Authors: Mark Russinovich
Trojan Horse (7 page)
He now scanned the registry settings. Most often, malware created new entries there. This told the operating system to activate the virus whenever the computer was turned on, or when the user logged in. He spent some time checking every suspicious program reference or bit of code he didn’t recognize. Then he’d locate the code’s file and confirm it originated with a company. Malware rarely had such information. In some cases he conducted an Internet search to locate information about the file. Sometimes the suspect file had already been flagged as malware. It was tedious but had to be done.
Jeff was pleased with the level of security he found on the system, though he’d expected nothing less from such a high-priority office. Still, he knew from experience that agencies and businesses that should know better often had appalling computer security. He routinely found antivirus programs that were no longer current. Most of the malware he located had slipped in because someone had left the door open.
The scope of the harm viruses caused was enormous and not generally appreciated by the public. What they saw in their personal lives wasn’t the tip of the iceberg, not even the tip of the tip of the iceberg. Compromised government agencies didn’t want to reveal the extent of the damage for obvious reasons. It was no different with businesses. Personal and financial data was routinely stolen. Internet crime netted well over $100 billion annually and there was no end in sight. Organized cybercrime operations in Eastern Europe were becoming more sophisticated every month.
The worst part, from Jeff’s perspective, was that most individuals and companies had no idea they’d been hacked. Malware was so common he found at least some of it in nearly every computer network he examined. The only good news was that most did not do any great harm. It was obsolete or improperly designed, or cut off from its “bot herder” and left dormant.
Malware found its way into computers through two routes. The recipient inadvertently admitted the virus by opening an attachment or Web link, usually believing it was something it was not. Or the virus prowled the Internet, knocking on the doors of every connected computer, searching for vulnerability in an application or even within the operating system itself. Computers were so complicated any number of such vulnerabilities existed when software was released, whether new or an updated version. As they were discovered, usually because they’d allowed malware in, they were patched and closed. The problem with this approach was that there was always a period between infection and patching when bad things could happen.
Sometime later, Jeff said, “Okay, Elliot, I see nothing known so we can rule out the easiest solution. Whatever you’ve got is brand-new. Now let’s see if we can get the thing to execute.”
“You
want
it to work?” Blake said, sounding shocked.
“That way we can examine it for clues as to its origin and purpose,” Jeff said. “I’d have a seat; this will take a while.”
Once he’d started the process Jeff said, “Okay, it’s almost certainly using a zero day vulnerability.” Zero day was the term used to identify software bugs for which no fix existed because it had not as yet been discovered. Since a zero day vulnerability wasn’t yet known it was the most effective device for spreading malware as any computer with the vulnerability was wide open to cyber-attack.
OfficeWorks had improved its security enormously in recent years and was perhaps the most vetted word-processing program in existence. It was coded and built with the latest defense-in-depth antimalware technologies and only a handful of exploitable vulnerabilities had been discovered in it since the release of the newest versions. It was also designed to isolate any malware into a digital sealed room to prevent contamination elsewhere. But for all its design sophistication and vetting Jeff was not surprised that a zero day vulnerability existed in its latest manifestation. Such programs were so complex with so many authors they were never entirely secure.
Zero day vulnerabilities were a worst-case scenario for those involved in cyber-security. It had been just such vulnerabilities that had made the massive Al Qaeda attack two years before so devastating, even though the efforts of Jeff and Daryl had significantly blunted its intent. Without them the damage, and loss of life, would have been much, much worse.
Jeff rose and poured a large cup of black coffee. He drank half, then placed it down. He set his wristwatch to a two-hour timer. He’d learned the hard way that at least once every two hours he had to stretch and walk about a bit if he was to keep at this. Most problems he solved demanded a single extended engagement typically lasting eighteen hours. At that point his mental acuity declined significantly. He suspected that wasn’t going to work in this case, especially as he was already exhausted.
He sat down, took another pull of the black coffee, then loaded OfficeWorks into a debugger tool. A debugger is a program that enables a developer or, in this case, a security researcher, to control the execution of another program. It could be paused, which made it possible to step through individual CPU processor instructions, and it could be configured to pause when a specific instruction or set of conditions was satisfied. When the program was paused, the debugger enabled Jeff to view its state, including the value of all its variables. In many ways, it was like a dissection kit, letting him peer beneath the surface of the program, both observing and controlling its operation to unearth how it worked. He knew that all sophisticated malware had “anti-debugging” mechanisms, but he also knew how to defeat the most common techniques, including those that tried to prevent debugging in a virtual machine.
Once the debugger was running Jeff opened the suspect document. The debugger reported at once that OfficeWorks would not open; in so doing it accessed an invalid memory address, causing OfficeWorks to crash. So that he could more easily map the execution of the program to that point, he decided to run OfficeWorks under a special version of the debugger obtained from friends at Microsoft. It enabled him to “rewind” the program to earlier points. With this he began to step backward in the program to determine what OfficeWorks flaw the malware intended to exploit. It was as if the virus had been running an obstacle course, surmounting each barrier with ease until it came to the one it could not cross. Jeff’s job now was to find that point.
This was one of the more painstaking phases of the overall process, requiring Jeff to type notes recording all the branches the OfficeWorks program followed and the values of the data it passed. He was searching for a spot where, if something was different in one of the values, OfficeWorks would follow a path resulting in a buffer overflow, a condition in which a bug wrote data beyond the region allocated for it. Most malware infections started with just such a buffer overflow, which would cause the program to inadvertently execute code it wasn’t programmed for, code controlled by the malware’s author.
Always daunting, this time the process was especially difficult and Jeff found himself slowly overwhelmed as the day dragged on. At one point Blake had a light meal brought in, at another he suggested Jeff join him for tea. All very English, Jeff thought, munching on one of the butter cookies they called biscuits.
Throughout the afternoon and into the evening the permutations exploded and the complexity of the paths was nearly more than Jeff could grasp. But at last he located an OfficeWorks execution that accessed data in the suspect document ultimately triggering the invalid access. This, he knew, was the malware’s entry point, but there had been something about Walthrop’s environment that foiled it. If things had been as the author wanted this would have executed the OW document.
He’d suggested to Daryl at one point that afternoon that he might need her help and she’d assured him that she’d have the time. Despite her evident distraction during their brief conversation she said she was down to the final stages with her project and would be leaving shortly. Hoping she was free and home by now he sent her a message on mIRC, an encrypted chatting program used when they worked together remotely. He briefly summarized the issue and informed her that he’d found the entry point.
“Here’s the malicious data sequence,” he finished. “See what you can come up with.” The code within a virus often contained hints as to its origin, sometimes even about its author. Carelessness and vanity were two of their most powerful assets with any new virus.
A few minutes later her reply arrived. “Back home. Will see what I can do. Luv u.”
Now Jeff used the debugger to change the value at the point where OfficeWorks referenced it to the value that would allow OfficeWorks to execute the buffer overflow as the virus was intended to do.
It worked.
He watched the malware expand and decrypt itself into the memory of OfficeWorks and then activate. This part of his job was typically satisfying since it usually meant the beginning of the end, the time when he’d find a solution.
But there was more to it than that. There was something fascinatingly malevolent about a virus as it revealed itself, like a cancer spread through an otherwise healthy system. It modified everything it wanted to control, even bits of code for which it had no use. It was arrogant and self-possessing. It was, Jeff often thought, almost alive.
This was where he’d see the anti-debugging techniques. If one was in play in the execution of a CPU instruction it would behave differently than usual. Another common tell was the execution of a long string of useless instructions, one that it would take days to step through the sequence. Such a sequence was integral to the malware’s correct operation. Jeff had so much experience he knew how to spot these sequences and set “conditional breakpoints” that halted execution at key points, including one close to where the sequence was set to finish.
This virus installed itself in the memory of the OfficeWorks process, then reached out and inserted itself into a critical system process, one that kept Windows alive, performing background operations on behalf of the operating system and other processes. If things had been as the author wanted, the virus would now be in position to execute within OfficeWorks. He watched as it set a timer. That done, it quietly went to sleep.
“It’s got a timer,” he said to Blake with a smile.
“A timer?” he repeated.
“It set an alarm clock, a timer to activate randomly every twelve to twenty-four hours.”
“Why would it do that?”
“Because it’s harder to spot when it’s asleep. But we’re not waiting for it.” Jeff overrode the timer and told the virus to wake up now. This allowed him to see what it did.
It was well into the night by now. The corridor outside had been silent for some time. Blake had glanced at his wristwatch repeatedly, finally commenting that the American sure seemed to work long hours. Jeff was exhausted but his breakthrough compelled him to press on. Over the next three hours he monitored the malware’s execution using both the debugger and another tool that recorded every change the virus made.
With his monitoring tools Jeff searched for the saved or modified files it created. Seeing none he searched for an update to the registry configuration database, typical alterations done by all malware he’d looked at before. What he found was . . . nothing.
The virus left no tracks.
This came as a great surprise. Though this virus had been cleaner than most he encountered, until this moment he’d had no great respect for the author. The techniques he’d observed had been pioneered by others. But this was impressive. It was as if the malware had walked across virgin snow without leaving a print.
He had known this technique was coming and dreaded the day. Authors of malware knew that rootkit scans were becoming increasingly common and rootkits could no longer be relied on to conceal a virus. With this new technique the author was adopting a fresh, and very effective, method in the never ending race for digital stealth. As it spread, and it surely would, viruses would become increasingly difficult to locate.
This was the first time Jeff had seen it employed. If someone were to analyze the system at the point they’d see no sign of the infection. They’d have to know precisely where in the system process to look for the copy of the malware loaded into memory. That would be like trying to find a book in a major library without the Dewey decimal system.
He told Blake what he’d just discovered.
“You mean it makes no modifications to the system, so it can’t be discovered?” Blake said. “I’ve never heard of such a thing. I didn’t even know it was possible. How does it survive a system reboot?”
“This is a form of malware that leaves absolutely no detectable trace of itself when loaded, but for it to maintain its foothold through a shutdown it would have to download itself to a file and register the file to execute at the next reboot. After activating, it would delete the file from disk. That way, it is effectively invisible without resorting to rootkit techniques. Of course, if the system powers off without executing a shutdown, the virus won’t survive, but that’s a very small risk that the author was apparently willing to take. At least that’s what it looks like to me. I’m going to reboot now and see if it actually happens.”
Jeff left the monitoring tool running during the shutdown and subsequent reboot. He carefully examined the resulting activity log of the transition until after midnight. It was then he finally found evidence confirming his theory. That was what the virus did. Nasty. He stopped to mull the possibilities.
“Mr. Aiken,” Blake said. “You fell asleep.”