Zero Day: A Novel

Authors: Mark Russinovich, Howard Schmidt

Regardless of the method for contamination, the virus would make its way freely into thousands of computers undetected before one of the security companies’ honeypots, computers left online with no protection, attracted the virus. Thereafter, it could take several hours to several days for an antivirus company to create a signature and deliver it, known as a rollout, to their customers. Once loaded, antivirus software prevented the virus from executing, so the user with the program installed was safe against the virus, no matter how the contamination occurred. The antivirus software on customer systems usually checked for the updates once per day, though automatic updates were often never turned on by owners.

When a virus that exploited a new vulnerability was discovered, the antivirus company also notified the software vendor whose product contained the vulnerability so it could prepare a fix, known as a patch. To create, test, and make the patch available, the vendor would take anywhere from a few days, in the most critical cases, to weeks or even months, for vulnerabilities that were less critical.

In both cases the patch was rolled out to customers over a period of days. It could be months before most customers installed the patch, and many companies or individuals never installed it at all. When a particularly risky vulnerability was identified, vendors sent security bulletins to customers advising them to manually download and apply the patch rather than wait for the automated update.

The security companies were always playing catch-up. A new risk existed for a minimum of a few days to weeks. The system, if that’s what it could be called, left a surprisingly large number of computers susceptible, even to viruses that had long been identified.

The situation was magnified because most home users didn’t possess a security system, and if they did, they let its license expire, leaving the system exposed. Government computers were no less vulnerable. It was well known that the Chinese had obtained an enormous amount of U.S. national security data by entering computers believed to be secure. Other governments were doing the same thing. It was cheaper, and more effective, to hire hackers to work the Internet than to recruit, train, and support spies or to pay traitors.

Because of all this Jeff had no lack of work, particularly since his reputation preceded him into the market. Increasingly, however, he was seeing malware that traveled under the radar, destructive code that insinuated itself into computers without detection. It wasn’t necessary to open an e-mail or even to neglect your antivirus software. All you had to do was connect to the Internet and the malware found you, if you had a vulnerability.

The truly destructive viruses, those that stole financial records, destroyed systems, and such, were more often like subterranean trolls. They were unleashed by their creators, or by someone working with them, and flashed across the core of the Internet, seeking a way to enter a computer by exploiting a vulnerability, an error or pathway inadvertently left open in one of its programs.

The viruses were always there, permanent, relentless. They never tired, never became frustrated, required no fresh direction. As they pressed their electronic nose to the security wall of each computer, they probed for that little mistake written into a program that allowed them to gain entry, undetected, undeflected by firewalls or antivirus programs.

These worms descended to the depths of the computer, burrowing down and existing like a living parasite, planting themselves within the operating system. They were designed to resist detection. To mask themselves further, they worked slowly at replicating clones, sending out new versions of themselves to seek new computers at an all but undetectable rate. They were a cancer on the Internet and on every computer they entered. They grew, spreading their electronic web into every space they could find. This was the future of all serious malware, one increasingly concealed from detection by a cloaking technology known as rootkits.

Yet years after the tragedy of 9/11, the FBI was claiming that Al Qaeda and other terrorist groups lacked the ability to attack America’s cyber infrastructure. They didn’t say the system was safe. No, they said that the terrorists didn’t have the ability to exploit it—yet.

Bringing his thoughts back to the present, Jeff stepped from the subway station onto the sidewalk and stopped.

He blinked his eyes at the sudden light, trying to take it all in. The sight of nothingness where the World Trade Center had once stood, dominating the landscape, stunned him.

To his right, still erect and fully functioning, was the World Financial Center. Except for broken windows and some concern about foundations in the weeks after the attack, it had emerged unscathed. Account Resources Management was up and running after a six-month hiatus in upper Manhattan.

The company lost three employees that day: Cynthia and another coworker attending a meeting near the top of the North Tower, plus one who was arriving late for work and was struck by debris from United Flight 175 when it hit the South Tower. There had been a memorial service, but Jeff had been too overwhelmed with grief, loss, and culpability to attend. For the same reason, he’d not gone to the service the family held in Cookeville, Tennessee. Now, though, his anger was all on himself, and his burden of guilt was almost more than he could bear. He simply could not face it.

He walked at a steady pace around the enclosed site. With each step he found the enormity of the devastation overwhelming. To see it on television and in pictures was one thing. To be here, to see it like this, was something else entirely.

From time to time he came upon memorials, some official, most impromptu, commemorating the loss of one group or another. At the poster of three Brooklyn firefighters raising the American flag over the rubble that terrible morning, Jeff stopped.

What was the point in walking? What did he think he was accomplishing?

Jeff gazed into the gaping chasm. Cynthia’s body was never recovered. Whatever there had been of her lay there, before him. He closed his eyes and wept.

16

ISTANBUL, TURKEY

SEFAKÖY DISTRICT

ISTANBUL TECHNICAL UNIVERSITY

TUESDAY, AUGUST 15

3:11 P.M.

Like most of the other students, Mesut Elaltuntas worked on his own laptop at the university computer-science center. The university had an excellent computer program, which was why he went there. They provided this room on campus where students could access the Internet with their own computers, since many of them didn’t have Internet access at home. The room might have been on any college campus anywhere in Europe or America, except here in Turkey the air was thick with the fog of cigarette smoke.

Elaltuntas scrolled down the list of Web sites produced by his Google search. He was already familiar with several of them and knew they were of no use to him. Others weren’t related to the code he was searching for. He’d already used one that suited his purpose; now he wanted another very like it. He pursed his lips and continued to scroll.

At first the idea of constructing new viruses had seemed simple enough. He’d designed a few himself and considered releasing them, but the arrest here in Istanbul of the cracker with the screen name Coder had made him cautious. Coder had bragged to everyone in various chat rooms how easy writing virus code was and how you could make money at it. Now he was in jail. Sure, his real name had appeared in newspapers and on television around the world, but that wasn’t the kind of fame Elaltuntas sought.

But right now he needed a new base virus code. He already had the code for turning systems off and on. When he’d been given it, he’d had no idea what it did, but he’d spent some time studying the code and was now certain. At first it had scared the hell out of him, but once he realized that he was covering his tracks in ways that hadn’t occurred to Coder, he’d been thrilled at the possibilities. Someone was up to something big and he was a part of it.

Elaltuntas needed to place that code into a virus with a proven record of exploitation. His employer paid a flat one hundred euros for each new virus Elaltuntas produced, but added another hundred if it had a larger than average degree of exploitation. Elaltuntas didn’t know how his employer made that determination, but he’d been paid the extra hundred often enough these past weeks to figure his employer knew how to do it.

There!
StopHackers.com. Crackers posted their virus codes in many places, but Elaltuntas had learned that Web sites that claimed to be fighting malware were actually a great source for the code. He suspected they actually existed for the purpose of disseminating it. It was posted right there on the Web site. Anyone could help himself.

Now that he’d copped the most obvious viruses and knew the remaining common viruses and their variants, he’d already used the best. Finding something for which a security patch didn’t yet exist was his dream, but he’d settle for a new virus or variant of an old standby that looked to have fresh access.

StopHackers.com was a new Web site to Elaltuntas. He scrolled through the boilerplate that the Web master had lifted from similar sites, then entered a chat room discussing various viruses at length. He found a lot of chatter about a new one out of Manila, home of the Lovebug, called Doomer. It was a network worm, which meant no attachment had to be opened for it to enter a computer, and gained access by exploiting a vulnerability in Windows XP.
Excellent.
But the best news was that Microsoft had yet to announce a patch. That meant he would likely have at least a month of smooth sailing, and an extra hundred Euros in his account.

None of this bothered him in the least. Since he’d been a small child, he’d enjoyed breaking things. Too often he’d been caught and punished. Now, on the Internet, he could smash the biggest of things and never be caught. He found it thrilling.

Elaltuntas copied the code, then dropped it into his own cracker file. He studied the new virus for a few minutes, but didn’t understand it. The inventor had been clever. Mentally shrugging, he searched for the point where he could insert his new code so that it rode piggyback into computers along with the virus.
Shit!
He went back to the Web site and read the entries in the chat room carefully. Thirty minutes later he found what he was looking for.
Stupid! I should have spotted that on my own!
Back into his own file, he pasted his own code into the location—tailor-made, it seemed, for just such an addition.

Let’s see.
He customized the code he’d copied to infect an unattended computer, then downloaded the virus. The girl who owned it, Melek, had asked him to keep an eye on her laptop while she went out for lunch. He’d smiled and agreed. A few seconds later the worm announced it had successfully dropped itself on the target. It had taken.
Excellent.

Back at his own computer he sent an e-mail from his Yahoo account.

Date:       Tues, 15 August 15:56 -0800

He typed in the address.

From:       Wiseguy

Subject:    new code

hve the code inserted in new doomer. it tests. is attached. when will u send money? do u wnt more?

Wiseguy

Elaltuntas attached the new file and watched the Yahoo e-mail account go through its virus scan with some amusement. He hit RETURN TO MESSAGE and sent the virus. He’d check back later that day for his answer. Then he spent the next twenty minutes searching for another virus for his new code to piggyback on, certain he’d have a use for it.

Melek returned to her computer. “Sağol,” she told Elaltuntas with a smile. He smiled back. She’d never know how she’d just thanked him for what he’d placed into her computer, not unless she was secretly controlling a nuclear power plant.

17

MANHATTAN, NYC

IT CENTER

FISCHERMAN, PLATT & COHEN

TUESDAY, AUGUST 15

6:09 P.M.

Jeff walked to the law firm’s building from his hotel, enjoying Manhattan in the early-evening hours of a late summer day. He passed joggers, restaurant owners setting up chairs and tables outside, office workers rushing for home or to join someone for a drink and conversation. Picking up a double latte and toasted bagel, he crossed the marbled lobby, then took the elevator to the law firm’s offices on the twenty-second floor.

He entered the IT Center quietly in the event Sue was asleep but found himself alone. Jeff took his place and inserted the driver in the virtual machine. To see what the driver was doing, however, Jeff needed to use a kernel debugger. He set break points so that the machine would stop when it reached points where Jeff believed he might be able to study the driver’s operation.

Going this far was both good and bad. Good in the sense he hoped to produce something useful; bad in that he was forced to go so far searching for answers. But something important was eluding him, perhaps more than a single something. The only truly good thing about all this he could point to was that Daryl was at least as fully engaged and she had far greater resources than he did.

The system ran a moment; then Windows hit a break point and the debugger stopped the virtual machine, putting it in a form of electronic suspended animation. Jeff read the script, then entered a g for “go” to allow the driver to continue. A few minutes later he reached his fourth break point. Examining the standard Windows-system data structures on the screen, Jeff noticed that the driver had made modifications to the control flow of several functions used by applications to list the drivers loaded on a system. He launched a device-driver listing diagnostic tool, but saw no sign of the driver he was studying. The driver had intercepted the utility’s query and stripped the driver from the list before returning the data.

“Shit,” he muttered under his breath.
The bastard’s using a rootkit.

Once rare, rootkits were becoming increasingly common in malware, since they allowed malware to be hidden from security tools. With a sinking heart he understood now what he was up against. Part of the virus, or another one altogether, was hidden from him.
