By: Gary Palmer
Zev, Kilo and Bril walked away in a tight group from the camera interview they had just finished. They looked amused and playful, shooting smirk-filled glances and flashing teeth at each other, but walking in silence. Being able to keep a straight face as they answered all the questions one by one was a pretty good feat. As they turned the corner onto
“How wicked lame,” said Bril, jumping out in front of his crew.
“Yeah, I mean I don’t mind helpin’ out fellow students, but man, those questions. I mean, any idiot should know that crap,” replied Zev as he lit up a smoke and took a deep drag.
Kilo added, “Freakin’ A. ‘Are crackers heroes or villains?’ They wouldn’t even ask that question if they knew what we know. Maybe they’ll understand when we’re done.” Then he shook his head and looked over his shoulder just in case.
After walking a few more blocks they climbed the concrete stairs leading to the lobby of a five-story building, went in, and walked up the two flights of stairs to their apartment. It was a typical college student disaster area, but to them it was command central. Bril took off the heavy backpack and dropped it on the coffee table as he headed to the refrigerator for a cold brew.
“Open one for me,” yelled Kilo as he unzipped his pants in the bathroom.
Zev was already sitting at the computer beginning to read the reports coming in from the unsuspecting “zombie machines” they had been recruiting since their new friend convinced them to help in his cause. His crew now gathered around the screen with him.
“I see the bot is working well. Muuuuahhhhhh, slave to my programming skill, stealthy, undetectable, a masterpiece, if I do say so myself. I truly am 133T!” whispered Zev.
“Do you worry about your privacy on the Internet?” said Bril, mimicking the college interviewer.
“Why, should I?” answered Kilo in his best Southern belle accent.
“Yeah, it’s amazing how many people just plug their computer into their cable modem without a care,” said Zev, and added, “Planting root kits couldn’t be any easier, especially with the vulnerability info
“Well, I think we have a list of targets that should make him very happy.”
“Do you think anyone is onto us?” said Bril. “I mean, this seems too easy.”
“Yeah. What’s digital forensics? The act of taking so much time to find me that I can get away without even trying,” snickered Kilo.
“Ok, enough screwin’ around. Get the payload ready to send to the zombies. This has to go off without a hitch or we miss the window. We can’t let that happen,” said Zev as he took a swig of beer and focused all his attention on the computer screen in front of him.
Marty and Dan walked back to their cubicles from the coffee machine. They had both started this new job at NORTHCOM’s AAC3 (Anticipatory Adversarial Conflict and
As they sat down Dan said, “Hey, did you finish integrating the Kulesh-Daniels network monitoring code yet?”
Marty replied, “Well, yes and no. The tokens are being distributed now, but only in certain domains; getting the coverage we need is going to take a lot of time, and some providers aren’t playing yet. I did add the Mukkamala tracking logic and trend analysis modules to the intrusion detection system, and that may be working right now, although the most accurate sampling is days away, maybe weeks.”
“All we can hope for is some useful coverage. The dart has to hit the board every once in a while. Hey, wasn’t CIP/Intel supposed to get back to us with applied threat prognosis by now?” Dan chimed in.
“Hey loser! Read your friggin’ email on occasion, they did. Their latest report came in 1300 Zulu on Monday. It was used to help prioritize the token distribution as well as placement for new Honeynet installs,” said Marty.
Dan looked over at his friend with a made-up frowning snarl. “Hey man, don’t even talk to me about emails. Not enough hours in a day. Honeynets, now that has promise! I just hope CIP/Intel is on target. Those are scarce resources we are committing.” He winked and added with a half smile, “Well, I guess I can still flip this dime if that doesn’t work. You want heads or tails?”
They both chuckled, but only half-heartedly.
At that moment Pete, the summer intern, ran past the door and, seeing them there, stopped abruptly and stepped into the room. “Guys, they need you in ops right away! We’re receiving indicators we’ve never seen before; they need your take.”
“Probably too many ICMP echo requests,” said Marty.
“I’ll put money on Change Control running ISS scans again,” smirked Dan as they walked out of the room toward AAC3 Ops.
The crew was waiting. They had sent the post about 3 minutes ago using the agreed-on method, so they knew an answer would be on its way.
“Final countdown…” said Kilo. “By this time tomorrow night this will be a done deal. Data collected and delivered without a trace.”
“Yeah, sweet,” replied Bril with a laugh. “My father would be so proud.”
Zev continued to stare at the screen and said, “Crap, my father is still trying to figure out how to stop the VCR from blinking. I could try to explain to him what I was doing, but he would just tell me how clueless he was and let me go to my room, close the door and conquer the internet, and he wouldn’t even look away from ESPN or the Speed Channel. Yeah, he…”
Just then the screen beeped and all eyes shifted their focus. Zev was there ready at the keyboard for the exchange to follow.
ZEV> Voodoo Priest….syn
ZEV> Eyes wide open and focused on the clock
ZEV> True that…voodoo dust ready… waking at 2200Z
ZEV> True that…
IRC Session Terminated
“Bond, James Bond,” cracked Kilo.
“More like Robin Hood meets the Neuromancer, wouldn’t you say?” answered Zev. “The government can’t be allowed to control the knowledge flow that influences technology and our world. It’s like he said, equilibrium and balance have to be restored. If they won’t share, we’ll fix it so it doesn’t even matter.”
Marty pushed open the double door to ops with Dan and Pete following him through. A small crowd was gathered around a table in the center of the room.
A figure looked up from the group and waved them over with a hurry up motion.
“You guys should see this!” exclaimed Cody as he quickly refocused on the two monitors in front of him.
Marty and Dan nudged their way closer to the table and joined the squinting group, taking in as much data as possible, looking from display to display over a series of raised eyebrows and a few chin scratches.
“Interesting, but hardly proof of anything significant,” said Dan. “I see that four of the nine new Honeynet installs have started reporting some suspicious IP session activity, but really they haven’t even finished normalizing their activity profiles. You have to expect this kind of noise. It’s a bit early to start worrying, don’t you think?”
There was a short silence as most of the crowd started to relax and straighten up. However, Marty was inching his face closer to the Honeynet detail being displayed.
“I don’t know, Dan. Normally I would agree, but look at the related domains here. All .edu and all west coast and
“Cody, call CIP/Intel and get a reading on the threat index for the destination hosts that seem to be targeted here.”
“Dan, take a look and see if Kulesh-Daniels can plot the track for any of the inbound sessions. Maybe we’ll get lucky. I’m gonna look a little closer at this data.”
Cody hung up the phone while looking at the computer screen in front of him. He turned in his chair toward the group and said, “CIP/Intel says they are all universities…”
“Wow, .edu equals university… who would have thought?” interrupted Marty.
“You didn’t let me finish,” said Cody. “All universities… and all doing SBU research in alternative fuels for the DOE.”
Pete asked “SBU?”
Marty answered “Sensitive But Unclassified. Kind of like proprietary. Protected but not like the really classified stuff.”
Dan spoke up. “K-D is sketchy, but I am getting some loci, medium confidence, but it’s something to start with. I ran whois and then queried the ISP drilldown server for particulars. 82 of the 325 sessions reported by the Honeynets originated from 3 hosts subscribing to one ISP. The other K-D tracks seem to be stopped due to incomplete token distribution.”
“All right,” said Marty, scratching his head. “See what detail you can get on the 3 hosts from our provider liaison in that region and then call Adversarial Reachback (AR). Give them a heads up in case we get the go-ahead to probe and data mine. Get CIP/Intel to call the research POCs at the .edu targets and let them know what we have been seeing. I’m going to take a closer look at these port scans.”
The data he expected to get would fetch a very nice price. He already had several interested parties lined up. It would also make him more underworld friends who were itching to make their asymmetric conflict with “The West” a bit more, shall we say, even-handed.
“2200 Zulu,” he whispered, “the witching hour.” A thin smile was etched on his face.
“The port scans are a bit strange,” Marty said out loud. “They cover standard ports, but then they scan specifically for a reply on port 25732. The latest IETF services RFC lists that as supporting protocols for something called ‘V-trans’. It’s a voice commanded configuration management system. I sent an email to the IETF technical POC listed here for that service and guess what? They’re just getting ready to announce a significant buffer overflow vulnerability in their product. That’s not all; he confirmed that if exploited, root or admin access is possible. They plan on distributing a patch in two days. They asked that we keep this hush-hush. They haven’t reported it to NIAC, USCERT or FIRST yet. The four target universities have been receiving free releases during the beta test period. This is looking more and more like a phishing expedition with one or more savvy anglers.”
Dan walked back in from his visit to AR.
“ISP liaison got subscriber info on 2 of the 3 hosts the scans originated from. AR agreed with our assessment and authorized level 1 non-destructive data acquisition. They ran netcat, Fport and Nessus on the box remotely and then authorized a Sleuthkit / Autopsy run by regional field reps. While I was there an in-time focused ident and recovery of comm traffic channels was launched. Guess what they found?”
“Now’s not the time for drama, Dan. Just spit it out.” Marty was only a little aggravated.
“Touchy, aren’t we?” Dan continued.
“Ok, both machines are owned by elderly couples. AR contacted them to ask a few questions and found that both bought their machines on QVC so they could stay in touch with their grandkids. They gave us permission for remote and on-site analysis of their machines, which was nice, since they didn’t have to. Sure beats having to invoke the Patriot Act. AR found the same root kit installed on both. Also found session logs communicating with the kit with, get this, hard coded IP information. They did a little deeper analysis and ran DeVel socio-demographics against some of the strings pulled from the root kit binaries. It looks like 2 or 3 separate styles. It showed a 75% probability that the authors were white males between 17 and 25 raised in the northeast.”
“De Vel Stylistics computed a 65% match to a Gregory Morton, aka ZEV, who was convicted 3 years ago and spent 18 days in juvie for spyware that modified winlogon.exe. He got a fine and community service to boot. An example of his compiled code in C++ from the Digital Offenders Archive (DOA) was used to match part of the new rootkit module. The IP resolved to a cable modem customer in
“Good work, all!” Marty said as he turned back to the screen quickly and whispered to himself, “Gotcha!” “Maybe we got lucky this time. Dan, get all this data compiled and time tagged into evidence with timelines, event reconstruction and integrity checks and send it over to Criminal Assessment, ASAP. They may want to move on this soon. I want everybody’s work notes and Internet link histories catalogued and included too. Also have AR put a monitoring and containment droid on that cable modem subscriber in case they try anything. I hope we acted in time.”
It was, and the crew was watching SpongeBob on Nickelodeon.
“All over but the waiting,” said Zev, feeling pretty good about himself. “Just an hour and a half and we launch.”
“Great, then I can get back to doin’ that Ethics and Technology paper I have due next Monday,” responded Bril. “I hate that freakin’ class, but it’s part of my core stuff. Maybe I’ll find someone selling an old A.” He laughed and put his feet up on the dirty coffee table and took a sip of his beer.
The doorbell rang and Bril jumped up. “Finally, it’s about damn time.”
Looking through the peephole he saw “Papa Pete’s” in bright red on the pizza guy’s hat and a Jimmy Durante looking nose pressed close to the door. He opened the door. As he focused on the scene before him, the beer he was holding slipped through his fingers and fell away. He zeroed in on the golden reflection from two shiny NYPD badges held up about chest high and halfway to his face, one over each shoulder, as the Papa Pete delivery guy just shrugged and asked if he could go.
One officer said, “Good afternoon, didn’t mean to startle you. I’m Detective Kratos and this is Sergeant Forte from the Cybercrime Prevention Division. We’re lookin’ for a Cozmo Kramer, aka Kilo. We would like to ask him some questions if you don’t mind. Hey, you wouldn’t happen to have a computer in there that we can take a look at?” The Cybercops stepped into the room after Bril and saw the rest of the crew nervously fidgeting on the sofa.
“Well, looks like the gang’s all here. Good, that makes this a bit easier. You know what this is?” Sergeant Forte held up a folded paper. “It’s a search warrant. Hey, did you guys ever see Minority Report? You should, it’ll make you think. Don’t worry, we didn’t bring any Halos. We do have a few little toys we want to show you, though.”
“Well, better luck next time, I always say. What’s life without a few small setbacks?”
He stared intently at his IRC session cursor blinking at the prescribed rate.
“Some things never change,” he murmured as he began to type slowly and with purpose…
CODEPRO> Voodoo Priest….syn