Counting from Zero
Mick hardly noticed the passing of time as he read more and more accounts. His own mail server seemed unaffected. He jumped when his secure telephone alerted – it was Lars.
“Hey! What do you think about the mail server attack?” Lars began.
“Well, it looks like there might be some new scripts out there that we aren't aware of.”
“Mick, this isn't a script. My mail server just got hit. I still haven't been able to regain control over the server,” Lars explained.
“What do you mean? Cleaning and rebooting didn't work?” Mick asked, using a term from the very early days of computing, originating from the expression ‘pull yourself up by your bootstraps’. Early computers had only a tiny amount of permanent program storage, known today as firmware – the name indicating that it is somewhere between hardware and software. As a result, when first powered on, a user had to manually enter a short bootstrap program that would instruct the computer to load a longer program from a tape drive or punched cards.
“No, and reinstalling the OS didn’t. I tried reformatting, too. Have you read of anyone else recovering their system yet?” Lars asked. Mick thought hard, then answered.
“No… I haven't. That is very strange.”
How could reinstalling the operating system not work?
“Mick, I think this attack is rewriting the firmware,” Lars said.
“Is that really feasible? I know people have talked about it in theory, but I've never heard of anyone actually doing it.”
“I think this is it. Would you keep searching and monitoring this? I want to know right away if anyone else does a successful cleaning. I'm going to put hardware monitors on my server and try to figure out what is happening.” Lars had computers that were specially modified so he could control and slow down the system clock. A clock on a computer does not tell the time – instead, it acts more like a metronome, and provides regular ‘ticks’ at a particular frequency. The clock regulates and synchronizes everything a computer does. Engineers continually increase the speed or frequency of computer clocks to speed up processing. Gamers even experiment with ‘overclocking’ their computers – risking a complete meltdown of their computer motherboards just to make a game run faster.
Lars’s setup did the reverse: slowed down the clock so he could observe, effectively in slow motion, what was happening on the computer. If anyone could figure this out, Mick was sure Lars would. He hung up a few minutes later.
So much for my Halloween plans...
Mick let his friends on his social network know so they wouldn't wonder why he wasn't sharing his nocturnal adventures with them.
He barely had time to get back to reading when his video screens lit up. It was Kateryna. He stared at his reflection for a moment before answering.
“Hey Kat… this is a surprise!” he began.
“Mick, sorry to interrupt your holiday but – hey, I like the jacket,” she paused. Mick had not taken off his leather riding jacket, although he was still wearing (what else?) a black T-shirt underneath.
“No worries. What’s up? You following this mail server attack?”
“Yes I am, and it’s what I want to talk to you about.”
“Go.”
“OK, our guys have been looking at it for about five hours now. A customer shared it before it was even public – can't say who, of course. Well, one of our guys, Martin, a young kid – I mean really young – it is scary to think of him driving, that’s how young he seems... Anyway, Martin had a hunch after looking at the code, and the hunch played out. He compared the Zed dot Kicker code to this code, and it has very, very strong similarities.” Mick felt a tingling all over his body. Now he had a moment to study her, he could see that Kateryna looked a little agitated.
“Shut up!” he shouted.
“Pardon me?” she asked, puzzled.
“Sorry – I think I'm spending too much time with ten-year-old girls. I just meant 'Wow!'”
“Mick, I know your other job is confidential, but we need to share this. Others need to know that someone has written a sophisticated program that is being used to launch a whole bunch of different attacks, and all of them so far are zero days. I know this has happened in the past with simple scripts. But this is new code – good code – advanced stuff. What do we do? Martin and I can't tell anyone without your say so, and you probably can't say anything without your client’s permission.” Kateryna paused while Mick thought hard.
“Can you prove the attacks are from the same source?”
“Prove it?” Kateryna thought hard, then replied, “I'd say no. We can’t prove it yet. But it is extremely probable.”
“OK, then keep working on it. Your corporate handlers probably wouldn't let you announce without irrefutable proof anyway, so let’s use this time to come up with a plan. Just make sure Martin doesn't leak this or we are both compromised.” Kateryna nodded. She knew exactly what Mick meant: the sharing of this type of information through informal channels, although common, was right on the edge ethically. It wouldn't be hard for someone to misinterpret or paint a different picture of everyone’s motivation – especially in light of the forged email to Internet Security World. “Kat, thanks a bunch for letting me know!”
“My pleasure, Mick.” Kateryna smiled weakly back at him. Mick couldn’t resist smiling back which made her smile grow.
“OK, OK, I need to get back to work…” he replied.
Mick finished up with Kat and slumped in his chair. He needed to clear his head and figure out what to do.
He could release the details of his own mail server compromise to F.T.L. However, the linkage was not quite strong enough – the best information and data he had on Zed.Kicker came from LeydenTech, which he couldn’t release without approval.
The whole situation suffered from non-transitivity, Mick decided. The ‘Carbon’ compromise was strongly coupled to LeydenTech’s. And LeydenTech’s was strongly coupled to the mail server discovered by F.T.L. Putting all three together made a very strong case for a new and dangerous set of programs. However, he could not strongly couple the ‘Carbon’ and F.T.L. compromises without LeydenTech’s. This meant only one thing: he had to have a discussion with Vince, share a few more details, and see if he would agree to release some details of their attack. It was a conversation he did not look forward to.
He spoke to Lars a few hours later.
“So, it is definitely rewriting the firmware,” Lars began. He looked tired, as if he had stayed up all night, which he had. “I observed it on my slow clocked machine. I’ve figured out a way to restore the system, and I’ve brought mine back up.”
“That’s good. Did you share the info?”
“Didn't have to… a guy named Jasinski beat me to it. His solution was a little longer than mine, and not as elegant, but it will do the job.”
“Sorry about that,” Mick replied.
“I’m not worried. I think I may try to get to know him – he must be pretty good to have figured it out so quickly. There is a patch uploaded too, so this one is all over, bar the shouting.”
“What do you think about the attack?”
“I’m still getting my thoughts together, but I think this is a watershed. The level of sophistication needed to launch this attack is quite staggering. Yet, the resulting attack was quite simple to find and clean. It kind of gives me a bad feeling...” his voice trailed off.
“What do you mean?” Mick asked.
“Well, to me, this feels like a test run – an experiment. The attacker wanted to try it out to see how it would work and what defenses would be used against it, but the rest was just for show. I know, it doesn’t make any sense.”
“Oh, no. It makes sense, unfortunately. I can’t explain, but let me just say that I’m not surprised.”
“But you can’t say more than those maddeningly cryptic words?”
“Right. Sorry.”
“No problems. I understand. I’m going to get some sleep now,” he replied with a big yawn. “Sorry this attack ruined your Halloween plans.”
“Yeah, I don’t take many days off, so it is kind of a bummer.”
Actually, Mick wasn’t feeling sorry about it. He was energized with thoughts about the series of zero day attacks and Zed.Kicker. He knew there were hundreds of new attacks launched over the Internet each year, but three in a row that were linked, and that seemed to target different types of servers, applications, and users, was another matter. He knew something was afoot.
“Talk to you soon.” Lars ended the conversation.
The next day, Mick cleared his calendar. His new book outline and industry analysis paper would have to wait. Today, he was determined to discover the steganography in the spam emails. He had a large dataset of spam messages. He first sorted out the ones that went between the computers he knew to be infected; if there were any P2P control messages, they would be there. The rest of the data might also contain messages, but he figured he had a higher probability of discovering them in the smaller set.
He then analyzed the different kinds of messages, sorted them first by subject, then by sender, then by date, but couldn’t draw any new conclusions. Starting to run out of things to try, he just started reading the emails. He was amazed at the variety, the emotion, and the brazenness of some. He imagined himself a spammer (presumably in some anti-universe where he had turned his computer skills to evil) and tried to look at them as samples, as bait, and as marketing exercises. He got nowhere.
He was about to quit and go out for coffee when he realized he had been ignoring the attachments – the message bodies in the spam mails. He stripped them out and fed them through his scanning software. Not surprisingly, he found viruses, Trojans, key loggers, and various spyware and malware – quite a collection of digital nasties. Then, he found some that appeared not to be infected. Some looked like random binary data – perhaps these were attempts at malware that failed, and as a result didn’t execute correctly. He loaded them on his quarantine computer, a sacrificial one he often exposed to various viruses in order to observe; they didn’t appear to do anything. A couple were image files, and they didn’t do anything either. He was about to move on when the thought bounced in his mind.
The image files don’t do anything!
Why would a spammer include an image file if it wasn’t either malware or an image related to the spam topic?
Mick turned his attention to the image files that would not open. He did some research on the JPG image format, then began going through the binary information in the files. He quickly discovered that the files were too big for the image sizes they were supposed to contain. Sure enough, in the middle of each JPG file was a block of data that was clearly not image data, but something else. He took out this data block and stored it in a different file. He analyzed it and found that it had all the properties of an encrypted file. He had broken the steganography and found the hidden message in the spam!
Gotcha!
He wrote a short script to do automatically what he had just done manually in his editor – split each non-working image file into two parts: the image file and the hidden message. The script ran, and Mick had a pile of information. He felt triumph at his success! He glanced at the JPG photographs. Now that their secret payload had been removed, they were viewable. They were manipulated photographs of celebrities.
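Mick's script is not reproduced in the novel. What follows is an added example, not the book's code, of how such a split can be done: walk the JPEG marker structure (SOI, length-prefixed segments, the SOS header followed by entropy-coded scan data, EOI) and treat any bytes that do not fit that structure as the foreign payload. The sample JPEG skeleton, the "encrypted" payload, and the function names (`split_jpeg` and its helpers) are all constructed for this example; the carver goes a little beyond the story by also catching a payload appended after the EOI marker and by rejecting a decoy marker inside the payload.

```python
"""Added example (not the novel's script): carve foreign bytes out of a JPEG by
walking its marker structure.  Everything that is not a well-formed marker
segment, entropy-coded scan data, or the SOI/EOI markers is treated as a hidden
payload and returned separately.  The sample JPEG and payload are constructed."""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {SOI, EOI} | set(range(0xD0, 0xD8))   # markers with no length field


def _marker_at(data: bytes, p: int) -> bool:
    """Loose check: 0xFF + known marker byte, with a length field that fits the file."""
    if p + 1 >= len(data) or data[p] != 0xFF:
        return False
    m = data[p + 1]
    if m < 0xC0 or m == 0xFF:
        return False
    if m in STANDALONE:
        return True
    if p + 3 >= len(data):
        return False
    length = int.from_bytes(data[p + 2:p + 4], "big")
    return length >= 2 and p + 2 + length <= len(data)


def _resync_at(data: bytes, p: int) -> bool:
    """Strict check used only while skipping foreign bytes: a real segment must be
    followed by another marker, so a stray 0xFFxx pair inside random payload is rejected."""
    if not _marker_at(data, p):
        return False
    m = data[p + 1]
    if m in STANDALONE:
        return m == EOI and p + 2 == len(data)
    end = p + 2 + int.from_bytes(data[p + 2:p + 4], "big")
    if m == SOS or end == len(data):
        return True
    return end + 1 < len(data) and data[end] == 0xFF and data[end + 1] >= 0xC0


def _scan_end(data: bytes, p: int) -> int:
    """Advance over entropy-coded data: 0xFF00 is byte stuffing and 0xFFD0-D7 are
    restart markers; the first other 0xFFxx pair is the next real marker."""
    while p + 1 < len(data):
        nxt = data[p + 1]
        if data[p] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
            return p
        p += 1
    return len(data)


def split_jpeg(data: bytes) -> tuple[bytes, bytes]:
    """Return (image_bytes, foreign_bytes).  foreign_bytes is everything that does
    not belong to the JPEG structure: blocks wedged between segments, or data
    appended after EOI."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    image, foreign = bytearray(), bytearray()
    p, n, seen_eoi = 0, len(data), False
    while p < n:
        if seen_eoi:                      # anything after EOI is not image data
            foreign += data[p:]
            break
        if _marker_at(data, p):
            m = data[p + 1]
            if m in STANDALONE:
                end = p + 2
                seen_eoi = m == EOI
            else:
                end = p + 2 + int.from_bytes(data[p + 2:p + 4], "big")
                if m == SOS:              # the header is followed by the scan itself
                    end = _scan_end(data, end)
            image += data[p:end]
            p = end
        else:                             # a marker was expected: this is foreign
            start = p
            p += 1
            while p < n and not _resync_at(data, p):
                p += 1
            foreign += data[start:p]
    return bytes(image), bytes(foreign)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed 8x8 greyscale JPEG skeleton (structurally valid, not a real photo).
APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
DQT = _segment(0xDB, b"\x00" + bytes([16] * 64))
SOF0 = _segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
DHT = _segment(0xC4, b"\x00\x01" + bytes(15) + b"\x00")
SOS_HDR = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
SCAN = b"\x12\x34\xff\x00\x56\x78"              # contains a stuffed 0xFF00
CLEAN = bytes([0xFF, SOI]) + APP0 + DQT + SOF0 + DHT + SOS_HDR + SCAN + bytes([0xFF, EOI])

# Constructed "encrypted" payload; it deliberately contains a decoy 0xFFDB so the
# resync check has something to reject.
HIDDEN = bytes.fromhex("9c3a5e11ffdb0004176208aa" "4d0e92c7b33f5a8865d17e2c" "7f09e4b1a6d3")
# Payload wedged between APP0 and DQT, like the spam images described in the story.
STEGO = CLEAN[:2 + len(APP0)] + HIDDEN + CLEAN[2 + len(APP0):]

if __name__ == "__main__":
    img, payload = split_jpeg(STEGO)
    print(f"image bytes: {len(img)}, foreign bytes: {len(payload)}, image intact: {img == CLEAN}")
```

The carver never decodes the picture; it only needs the marker grammar, which is why a file that "would not open" can still be taken apart. The strict resync check is what keeps a random-looking payload from being cut short at the first `0xFF` it happens to contain, though a payload that also carries a plausible length and a following `0xFF` could still fool it.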
He almost called Gunter, but realized he shouldn’t share the results. Besides, Gunter would only ask what the messages were, and he didn’t know that – yet! Dinner had passed him by, but his stomach growls became too loud to disregard, so he decided to cook up some noodles while he replayed the morning’s discoveries again in his head.
Mick tried to decrypt the messages using some basic crypto analysis software he had, but failed to make any headway. He decided to contact his friend Mathison who had helped him in the past with similar problems. To talk to Mathison, he had to run some special encryption software that was even stronger than what he used daily, as Mathison was even more security conscious than Mick. Soon he was in a video call, looking at Mathison’s unshaven face and rumpled clothes.
“Botnet control messages, eh? Sounds pretty cool... Any idea how big this botnet might be?” Mathison asked. Mick had been asking himself the same question lately.
“No, not yet. But I may know soon... Do you need to know?” he asked.
“Well, a large botnet will only use key management and distribution schemes that scale well, whereas a small bot could be more flexible.”
“I’m assuming it is very large until I know otherwise,” Mick replied. “And Math, take care of yourself, OK?” The last time they had worked together Mathison had ended up in the hospital, but continued to work on the project, breaking the encryption just before he was discharged.
“Sure, sure. I’ll get to work, then,” Mathison replied, saluting as he cut his video.
“OK, then,” Mick replied to a blank screen.
Now that he knew how to identify the spam emails containing the secret messages, he wanted to see where else these messages might show up on the Internet. He shared the information with Kateryna, and she passed it along to her company’s anti-spam group. She was nervous about getting in deeper with this unofficial information exchange, but apparently her curiosity got the better of her judgment.
Mick took a break from work during the afternoon for a short ride. He took the tunnel across to Jersey and went south on the Parkway. He exited in the pine barrens and rode a series of winding, sandy trails on his Scrambler, his first ride on it since its repair in Albuquerque and return shipment. It looked and felt great, and he enjoyed the autumn sunshine. Mick was surprised to discover when he returned home that four hours had passed. He felt refreshed, and ready for anything.
“Hey Mick, nice to see you again,” Kateryna began as they started a secure video session later that evening. It was a planned call to touch base on the botnet investigation. She smiled at him, and he couldn’t help but notice her casual attire. He hadn’t seen her in sportswear before, and it distracted him.
“Likewise, Kat. How are things with you?” he asked.
Is she using this spambot investigation as an excuse to stay in touch with me? Or am I?
But her next comment completely derailed his thoughts.
“Mick, you won’t believe what we found! Well, not me, our anti-spam guys. That spam signature you gave me... it’s ALL OVER THE INTERNET!” she practically shouted. Mick was speechless. “They are still putting together the numbers, but it looks like 9% of all the spam they are seeing on the Internet has the same signature as your botnet messages.” ‘Signature’ referred to the characteristics of the spam messages containing the corrupt JPG images Mick had shared with her. Mick knew the statistics on the amazing amount of spam on the Internet – over 8Ø% of all emails sent are spam – to have a significant percentage was astounding.
“You kid, right?” Mick finally got out.
“Kid? Oh, you mean joke? No, I don’t kid!” she replied. “Are you certain that this represents botnet traffic?”
“No, you know I’m not, but I’m fairly sure. I have a crypto friend – I mean, I have a friend who is a crypto expert working on the actual messages themselves. Will your guys have an estimate of the number of spam sources meeting this signature soon?”
“Yes, by the end of today they’ll have a first order estimate, and a better one in a few days. And, we still need that permission from your client for the rest...” she began.
“I know. I know. I’m working on it,” he replied, stretching the truth a bit. He had been thinking about talking to Vince but had not actually started the conversation with him.
“OK. Mick, if this is a botnet, it is the biggest one I’ve ever heard of.”
“Yes, by an order of magnitude or two,” he agreed, meaning a factor of ten or a hundred.
“And Mick... be careful. Botnets these days are usually run by organized crime. One this big could really do a lot of damage to the Internet. If you are thinking of tracking and taking down this botnet, they won’t like it very much at all.”
“Don’t worry, Kat,” he replied.
After they signed off, Mick stood up, stretched, and realized that this was exactly what he was thinking. He knew he was the perfect person for this job. He was thinking of how he could track, infiltrate, and ultimately destroy this botnet. And he wasn’t thinking about the cost.
Chapter 13.
From the Security and Other Lies Blog:
I read that a website had a ‘Denial of Services Attack’ launched against it. What is that, and how can I protect myself against it? LOLraptors
A Denial of Service or DOS attack occurs when an attacker directs lots of traffic (messages) towards a particular site or computer. Sometimes, a DOS attack can look a lot like a big surge in activity, such as when an otherwise obscure website suddenly becomes wildly popular, for example if it is Slashdotted (i.e. mentioned on slashdot.org – you do read Slashdot every day, don’t you??). This phenomenon also occurs in telecommunications in the case of radio contests or TV voting.
The goal of a DOS attack can be to overwhelm an Internet connection, making it impossible for messages to be delivered over that connection. Or, it can be to overload the processor on a computer, making it run slowly or crash. Another example is to target something called an Internet name server, also known as a DNS server. A DNS name server helps you find sites and people on the Internet by resolving a human-friendly domain name (such as amazon.com) to a numerical IP Address (such as 69.195.97.72) that is routable on the Internet. If a name server can be overloaded using a DOS attack, a whole set of sites can be made unreachable. For example, if you can crash the name server for the ‘yahoo.com’ domain, then all web pages or email addresses associated with ‘yahoo.com’ become unavailable.
Essentially any type of packet flood is a type of DOS attack. Protecting yourself and your site from DOS is difficult to do, but basically involves filtering or blocking the traffic flood as close to the source of the flood as you can.
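The blog post draws a line between a flood and a sudden surge of genuine popularity, and says the defence is to filter the flood near its source. As an added example, not part of the blog or the novel, the script below shows one way a site operator can tell the two apart from a web server log: bucket requests into short windows and look at both the request rate and how concentrated the sources are. A surge carried by a handful of addresses is a flood and gives you something to filter upstream; a surge spread over many independent addresses is a flash crowd with nothing to block. The log lines, IP addresses, thresholds and function names are all constructed for this example.

```python
"""Added example (not from the blog): tell a request flood from a flash crowd by
looking at per-window request rate and how concentrated the sources are.
Log lines are Apache common log format and are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (source_ip, timestamp) for a common-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def classify_windows(lines, window_s=10, flood_rps=5.0, top_share=0.5):
    """Bucket requests into fixed windows and label each one.

    flood:        rate above flood_rps and the busiest source carries at least
                  top_share of it -> rate-limit or block that source upstream.
    flash-crowd:  rate above flood_rps but spread over many sources -> a
                  capacity problem, with no single source to filter.
    Thresholds are illustrative; real ones depend on the site's baseline."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        window = int(ts.timestamp()) // window_s * window_s
        buckets[window][ip] += 1
    report = []
    for start in sorted(buckets):
        sources = buckets[start]
        total = sum(sources.values())
        rate = total / window_s
        busiest_ip, busiest_n = sources.most_common(1)[0]
        share = busiest_n / total
        if rate < flood_rps:
            verdict = "normal"
        elif share >= top_share:
            verdict = "flood"
        else:
            verdict = "flash-crowd"
        report.append({"start": datetime.fromtimestamp(start, timezone.utc),
                       "rate": rate, "sources": len(sources),
                       "top_source": busiest_ip, "top_share": share,
                       "verdict": verdict})
    return report


# --- constructed sample log (documentation address ranges, not real hosts) ---
BASE = datetime(2009, 10, 31, 22, 0, 0, tzinfo=timezone.utc)


def _line(ip: str, ts: datetime) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 5120'


SAMPLE_LOG = []
# window 0: quiet, two ordinary visitors
for i in range(4):
    SAMPLE_LOG.append(_line(f"192.0.2.{i % 2 + 1}", BASE + timedelta(seconds=i)))
# window 1: flash crowd, 80 requests from 80 distinct sources
for i in range(80):
    SAMPLE_LOG.append(_line(f"198.51.100.{i + 1}", BASE + timedelta(seconds=10 + i % 10)))
# window 2: flood, 80 requests from just two sources
for i in range(80):
    ip = "203.0.113.7" if i < 50 else "203.0.113.9"
    SAMPLE_LOG.append(_line(ip, BASE + timedelta(seconds=20 + i % 10)))

if __name__ == "__main__":
    for w in classify_windows(SAMPLE_LOG):
        print(f'{w["start"]:%H:%M:%S} {w["rate"]:5.1f} req/s  {w["sources"]:3d} sources  '
              f'top {w["top_share"]:.0%} ({w["top_source"]})  -> {w["verdict"]}')
```

The concentration test is what stops a popular link from being mistaken for an attack. It also shows the limit of filtering at the victim: a flood from many spoofed or distributed sources looks like a flash crowd in this view, which is why the blog says to push the filtering as far toward the source as you can.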