Zero Day: A Novel
Page 11
The system ran a moment; then Windows hit a break point and the debugger stopped the virtual machine, putting it in a form of electronic suspended animation. Jeff read the script, then entered a g for “go” to allow the driver to continue. A few minutes later he reached his fourth break point. Examining the standard Windows-system data structures on the screen, Jeff noticed that the driver had made modifications to the control flow of several functions used by applications to list the drivers loaded on a system. He launched a device-driver listing diagnostic tool, but saw no sign of the driver he was studying. The driver had intercepted the utility’s query and stripped the driver from the list before returning the data.
“Shit,” he muttered under his breath. The bastard’s using a rootkit.
Once rare, rootkits were becoming increasingly common in malware, since they allowed malware to be hidden from security tools. With a sinking heart he understood now what he was up against. Part of the virus, or another one altogether, was hidden from him.
Rootkits weren’t limited to malware. In 2005, Sony had released a range of CDs that were designed to prevent excessive duplication. The End User License Agreement accompanying them was incomplete: it failed to inform customers that the CD was installing a rootkit on their personal computer. More than 2 million CDs were shipped with the rootkit, promptly dubbed malware by the computer experts who detected its presence. More than half a million customers innocently placed the hidden code deep within their computer’s operating system.
The affair turned into a fiasco for Sony. Early attempts to delete the rootkit disabled the computer’s ability to play any CD and, worse, caused the computer to crash. The rootkit was also not very well written. Hackers soon found they could attach viruses to it, using Sony’s own software to cloak them from detection. Sony was forced by a public uproar to recall the CDs and make a removal patch available, but the harm to the company’s reputation was done. A major international corporation had publicly been branded with employing hacker code. The long-term consequences were incalculable.
Jeff ran a rootkit detection program, then cursed again. There on the screen was unmistakable evidence of the rootkit. He’d seen the behavior, now he had confirmation. As a cloaking technology, a rootkit worked in the kernel mode of Windows, intercepting the calls that enumerated files, registry keys, and other objects in the system. When a user ran a standard detection program to see what programs were operating, the rootkit had many ways to remove the program it was concealing from the list being generated. In this case, the program being cloaked was the virus.
The next step was to run a number of advanced security tools, searching for evidence of code that would activate the rootkit at each booting. It came up empty. Then Jeff dumped the service-table contents, studying them carefully. Each entry should point at an address inside the Windows kernel image, but within minutes he found two that did not. One of the intercepting functions was part of the ipsecnat.sys device driver that he had been studying. Now he knew which driver implemented cloaking. At least now I can see if I can disable the cloak and expose whatever it’s hiding, Jeff thought. Opening a command prompt, Jeff entered the hidden directory.
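The two checks Jeff runs in the passages above, the cross-view comparison of a driver list (what the documented API returns against what the raw kernel structures contain) and the service-table scan for dispatch pointers that land outside the kernel image, can be shown in a few lines. The following is an added example and not code from the novel or from any real tool; the kernel base address, image size, service-table entries and driver names are all constructed for the illustration, and on a real system the table and the two driver views would come from a kernel debugger rather than from static arrays.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the novel. All addresses and names below are invented. */

#define KERNEL_BASE 0xFFFFF80000400000ULL   /* assumed ntoskrnl load address */
#define KERNEL_SIZE 0x0000000000800000ULL   /* assumed image size (8 MiB)     */

typedef struct {
    const char *service;   /* name of the system service */
    uint64_t    target;    /* where the table entry currently points */
} svc_entry;

/* Constructed service table: two entries have been redirected into a
 * third-party driver's range (0xFFFFF880...), i.e. outside the kernel image. */
static const svc_entry sample_table[] = {
    { "NtQuerySystemInformation", 0xFFFFF80000412340ULL },
    { "NtQueryDirectoryFile",     0xFFFFF88002A10C00ULL },
    { "NtEnumerateKey",           0xFFFFF80000533400ULL },
    { "NtOpenProcess",            0xFFFFF88002A11F80ULL },
};
#define SAMPLE_TABLE_LEN (sizeof sample_table / sizeof sample_table[0])

/* Constructed driver lists: what the documented API returned (the rootkit's
 * filtered view) versus what was rebuilt from raw kernel structures. */
static const char *api_view[] = { "ntoskrnl.exe", "hal.dll", "tcpip.sys", "ndis.sys" };
static const char *raw_view[] = { "ntoskrnl.exe", "hal.dll", "tcpip.sys", "ipsecnat.sys", "ndis.sys" };
#define API_VIEW_LEN (sizeof api_view / sizeof api_view[0])
#define RAW_VIEW_LEN (sizeof raw_view / sizeof raw_view[0])

/* A service-table entry is suspect if it points outside [base, base + size). */
static int entry_is_hooked(const svc_entry *e, uint64_t base, uint64_t size)
{
    return !(e->target >= base && e->target < base + size);
}

/* Scan a table; store the indices of hooked entries in out (up to max). Returns the count. */
size_t find_hooked_entries(const svc_entry *table, size_t n, uint64_t base, uint64_t size,
                           size_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (entry_is_hooked(&table[i], base, size)) {
            if (found < max) out[found] = i;
            found++;
        }
    }
    return found;
}

static int name_in_list(const char *name, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0) return 1;
    return 0;
}

/* Cross-view diff: names present in the raw view but missing from the API view
 * are being hidden from the caller. Returns the count, stores up to max names in out. */
size_t find_hidden_modules(const char *const *api_list, size_t na,
                           const char *const *raw_list, size_t nr,
                           const char **out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < nr; i++) {
        if (!name_in_list(raw_list[i], api_list, na)) {
            if (found < max) out[found] = raw_list[i];
            found++;
        }
    }
    return found;
}

/* Wrappers over the constructed data so the results can be checked by name. */
size_t sample_hooked_count(void)
{
    size_t idx[SAMPLE_TABLE_LEN];
    return find_hooked_entries(sample_table, SAMPLE_TABLE_LEN, KERNEL_BASE, KERNEL_SIZE,
                               idx, SAMPLE_TABLE_LEN);
}

const char *sample_hooked_service(size_t which)
{
    size_t idx[SAMPLE_TABLE_LEN];
    size_t n = find_hooked_entries(sample_table, SAMPLE_TABLE_LEN, KERNEL_BASE, KERNEL_SIZE,
                                   idx, SAMPLE_TABLE_LEN);
    return which < n ? sample_table[idx[which]].service : NULL;
}

size_t sample_hidden_count(void)
{
    const char *hidden[RAW_VIEW_LEN];
    return find_hidden_modules(api_view, API_VIEW_LEN, raw_view, RAW_VIEW_LEN, hidden, RAW_VIEW_LEN);
}

const char *sample_hidden_module(size_t which)
{
    const char *hidden[RAW_VIEW_LEN];
    size_t n = find_hidden_modules(api_view, API_VIEW_LEN, raw_view, RAW_VIEW_LEN, hidden, RAW_VIEW_LEN);
    return which < n ? hidden[which] : NULL;
}

int main(void)
{
    for (size_t i = 0; i < sample_hooked_count(); i++)
        printf("service table: %s points outside the kernel image\n", sample_hooked_service(i));
    for (size_t i = 0; i < sample_hidden_count(); i++)
        printf("cross-view: %s is loaded but hidden from the API\n", sample_hidden_module(i));
    return 0;
}
```

The range check alone only says that an entry leaves the kernel image; it does not say which driver owns the target. On a real system the next step is to map each flagged address to a loaded module's range, which is how the narrative ties the two hooks back to ipsecnat.sys.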
The sophistication of this rootkit was troubling, he realized, especially when compared to what appeared to be the cut-and-paste construction of the part of the actual virus he’d examined so far. The rootkit was lean and cleverly fabricated. Jeff paused for a moment to reflect. What the malware was suggesting to him was at least two creators. That might be significant; then again, it might not. A basic cracker might have created the virus, then found the slick rootkit to hide it. He couldn’t imagine anyone skilled enough to build this rootkit unleashing such a hack job of a virus. He wouldn’t be able to resist cleansing the code. What if they’re working together? he thought, wondering what the implications of that might be.
Jeff took a moment to text Daryl, informing her of the rootkit. A few minutes later she responded with a single word: “Shit!” No kidding, Jeff thought, before turning back to his work.
Next he stepped instruction by instruction through the driver, trying to discern the goal of the virus, without luck. Then it occurred to him there might be more than one, so he examined the assembly language he’d generated earlier. This was extraordinarily time-consuming. Long, exhausting hours dragged by as he threw himself into the brain-taxing exercise. When he could go on no longer, he slept on the couch rather than return to his hotel. At some point Sue returned. Harold appeared and began bringing them food at regular intervals, though Jeff couldn’t have told anyone what he ate if his life depended on it.
One of the major problems he was up against, Jeff realized, was that he couldn’t tell what kind of external influences were normally involved in this suspect driver’s operation. Perhaps the driver had a helper program or some other external stimuli that caused its payload to trigger. Or it might have been something within the virus code itself, even a standard mechanism in the computer’s operating system. So far he’d found nothing to tell him why the virus had been unleashed nor anything to hint at what the purpose had been beyond simple destruction.
Was this a financial operation launched by Russians? Or had it been a simple shotgun attack meant to cause immediate widespread destruction? He simply couldn’t tell. He was burrowing deeper and deeper into decrypting the driver, but still lacked the answers he sought to tell him how the virus actually ran when it was “live.”
Just when he thought he wouldn’t be able to restrain himself from picking up the computer and throwing it across the room, Jeff came across something that promised to be interesting. Even though the driver had decrypted much of itself, when it launched, it still left pieces of itself encrypted. With some effort he coaxed the driver into executing certain code sequences that decrypted more of itself.
The newly decrypted code sequence referred to another driver with a more sinister name, bioswipe.sys, that it expected to be able to extract from itself and execute. However, the second driver wasn’t in the driver file he had, nor in the corrupted installation when he went back to look for it.
BIOS, or the Basic Input/Output System, was the code programmed into the computer itself that started the computer and was responsible for reading the initial part of the operating system code from the first sector of the hard disk into memory and executing it. Modern computers had BIOS that could be “flashed” or reprogrammed with new instructions. Computer manufacturers sometimes made BIOS updates available that fixed bugs or improved the computer’s start-up performance.
But a virus that knew how to reprogram the BIOS could erase its contents, making the computer unbootable. Repairing such a computer was tedious and sometimes even impossible. Part of this virus was missing, he realized, either because it had already been deleted or because it wasn’t part of the variant installed on the law firm computer. Still, the sheer scope of this attack on a system with all the standard safeguards in place was astounding and underlined the enormity of the problem he faced.
Sue took a break, then returned, freshly scrubbed, munching on a candy bar. “Still at it, I see? Did you read about that ship in Japan?”
“No. What happened?”
“Its computer guidance and navigation systems failed. The ship slammed into Nagasaki, killing some people. I saw a video. The harbor is just filled with crude oil. There’s speculation it was a virus of some kind. What do you think?”
“It’s possible, but there’s no way of telling if it’s what we have here.”
“Okay, expert. What can you tell me?”
Matter-of-factly, Jeff walked her through what he’d uncovered.
“I’m confused,” she said, wadding up the candy-bar wrapper and pitching it toward the trash basket, missing by a foot. “Does it want to steal our financial information? Destroy our records? Or destroy our computers?”
“Good questions all. The answer is, I don’t know.” Jeff frowned. “I’ve seen no evidence of stealing information, but it both destroyed records and destroyed computers. It’s malicious and destructive but, from what I can see, it’s got no clear purpose.”
“What triggered it?” Sue looked every bit as confused as Jeff felt.
He shook his head. “I don’t know.”
“Can you find it in our backup? I’m under a great deal of pressure here. Clients have figured out we’ve got a problem and are threatening to leave.” Her face was creased with concern.
Jeff hesitated. “I should be able to locate what I’ve found here. But it’s like proving a negative. If I find it, then the backup records are tainted and of no use. But if I don’t find what I’ve got here, that doesn’t necessarily mean something else isn’t buried somewhere. I have no sense of how much I’ve discovered, and I’m almost certain to have missed something. I’m beginning to think there’re at least two viruses here. And I’m dealing with cloaking. A great deal could still be concealed from me.”
“But if you find nothing, that’s a good sign?”
Jeff understood Sue’s need to get this problem solved. Her job likely depended on it. He wanted to sound encouraging, but experience taught him otherwise. Cautiously he said, “Yes, as far as it goes. You could make a copy of the backup, I’ll check it for what I’ve learned. If it seems clean, or if I delete the evidence of what I’ve learned here, I might disable the viruses, allowing you to boot up and see what you’ve got.”
Sue brightened. “I like the sound of that.”
“Don’t get your hopes up too far. That’s going to eat up a lot of time with no guarantee. I’d feel better if I knew more.”
“If you crack this too late to do us any good, what’s the point?”
Jeff hesitated. “There may be clues in the calling cards the cracker’s left in his code. If we know more, maybe we can determine if the backup is secure before putting in all that time.”
Sue stared at him a moment, then seemed to reach a conclusion. “‘Super Freak.’ My guess is, that’s our key.”
18
MANHATTAN, NEW YORK CITY
CENTRAL PARK
WEDNESDAY, AUGUST 16
7:36 A.M.
Jeff placed his foot on the cement bench and methodically began his stretching routine. Beside him passed a steady stream of runners, circling the Central Park Reservoir, one of several jogging paths in the park. When ready, he set out along the Lower Track, which followed the old Bridle Path. This was the course he ran many years ago when in Manhattan because of its forgiving soft dirt and its sheer beauty. He ran steadily, passing a few slower runners, yielding to others. His course took him beneath three lovely cast-iron bridges, and from time to time he caught a commanding view of the park in its late-summer glory.
Jeff Aiken had been born the younger of two sons. His memories of his parents dimmed with each year as they and his brother were killed in a two-car accident when Jeff was six years old. He’d been spending the weekend with his paternal grandparents and remained with them thereafter in their Philadelphia home.
Joe and Wilma Aiken were adoring surrogate parents, though they were already quite old when they assumed the obligation of raising their surviving grandson. Wilma tended to the house while Joe was active in the Elks and his Masonic lodge. Jeff’s grandfather died when Jeff was a sophomore in high school, and his grandmother passed when he was an undergraduate. Since then he’d been largely alone.
His shoes struck the soft earth with a steady, nearly hypnotic rhythm he found comforting. Perhaps the only aspect of his work he disliked was how it tended to keep him shut up in offices and away from his time in nature, running alone.
Jeff didn’t find it odd that he was drawn to running. Loving though his grandparents had been, he’d had little in common with them. Feeling alone, he buried himself in books, then in mathematics, and finally in computers. Embarrassed by the elderly couple with whom he lived, pained to discuss the tragic death of his family, he’d made few friends during his teens, fewer in college. He’d long since resigned himself to a solitary life. His world with computers added a satisfying, though sterile, dimension to it.
Meeting Cynthia had changed everything. For a brief time he’d seen himself as part of a larger family, with a future that included children of his own. The pain of her loss had been almost more than he could bear, piled as it was on top of the loss of his parents and brother, then of his grandparents. The survivor’s guilt he felt from not being in the car with them when his immediate family had been killed—added to his guilt at failing to embrace the unconditional love of his grandparents, and at failing to save Cynthia—was nearly overwhelming. But he saw no alternative to the course his life was taking, to carry on alone, to do his best, to make sure he did what he could so that others never had to go through what he had, even if his ability to help was limited to the world of computers.
His shoes slapped the dirt as he sank into the pleasant nothingness of the run.
19
MANHATTAN, NYC
IT CENTER
FISCHERMAN, PLATT & COHEN
WEDNESDAY, AUGUST 17
11:08 P.M.
Sue Tabor entered the office, then glanced at Jeff Aiken asleep on the couch, exhausted after a long stretch of work combined with his run. Should she go ahead and do it? Shrugging, she went to her computer and opened Google. She could no longer really contribute anything to his search, and she’d decided to follow the only specific clue they had. She typed into the box Super Freak. Time to learn what the name meant to the Internet.
“Do you mean: superfreak?” the Web site asked.
Sue glanced at the count. Just over 4 million hits. This wasn’t going to work. Still, she scrolled through three pages of entries just to be certain. It was all Rick James in one form or another.
She deleted the space between the words and hit ENTER for superfreak. Now she was down to 195,000 hits, but it was just more of the same. Rick James.
She entered super freak code, followed by super freak virus. She spent an hour going through the various hits with no results.
Undeterred, she sought out hacker groups and began scanning entries for the name Superfreak or Super Freak. Nothing. But what else did she have to do? Two hours into her search, in her third hacker forum, she spotted the word Superphreak. Yes!
Sue backtracked on the thread, but the name didn’t appear again. Someone using the name Dante had mentioned Superphreak in a discussion about security code in the e-mail program Outlook Express. But there was no information about this Superphreak, no hint of who he was or what he was up to.
Checking, she found that the site had an open chat room, so she entered under the handle Dragon Lady. As luck had it, Dante was in the thread. She typed:
Posted: Dragon Lady @ August 17
I have a question for Superphreak. How do I contact him?
Sue waited, biting her lower lip. Was Dante still in the thread? Maybe he’d gone on to something else. It might be days, weeks even, before he returned to this chat room. Five posts appeared over the next fifteen minutes, then:
Posted: Dante @ August 17
I cn pass mesg myb. Wht do u wnt?
Sue’s heart was pounding. For an instant she considered waking Jeff up, then decided against it. She forced herself to concentrate, then typed:
Posted: Dragon Lady @ August 17
Looks like he does really good work. Have him contact me.
She gave the Yahoo e-mail address she used when she was forced to register one on Web sites. She watched the chat room for another half hour, but Dante didn’t make another entry.
Just in case, she went to each of the forums she’d visited earlier and posted this message:
Posted: Dragon Lady @ August 17
I like your work. Contact me ASAP.
Again she listed the Yahoo address, then sat back in her chair.
Without giving it any thought, she crossed her fingers. Okay, fat’s in the fire. On the couch Jeff stirred, then lay motionless. The sound of his deep sleep overwhelmed the all-but-silent whir of her hard drive kicking in.
20
HELSINKI, FINLAND
KRUUNUNHAKA DISTRICT
THURSDAY, AUGUST 17
11:43 P.M.
Oddvar Thorsen lit a cigarette, blew smoke toward the ceiling, then stared back down at his screen and read again:
Posted: Dragon Lady @ August 17
Looks like he does really good work. Have him contact me.
Someone was looking for Superphreak. That was interesting. For a moment he wondered if the poster was even a woman, let alone an Asian woman. He thought about Lucy Liu in that movie with Mel Gibson, Payback. Now that would be hot!
He considered for a moment if the query was of any value to him, then copied the e-mail address and dropped it into his Thunderbird e-mail “To:” box.
Subject: lady looking
Dragon Lady at dlady1312@yahoo.com is looking for you. Sys u do gd work. Know her?
Dante
Superphreak was peculiar. Kind of surly and more than a bit arrogant, he acted as if he were the only one who knew anything about code. Thorsen might hear back, or he might not. He wondered once again what this was about, not that it mattered to him. But since he did work with Superphreak from time to time, and it was always best to stay on someone’s good side, he’d sent him the heads-up.
Thorsen turned back to his specific problem. He was being paid to speed up the load time of certain encrypted codes. Even with newer and faster machines, start-up times were noticeably slower once a computer was infected. He’d been instructed to fix the problem, but was making little progress. He took another pull on his cigarette and turned to the work.
Two hours later his computer pinged. Thorsen opened Thunderbird.
Subject: RE: Lady looking
Date: August 18 01:38 AM
To: Dante
u know hr? Wht does she wnt?
Superphreak