Trojan Horse (12 page)

Read Trojan Horse Online

Authors: Mark Russinovich

BOOK: Trojan Horse
5.55Mb size Format: txt, pdf, ePub

They’d received the contract for Project Tusk for a flat fee with a bonus for every zero day vulnerability they uncovered. They’d found one vulnerability in the Bluetooth stack, two more in the core WiFi driver as well as another two in the GPS driver.

“Maybe they outsourced it,” Jeff said as he buttered a second piece of toast. There were plenty of criminal groups around willing to do the work for a price. There were, however, inherent problems with that approach. If someone, even or especially a hired gun, learned enough about you to graft an attack on others it was not difficult for them to turn their creation back on their employer or resell what they created.

“Anything’s possible, I guess. But can you imagine a hacker writing code that clean?” Criminal cyber-gangs in the former Soviet Eastern bloc nations had turned such operations into a vast illegal financial industry but their code was often sloppy and until now, always identifiable for what it was. Was it possible one such group had raised the bar so dramatically?

“It doesn’t seem to get the Iranians very much,” Daryl continued. “So they read this Herlicher’s files, even altered a copy of the final report to say there will be no Iranian nuclear bomb. So what? Such a mistake can be explained and is sure to bring people like us on the scene as soon as they changed something important. From what I’ve read they just want to get their nuclear bomb detonated so they can get on with their quest to become a major world player.”

“And then arrange for it to be used.”

“That’s right.” She paused. “I’ve often wondered why there is so little concern about them getting the bomb. Look what they’ve done financing terrorist groups worldwide. Don’t people see what they do? And even if by some miracle they don’t turn it over to their terrorist minions to use, they’ll bully their way into complete Middle East dominance. After all, when it was still called Persia, the country had a long history of controlling the region. What’s it going to take to wake people up? A nuclear wasteland? The lights going out in their hometown for a month? Sometimes I just want to scream.” She stopped, drew a deep breath.

“It’s all right, Daryl.”

“No, it’s not!” she said. “That’s why I’m so upset. Look, getting back to this thing, I think it’s someone a lot more competent than Iran, someone with a more expansive agenda.”

Jeff considered that as they finished their meal and dressed. It made a lot of sense.

“So, you give this another two or three days to figure this thing out?” Daryl said, her mood having lightened. Jeff nodded. “I was thinking on the way over that Italy is very romantic, according to all the books and shows. Rome, Florence, Venice. We can see the city in a gondola while you serenade me.”

“You’ve got me mixed up with the gondola guy. He does the singing.” Jeff leaned over and kissed her. “You’re a woman of wonderful surprises. I love you.”

“Keep talking like that and I might go ring shopping.”

He pulled her tight. “I can think of worse things.”

 

As they left the hotel, the view of the shimmering lake and distant mountains crowned with white clouds was gorgeous. They had a clear view of the famous Jet d’eau, the enormous jet water fountain, visible from nearly anywhere in the city. Jeff had heard that Geneva was known as a dreary city but from what he’d seen it didn’t seem possible. So far he’d found it quite charming, though he suspected his companion had something to do with that.

The Palais des Nations, where UNOG was located, was a brief walk up the Rue de Lausanne to the Avenue de la Paix, the Avenue of Peace. Jeff noted that there were no visible guards on the grounds or immediately outside the building. The entrance was some distance from the street, reached via a long concrete walkway across a vast expanse of well-tended garden. Exterior security was either out of sight or depended in large part on the inherent stability and law-abiding nature of Swiss society.

Henri Wille, the security chief, was waiting to receive them at Pregny Gate, the usual entry point for first-time visitors. He was in his forties, trim and fit, and looked every inch Swiss with blond hair, fair skin, and deep blue eyes. Though wearing a suit, on his left breast was a distinctive badge. As the designated Interpol agent for UNOG he’d been alerted by the UK Foreign Office of the arrival of two key computer security experts and had been instructed to see to them personally. Frank Renkin had already alerted Graham Yates that Daryl would be joining Jeff. He’d been delighted because her reputation, if anything, exceeded that of Jeff’s.

After introductions, Henri asked Jeff and Daryl to go to a nearby room to have their photographs taken. A few minutes later they received a badge to wear whenever in the building.

“It will grant you near universal access,” Henri said. “If you require anything at all related to security come to me directly.” He wrote his cell number on the back of a business card and gave it to Jeff. He then escorted them to the UNOG IT office and bid them good-bye.

The head of IT was out of the country and they were briefed instead by his assistant who introduced himself as Nikos Stefanidou. Short, with a bushy mustache, he was not happy with their presence. “This is a matter I believe we are capable of handling but others have decided to the contrary,” he said with clipped words. “I will do what I can for you.” He’d not risen from behind his desk.

“You have the computer here?” Daryl asked. It was standard procedure to disconnect the machine from the network and move it to the IT center so no one could do anything to it.

“No, it has remained in Mr. Herlicher’s office. He was told not to use it.”

Jeff raised an eyebrow but said nothing.

“Have you had other reports of infection in the building?” Daryl asked.

“I couldn’t say.”

“Does that mean ‘yes, you have,’ or ‘no, you haven’t’?” Jeff said.

“I couldn’t say.”

“I suggest we get working, then,” Jeff said. There would be no help here. “Can we see the computer, please?”

 

Franz Herlicher, the German technocrat, was a weasel in Jeff’s opinion. He’d given them each a curt European handshake and a quick bob of the head before turning his computer over to them with obvious reluctance. “I must attend a meeting, which will last several hours so you will have the office to yourself. Of course, I will make it available as you need thereafter. I only wish to cooperate and clear up this terrible misunderstanding.”

“Before you leave, could you tell us what happened?” Jeff asked.

“I’m sure you already know. That’s why you are here.” Herlicher pulled himself upright.

“It will be useful to hear it from your perspective,” Daryl said.

Herlicher looked at one of them, then the other, unable to decide just who he should address. “All right then,” he said, deciding on Jeff. He was the man, after all, but with Americans you could never be certain. “I had finished a late draft of the report, which was essentially the final report, pending approval of the specific language by my superiors. I then forwarded it to Mr. Walthrop at Whitehall but what he—”

“He’s part of the approval process?” Daryl asked.

Herlicher swallowed. “Not . . . not exactly. He’s a colleague and this report was very important to him. I wanted . . . his input.”

“Go on,” Jeff said.

“There’s nothing else.” Herlicher looked exasperated. “I received this most horrid message from him—you can see it yourself in my computer—denouncing me as a liar! It was very unsettling, I can tell you. I’m not accustomed to such language. It was simply awful! I e-mailed to assure him there had been some kind of technical mistake but he didn’t reply. Then . . . then I checked the report and . . .” Herlicher stopped, apparently unable to continue. He took a white handkerchief from a pocket and dabbed his moist brow.

“Then what?” Daryl said, when it appeared he wasn’t going to continue.

“The report wasn’t the same! It had been . . . rewritten. It’s quite impossible.”

“Perhaps someone here made the change,” Jeff suggested.

Herlicher shook his head. “I already considered that possibility. I always lock my office when I leave and only two other people have keys.” Neither statement was true, of course, but Herlicher wasn’t going to present any version of events but the most proper.

“Still, the room must be cleaned and no security measures are ever airtight,” Jeff said.

“Yes, I see your point. We do have some . . . less trustworthy types working here in menial positions. But that wasn’t the problem.”

“How can you be certain?” Daryl said.

Herlicher had watched a number of American detective motion pictures. He understood the “good cop/bad cop” technique he’d seen in them. He feared that was what was going on. Did these two suspect him? Surely not. He’d been told their presence was confirmation of what he’d suggested, that something had penetrated UNOG’s cyber defenses, that he was not to blame for what had happened. But that might very well be a lie. They might just be here to trick him.

He pulled himself upright. “I am absolutely certain our building security was not compromised. You see, after I wrote the e-mail to Mr. Walthrop, I attached the document. I then opened it and proofread it a final time. I always do this with important files. The moment I finished reading it, I closed the file and sent it, all but simultaneously. I assure you, the file I sent was the one I wrote. The problem must be at his end. Now, I must go to my meeting. I wish you well in your investigation.”

“One last question,” Jeff said. The man stopped. “You affixed the digital signature before sending the e-mail?”

“Of course! Always on official documents. Now, good day.”

Daryl watched the man walk off in a huff. Still, what he’d said, if true, was most interesting. She moved to a spot where she could work as Jeff sat at the man’s computer. Another windowless office, she thought, as she linked to the computer and booted it up. Maybe she should get a job as a park ranger or something.

“He’s been deleting files,” Jeff said within a few minutes. “Looks like communications with other agencies. Probably sharing things he’s not supposed to.”

“Jerk.” She looked at her screen, which duplicated the one Jeff saw. “And he doesn’t know diddly about how to hide it. Okay, Superman, let’s see what you’ve got now that you’ve had a full night’s sleep and been laid.”

“Let’s start with the obvious,” Jeff said. He went to the folder containing the file and opened it. “See it?” He read it through. “This one is different from the one Whitehall received. It reaches a different conclusion. That’s odd.”

“How?” Daryl asked.

“Until now I’d been thinking the virus allowed the interloper to alter the file in Herlicher’s computer. I’d assumed he’d sent it along without double-checking, placing the signature on it at that time. But this report is not the one Whitehall received. That makes no sense.” Daryl drummed her fingers. “What?”

“Just thinking. What if the change was made after the report was attached? This e-mail program holds its own copy of the file. Hang on.” Daryl opened the attachment with the message to Walthrop in the “Sent” folder. “Whoa,” she said. “This one
is
the same as the one Whitehall received. It’s altered.”

“Let me check the signature.” When Jeff was finished, he said. “Yup, the signature is valid and the same.”

Neither of them said anything for a long minute.

Daryl spoke first. “Someone used this Trojan to access the OW file
after
it was attached to the e-mail and altered its language
before
the digital signature was generated.” She paused, then said, “This is unbelievable.”

“Let’s get a handle on this thing,” Jeff said finally, and the pair went to work. Because of what he’d learned in London the process went quickly and within ten minutes he had located the Trojan. “There’s the nasty little thing,” Daryl said, spotting it on her screen as well.

“What we’re postulating is that this guy sends the correct file, but it’s altered at the moment it’s sent as an e-mail attachment. And there is
no evidence
it was been tampered with. Jeff, they didn’t just change a word. They rewrote the report! How can you do that in the middle of an e-mail transmission?”

“I have no idea. Let’s find out.”

For the next few hours they worked at unraveling how their Trojan functioned. They discovered that it was not hard-coded with commands when it was created and embedded. While these would work in most circumstances to accomplish what the author wanted, such an approach did not permit any degree of flexibility. The virus could only do what it had been preprogrammed for at creation. Instead, the Trojan was sophisticated enough to be programmed with script-language, which gave the author enormous flexibility. This was why it was so aggressive and clever in seeking out a domain from which to receive updates and orders.

Searching further they found snippets of script in memory that enabled the Trojan to copy Herlicher’s e-mail messages whenever they were sent. The copies were kept in memory for later uploading to the control servers. The Trojan then periodically probed the file servers he was connected to, grabbing any documents Herlicher could access.

For the rest of the day they pored over networking logs and reverse engineered the malware, stopping from time to time to brainstorm. At one point, Herlicher stuck his head in the office and asked how they were doing.

Other books

Not My 1st Rodeo by Donna Alward
The Silent Bride by Glass, Leslie
Children of War by Martin Walker
King and Kingdom by Danielle Bourdon
Beds and Blazes by Bebe Balocca
Rapunzel Untangled by Cindy C. Bennett
Another Chance to Love You by Robin Lee Hatcher