Authors: Mark Russinovich
The good news was that the virus was a generic botnet host, not one of the newer, far more sophisticated versions designed to target the company specifically. It was the kind of broad digital aggressor every company encountered from time to time. They’d dodged a bullet because if a virus specifically targeted at them had penetrated their system, it would have caused financial havoc on the company’s customer accounts.
Once he grasped the nature and extent of the infection Jeff had recommended that they utilize the best-case solution, which was to “repave” their system. This meant reinstalling the operating system and server applications, then restoring all the data from the uninfected backups. The CEO had balked at the downtime this would entail, calculating it would be both disruptive and expensive. Instead, Jeff had been told to cleanse the system.
Though faster and cheaper, this was the least certain approach. The enormous size and complexity of the system meant there were countless digital holes in which malware might lurk. Jeff could never be certain he’d cleaned everything. But he understood the practicalities of a functioning business; this was not a laboratory situation. And he understood that taking the system down to rebuild it would have created significant issues of trust and reliability with the company’s clients.
No antivirus signatures had been established for the virus as yet. This was how the usual antivirus programs uncovered malware. As a consequence, Jeff had to do it for himself by defining a series of steps to purge the virus from the system. This malware-cleaning solution then became a script that the company could run on their live server. It would seek out the tentacles of the virus and surgically sever them, deleting its files after the malware had been immobilized.
He’d alerted his contacts in the antivirus security industry to the new virus and made his fix available once he’d developed it. His connections were extensive and he was widely respected in his field because of his work to advance the state of antivirus research and in creating effective countermeasures.
Jeff had run a test of his solution before leaving Atlanta and it checked out. He’d then left the system to the IT staff while he flew home. He’d just spent the day remotely running additional tests, really for his own peace of mind. It all looked good, but as he’d tried to explain, this approach always left bits and pieces of the virus behind like so much clutter scattered across a factory floor or piled in corners. Generally that was no problem, but do it often enough and you slowly contaminated the operating system in subtle ways that adversely affected its efficiency and security. Well, they’d been warned.
In the quiet of his house he heard a car drive by, its tires splashing as it passed through standing water. Finished, Jeff disconnected from the Atlanta system, then opened his accounting spreadsheet to calculate the bill.
Daryl was away—again. Since the events of two years before when they’d nearly been killed obtaining the codes needed to partially counter the force of a cyber-attack on the West by Al Qaeda, they’d been a committed couple. She’d resigned as director of US-CERT Security Operations located at Arlington, Virginia, and joined him in his private IT security company, Red Zoya Systems LP. The name was a takeoff on the zero day applications that had made the Al Qaeda attack so frightening.
Though neither of their names had surfaced in the media after blunting the Al Qaeda attack, within certain circles they were superstars. Word of their exploits, both accurate and wildly exaggerated, had spread throughout the cyber-security industry. The result was more work than they could comfortably manage.
Their fees continued to pile up in the bank as neither of them had the time to spend their income. They worked out of their Georgetown Redstone town house, though; on any given day one or both of them were out of the city or country on a project. They stayed in touch remotely, but the work tended to be all-consuming. Partly it was their nature, but it was primarily the demands that came with the job. By the time they were summoned the situation was always critical.
One snowy Sunday Jeff had contemplated just how many days they’d spent apart. He’d pulled out his calendar and made a dismal discovery that only confirmed what he suspected. In the last eighteen months, since they’d been set up here and been fully available for work, he and Daryl had spent a grand total of twenty-three days together. And on most of those days one or both of them had worked. He did not include one frenzied three-month period when they had largely worked from the office together on a special project as there’d been little interaction between them except as related to the job at hand.
He’d pointed this out to Daryl while she’d hurriedly packed for her next trip and she’d assured him they’d do something about it, that she wanted to do something about it—just as soon as she got back. That had been three weeks ago.
Jeff finished the tabulation, saved the file, then locked the screen with a sigh. This was no way to run a relationship. He sometimes wondered why he even bothered. Given the reality of their situation, he could only see one outcome.
Just then his telephone rang. He glanced at the number as he answered. London calling.
PRAGUE 1, CZECH REPUBLIC
MYSLIKOVA 23
9:09 P.M. CET
Ahmed Hossein al-Rashid left class ahead of the pack, stepped outside the building, and drew a deep breath. The wind flowed down the Vltava River valley, bringing with it the floral fragrance of the countryside. It was spring but there was still a hint of lingering winter in the air. The other students streamed about him, laughing, talking, smoking. He pulled a pack of Marlboro cigarettes from his pocket, turned his back to the wind, then lit up with a Zippo lighter.
Thirty-eight years old that month, with olive skin, thick black hair and mustache, he was a physically fit man who worked to stay that way despite his love of American cigarettes.
He liked Prague. Though a European capital, with the narrow, winding streets of the Old City and the ornate coffee shops rich with their pungent aroma, it reminded him of home. Of course, in most ways it was very different. The Czechs were a cold people, not especially friendly to outsiders. No wonder the Slovaks had broken away at the first opportunity.
Prague was, for all its appeal, a superb example of the decline of the West. The Czechs had given up having children, for one. If it weren’t for immigrants like himself the population would be falling. Then who would there be to tax and pay for the lavish social programs and early retirement every Czech expected as a right of birth? And for all the churches that dotted the city, the Czechs were an atheist people—which in his view was even worse than the polytheism of most Westerners.
But his primary complaint was that he missed his own culture, the intimacy of his extended family. There were in Prague nearly 300,000 illegals. With a population of just over one million it was impossible to move about without spotting someone from another country. There were, however, no more than two hundred Iranians in the city and Ahmed spent little time among them. Many had a connection to the long-deposed Shah and his regime, and Ahmed had no wish to be involved with them or Iranian politics.
An attractive blue-eyed, blond Czech, a student in his class, smiled at Ahmed as she passed. He could not recall her name but would make a point to sit with her next time. Some of these Czech girls liked a fling with a darker-skinned, exotic man from the Middle East. He was glad to play his part, though he had to be careful Saliha didn’t find out. He needed to stay on her good side and she didn’t like his roving eye one bit. Their relationship had cooled in recent months, though she was no less possessive.
Ahmed set out for his apartment, which was in a less desirable, but cheaper, part of the city. Forty minutes later the concierge nodded as he entered his building. A fat man with beady eyes, he rarely shaved or bathed. Ahmed had heard he was Hungarian, though he suspected he was actually a gypsy. He mounted the narrow stairs two at a time to the third floor. He unlocked the door, entered, closed it behind him.
Tossing his backpack on the couch, he opened the netbook on the table in front of the room’s only window as he lit another cigarette. He checked for messages and there it was. He downloaded the attachment directly onto a new key-ring thumb drive, deleted the message, then for a few minutes scanned news from home.
Ahmed glanced at his watch, closed the netbook, then quickly made the bed. Saliha was due any minute and she hated dirty sheets, often sniffing at them as if she could detect the odor of another woman. Perhaps she could, if he’d be so foolish as to bring one here.
He’d just finished when he heard the door open.
By Alice Payton 04/10 11:50 AM EST Updated 1:45 PM EST
TORONTO, Canada—The mysterious computer worm known as Stuxnet is the malware equivalent to a digital preemptive attack, an increasing number of virus experts say. When first detected in July 2010, it was found to possess the potential to bring industrial society as we know it to a grinding halt. The self-replicating worm has been described as a stealth cyber drone, which seeks out a specific function of industrial software then seizes control. The bit it hunts for is embedded in the programmable-logic controllers, or PLCs, of Siemens programs. No larger than a pack of cards, PLCs tell switches when to switch, make machines turn off or on, and regulate the flow of liquids. In short, PLCs dictate the manual operation of the machinery we depend on. “Once you control the PLCs you are in charge,” says Eugene Atwood, CEO of Digital Activation, Unlimited, in Toronto, Ontario.
Stuxnet is the largest virus ever unleashed and is also the most sophisticated. It gains access through thumb drives and once within a computer immediately conceals itself. Thereafter it seeks out the exact PLCs it wants, duplicating itself along the way. If it meets a dead end the worm simply sits there and does nothing but take up space. When it finds what it seeks it takes over. It is now believed to have been targeting the Iranian nuclear program from the start and is thought to be responsible for all but bringing that program to a standstill. Several Iranian scientists have reportedly been executed in the false belief they sabotaged the program.
“It is devilishly clever and fiendishly contrived,” Atwood says. Stuxnet has steadily destroyed Iran’s uranium enrichment effort, along the way infecting perhaps every one of the tens of thousands of computers initially employed in the program. No one knows the author of Stuxnet. Suspicion has been directed at the Israeli Mossad but some experts claim the CIA Cyberterrorism department may have played a key role. “It avoids collateral damage,” Atwood said, “almost as if it was written with a lawyer looking over the designers’ shoulders.”
“The secrecy associated with Stuxnet is astonishing,” said one expert, speaking on background. “This is especially so when you consider that key aspects of Stuxnet were certainly farmed out to private security experts. Even they didn’t know they were working on this project.” He went on to say that a third rendition of Stuxnet is believed in certain circles to be under development. “If Stuxnet was Pearl Harbor, this next version will be Hiroshima,” he said. “Iran is working against time to get its nuclear bomb detonated and the clock is running out.”
Regardless of its origin, or whether or not Iran will ever effectively counter it, Stuxnet has been a game changer. “We crossed a threshold with it,” Atwood says. “Malware and cyberwarfare will never be the same. I shudder to think what the future holds for a world increasingly dependent on computers and the Internet.”
LONDON, UK
WHITEHALL
FOREIGN AND COMMONWEALTH OFFICE
RESEARCH GROUP FOR FAR EAST AFFAIRS
IT CENTRE
3:14 P.M. GMT
Graham Yates finished a review of the steps he and his team had taken with the infected computer. He straightened in his chair and waited for a response as Lloyd Walthrop looked on.
“Let me review this then,” Jeff said, pressing to overcome his jet lag. “Mr. Walthrop received a document, which initially refused to open and crashed the program. That sent you an alert. On his second attempt, the file executed. The incident was so minor he didn’t report it.”
“That’s right,” Yates said. He was in his forties, trim, and dressed in the blue pinstripe suit so common to UK government offices. “We noted it, however. We’ve become very proactive in dealing with such events. Like any system that interacts minute to minute through the Internet, we’ve had problems with attempts to implant malware and have been the recipients of ‘spear phishing’ directed at targeted individuals.”
Jeff had dealt with spear phishing before. It was a technique for spreading malware intended to steal sensitive information. After the recipients opened an infected document, it sought to trick them into disclosing usernames, passwords, and financial information. It did this by masquerading as something trustworthy the target dealt with frequently. It could be an e-mail or instant message. It often directed users to enter details at a fake Web site that looked and felt as if it were legitimate.