Zero Day: A Novel


by Mark Russinovich

Arroyo moved the control. “Full reverse, sir.”

  Nothing. The engines continued as before. The ship plunged ahead without alteration.

  “Turn the computer back on. Reboot. Hurry, Sonny, hurry!”

  A long minute passed. “The computer’s frozen, sir. It’s locked.”

  “Do it again and keep doing it until we have control.”

  “Captain, we’re almost there!” Arroyo screamed.

  Desperate, Shiva radioed the offshore facility and the port that he had no control over the ship. A small Japanese naval ship came out and signaled frantically for him to stop, but he could do nothing.

  One mile out the computer was still locked and steering was unresponsive. Shiva sounded the horn as warning, over and over. The deep, resonant blast reverberated like the voice of God as the ship moved across the ocean, but it did no good except to draw a crowd of workers on the facility to the rail and members of his own crew to the deck.

  The massive ship passed the floating facility with fifty feet to spare, though they cut several oil lines and crushed at least one small tender tied to a moorage.

  Shiva could now see the port. “My God,” he muttered. “Sonny, you still can’t get the computer up?”

  “No, sir. It just locks, over and over.” Olivera looked up from his screen at the reality beyond the windshield. His face was dripping in sweat. “What’s going to happen?”

  Four minutes after rushing by the offshore facility, The Illustrious Goddess roared into Nagasaki harbor, smaller ships scattering in every direction. The enormous ship made the sound of an onrushing locomotive until it struck bottom more than one hundred yards out, but with its mass plus the surge of the engines continuing without respite, the ship plowed ahead as if nothing had happened. Like a mammoth battering ram it streaked across the harbor, then struck land, continuing almost without letup until two-thirds of the ship was out of the water. The sounds of twisted and torn metal were horrifying.

  Crossing the port, the massive ship killed six men who’d been too slow to move.

  Shiva and his disbelieving crew were knocked to the deck by the force of the impact. A deep moan came from within the ship. The ship’s screw continued to turn and turn, the water behind it boiling into a chocolate-colored froth. Out of water, without the pressure of the ocean, the sides of the ship ruptured, and 4.5 million barrels of oil began surging out.

  15

  MANHATTAN, NYC

  WORLD TRADE CENTER SITE

  TUESDAY, AUGUST 15

  12:38 P.M.

  Jeff’s decision to form his own computer-security company when he left the government had been logical and, for the most part, satisfying. His involvement in the events leading up to 9/11 was known to only a few within the Company, who certainly had reason not to brag about his discoveries. The veil of secrecy over his work at the CIA also prevented him from going public with the details, though he’d come to accept that it would have done no good if he had.

  Instead he plunged into the world of cyber-security, where he believed he could do some good. He knew the government was where he belonged, but it was too mired in bureaucracy for him to be effective. Perhaps he could attack the problem from the private sector and make a good living at the same time. From his experience, the level of security for most computers, even those for otherwise quite sophisticated businesses, was paper-thin. Their security programs weren’t updated routinely or even activated, and patches released for vulnerabilities were often not installed.

  In the worst-case scenarios, viruses propagated at an alarming rate. SQL Slammer, a virus released in early 2003, doubled every 8.5 seconds and infected 90 percent of vulnerable hosts within ten minutes. It was responsible, directly and indirectly, for shutting down thirteen thousand Bank of America ATMs.

  A more recent high-profile example was the Conficker worm. It was originally launched by as-yet-unidentified hackers in late 2008 to serve as a general-purpose platform for malicious activity ranging from spamming to denial of service attacks. By constantly updating to use increasingly more sophisticated update, propagation, and rootkit techniques, it had managed to infect an unknown number of computers with estimates as high as 15 million.

  Every year, every few weeks in fact, more and more viruses were unleashed, and increasingly they were searching for ways to steal money. One-third of the U.S. workforce was online, while millions more banked in cyberspace. Internet crime had outgrown illegal drug sales, netting more than $120 billion annually. There’d been nearly two hundred major intrusions into corporate computers, exposing more than 70 million Americans to financial fraud. This included everything from dates of birth and Social Security numbers to credit-card numbers and passwords. Ford Motor Company had had the records of eighty thousand employees stolen online.

  Worse, the numbers were likely far greater, since so many individuals and companies had no idea their systems had been hacked. The government was largely unconcerned, or unknowing, for the DHS research budget for cyber-security had been cut to just $16 million.

  Basically, it is so damn simple, Jeff thought. Viruses found their path into computers in two ways. They could enter through a vulnerability in an application or within the operating system itself, or they could inadvertently be downloaded by the computer user, who was tricked into manually running the virus, believing it was something it was not.

  Regardless of the method for contamination, the virus would make its way freely into thousands of computers undetected before one of the security companies’ honeypots, computers left online with no protection, attracted the virus. Thereafter, it could take several hours to several days for an antivirus company to create a signature and deliver it, known as a rollout, to their customers. Once loaded, antivirus software prevented the virus from executing, so the user with the program installed was safe against the virus, no matter how the contamination occurred. The antivirus software on customer systems usually checked for the updates once per day, though automatic updates were often never turned on by owners.

  When a virus that exploited a new vulnerability was discovered, the antivirus company also notified the software vendor whose product contained the vulnerability so it could prepare a fix, known as a patch. To create, test, and make the patch available, the vendor would take anywhere from a few days, in the most critical cases, to weeks or even months, for vulnerabilities that were less critical.

  In both cases the patch was rolled out to customers over a period of days. It could be months before most customers installed the patch, and many companies or individuals never installed it at all. When a particularly risky vulnerability was identified, vendors sent security bulletins to customers advising them to manually download and apply the patch rather than wait for the automated update.

  The security companies were always playing catch-up. A new risk existed for a minimum of a few days to weeks. The system, if that’s what it could be called, left a surprisingly large number of computers susceptible, even to viruses that had long been identified.

  The situation was magnified because most home users didn’t possess a security system, and if they did, they let its license expire, leaving the system exposed. Government computers were no less vulnerable. It was well known that the Chinese had obtained an enormous amount of U.S. national security data by entering computers believed to be secure. Other governments were doing the same thing. It was cheaper, and more effective, to hire hackers to work the Internet than to recruit, train, and support spies or to pay traitors.

  Because of all this Jeff had no lack of work, particularly since his reputation preceded him into the market. Increasingly, however, he was seeing malware that traveled under the radar, destructive code that insinuated itself into computers without detection. It wasn’t necessary to open an e-mail or even to neglect your antivirus software. All you had to do was connect to the Internet and the malware found you, if you had a vulnerability.

  The truly destructive viruses, those that stole financial records, destroyed systems, and such, were more often like subterranean trolls. They were unleashed by their creators, or by someone working with them, and flashed across the core of the Internet, seeking a way to enter a computer by exploiting a vulnerability, an error or pathway inadvertently left open in one of its programs.

  The viruses were always there, permanent, relentless. They never tired, never became frustrated, required no fresh direction. As they pressed their electronic nose to the security wall of each computer, they probed for that little mistake written into a program that allowed them to gain entry, undetected, undeflected by firewalls or antivirus programs.

  These worms descended to the depths of the computer, burrowing down and existing like a living parasite, planting themselves within the operating system. They were designed to resist detection. To mask themselves further, they worked slowly at replicating clones, sending out new versions of themselves to seek new computers at an all but undetectable rate. They were a cancer on the Internet and on every computer they entered. They grew, spreading their electronic web into every space they could find. This was the future of all serious malware, one increasingly concealed from detection by a cloaking technology known as rootkits.

  Yet years after the tragedy of 9/11, the FBI was claiming that Al Qaeda and other terrorist groups lacked the ability to attack America’s cyber infrastructure. They didn’t say the system was safe. No, they said that the terrorists didn’t have the ability to exploit it—yet.

  Bringing his thoughts back to the present, Jeff stepped from the subway station onto the sidewalk and stopped.

  He blinked his eyes at the sudden light, trying to take it all in. The sight of nothingness where the World Trade Center had once stood, dominating the landscape, stunned him.

  To his right, still erect and fully functioning, was the World Financial Center. Except for broken windows and some concern about foundations in the weeks after the attack, it had emerged unscathed. Account Resources Management was up and running after a six-month hiatus in upper Manhattan.

  The company lost three employees that day: Cynthia and another coworker attending a meeting near the top of the North Tower, plus one who was arriving late for work and was struck by debris from United Flight 175 when it hit the South Tower. There had been a memorial service, but Jeff had been too overwhelmed with grief, loss, and culpability to attend. For the same reason, he’d not gone to the service the family held in Cookeville, Tennessee. Now, though, his anger was all on himself, and his burden of guilt was almost more than he could bear. He simply could not face it.

  He walked at a steady pace around the enclosed site. With each step he found the enormity of the devastation overwhelming. To see it on television and in pictures was one thing. To be here, to see it like this, was something else entirely.

  From time to time he came upon memorials, some official, most impromptu, commemorating the loss of one group or another. At the poster of three Brooklyn firefighters raising the American flag over the rubble that terrible morning, Jeff stopped.

  What was the point in walking? What did he think he was accomplishing?

  Jeff gazed into the gaping chasm. Cynthia’s body was never recovered. Whatever there had been of her lay there, before him. He closed his eyes and wept.

  16

  ISTANBUL, TURKEY

  SEFAKÖY DISTRICT

  ISTANBUL TECHNICAL UNIVERSITY

  TUESDAY, AUGUST 15

  3:11 P.M.

  Like most of the other students, Mesut Elaltuntas worked on his own laptop at the university computer-science center. The university had an excellent computer program, which was why he went there. They provided this room on campus where students could access the Internet with their own computers, since many of them didn’t have Internet access at home. The room might have been on any college campus anywhere in Europe or America, except here in Turkey the air was thick with the fog of cigarette smoke.

  Elaltuntas scrolled down the list of Web sites produced by his Google search. He was already familiar with several of them and knew they were of no use to him. Others weren’t related to the code he was searching for. He’d already used one that suited his purpose; now he wanted another very like it. He pursed his lips and continued to scroll.

  At first the idea of constructing new viruses had seemed simple enough. He’d designed a few himself and considered releasing them, but the arrest here in Istanbul of the cracker with the screen name Coder had made him cautious. Coder had bragged to everyone in various chat rooms how easy writing virus code was and how you could make money at it. Now he was in jail. Sure, his real name had appeared in newspapers and on television around the world, but that wasn’t the kind of fame Elaltuntas sought.

  But right now he needed a new base virus code. He already had the code for turning systems off and on. When he’d been given it, he’d had no idea what it did, but he’d spent some time studying the code and was now certain. At first it had scared the hell out of him, but once he realized that he was covering his tracks in ways that hadn’t occurred to Coder, he’d been thrilled at the possibilities. Someone was up to something big and he was a part of it.

  Elaltuntas needed to place that code into a virus with a proven record of exploitation. His employer paid a flat one hundred euros for each new virus Elaltuntas produced, but added another hundred if it had a larger than average degree of exploitation. Elaltuntas didn’t know how his employer made that determination, but he’d been paid the extra hundred often enough these past weeks to figure his employer knew how to do it.

  There! StopHackers.com. Crackers posted their virus codes in many places, but Elaltuntas had learned that Web sites that claimed to be fighting malware were actually a great source for the code. He suspected they actually existed for the purpose of disseminating it. It was posted right there on the Web site. Anyone could help himself.

  Now that he’d copped the most obvious viruses and knew the remaining common viruses and their variants, he’d already used the best. Finding something for which a security patch didn’t yet exist was his dream, but he’d settle for a new virus or variant of an old standby that looked to have fresh access.

  StopHackers.com was a new Web site to Elaltuntas. He scrolled through the boilerplate that the Web master had lifted from similar sites, then entered a chat room discussing various viruses at length. He found a lot of chatter about a new one out of Manila, home of the Lovebug, called Doomer. It was a network worm, which meant no attachment had to be opened for it to enter a computer, and gained access by exploiting a vulnerability in Windows XP. Excellent. But the best news was that Microsoft had yet to announce a patch. That meant he would likely have at least a month of smooth sailing, and an extra hundred Euros in his account.

  None of this bothered him in the least. Since he’d been a small child, he’d enjoyed breaking things. Too often he’d been caught and punished. Now, on the Internet, he could smash the biggest of things and never be caught. He found it thrilling.

  Elaltuntas copied the code, then dropped it into his own cracker file. He studied the new virus for a few minutes, but didn’t understand it. The inventor had been clever. Mentally shrugging, he searched for the point where he could insert his new code so that it rode piggyback into computers along with the virus. Shit! He went back to the Web site and read the entries in the chat room carefully. Thirty minutes later he found what he was looking for. Stupid! I should have spotted that on my own! Back into his own file, he pasted his own code into the location—tailor-made, it seemed, for just such an addition.

  Let’s see. He customized the code he’d copied to infect an unattended computer, then downloaded the virus. The girl who owned it, Melek, had asked him to keep an eye on her laptop while she went out for lunch. He’d smiled and agreed. A few seconds later the worm announced it had successfully dropped itself on the target. It had taken. Excellent.

  Back at his own computer he sent an e-mail from his Yahoo account.

  Date: Tues, 15 August 15:56 —0800


  He typed in the address.

  From: Wiseguy

  Subject: new code

  hve the code inserted in new doomer. it tests. is attached. when will u send money? do u wnt more?

  Wiseguy

  Elaltuntas attached the new file and watched the Yahoo e-mail account go through its virus scan with some amusement. He hit RETURN TO MESSAGE and sent the virus. He’d check back later that day for his answer. Then he spent the next twenty minutes searching for another virus for his new code to piggyback on, certain he’d have a use for it.

  Melek returned to her computer. “Sağol,” she told Elaltuntas with a smile. He smiled back. She’d never know how she’d just thanked him for what he’d placed into her computer, not unless she was secretly controlling a nuclear power plant.

  17

  MANHATTAN, NYC

  IT CENTER

  FISCHERMAN, PLATT & COHEN

  TUESDAY, AUGUST 15

  6:09 P.M.

  Jeff walked to the law firm’s building from his hotel, enjoying Manhattan in the early-evening hours of a late summer day. He passed joggers, restaurant owners setting up chairs and tables outside, office workers rushing for home or to join someone for a drink and conversation. Picking up a double latte and toasted bagel, he crossed the marbled lobby, then took the elevator to the law firm’s offices on the twenty-second floor.

  He entered the IT Center quietly in the event Sue was asleep but found himself alone. Jeff took his place and inserted the driver in the virtual machine. To see what the driver was doing, however, Jeff needed to use a kernel debugger. He set break points so that the machine would stop when it reached points where Jeff believed he might be able to study the driver’s operation.

  Going this far was both good and bad. Good in the sense he hoped to produce something useful; bad in that he was forced to go so far searching for answers. But something important was eluding him, perhaps more than a single something. The only truly good thing about all this he could point to was that Daryl was at least as fully engaged and she had far greater resources than he did.

 
