The Florentine Deception
Page 29
“Don’t worry,” he said, “I have no desire to be known throughout history as the man who accidentally destroyed the Internet.”
I pulled up a plastic chair and sat down next to Amir, launching a second round of calls to every ViruTrax extension I could remember, while Amir began his detailed review of the translated document and the accompanying files. John Wong, one of my first mentors at the company and now the company’s oldest engineer at seventy, answered just as I was about to slam the handset down on my ninth attempt. I dispensed with pleasantries, asking immediately for Rod’s number. Sensing my urgency, John suppressed his usual chatty repartee and pulled up Rod’s page in the corporate directory, repeated both his extension and private cell phone number twice for me, and then forwarded me to his work number.
Rod’s work extension reverted to voicemail after four rings, so I left Amir’s number and was about to try his cell when Amir raised his finger in warning. I cradled the receiver and gestured for him to talk.
“I’ve changed my thinking. Hear me out. If the NSA shuts down the update servers, there will be no way to distribute a cure using the Florentine system. That means the tens of millions of computers that have already received the attack command will be damaged permanently. That’s not acceptable. We have the means to restore all of those computers, if we can just identify a clever cure. You could call your friend Rod, but even if he were able to get hold of the NSA, it would take them hours to safely retrieve you and the Florentine, then additional precious hours to debrief you and understand its operation and attempt to use it to deploy an antidote. By that time, it will be too late. If, as you say, Windows systems check Microsoft’s update servers once every twenty-four hours, most of the infected systems wouldn’t have a chance to receive the cure until well after the detonation event. No,” he continued after consulting his wristwatch, “the only viable solution is to do this ourselves.”
I considered his argument and came to the same conclusion. He was right; the timing was just too tight, and even a couple hours of delay would subject tens of millions of computers to assured destruction. But the thought of placing hundreds of millions of both nations’ computers in the hands of two private citizens was madness. I opened my mouth to raise my objection, but Amir shook his head.
“No, Alex. There is no other option.” Amir took my silence as agreement and continued.
“Now, as we reviewed earlier, the software requires three different parameters to launch a new attack.” Amir double-clicked an icon, and a command shell window popped up on his desktop; he then keyed in “florentine.exe” and hit the Enter key. The computer paused briefly, then a firewall alert popped up:
The software Florentine.exe is attempting to connect to the Internet. Do you want to [Allow once], [Allow always], or [Block]?
Amir ignored the warning, clicking “Allow always” as fast as his aging hands could manage. An instant later, the program printed the following on the screen:
Использование: florentine.exe ключи.dat пароль нагрузка.dat
florentine.exe -o ключи.dat пароль нагрузка.dat
He said, “When you run the software without the proper parameters, it prints out a line that explains what parameters the tool expects the operator to provide. According to your friend’s translation, the first parameter,” he pointed to ключи, “specifies a data file that holds an authentication key. Without a proper key, the back door in Windows will ignore the attack command. This prevents the system from being hijacked by an adversary. Each cryptographic authentication key can be used just once to launch an attack, and once, if necessary, to cancel a previously launched attack prior to its execution.” Amir clicked his mouse and brought up a second window containing nearly a dozen 256-digit sequences. “Fortunately, the Florentine package came with ten such cryptographic keys—enough to launch ten attacks. These were in the Florentine.keys data file.”
“Like launch codes the President carries around for arming our nukes,” I said.
“Yes. And based on what you’ve told me, I assume the first few keys have already been used by the Iranian agents, to prepare for and launch their attack.” He picked up one of Sami’s yellow Post-Its and pointed to an eight-digit number scrawled at the top. “See. These digits here match the first eight digits of the first key in the file. So my inclination is to start with the last key and work our way up.”
He clicked back on the original window, bringing it into focus. “The second parameter,” he pointed his finger at the пароль, “specifies the cancellation password. When you launch a new attack, you must specify a new password. The password is then required, along with the original key, to cancel the attack at a later time. And the third parameter specifies the name of a payload file that contains the details of the attack timing, machine targeting, and the attack program itself. The Controller tool connects to the Microsoft Update servers over the Internet and sends the key, password, and payload to them for distribution.”
“What’s the ‘dash-o’ for?” I asked.
“That’s the cancellation command. If you add a ‘–o’ to the command line with the proper key and password, it transmits an abort command to the server. Unfortunately, even though we have the keys used by the Persian operatives, without their password, there will be no way to cancel their previous payload. Our only option is to send a new attack that somehow negates the earlier one.”
We next reviewed how to create a Florentine attack program. Each attack program included a series of instructions that would be executed on each computer at the designated trigger time. An attack program could check conditions on the computer, such as the computer’s display language, its address on the Internet, the names of users on the machine, and dozens of others, and then conditionally perform or exclude parts of the attack based upon those conditions.
“There are several example programs in the PDF file—I found them while you were making calls,” he said. “And if necessary, you can launch more-complex attacks using an embedded machine code module.”
“That’s probably what Khalimmy and Sami used to trash the firmware chips.”
“Yes, there’s no evidence of any built-in commands to alter or destroy the contents of the firmware. They almost certainly had to add a special module of their own to do this.”
Amir consulted his watch again. “So we have roughly nine or ten hours of remaining time to come up with an antidote and upload it to the update servers. If we can do so before ten a.m. tomorrow, that will give the population of machines exactly twenty-four hours of time to retrieve our antidote commands, the minimum duration required for all the machines to connect at least once to the update servers, at least those that are powered on during this period.”
“The big question is how we cancel the attack,” I said, just as a knock came at the door. I spun around in alarm.
“It’s okay, Alex. I’m sure it’s just a student.” Amir patted me on the back and then walked over to the door, turning the knob three-quarters of the way to the open position, before hesitating and asking, “Who is it?”
“It’s Terry. Have you got a second? Johan forgot his password again.”
Amir pulled the door open a crack. “I’m sorry Terry. I’ve got an emergency I’m dealing with right now. Can you have Johan call up the Engineering helpdesk?”
“I’ll tell him but he won’t be happy. Last time he spent two hours on hold before someone picked up.”
“I understand. Please apologize for me, and tell him I’ll try to stop by later if I have time.” Amir eased the door shut and returned to his chair. “These emeritus professors can’t tie their own shoes without assistance,” he snorted, “let alone operate modern computers.”
“Amir, is there any chance we could move to a more secure location?”
“Why? We’re perfectly safe here. And no one knows you’re here. Correct?”
“Only a close friend. But Khalimmy managed to locate me at my frien
ds’ house, and the Russians managed to locate Khalimmy’s hideout as well. So I’m not so sure …”
Amir considered this. “I have a small hardware storage room in the Cellar. It’s not very pleasant, but it’s got power, and only a few people know I’ve taken over the room.”
“The Boelter Cellar?” I asked. A graveyard for maintenance equipment and other digital detritus accumulated during Boelter Hall’s fifty-plus years of existence, the Cellar would be a perfect hiding place. Accessible only from the seldom-visited second-floor atrium area in the middle of Boelter Hall, most students didn’t even know the cavernous junkyard existed, or for that matter, how to reach the atrium.
“That would be perfect. Does it have an Internet connection?” I asked.
“No direct connection, but we can use the department’s Wi-Fi network. The area is directly underneath the large Boelter 3400 lecture hall.”
“It’s settled then. Let’s grab some food from the Engineering café and head down.”
Chapter 60
Laden with laptops, power strips and bags of plastic-wrapped premade sandwiches, protein bars, and energy drinks, Amir and I rode the southwest Boelter elevator down to the second floor, rounded the corner, and then stepped down into the atrium. The courtyard’s fallen leaves crackled under our feet as we moved silently, both in brainstorming mode, across the open space and to the Cellar entrance.
“Hold this.” Amir handed me his laptop and fished in his pocket for a keycard.
“Wow. This never used to be locked. Hell, the doors used to always be propped wide open when I was a student.”
“Times have changed, Alex.” He shook his head disappointedly. “They put card readers on all of the doors after a rash of computer-equipment burglaries last year.”
Amir slipped the card from his pocket and waved it past the card reader along the right side of the gray metal door; the electronic door lock clicked immediately. Amir gazed suggestively at the handle, so I grabbed it and eased the heavy warehouse-style door open.
“One second,” he said, navigating around a heap of sixties computer equipment, “hold the door until I find the light switches.”
Amir knocked something over, cursed in Farsi, and a few seconds later, a seemingly random collection of overhead fluorescent lights began flickering listlessly, emitting just enough illumination to cast the helter-skelter graveyard of discarded engineering equipment in ominous shadows.
“Spooky,” I said. “Looks just like it did five years ago when we used to go dumpster diving in here. Only dustier. You know, back during junior year, we found parts of the control panel of Boelter’s original nuclear reactor in a pile over there. Just sitting there, totally covered in dust. My friends also used to enter the underground steam tunnels from here. That door over there at the far end,” I pointed into the back wall, “supposedly leads to a tunnel under the Court of the Sciences.”
“It’s amazing you and your crew were never expelled,” he said, piloting around an engineering desk covered with stacks of dust-covered PDP-11 mainframe manuals. “Follow me. Carefully.”
Amir wended his way through the islands of discarded equipment, heading toward the right wall of the fan-shaped room. He stopped at a metal door set into the grimy concrete wall and pulled out an enormous key ring.
“Welcome to my vault,” he said, fingering through the two dozen keys decorating the ring. “It’s not much but it’s all mine.” He stopped when he reached a hexagonal brass key, and unlocked the door.
Amir’s vault stood in stark contrast to the chaotic main storeroom, clean and bright. He’d removed the depressing overhead fluorescent bulbs and replaced them with four large halogen floor lamps. Rows of individually labeled cardboard boxes with names like “Ethernet Cables,” “Ethernet Cards,” “Wi-Fi Cards,” “SATA Cards,” and “Cabling Tools” lined wire-mesh shelves along the left and right walls. Along the back wall, a sixties-era desk held several neat stacks of paperwork, and to its side a half-height dorm-room refrigerator hummed softly.
“Dump the computer over there,” he pointed at the desk, “and throw the drinks and food in the cooler, please.”
He dropped his load onto the desk as well, propped the metal door open, and disappeared into the ersatz equipment graveyard. He returned a minute later with a dust-covered leather desk chair.
“This was Dean Boelter’s, believe it or not. For the next twenty-four hours, it will be yours. Grab a paper towel from the roll on the cooler and wipe the dust off outside, then it’s back to work.”
“I’ve been thinking,” he said while I wheeled in the wiped-off chair. “We know that the Florentine has a module that runs inside of Windows on every PC. That module is responsible for monitoring for incoming attack payloads from Microsoft’s update servers, then launching each attack at its designated trigger time. If we can’t trick this module by changing the time, could we possibly send a command to delete the module altogether? If we could remove the time-triggering module itself, this would solve all our problems.”
“Like removing the timer from a time bomb.” I chewed on my lower lip and considered the idea. “Even though the bomb is still functional, it can’t trigger without the timer, and is rendered benign. It’s a good idea. The challenge is, this module could be hidden anywhere inside of Windows. Even if we found it, it could take days to figure out how to safely disable it.”
Amir shook his head glumly. “Back to the drawing board.”
“Not a bad idea though, just not practical given our tight timing. But it does give me another idea, a plan of last resort, really.”
“What’s that?” he said, swiveling his chair around.
“Well, even if we can’t figure out how to locate and disable the Florentine component that’s hidden within Windows, we can easily attack Windows itself. We could delete essential Windows system files so it simply can’t function. Like ripping the spark plugs out of a car engine. And if Windows can’t run, then the Florentine module hidden inside it can’t run either: or for that matter, activate its payload.”
A puzzled look materialized on Amir’s face. “You’re suggesting that we attack every computer in the United States and Israel, and kill Windows on all those computers, before the Florentine has a chance to do so itself? The cure is as bad as the disease, no?”
“No. Deleting a few Windows files is temporary. That can be fixed in just a few hours or days. Khalimmy’s firmware attack is permanent—those machines will be turned into paperweights.”
“But the devastation …”
“Yes, it’s an option of last resort. It would cause a massive disruption—probably billions in lost business during the outage. But it would be temporary. Everything would be back up and running in a few days. And if we scheduled such an attack to trigger at 9:55 a.m. on Wednesday morning: say, five minutes before Khalimmy’s attack, then his payload would never get a chance to run. Meanwhile, that would give the NSA, or Department of Homeland Security, or whoever, time to come up with a permanent cure.”
Amir mulled over the idea some more, then nodded. “You’re right, it is an option, but it should be our last option.” He cleared his throat.
“Agreed,” I said. “Let’s create the attack and keep it in our back pocket for now.”
I sat down at the desk and motioned for Amir to join me.
“Now if I recall correctly from my virus analysis days, there are about four or five key files that are involved in the boot-up of Windows—after each one starts up and performs its task, it proceeds to load the next file in the series, until Windows is fully up and running. All of them are critical. If even one of them is missing, Windows won’t start. These files are often targeted by viruses, because if the virus can inject its logic into one of them, it gets control of the entire computer immediately when it starts up.”
As Amir processed this, I pulled up the network settings on his laptop and connected it to the Computer Science Wi-Fi network; the signal was extremely weak—just one bar
—but sufficient for our purposes.
“So if we delete one or more of these files, the computer crashes?” he said.
“Not quite. Once the computer is up and running, deleting these files probably won’t cause any problems: Windows will continue to run normally because the files are only involved in the startup process. But the next time computer is restarted, it’ll crash immediately, certainly long before the Florentine component has a chance to load.”
“I see. So we need to not only remove these files, but also reboot the computer to ensure that it crashes.”
“Correct,” I replied. “Now if I’m not mistaken, each version of Windows uses a slightly different set of files to start up. So, to make sure we can cause all versions of Windows to crash, we’re going to have to identify a different set of files to delete for each major version of Windows.”
Amir eyed his watch nervously.
“We’ll have time.” I pulled up Google in Amir’s web browser and searched for “windows startup process.” After a few minutes of hunting, we found web pages that described the boot-up sequences for Windows XP, Windows 2000, Windows Vista, Windows 7, and Windows 8: all the major versions. I cut-and-pasted the names of the operating system files involved in starting up each version of Windows into a document file, so we could see them all in one place.
“Each version of Windows uses a slightly different set of files to start up,” commented Amir.
“Not quite. If you look closely,” I pointed with my finger, “all of them share one file in common: NTOSKRNL.EXE. If we delete that file, I believe we’ll be able to crash all versions of Windows, at least all the major ones.”
Amir considered this, then nodded in agreement. I opened up the Notepad application on Windows and began to type in the payload script, consulting the example attack payloads that were included in the Florentine PDF. Amir leaned in and watched from behind as I typed.