The exploit was crude, but effective. Molten Hail—aptly named—melted through firewalls before freezing servers. The only survivors were hardened servers specifically designed to test every byte passing through their ports. It was one of these computers that Jeremy was analyzing when Bertha walked into the lab.
“Hi, Jer. What do we have?”
“Hell if I know, Bird. This is some nasty stuff we're dealing with, here. This Rayotech IX was in the process of being hardened and didn't have all the security rings enabled. All I know is that the damned thing got past the outer firewall and mutated three times in the kernel! To keep them sorted, I've assigned the name Mikhail.A to the first known version of the worm. The other two are dot bee and dot cee.”
“Well, from what I can retrieve from the event log, the vector appears to be the NTP port. Specifically, Mikhail.A enters the host via a mode 7 packet spoofing the address of a timer server. Rayotech hadn't updated this computer's NTP config file yet, so the kernel daemon was not restricted from responding to this address as legit.”
“Spare me the techno-babble. I simply need the differentiating characteristics between the mutations, so that we can begin to roll out some kind of preventative measures.”
“Sorry, Bird. Rayotech connects with an NTP server to synchronize all their clocks. What's cool is that the 64-bit timestamps have just enough room to deliver a 32-bit instruction or data, along with a 32-bit flag that signals to Mikhail.A. Apparently, the flags are set to randomly rebuild a tiny executable service in the kernel with full permissions. I call this mutation Mikhail.B. Rayotech doesn't catch these because of the nature of timestamps – it looks like noise with no discernible pattern for signatures. It's genius!”
Bertha sighed. She was just going to have to sit through this litany. She pulled up a chair and sat across from the enthralled technician as he continued detailing the attack:
“At some point, one of the flags signals the Mikhail.B daemon to start executing. I have no idea how this happens but, the result is that this sucker starts probing the host for vulnerabilities. The log shows attempts to cause a buffer overflow in the ‘get item function'.” At this point, Jeremy pushed a copy of the log over to Bertha, showing the highlighted entry:
Bertha glanced at the sheet, nodded perfunctorily and pushed it back. “You mentioned a third mutation, Jer?”
“I'm getting to it. The trouble with this hack is that it didn't bother trying to cover its tracks. The baseline security protocol was alerted as soon as the buffer overflow failed. It sent out an alarm but, because the entire infrastructure was not in place, only minimal safeguards were activated. I think the Rayotech IX was overconfident because the overflow had failed. It had no idea that it should keep monitoring the daemon! Exactly two microseconds later, MikHail.B successfully penetrated the actual hardening software and attached the Mikhail.C code.”
Bertha sat up straighter. “Which module in the software was affected?”
“I'm not certain,” Jermey Shrugged. “This isn't some script kiddie at work. The code is polymorphic, using encrypted memory pages to hold portions of its instructions as a data-driven utility. That's what's so neat. Mikhail.A never stopping working! It rerouted its random bit stream to the compromised memory area and started building the random looking 32-byte packets there. And, get this–Mikhail.B didn't stop, either! It continued looking for vulnerabilities and replicating Mikhail.C in other places. If this computer had been on the main net, the worm would have gotten loose rather quickly. I see fifteen vulnerabilities that it exploited.”
Bertha gasped. “Fifteen!”
Jeremy nodded enthusiastically. “From the size of the Mikhail.C code at each flashpoint, I can determine the precise search order of the Mikhail.B engine. We're going to nail this sucker!”
Bertha got up and prepared to leave. “Good job, Jer. Keep me posted.”
Bertha carefully transcribed her meeting with Jeremy. She had her own names for the variants, though. She really liked the collective name given to this worm by the security community. But, what Jeremy didn't realize was that his Mikhail.A, which she called Meteor, was designed to blow up on the security radar of targeted systems. When they attempted to block Meteor and succeeded, they would either quarantine the code or decide that the threat level was too low for follow-up.
This is precisely why the NTP vector was chosen. It was impossible to assign a threat level to random noise! As she detailed Jeremy's forensic analysis, she marveled at how easy it was to inject Jacob's Ladder into the system. Jeremy had called it Mikhail.B and this was the most profound part of the worm. Sure, it had the standard polymorphic code and 256-bit encryption. But Jacob's Ladder also had a RAM-based code page that allowed for dynamic reprogramming from the continuous time synchronization stream. NTP was designed to discard packets that were obviously incorrect. However, Jacob's Ladder monitored all packets and was able to build code from those discarded bits!
Finally, Jeremy's Mikhail.C had really been code-named Ebola. This was the so-called freezing hail. It was cruder than Meteor, but, really, how elegant does one's hammer need to be?
The seedy motel room made her flesh crawl. She couldn't wait to deliver her report, collect her money and be gone. In a moment of true paranoia, she told her controller that she was registered in room 202. In fact she was across the courtyard in 217. Now, sitting in the dark, she peered out of the filthy window every 30 seconds, looking for the pizza delivery car that would signal the arrival of her controller.
She need not have bothered. When the car arrived, with a Domino's magnetic sign haphazardly sitting atop its roof, the driver merely honked and flashed its lights at room 202. Slipping out of 217, she ran in a crouch toward the driver's side and tapped the window. Startled, the driver whipped his head around and relaxed when he saw her gaunt face.
“Ivanka! You shouldn't sneak up on people. Why the cloak and dagger, eh? Get in.”
“No, Pieter. I'm handing you a transcript. Where's my money?” She held out an envelope, which he snatched and threw on the passenger seat.
“My, my. No sense of decorum. Here, then. Fifteen hundred with a four hundred daily limit.” He handed her a plastic card with a magnetic strip on the back. “Can you at least give me the highlights?”
“It works. You won't need to bother infiltrating Schriever Air Force Base. The timestamps are undetectable, so manipulating the source would be a waste of time. However, once all systems learn to restrict spoofing, Molten Hail will need to find another way to assemble Jacob's Ladder. Also, it's not a good idea to keep that redundancy code active. They are able to determine the order of failed attempts and will probably be able to reverse-engineer Jacob's Ladder if you give them too many chances. That is unlikely, since it uses the Blowfish encryption scheme, but why give them any ammunition? If you must be redundant, you should at least randomize the attack probes.”
Pieter raised his hands in mock surrender. Laughing softly, he said, “Okay, okay. All that's above my pay grade. I just need to know if Operation Ancient Sunday is a ‘go'.”
“It's a go.”
On November 11th, 2011 at 11:11:11, a stream of pulses from time synchronization servers around the world began sending erroneous timestamp packets that were picked up by many computers polling port 123. A large number of these computers were running UNIX systems with unpatched configuration files. In a matter of minutes, these vulnerable computers had a new program running in their kernels. All it did was change the system date to
7F FF FF FF.
In the next instant, those computers reset to December 13, 1901.
Ancient Sunday destroyed almost every network on the planet.
Copyright © 2016 by Mitchell Allen
Originally appeared 3/31/2011 (April Fool's!) on CreativeCopyChallenge #131.