring the attachments – the message bodies in the spam mails.
 
He stripped them out and fed them through his scanning software.
 
Not surprisingly, he found viruses, Trojans, key loggers, and various spyware and malware - quite a collection of digital nasties.
 
Then, he found some that appeared not to be infected.
 
Some looked like random binary data – perhaps these were attempts at malware that failed, and as a result didn’t execute correctly.
 
He loaded them on his quarantine computer, a sacrificial one he often exposed to various viruses in order to observe; they didn’t appear to do anything.
 
A couple were image files, and they didn’t do anything either.
 
He was about to move on when the thought bounced in his mind.

The image files don’t do anything!

Why would a spammer include an image file if it wasn’t either malware or an image related to the spam topic?
