Trojan Horse

Home > Other > Trojan Horse > Page 1
Trojan Horse Page 1

by Mark Russinovich




  Mark Russinovich works at Microsoft as a Technical Fellow, Microsoft’s senior-most technical position. He joined the company when Microsoft acquired Winternals software, which he co-founded in 1996. He is also author of the popular Sysinternals tools. He is co-author of the Windows Internals book series, a contributing editor for TechNet Magazine, and a senior contributing editor for Windows IT Pro Magazine. He lives in Washington State. Zero Day is also published by Corsair.

  ALSO BY MARK RUSSINOVICH

  Zero Day

  TROJAN

  HORSE

  MARK

  RUSSINOVICH

  Constable & Robinson Ltd

  55–56 Russell Square

  London WC1B 4HP

  www.constablerobinson.com

  First published in the US by Thomas Dunne Books, 2012

  First published in the UK by Corsair,

  an imprint of Constable & Robinson Ltd, 2012

  Copyright © Mark Russinovich, 2012

  The right of Mark Russinovich to be identified as the author of this work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988

  All rights reserved. This book is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, resold, hired out or otherwise circulated in any form of binding or cover other than that in which it is published and without a similar condition including this condition being imposed on the subsequent purchaser.

  This is a work of fiction. Names, characters, places and incidents are either the product of the author’s imagination or are used fictitiously, and any resemblance to actual persons, living or dead, or to actual events or locales is entirely coincidental.

  A copy of the British Library Cataloguing in Publication Data is available from the British Library

  ISBN: 978-1-47210-195-2 (ebook)

  ACKNOWLEDGMENTS

  I’d like to thank John Lambert, David Cross, Frank Simorjay, and Scott Field—colleagues of mine at Microsoft—for reviewing drafts of Trojan Horse and providing valuable input based on their real-world experiences with cyber espionage. Ron Watkins provided me great input on the plot and character development and made helpful reviews of numerous drafts.

  I’m grateful to Kevin Mitnick for endorsing the book with his foreword and to Mikko Hypponen for his blurb. I’ve learned a lot from both of them and am honored to have their names associated with Trojan Horse.

  My thanks also go to my agent, Ann Collette, from the Helen Rees Literary Agency, who helped usher the book through the publication process. I owe thanks to Peter Joseph, my editor at Thomas Dunne Books, for believing in a sequel, for the insightful feedback he gave in his reviews, and making sure everything was covered for the successful publication and launch for Trojan Horse.

  Finally, I want to again thank my wife, the real-life Daryl, for her continued support of my indulgence as a fiction author.

  FOREWORD

  It is Mark Russinovich’s in-depth knowledge of Windows and how data traverses over the digital landscape that creates the chilling realism in the backdrop of Trojan Horse, the highly anticipated follow-up to his first novel, Zero Day. I’ve long said that people are the weakest link in the security chain (and, in the past, frequently taken advantage of this myself). In his thrilling tale, Mark shows us that malware remains a significant threat as the sophistication of malicious programs continues to grow. The bad actors still use the age-old technique of social engineering—the method of manipulating people into performing an action in order to leverage the help of the victim to exploit a security flaw in the application software that resides on their computer. When used together, these two attack methods can lead to devastating outcomes as they leapfrog over even the most resilient network defenses. No one is immune to social engineering, and even the most technically competent can easily fall victim to this method.

  In today’s world, it is rare that such an attack will merely affect one network. Once again, Mark makes us aware of how interconnected our systems are, and how their dependencies can be used to create havoc in our world. Geographic boundaries are no longer an obstacle for those wishing to cause harm. Our future wars may employ people on the battlefield as a last resort. The initial efforts will likely be fought digitally over the vast technology infrastructure that the Internet has created. It is now possible to have a virus weaponized in China, employed in Berlin on behalf of Afghanistan, and have the payload delivered in Sydney or the United States—masking origination, and making detection and accountability almost impossible.

  Mark has created well-defined characters in Jeff Aiken and Daryl Haugen, whose challenges will absorb the reader. His attention to detail in both the technical and backdrop settings are realistic because they are closely related to real events exposed by the media. Even the nontechie will have no trouble understanding the well-explained technical details. The story line keeps the reader immersed, anticipating what will happen next, and the only difficulty comes in trying to put the book down.

  Trojan Horse is a work of fiction, but it makes you think about the possibilities in the future as the sophistication of our adversaries continues to grow in response to narrowing gaps in security posture. I am both honored and privileged to have the opportunity of an advance read of Mark’s latest work, and look forward to sequels in the future. However, after reading his book, even I am left wondering how prudent the decision was to open an e-mailed copy of the manuscript called “Trojan Horse.doc.”

  —KEVIN MITNICK,

  SPEAKER, CONSULTANT, AND AUTHOR OF

  THE NEW YORK TIMES BESTSELLER GHOST IN THE WIRES

  TROJAN

  HORSE

  INTERNAL DISTRIBUTION ONLY

  SECRET

  MEMORANDUM

  DATE:

  June 24

  FROM:

  Rhonda MacMillan-Jones

  Deputy Director, Cyber Security

  National Security Agency

  TO:

  Admiral Braxton L. R. Compton

  Chairman, Joint Chiefs of Staff

  Pentagon

  RE:

  Confirmation

  This is a follow-up to our conversation earlier today in which I confirmed the discovery of extraneous software embedded within the U.S. Pacific Fleet Command computer structure. This malware has access to the database that manages fleet deployments. It is highly sophisticated, unlike any we have previously encountered. At this time we do not know how it penetrated COMPACFLT computer defenses, how long it has been embedded, or the extent of the infection. It constitutes the most serious penetration to date by malignant software embedded from an unknown source within a highly classified U.S. military command computer system.

  We share your suspicions that this malware was responsible for the ten-hour blackout experienced by COMPACFLT during fleet maneuvers off Taiwan nineteen days ago. Be assured that we are working with your staff and will do all within our ability to locate and remove every vestige of this Trojan from your system and that we will learn how it managed to insinuate itself into such critical software.

  I wish to repeat that we do not yet know the scope of the penetration or the capacity of the malware to disrupt, or direct, fleet operations. We urge great caution in the interim. Though we cannot know its origin with certainty, the level of sophistication and the nature of its disruption indicates a nation-state with national security interests toward the United States.

  cc:

  CoS, POTUS

  NSA, White House

  INTERNAL DISTRIBUTION ONLY

  SECRET

  DAY ONE

  THURSDAY, APRIL 9

  CYBER PENETRATIONS REACH

  ALL-TIME HIGH

  By Arnie Willoughby

  April 9

&nb
sp; Sophisticated computer penetration is at record levels according to Cyril Lester, executive director of the Internet Security Alliance. In a speech delivered at the association’s annual meeting in Las Vegas, Nevada, Lester said, “Despite an increase in awareness by individuals and companies, malware, particularly in the form of Trojans, continues to find its way into computers at an alarming rate.”

  Though hackers still release what Lester described as “junk malware,” advanced and highly sophisticated viruses are an ever-greater cause for concern. Most target financial records and a number have been highly successful in looting personal and bank accounts.

  A new version of the Zeus Trojan, for one, recently penetrated bank security then silently stole more than one million dollars from an estimated three thousand accounts, according to Lester. “Authorities have been unable to trace the ultimate destination of the funds,” he said.

  The Zeus Trojan infected Windows machines through various exploits in Internet Explorer and Adobe Reader. It then lay dormant until the user entered his bank account. Through a technique known as keystroke logging it captured log-on information later used to access the account. If it was determined to hold at least $1,250 dollars the money was stolen.

  Though not proven, the cyber operation is believed to have been orchestrated by an East European cyber gang.

  Until recently, the Zeus Trojan was considered the most sophisticated and dangerous virus of all time, Lester said. That dubious distinction has been supplanted by Stuxnet, the mysterious virus which has targeted Iran’s nuclear development program. Lester emphasized that even more dangerous malware is likely already implanted in computers worldwide. “We’ve scarcely viewed the scope of the risk we face,” Lester said.

  The Internet Security Association is funded by the major computer and software manufacturers in the U.S. Lester has requested a four-fold increase in funding.

  US Computer News, Inc. All rights reserved.

  1

  YAKIMA, WASHINGTON

  EASTERN WASHINGTON ELECTRICAL GRID

  WAYK5-7863

  12:47 A.M. PST

  Scalpel.”

  The nurse placed it in the surgeon’s palm firmly, without the slap portrayed in movies. The young patient had been brought in more dead than alive following a highway accident. She could not have been more than fifteen years old. Somehow, in the violence and extremity of the collision a knifelike blade of hard polymer had pierced her skull and embedded itself in her brain.

  Her vital signs, however, were strong and given its position, if properly removed, the surgeon was optimistic for a satisfactory recovery. She was young, resilient, and the brain had an amazing capacity to restore itself at this age.

  The surgery had already lasted for more than three hours. He’d removed a portion of her skull to give him access. He’d picked out bits and pieces of bone until she was clean. But this was the worst of it. Remove this bit of plastic from the young woman’s brain and there was a very good chance she’d live. Leave it in place and she’d die. Make a mistake and she would be left functionally impaired or dead.

  Dr. Elias Holt lifted his hand and prepared to make the delicate incision. Just at that moment the lights blinked, then a moment later came back to life. Holt waited in case it happened again. Nothing.

  “We’re on emergency power,” Paul Sanders, the tech with the ACPM, or acute care physiologic monitoring system, said. “My data scrambled, Doc. I need a minute to reacquire.”

  Holt lowered his hand. There was no need to say anything. The technology this delicate surgery relied upon would soon be back up.

  “All right . . .” the tech began, but just at that moment the lights went out and did not come back on.

  Everyone on Holt’s experienced team knew to freeze in place, to do nothing. In a moment, the power would be restored from the outside grid or the hospital’s auxiliary system. A power outage was rare and Holt could not recall a time when he’d been left in darkness during surgery.

  The Mount Rainier Regional Medical Center was a small hospital with just eighty-five beds. In recent years, it had added emergency care to its profile as part of a significant expansion. The patient had been brought here because the accident had taken place nearby and her condition was so desperate.

  After twenty seconds of darkness the lights sprang on. “Paul?”

  “Sorry, Doc, but I need to reacquire my data. It will take a minute or more.”

  “How’s the patient, Allison?”

  The anesthetist answered, “Stable. No change.”

  Holt waited, then asked, “Paul?”

  “I’m resetting now.”

  Just then the lights went out again.

  In the basement, the night supervisor was staring at his computer screen. He could make no sense of what he was seeing. The primary backup generator had started twice, then simply kicked off. There was no power coming into the hospital from the outside power grid. They were on their own and this should not be happening.

  He’d been trained on the computer that controlled the power supply but hadn’t done anything with the system since then. It was automatic, computerized. It ran itself. Just as he was considering actually doing something, the generator kicked into life a third time. He held his breath, hoping no surgery was underway.

  Twenty seconds later the generator died again.

  Kathleen Ficke left the Holiday Inn bar and walked to the elevators. The bar was closing and her night was finished. She punched the button and waited for the doors to pop open.

  Ficke worked three or four times a month on such assignments for the Smart Agency. When she’d applied for the job, the owner had explained it to her in simple terms. “When a wife thinks her honey is fooling around, sometimes she wants proof, usually to get a better deal in the divorce. That’s when they come to us. I get a good photo and send a woman of the right age into the hotel bar where the target’s likely to do his drinking. She can’t be too pretty or too plain; she can’t be dressed sexy. In fact, I’ll take a full body picture of you before you go out. You’ll have the guy’s photo. All you do is sit alone at the bar and drink a Coke. That’s it. Don’t talk to anyone, get rid of any man who tries to pick you up, including the target. We just want to know if he’s with someone or if he hits on you. That’s it. You file a report and I give you two hundred dollars. Want the job?”

  The work had proven just as easy as he’d explained and the extra money had come in handy. She was tired and ready to go home. Her cat needed to be fed.

  She’d spent two hours in the bar and during that time her target had consumed eight bourbons. He’d been at a small round table talking with two men he’d apparently met in the bar. Each of them had given her the eye but none had approached her, not like others.

  The elevator doors opened with a digital chime. Ficke stepped in and a moment later so did her target. He glanced at her, slightly intoxicated, and punched the button for the fourth floor.

  “You?” he asked.

  “Lobby.”

  She stared straight ahead as the elevator began to move. He was overweight and she could hear his labored breathing. His face was flush and his eyes watery. Now she could smell the booze.

  Without warning the elevator stopped. There was the fading sound of dying machinery in the shaft. “Whoa,” her target said. “Who turned out the lights?”

  Ficke said nothing but was acutely uncomfortable at being stuck in an elevator with him. They stood silently until the wait extended uncomfortably.

  “I saw you at the bar,” the target said out of the darkness. “No luck, huh? Maybe he got held up. I’ve got a bottle in my room. Once this buggy gets going, come on down and we’ll talk it over.” He moved closer, so close the reek of bourbon flooded across her face. “What do you say?”

  Engineer Doug Bradstreet watched the green lights flash past as Trans-American train number 435 plowed through the night at sixty miles an hour. The run had begun just ten minutes earlier when he’d cleared the sw
itching yard in Yakima and now he was picking up speed before reaching the Pacific Coast mountain range.

  He wasn’t supposed to do that, of course. He’d been assured he had all the engine power he needed to make the climb, but he liked to build speed and hit the mountains as close to full throttle as reasonably possible. His two linked engines pulled eighty-three cars filled with coal intended for the TransAlta coal-fired power plant near Seattle. Bradstreet enjoyed the motion, the sense of power that came with giving the twin engines their head and letting them run.

  The window was open and he leaned out every few seconds, relishing the rush of fresh air across his face. A series of green lights told him all was well ahead. He’d spent long hours this way, the green lights a seemingly endless stream. Just at that moment, the lights suddenly flashed red. Bradstreet eased back on the throttle. Flashing red meant the light system was off the power grid and running from battery power. He slowed, feeling the slight uphill grade suck the power from the train.

  Then the flashing lights turned dark. Bradstreet cut the power to nil and the powerful train slowed until it came to rest atop the second of the five bridges the track crossed before reaching the mountains. He removed the microphone, punched the button, and said, “This is 435. I’ve lost signal lights and am stopped on bridge two. What’s the problem? When will I get lights back? Can I proceed?”

  “Stand by,” came the answer. Bradstreet didn’t know if the outage extended to his control, but even if it did the facility had a backup generator.

 

‹ Prev