The information he had gleaned from the link Turing had provided him had proved to be invaluable. It proved that the Zed.Kicker botnet was definitely using the P2P communication and messaging software developed by Turing. Being able to send a message into the botnet didn’t mean he could control the botnet. He still needed to do a lot more work before he could pretend to be a botnet controller and issue commands to the botnet. But at least now he could read and understand the commands and knew how to create them. He began to document the differences between Turing's open source code and the actual Zed.Kicker code.
The following day, Mick looked over the latest deciphered botnet control traffic. Although he was sure he had deciphered it correctly, he couldn’t understand what it meant. He saw a list: “biz coop aero” with a date and time, the next day at ØØØØZ, which meant midnight Zulu time or GMT – Greenwich Mean Time. Mick recognized the three words in the list as Internet Top Level Domains (TLDs). For example, a company.biz domain name could be registered by a business and used for its web address or email addresses. The other two were also TLDs, but they weren’t in common use. The aero TLD was used for the aviation industry and coop was used for cooperatives. Mick couldn’t think of any companies that used these domains off the top of his head, but with a little searching, he found a few.
He also received a fraction: 1/1Ø24. He could not figure out what this fraction meant or represented. As Gypsy Moth progressed eastwards, his current time zone was getting closer to GMT or Zulu time, so midnight in England was now evening for him. He arranged for Ian to take his watch that night so he could be online at that time to see what would happen.
At exactly ØØØØZ, Mick monitored the botnet traffic but didn’t see anything unusual – a steady stream of spam was moving, but otherwise nothing. Then he sent a message to one of the .biz domains he had looked up the previous day – there was no response. He tried another – the same. He tried his list of .coop and .aero domains and found them all unresponsive. He knew exactly what this meant: the botnet must be targeting the domain name servers for these TLDs with a flood of traffic to take them out – a classic denial of service or DOS attack. He performed a DNS trace using a utility called ‘dig’ and confirmed it: there was no response from any of the .biz, .aero, or .coop domain servers.
Mariana poked her head inside Mick’s cabin as he was looking over the traces.
“Hullo there!” she called out. “Ian says you are all excited about something!”
“Yep, I’m analyzing a denial of service attack on the Internet by the botnet I’ve been tracking,” he began, and seeing little comprehension on her face, he continued. “You know the Internet addresses we use all the time, like amazon dot com or google dot com? Well, they are called ‘domains’ and there is a bunch of computers, called domain name servers that help computers on the Internet find the services associated with these domains: for example, how to find the web server of that domain, or how to deliver an email message to that domain. The botnet is flooding some of those key domain name servers with too many fake requests, making them crash and go offline. So right now, you can’t send mail or get to the website of company dot biz or airline dot aero or apartments dot coop. In short, part of the Internet is broken, which is a very serious thing.” He searched her face to see if this helped.
“You are an intense guy!” was her only reply, as she shook her head and resumed her duties above decks.
Mick now understood the fraction; it was the fraction of the hosts in the botnet that participated in the distributed denial of service (DDOS) attack. In this case, only .1% of the Zed.Kicker botnet was needed to completely crash these top level domains! This was one powerful botnet!
He did some quick web searches and couldn’t find any confirmation that this was occurring. He attributed it to the fact that these domains were little used. If this had happened to com, for example, in which every website or email that ended in .com would suddenly stop working, the reaction would be a lot bigger. Mick realized that this attack, like the others over the past few weeks, was just a dry run: an experiment, a test. A successful test, he noted. He quickly wrote a script that polled the name servers at five second intervals to note the exact time when the outage would end. He didn’t have long to wait – at about Ø1ØØZ, the outage suddenly was over. Mick found the control messages just prior to this time and sent them out to be decrypted. He hoped they might have some information about the source, the place from which the botnet instructions were originating.
One thing kept bothering Mick: the count of zombie computers in the botnet. Now that he was reading botnet messages, he realized that there was a discrepancy. About 15% of the computers did not seem to be sending messages, even though they were part of the botnet. He still could not rule out that this was a mistake on his part, or perhaps a bug in the botnet software. He had a feeling, however, that it meant something. What, he didn't know.
In the morning, he did find discussion on the Internet about the outage. For the first time, he also came across some interesting speculation on a web wiki about Zed.Kicker, although it was mistakenly classified as a worm rather than a botnet. However, the news failed to make the mainstream media or even the corporate press. No one seemed to know what had happened. Most people just assumed it was a screw-up by the operator, under the incorrect assumption that the three top level domains were all operated by the same company. It seemed, once again, only Mick knew the truth.
The last few hundred nautical miles were spent working northward towards the Canary Islands where Ian planned to stop over and re-provision. Mick was feeling impatient about arriving in England; he felt he was fast running out of time.
The wind had shifted to the northeast, which forced them to tack, or zigzag their way along. It slowed their effective speed towards the port, since they couldn’t sail directly towards it. But, it also meant a fun maneuver that involved everyone aboard.
When it was time to tack, Ian would get everyone up on deck, even if it meant waking from sleep. Ian took the helm, steering the catamaran. Mick worked the winch to pull the jib, the sail in front of the mast, from one side to the other. The mainsail, supported on its bottom edge by a horizontal pole known as the boom, would also swing to the other side during the tack.
Mariana watched all the ropes, called ‘lines’, to make sure they all flowed freely. When everyone was in position, Ian called out “Ready about!” As he steered the bow of the catamaran into the wind, he called out “Hard alee!” which meant he was turning the wheel so that the helm was hard to the leeward side of the yacht, which turns it towards the wind. As the jib started luffing, or flapping in the wind, Mariana released the line on one side and Mick winched it over on the other side. As the bow crossed in front of the wind, the wind caught the other side of the mainsail, moving the boom across. The flogging jib caught the wind on the other side, and Ian straightened the helm. He had steered the yacht through about 9Ø degrees of course change, completing the tack.
They did this about every four hours, or six times per day for the last three days of the voyage to the Canaries. By the second day, Ian let Mick or Mariana take the helm except at night when he did it himself. Mick could feel his muscles toning up, and his appetite increasing.
On the nineteenth day of the voyage, Mick sighted land; they made for the port of Tenerife. As they approached the harbor, Ian fired up the inboard diesel engines, and they motored in. They found a dock and came ashore, heading for the customs office.
Being on dry land felt very strange to Mick: the ground felt very hard and unforgiving. When he stood still, it seemed the horizon moved and swayed slightly. He knew this would wear off in a day or two if he stayed on dry land, but he hoped to only spend a minimum of time there and get back to Gypsy Moth. The London conference was only two weeks away, so they didn’t have much time to waste. They still had over 15ØØ nautical miles to go.
Mick was slightly nervous when he handed over his British passport to the customs official, but, as expected, they did not have a computer in the office, and it was stamped with only a cursory inspection.
They next walked down to the market and stocked up on fresh supplies, especially fruit, vegetables, and coffee. They arranged for a pile of food to be delivered to their dock later in the day. They changed some U.S. dollars into British pounds and Euros. Mick also purchased a couple of prepaid mobile phones with data plans.
Mick was glad to be back on Gypsy Moth a few hours later. As his body had adjusted to the constant motion of the boat on the water, Mick had felt a little ill back on dry land. His worst moment of ‘land-sickness’ came when he used the bathroom in a shop. Inside the stall, the walls seemed to move and sway and he was almost sick. Being back on the ship made him feel comfortable and relaxed. Ian and Mariana wanted to go out for the evening and Mick was perfectly happy to stay aboard and keep watch.
Mick took the opportunity to connect to a wireless network accessible from the harbor, enjoying the faster speed and lower latency Internet connection than the satellite link he had been using.
The next afternoon, they cast off and sailed right out of the harbor without running the diesels.
That evening, Mick watched as Mariana worked away in the galley with some kind of vegetable in a small circular bowl and what looked like a long stick. She noticed his quizzical looks.
“Ever had chimarrao before?” she asked. When he shook his head, she explained. “It is a traditional Brazilian hot drink made with yerba – kind of like tea.”
“Interesting,” Mick replied, and continued watching. Once it was prepared, Mariana put the long stick inside the bowl, which turned out to be a type of straw. The three of them sat around the cockpit. Mariana took a sip, then continued to drink until she apparently finished. She smiled at Mick as she refilled the bowl with hot water and stirred for a few moments.
“Now your turn… Drink all of it,” she instructed. Mick drank, and was amazed at the taste – kind of like a cross between coffee and tea.
“That was really different!” he said, and continued drinking until he had emptied the bowl. “Does it have caffeine?” he asked.
“I don’t know,” Mariana replied. “Probably.” She refilled a third time and Ian drank.
They each had a few more, as they watched the sun set over the water.
The weather turned colder and the seas heavier as they headed north towards England. They were crossing very busy international shipping routes, so someone always had to be on the lookout for other vessels. The new AIS or Automatic Identification System software Mick had purchased and installed on Ian’s computer was really showing its value now. The screen now showed the position, name, course, and speed of all the other yachts and ships in the vicinity, so they could make early course corrections to avoid collisions or close encounters. The small AIS radio receiver supplied this information via a USB port.
One day, Mick saw another sail on the horizon but he couldn’t identify the yacht or hail them on VHF radio, and they didn't have AIS. On the next night watch, Mick saw a supertanker off to port, named 'Mariposa'. He estimated its length as over 3ØØm from the onboard radar. Since its cruising speed was only a little faster than Gypsy Moth’s, according to the AIS, and they were headed in the same direction, Mick watched it most of the night.
Even with the higher seas, the catamaran still cut nicely through the waves. Everyone was back to wearing foul weather gear above decks, such as waterproof jackets and pants with fleece underneath. Mick was sure that Mariana wished they had stayed and explored the Canary Islands, or somewhere else warm, instead of heading north into winter, but she didn’t complain. He needed to come up with a good way to thank them both. He hoped, perhaps, that the two of them could take their time on the way home, presuming that he was able to find another way home. Actually, he hadn’t been thinking very much beyond making it to London, meeting his mysterious contact Turing, and attempting to shut down the botnet. This wasn’t the first time he had been so single-minded, he knew, but it was perhaps the riskiest.
As they approached the coast of England a few days later, Mick got ready. He packed up his luggage into a single roller bag, which he gave to Ian for delivery to London. He packed a few things into a small water-proof backpack. He put on a thick wet suit, mask, snorkel, and fins. He hugged Mariana goodbye and shook hands with Ian, thanking him again for all his help. Then, when they were less than two kilometers off the coast, Mick strapped on his bag and jumped overboard into the icy black water. He treaded water for a few minutes as he watched Gypsy Moth sail away towards Plymouth where they would put in a few hours later. He set off swimming towards the shore.
Chapter 1A.
From the Security Wiki
Zed.Kicker (worm)
Jump to: navigation, search
Zed.Kicker is a newly discovered worm that is spread from an infected web server to another web server using HTTPS transport. It is effective against version 2.0 and earlier of Apache. It was first identified in October when it was used in the ‘Carbon is Poison’ exploit that affected a significant percentage of websites [1]. In addition, it is known to install a spambot which sends out a significant volume of spam emails.
The worm reportedly uses a TLS connection over port 443, although this has not been confirmed.
An unknown number of web servers are still compromised. The number is estimated to be in the tens of thousands [2].
The source and origin of the worm has not yet been determined, although there has been widespread speculation about linkages to eco-terror organizations due to the environmentalist message posted on the web page.
Chapter 1B.
To the members of the Joint Anti-Botnet Information Taskforce:
Perhaps my previous memos have not been clear. I will be perfectly blunt in this one to ensure there is no confusion.
We believe that O’Malley knows more about the botnet than he has been willing to share. As a result, finding and apprehending him is a top priority. The grand jury subpoena issued for him to testify next week should give us the necessary grounds for this, as he is unlikely to show up.
In preparation for this, I want a list of all his known family members, associates, residences, hangouts, etc. I want a complete list of all his bank accounts, debit and credit cards. He will eventually run out of cash and this will be an opportunity to locate him.
He also may have additional identities besides the two of which we are aware. He could be using another identity or Internet alias right now without us knowing. We need Langley’s help on this.
Do we know if he has left the country? We must reach out to Canada and Mexico, as that would be the easiest way for him to flee. We should notify MI5 and G2 as well.
I want our best code breakers on his communication intercepts. First priority will be his written communication, followed by his VoIP communication. Get help from the NSA as needed.
We should be able to track his mobile communications. We should also analyze traffic into and out of his servers.
Finally, I want us to review those contingency plans for keeping basic government functions up and running if Zed.Kicker is unleashed, based on what we know about the botnet.
Additionally, we may need to break out non-traditional communication methods that do not rely on the Internet infrastructure.
General
Chapter 1C.
Mick O'Malley – knows life isn’t always smooth sailing. (2 comments)
Mick took a break from swimming after about a half hour, and to confirm his course, pulled out a waterproof GPS that Ian had loaned him. The stars no longer seemed so bright, and he could see the glow of civilization in the distance. He was on track.
Another half hour of swimming, and Mick picked a landing spot, a dark area that seemed to have fewer rocks and breakers. He knew the most dangerous part of the swim would be next. He reached down as he swam with his hands to feel for the bottom. When he touched the bottom with his fingertips, Mick put his feet down and pushed off towards the shore. A moment later he was on dry land. He looked back and was convinced that this little sandy area was the best place to come ashore – on either side were rocks and a little further on was a sheer cliff.
Mick found a place behind some bushes out of the wind. He stripped off the wetsuit, dried off quickly, and dressed in his clothes from the backpack. He dug a hole in the dirt and buried all the swimming gear in a plastic bag, noting the coordinates in the GPS. Mick got out his wallet and passport and put them in his coat.
He had chosen to swim ashore to avoid having his passport stamped and scanned, just in case his name was on some kind of international terrorist watch list. Mick carried only his British passport. As he was still a British subject, he felt like he hadn’t actually done anything wrong. He was legally entitled to be here, even if he had sidestepped the official procedures Ian and Mariana would be going through. He set off walking towards Penzance, wondering if he might meet some pirates, thinking of the Gilbert and Sullivan opera. He walked rapidly and started to warm up, despite the chill of his damp hair.
Counting from Zero Page 17