Zero Day


by Mark Russinovich


  He sighed. What was there to do? The deadline loomed and could not be moved.

  Pauvre Michel, he thought, poor Michael. Repeating the phrase his older sister had used to mock him as a child whenever he felt sorry for himself, he swiveled from the window and returned to his monitor.

  He typed for several moments, then confirmed he was into the Internet access at a cybercafé he knew, one of a dozen around Paris he used. He wasn’t about to leave any trails leading to the office. Next he opened a send box and typed:

  Date: Mon, 21 August 19:45 -0700

  To: RioStud

  From: Xhugo49

  Subject: $$$

  Money snt. Attached is doomer. Release, not from your home or work, ASAP. Confrm when done. More t cum.

  Xhugo

  Dufour glanced at his list, considered for an instant if it was worth his time to copy and paste, decided it was not. Instead, he opened another message box.

  Date: Mon, 21 August 19:47 -0700

  To: MgEst109

  From: Xhugo1313

  Subject: $$$

  Money snt. Attached is new doomer. Release but not from home or work. ASAP, then confrm. More t cum.

  Xhugo

  Dufour stretched, grimaced, opened another send box, then typed:

  Date: Mon, 21 August 19:49 -0700

  To: DanteHell

  From: Xhugo49

  Subject: problem

  Load time still too slow. Must reduce by half. Hurry.

  Xhugo

  The Finn was full of himself. Always promising work he couldn’t deliver. Thought he was hot stuff with code. That should fix him. Dufour took a long look at his work list, opened another e-mail send box, then typed:

  Date: Mon, 21 August 19:51 -0700

  To: Wiseguy

  From: Xhugo2009

  Subject: great!

  Doomer works very well. Gd job. Kp it up. Will pay 1,000 euro bonus for similar clean work with no existing patch. Want 10 more like last one ASAP. Sugst u open egold account for transfers.

  Xhugo

  That was almost it for the night. Dufour dug through the papers strewn about his desk but couldn’t find another fresh list. He reminded himself that he had to get better organized.

  Then his fingers found a scrap of paper. Oh, yes. One more for the night, then some wine and Yvette. He started to type xhugo49@gmail.com, then decided he was finished with that e-mail address.

  Date: Mon, 21 August 19:54 -0700

  To: Superphreak

  From: Xhugo1101

  Subject: status

  New product with u code works very well. Have snt money to u egold account. Confrm u recve. We r on schedule.

  Xhugo

  29

  MANHATTAN, NEW YORK

  HOTEL LUXOR

  EAST THIRTIETH STREET

  TUESDAY, AUGUST 22

  12:09 A.M.

  A package, delivered by courier, was waiting at the front desk for Jeff when he returned to his hotel. Thanking the clerk, he rode the elevator up, all but asleep on his feet.

  In his room he tossed the package on the desk, stripped off his clothes, then stepped into the shower, where he scrubbed himself top to bottom. Running the hot water over his body until his fingertips were puckered, he smiled briefly when he glanced at them, recalling how he’d called them “old” fingers when he’d been a child, wondering if his grandparents’ age was catching. He toweled off, then slipped on the hotel bathrobe, feeling if not reborn then at least much better.

  Jeff sat at the desk, fingering the package. What he wanted most of all was sleep, but he’d promised Daryl he’d do what he could to help. And, he had to admit to himself, no matter how tired he was, sleep might not easily come when what he was finding on his client’s server was emerging as his worst nightmare. For years he’d complained to anyone who’d listen about the lack of real Internet security. Now it appeared that a cyber-attack might well be upon them. From what Daryl was telling him, the attacks linked to Superphreak were broadly targeted, meaning the cyber-assault was widespread and aggressive.

  He had no complaint about his actual client. In other circumstances a man like Joshua Greene would have been ranting at him every day, thanks to the enormous pressure he was under. Instead, Greene seemed satisfied with dropping in on them two or three times during his work hours. “I’ll take care of him,” Sue had said that first day, and apparently she had.

  Jeff had spent this entire day in a copy of the firm’s monthly backup, trying to prepare it for Sue’s booting. He’d found more than he had with the daily backup, but had no way of knowing if he’d cleaned out enough.

  He’d located two rootkits in the law firm’s computers but still had no idea how many virus variants there were and what triggering devices they were using. He hoped Daryl, with her much greater resources, would come up with something on that.

  In the case of his client, Jeff had decided that one of the viruses was designed to destroy financial records stored by SQL Server, one of the more popular databases used by midsize businesses. If this same payload was in the Social Security Administration records, or company pension records, or in the computers that controlled Wall Street, when the trigger kicked in, the damage would be incalculable. His sense of frustration and despair increased with each new discovery.

  His work at the firm was about finished, though, one way or another. Sue was going to attempt a boot again later that night. He’d been too exhausted to stay for it. He’d find the results out soon enough.

  Something like this had been coming at them for years, and for too long he’d felt like the lone sentry to realize it. Not that long ago a hacker had detected an exploit in the Excel program and had the nerve to offer it on eBay, in essence selling potential access to every computer online with a copy of Excel. How many was that? Ten million? Fifty million? With so many cloned programs and illegal copying, there was no way to know. Each one represented a doorway through which any cracker could send his malware. And the guy who’d discovered it sold the knowledge over the Internet as if he were peddling a used Ford!

  Jeff had visited Web sites where anyone could download rootkit and other virus code. The creators were just giving the technology away. Any novice hacker with a rudimentary knowledge of viruses could now cloak his programs or discover a new, nastier virus.

  Security firms named variants with letters of the alphabet. Some viruses had so many variants they wrapped around the alphabet three times. One virus alone was known to have two thousand versions.

  The Sober worm, one of the most proliferative ever released, actually communicated with its creator. The guy wasn’t a dunce. The worm checked specified URLs on certain days to search for instructions on what destructive act to commit. The thing was, the URLs didn’t exist. The creator knew the ones he’d planted in the virus. When he was ready to give it instructions, he created the URL on the day he wanted to tell it what to do. How did you stop something like that? Jeff thought.

  The number of businesses harmed by malware was increasing every month. The public only read about it when ABC, CNN, or the Financial Times was struck. Though thousands of new viruses or variants of old ones were released every year, the great harm was coming from the ones seeking financial gain. You could now hire people to write malware to make you a profit, and plenty of unscrupulous people were taking advantage of that.

  If it wasn’t this time with Superphreak, Jeff thought, then soon enough such an attack would be mounted and bring the Internet, and a significant number of the computers connected to it, down for the count, requiring that everything be rebuilt from scratch. Billions of dollars’ worth of information would permanently be lost. Businesses and operations necessary to maintain the nation would stop in their tracks. Countless tens of thousands would be thrown out of work; companies would fail. The cost to the nation and to the world’s economy was all but incalculable. It would be what had happened to Fischerman, Platt & Cohen but on a worldwide scale.

  Once the system was rebuilt, there could be no certainty the virus, or some variant of it, could not worm its way into the new system. The price to be paid for the current complacency was likely incalculable. Jeff couldn’t contemplate it without bile rising in his throat. But, on his own, what could he do about it? And even when he’d had access to the powers that be, fools such as Carlton hadn’t taken him seriously.

  Jeff logged onto his laptop as he tore open the package from Daryl, revealing an external USB hard drive. He unfolded and read her hastily scribbled note:

  These are copies of disks we received late yesterday and today. Each has Superphreak and each has a rootkit, as you predicted. They are getting easier to find thanks to you. Each does something different. Three more deaths have been reported. I’m scared.

  Jeff grimaced. He was scared himself. His ICQ icon blinked and the laptop chirped. He opened the instant-messaging system.

  D007: Did u gt CDs?

  JA33: Yes. Jst startng.

  D007: Paswrd is Rubicon. Weve ID’d 3 rootkits. We nw hv 8 diff functns so far 4 the cloaked viruses.

  JA33: Wht r thy?

  D007: Cnt tell. Sum seem related to $ recrds, othrs t admin functions, sum t industry contrls. Thy seem intended jst t jam things up.

  JA33: What am I lookng for?

  D007: These are t ones we couldn’t identify. See wht u can learn.

  JA33: I’ll try.

  D007: Thks

  Jeff hoped that her confidence in him wasn’t misplaced. If her entire team couldn’t identify what she’d sent, he doubted that he could. For two hours he worked on the disk and made little progress other than to cover familiar ground, though he was getting faster at it. Finally, his attention was drawn to the time stamps on a number of files: Date modified: 09/11. The dates were off nearly a month. Odd.

  Curious, he ran another forensic tool, then stopped cold as he read the results. That was it. It had to be. The trigger to the viruses was the date!

  Jeff stood up and began pacing the room. Had he missed a changed date on the law firm’s computer? How many other infected computers had the wrong date somewhere in the software?

  Then there was the date itself. It might be a fluke. Or perhaps Superphreak was using the date as a trigger to make a point.

  Which raised still another issue—could all the Superphreak viruses be time-triggered? Was that something they’d missed? Could that be what happened at the hospitals? At the Ford plant? To the airplane?

  Jeff’s heart was racing as he called Daryl. After several rings her sleepy voice answered.

  “I’ve just come across something unusual on those CDs.” He told her about the modified dates, hearing the apprehension in his own voice.

  “The trigger is the date 9/11?”

  “I’ll check my client’s computer in the morning. Your team should follow up too.”

  “Of course.” Daryl hesitated. “Jeff, what if—”

  “I know,” he cut her off. “I’ve already considered the possibility that we’re actually dealing with Arab terrorists. But let’s not get ahead of ourselves. Let’s first see if it really is the trigger.”

  No sooner had he disconnected than his cell phone rang.

  “The monthly backup crashed and burned,” Sue said, sounding weary. “Just like the other.”

  30

  FORT DUPONT PARK, WASHINGTON, D.C.

  WEDNESDAY, AUGUST 23

  6:31 P.M.

  George Carlton eased his BMW down the narrow, two-lane road, then pulled into an isolated picnic area. He sat there idling for five full minutes before switching off the ignition. It had been at least a year since he’d last used this drop box, and he was certain no one had followed him.

  He’d had no idea how useful working surveillance for the Bureau would be. In fact, he wished he’d paid closer attention to his seasoned partner, because playing the part of the fox instead of the hound was daunting. It seemed simple enough to drop off a disk with information, but he knew how easy it was to fall into patterns.

  During his time Carlton had played a small role in catching a Soviet operator working under embassy cover who’d returned to the same drop box too often. He’d been so predictable that the Bureau had set the location under surveillance, no longer bothering to follow him to the site. They’d had no trouble catching the American traitor who provided the Soviet operator with information, visiting the same drop box. From what Carlton knew, they’d turned the traitor into a double agent for a good two years, during which time he gave false information to the Soviets, before deciding his usefulness was gone and they had arrested the Russian, rolling up a spy ring.

  So when Carlton had initially set up his locations with Fajer al Dawar, he’d insisted they be employed in an unpredictable rotation. It had gone as smoothly as he’d hoped, and Carlton intended for it to stay that way. Still, during the years of their association, as he preferred to think of it, he always experienced a bit of angst whenever he dropped off a disk on the way home from work.

  At their first meeting in Riyadh years ago, Carlton had given Fajer a Hotmail address for contacting him. “Only use it once,” Carlton had cautioned. “When we meet next, I’ll have a more secure system for communication worked out,” certain that Fajer was impressed with his caution and expertise.

  They’d met for the second time in New York City four months later. Fajer was attending various business meetings on behalf of the Saudi government, as Carlton understood it, and requested that they meet, bringing along his first contribution of information. Carlton had stayed at a cheap hotel on Broadway where they’d allowed him just to flash his driver’s license so he could register under a false name and pay in cash for two nights. He’d told Emily he was away on business, and though such trips for him were rare, she’d not so much as lifted her nose from her Sidney Sheldon novel.

  In the end, Carlton had left it to Fajer to come to his small room. Better to risk that than to travel about the city, have the bad luck of someone spotting him, then have to answer questions.

  Fajer had arrived on time, dressed in a Western suit and unaccompanied, as Carlton had requested. They’d shaken hands, and as they sat facing one another, Carlton said, “Forgive the hotel. I was able to use cash and a false name.”

  “A wise precaution.” Then came a round of courtesies that Carlton bore patiently. Finally Fajer asked, “Do you have something for me?”

  “Yes,” Carlton said, patting his jacket pocket, “but I want to go over some of the terms again.”

  “Of course. You’ve had some months to reconsider my proposal. It is only natural that you would have questions.” Fajer smiled, a man accustomed to being in complete command of every situation.

  “The use of this material is entirely commercial, as you said?”

  “Absolutely. And you control what it is you give me. If you are concerned the information could have any other use, withhold it. I will never know.”

  “I ask because I am not a traitor.”

  “Of course not,” Fajer assured him. “We are both honorable men. There is no question of that.” Fajer pulled a cigarette from a packet and held it up in question. Carlton nodded agreement, though he was in a nonsmoking room.

  After returning from his junket, Carlton had scoured the Internet for everything he could find about the Franco-Arab Chemical Company—Franco-Arabe Chimique Compagnie, or FACC, as it was better known. Fajer was all but impossible to find, identified only as the company’s Saudi owner. The name of the company, Carlton discovered, was a bit of a misnomer. While at one time it had apparently been the primary importer of various chemicals into the Saudi kingdom, it was now primarily an importer of oil-production equipment, computer-related electronics, and electronics in general.

  Carlton had applied himself in determining just what kind of information would be of use to such a company, while being the most profitable for him. At home, he’d conducted extensive Internet research on Saudi Arabia and oil to learn what was in the public domain, then at the office he’d accessed databases available to him and compared the two. He’d found several strategic reports prepared by the CIA he thought Fajer would want and downloaded them. Using a laptop he bought just for this purpose, he vetted the material at home, reducing it to bullet points with short generic summaries, which he printed on standard stock paper he was careful never to touch. That way, should the information get beyond Fajer, its original source could not be identified. Between reports to the Saudi, Carlton planned to keep the laptop in his bank deposit box.

  That winter Carlton had surprised Emily with a week’s vacation in Aruba. They’d never taken a holiday in the winter before, and she’d been thrilled. While she lost money at one of the casinos, he’d established a numbered offshore bank account for himself, one he could access and control via the Internet. Since returning home he’d been cautious never to access it with one of his own computers or those of the CIA or Homeland Security. As an added level of security, all payments from Fajer were wired to a GoldMoney account he’d established. From there it went to Aruba. The money was as untraceable as twenty-first-century technology made possible.

 
