Read The Florentine Deception Online
Authors: Carey Nachenberg
“One second,” he said, navigating around a heap of sixties computer equipment, “hold the door until I find the light switches.”
Amir knocked something over, cursed in Farsi, and a few seconds later, a seemingly random collection of overhead fluorescent lights began flickering listlessly, emitting just enough illumination to cast the helter-skelter graveyard of discarded engineering equipment in ominous shadows.
“Spooky,” I said. “Looks just like it did five years ago when we used to go dumpster diving in here. Only dustier. You know, back during junior year, we found parts of the control panel of Boelter's original nuclear reactor in a pile over there. Just sitting there, totally covered in dust. My friends also used to enter the underground steam tunnels from here. That door over there at the far end,” I pointed into the back wall, “supposedly leads to a tunnel under the Court of the Sciences.”
“It's amazing you and your crew were never expelled,” he said, piloting around an engineering desk covered with stacks of dust-covered PDP-11 mainframe manuals. “Follow me. Carefully.”
Amir wended his way through the islands of discarded equipment, heading toward the right wall of the fan-shaped room. He stopped at a metal door set into the grimy concrete wall and pulled out an enormous key ring.
“Welcome to my vault,” he said, fingering through the two dozen keys decorating the ring. “It's not much but it's all mine.” He stopped when he reached a hexagonal brass key, and unlocked the door.
Amir's vault stood in stark contrast to the chaotic main storeroom, clean and bright. He'd removed the depressing overhead fluorescent bulbs and replaced them with four large halogen floor lamps. Rows of individually labeled cardboard boxes with names like “Ethernet Cables,” “Ethernet Cards,” “Wi-Fi Cards,” “SATA Cards,” and “Cabling Tools” lined wire-mesh shelves along the left and right walls. Along the back wall, a sixties-era desk held several neat stacks of paperwork, and to its side a half-height dorm-room refrigerator hummed softly.
“Dump the computer over there,” he pointed at the desk, “and throw the drinks and food in the cooler, please.”
He dropped his load onto the desk as well, propped the metal door open, and disappeared into the ersatz equipment graveyard. He returned a minute later with a dust-covered leather desk chair.
“This was Dean Boelter's, believe it or not. For the next twenty-four hours, it will be yours. Grab a paper towel from the roll on the cooler and wipe the dust off outside, then it's back to work.”
“I've been thinking,” he said while I wheeled in the wiped-off chair. “We know that the Florentine has a module that runs inside of Windows on every PC. That module is responsible for monitoring for incoming attack payloads from Microsoft's update servers, then launching each attack at its designated trigger time. If we can't trick this module by changing the time, could we possibly send a command to delete the module altogether? If we could remove the time-triggering module itself, this would solve all our problems.”
“Like removing the timer from a time bomb.” I chewed on my lower lip and considered the idea. “Even though the bomb is still functional, it can't trigger without the timer, and is rendered benign. It's a good idea. The challenge is, this module could be hidden anywhere inside of Windows. Even if we found it, it could take days to figure out how to safely disable it.”
Amir shook his head glumly. “Back to the drawing board.”
“Not a bad idea though, just not practical given our tight timing. But it does give me another idea, a plan of last resort, really.”
“What's that?” he said, swiveling his chair around.
“Well, even if we can't figure out how to locate and disable the Florentine component that's hidden within Windows, we can easily attack Windows itself. We could delete essential Windows system files so it simply can't function. Like ripping the spark plugs out of a car engine. And if Windows can't run, then the Florentine module hidden inside it can't run either: or for that matter, activate its payload.”
A puzzled look materialized on Amir's face. “You're suggesting that we attack every computer in the United States and Israel, and kill Windows on all those computers, before the Florentine has a chance to do so itself? The cure is as bad as the disease, no?”
“No. Deleting a few Windows files is temporary. That can be fixed in just a few hours or days. Khalimmy's firmware attack is permanent—those machines will be turned into paperweights.”
“But the devastation …”
“Yes, it's an option of last resort. It would cause a massive disruption—probably billions in lost business during the outage. But it would be temporary. Everything would be back up and running in a few days. And if we scheduled such an attack to trigger at 9:55 a.m. on Wednesday morning: say, five minutes before Khalimmy's attack, then his payload would never get a chance to run. Meanwhile, that would give the NSA, or Department of Homeland Security, or whoever, time to come up with a permanent cure.”
Amir mulled over the idea some more, then nodded. “You're right, it is an option, but it should be our last option.” He cleared his throat.
“Agreed,” I said. “Let's create the attack and keep it in our back pocket for now.”
I sat down at the desk and motioned for Amir to join me.
“Now if I recall correctly from my virus analysis days, there are about four or five key files that are involved in the boot-up of Windows—after each one starts up and performs its task, it proceeds to load the next file in the series, until Windows is fully up and running. All of them are critical. If even one of them is missing, Windows won't start. These files are often targeted by viruses, because if the virus can inject its logic into one of them, it gets control of the entire computer immediately when it starts up.”
As Amir processed this, I pulled up the network settings on his laptop and connected it to the Computer Science Wi-Fi network; the signal was extremely weak—just one bar—but sufficient for our purposes.
“So if we delete one or more of these files, the computer crashes?” he said.
“Not quite. Once the computer is up and running, deleting these files probably won't cause any problems: Windows will continue to run normally because the files are only involved in the startup process. But the next time the computer is restarted, it'll crash immediately, certainly long before the Florentine component has a chance to load.”
“I see. So we need to not only remove these files, but also reboot the computer to ensure that it crashes.”
“Correct,” I replied. “Now if I'm not mistaken, each version of Windows uses a slightly different set of files to start up. So, to make sure we can cause all versions of Windows to crash, we're going to have to identify a different set of files to delete for each major version of Windows.”
Amir eyed his watch nervously.
“We'll have time.” I pulled up Google in Amir's web browser and searched for “windows startup process.” After a few minutes of hunting, we found web pages that described the boot-up sequences for Windows XP, Windows 2000, Windows Vista, Windows 7, and Windows 8: all the major versions. I cut-and-pasted the names of the operating system files involved in starting up each version of Windows into a document file, so we could see them all in one place.
“Each version of Windows uses a slightly different set of files to start up,” commented Amir.
“Not quite. If you look closely,” I pointed with my finger, “all of them share one file in common: NTOSKRNL.EXE. If we delete that file, I believe we'll be able to crash all versions of Windows, at least all the major ones.”
Amir considered this, then nodded in agreement. I opened up the Notepad application on Windows and began to type in the payload script, consulting the example attack payloads that were included in the Florentine PDF. Amir leaned in and watched from behind as I typed.
TRIGGER-CRITERIA-BEGIN
DATE=09/06/2015
TIME=17:55:00GMT
TRIGGER-CRITERIA-END
PAYLOAD-PROGRAM-BEGIN
IF (oslang == “en-us” OR oslang == “he-il”) THEN DELETE %SystemRoot%\system32\ntoskrnl.exe
ENDIF
PAYLOAD-PROGRAM-END
“That should do it,” I said. “This will trigger at 5:55 p.m. GMT this coming Wednesday, which is 9:55 a.m. Pacific Standard Time, five minutes before Khalimmy's attack is supposed to trigger.”
Amir lifted his glasses and reviewed the trigger criteria. “I concur.”
“Good, let's review the payload now. Our payload first checks to see if the system is configured to use either English or Hebrew. This is the same criteria Khalimmy used, as far as we know, to identify which machines to target. If a machine uses either language, then our payload deletes the ntoskrnl.exe file. Otherwise our payload does nothing. Did I make any mistakes?”
Amir leaned in and studied the three-line program.
“No,” he said, running his index finger down the screen for a second review. “There are no problems I can see.” I moved the mouse over the Save button and clicked.
“Wait,” he said. “You're missing the reboot command that will cause the machines to restart and then crash.”
“Good catch,” I said, adding a line with the word “REBOOT” after the “DELETE” line. “Look okay now?” I asked.
“Yes,” he said, after pausing to reread the entire program. Receiving his blessing, I saved the payload into a file called Antidote.dat.
“Now let's reserve one of the authentication keys and pick a password.”
He shook his head. “You know, it's scary that in just ten lines, you've got the power to crash hundreds of millions of computers, to potentially alter the path of entire economies …”
“It is scary,” I agreed.
I switched windows to the file containing the ten Florentine authentication keys and copied the last 256-digit key into a new file called Key.dat. Finally, I opened up a command shell where I could type in the command to launch the attack.
“Okay, pick a password we can use to cancel the attack, if need be.”
“Shamshiri,” Amir said.
“Like the restaurant?” I asked, referring to the popular Persian eatery near campus.
“Yes, it means ‘sword’ in Farsi. We are the defensive sword.”
“I guess we are,” I said, typing in the command line:
C:\temp> florentine.exe key.dat shamshiri antidote.tad
“Don't hit Enter!” said Amir nervously.
“Don't worry.” I swiveled the chair around and patted him on the shoulder. “I intentionally misspelled the name of the payload file, Antidote.tad—it should be ‘.dat’, not ‘.tad’. If and when we're ready to launch the attack, I'll fix the spelling and then hit Enter.”
“I am getting slow in my old age.” He patted my back reciprocally. “So if we are to give all of the machines at least twenty-four hours to retrieve our Shamshiri payload, we need to launch the antidote before ten a.m. tomorrow morning, at the latest?”
“At the latest. Plus there's a chance we'll run into some problem or other, so I'd suggest we limit our launch time to no later than eight a.m. tomorrow morning. And the same holds true if we want to send a cancellation command. In order for the cancellation to reach every machine, we also have to launch it at least twenty-four hours prior to the original payload trigger time. Otherwise, there's no guarantee all the machines will check the update server and see it.”
Amir reflected. “I hadn't considered that. It's another good point. Well, hopefully we won't have to launch this attack in the first place, let alone send out a cancellation.” He stood up, stretched, and yawned. “So now we must focus on a less destructive solution. There must be something we're missing, some clever fix.”
“Occam's razor,” I suggested.
“Yes, exactly, an Occam's razor solution but without the sharp edge.” Amir put his hand over his pocket. “Hold on a second.” He pulled out a cell phone. “Hello?” … “What? Nelson's hurt?” … “Oh God. Is he okay? Did you call an ambulance?” … “Good, good. I'll be right up.”
Amir clicked off his phone and took a step toward the door. “Professor Keller was found wandering aimlessly on the seventh floor with a bruise on his forehead. He must have fallen. He's been having balance problems. Can you manage for fifteen or twenty minutes without me?”
“Go,” I said. “I'll keep brainstorming.”
Amir dashed out of the room. I stood up and began pacing in thought.
After a few minutes of fruitless ruminating, I propped open the door and stepped back into the main Cellar area. Perhaps a walk between the old stacks of junk would help stimulate my creative juices.
I wandered through the mounds, stopping at an eighties-era metal desk entirely covered with thick textbooks. Crouching down on my haunches, I began dusting off their spines one at a time with my finger.
Introduction to Bioengineering, Organic Chemistry II, and A History of Life successively emerged from beneath the filth. I flipped open the top cover of Introduction to Bioengineering in search of an inscription. A label on the first page read “From the library of Irving Whitman.”
“Probably long dead,” I muttered, “otherwise maybe you'd have some ideas for me.”
I scraped the dust from my finger on the underside of the desk, then tried its drawers: all locked. A challenge. My first-year UCLA roommate had taught me how to pick simple locks with a couple of heavy-duty paperclips, so I grabbed a handful from the desk in Amir's vault and returned to test my skills.
“How is defending against Khalimmy's attack like picking a lock?” I asked myself. I'd found that out-of-the-box questions like that sometimes resulted in interesting insights. This one did not, but after a bit of fumbling in the wavering gloom of the overhead lights, the lock clicked anyway. I pulled the left drawer open and rummaged inside. The drawer held a spare pair of thick-rimmed, black plastic glasses with quarter-inch-thick bifocal lenses, a half-full bottle of Jameson whiskey, and a tumbler.