Episode One – Setting the hook

As it’s name would suggest, Episode One – Setting the hook, is the first of hopefully several short stories written about the interactions of end users, systems administrators and the cyber criminals working hard to get in between them.  The stories are a mixture of completely fictional tales, my experiences in the better part of two decades in IT (the names have been changed to protect the innocent and the guilty alike) and, in some cases, a mixture of the two. My hope is that the stories are equally entertaining both to the non-technical and technical reader alike, possibly giving each a different perspective of the other and making everyone’s job a little easier when it comes to using, managing and securing the technology that we all rely on day to day.   

“Bring me another soda” Ian yelled as Myles got up from his laptop and headed toward the kitchen. It was Wednesday morning and a lot of computers were now being patched against this latest virus, but he was still seeing the occasional new victim pop up and didn’t want to miss any excitement.  This was only his first attempt at spreading the virus via email but it had been the easiest and, by far, the most fruitful.  He had sent out four templates, one claiming to be a UPS tracking email, one claiming to be a problem with an ADP payroll deposit and one claiming to be a Facebook friend request (he did two of these, one with a male ‘requestor’ and one with a female) and the Facebook message was the clear winner so far.  Out of the over 12,000 emails he sent, he had already gotten more than 100 computers infected and more than 60 of those were from the Facebook emails.  Myles already had most of those setup with multiple backdoor accounts, covered their tracks and then got them patched up and secured so that no other bad hackers could break into them.  These now belonged to Ian and Myles.  They made a good team but Ian’s experience made him the clear alpha at this point and Myles, while tech savvy, was still very much a student when it came to making money from things like browser hijacking, clickjacking and botnets for hire.  He was a quick study though and had already learned a lot.

Clay, the new IT guy (i.e., Security Nazi), had blocked access to Facebook (and pretty much every other good site on the Internet) after the whole ‘Farmville incident’, but Nancy was still able to access her Gmail account and get some updates on real life outside the office.  She didn’t play the silly games, but did like to see what was going on in the world around her and Facebook had become her preferred window to that world.  She was cooped up in a locked room reconciling accounts, processing expense reports and cutting checks 8 hours a day and the occasional communication from the outside broke the monotony.  Access to her Gmail account meant that she had been able to accept Warren’s friend request but she wouldn’t be able to see his profile until she got home and could log into Facebook.  When she clicked the link in the email to accept Warren’s friend request, part of the Facebook page started to load (maybe that meant that Clay was slipping) but then it just crashed.  She was pretty sure that she was now friends with Warren (if not, she could just click the link again from home) but she didn’t want to tempt fate twice by also accepting the friend request that she had gotten from Camille. 

Things were finally starting to come together.  When he first arrived three months ago, Clay immediately understood why JP&S Partners needed a full time IT guy.  Half of the computers were home versions of Windows and half of the remaining were still Windows XP.  The rest were computers that had been in varying degrees of failure when he arrived and he was able to replace them with new Windows 7 Pro laptops.  There was no standard antivirus, most had trial versions that had long since expired and some of the more ‘tech savvy’ users had installed free products that had mostly been compromised or just disabled.  The server was still Windows Server 2003 and they had a Linksys router as a firewall.  He had made significant progress so far by replacing the server and firewall and installing centrally managed antivirus but there was still work to be done and he was getting a lot of pushback from management about costs.  He felt like he had most of the big battles won but the war was still on and now he had to start picking which battles were worth fighting and which ones he had to forfeit. 

“This one has a webcam and it’s running Quickbooks” Myles said, hoping that the value of the target would overshadow the fact that he had broken protocol.  Ian’s instructions had been clear (gain access, setup backdoors, cover tracks, move on to the next target) but he had finished his work on all of the zombie computers they had so far and had been dying to get more familiar with the tools they were using.  By the time that Ian got to his desk, Myles had one window open looking at Nancy’s webcam and another window looking at her screen.  She had Quickbooks and Outlook open but seemed to be spending most of her time scanning through web based email and, since Myles (and now Ian) were watching her, clicking on fake friend requests from Facebook.  Nancy’s computer seemed like as good a foothold as any to start looking around from and a good opportunity to teach Myles about recon / footprinting and ultimately pivoting further into the network.  They would be spending a lot of time with Nancy.

All of the servers were finished and Clay had spot-checked logs on several of the workstations.  He knew the remaining Windows XP workstations were a threat but had accepted that he wouldn’t be able to replace them until they died (or until a threat against them arose that would be more expensive to fix than to avoid, assuming the threat was identified in time).  He had segmented them away from the rest of the network as much as possible and was monitoring them but that would have to do for now.  The coast seemed clear.  Updates had been applied, virus logs looked clear (aside from the occasional coupon printer, oddball search engine / browser hijack, etc.)  and no one was screaming of smoke and / or fire coming from the server room.  Now would be a good time to dig into the firewall logs and flush out any remaining bugs.

“Right now, we have control of a single computer, Nancy’s, and we don’t appear to have tripped any alarms on our way in.  This is where the rookies get busted and the elite get paid.  We’re going to setup some passive scanning on Nancy’s computer to get a better lay of the land.  We’ll check back in a week or so to make sure that our virus is still there and, if it is, what it has for us.  Just in case it’s a trap, we’ll check back in from one of the other zombie computers that we can burn if we get caught.  Best case, we own the entire network.  Worst case, someone spots us and we trash Nancy’s computer and whatever other zombie computer we decide to use to check in from and move on”.  Ian could tell Myles wasn’t sure what to be more excited about at this point.  Breaching an entire network completely undetected or having another entire network of computers working away for them surreptitiously “clicking” on ads all over the Internet.  It was less than a penny per click, but with thousands of computers constantly “clicking”, it was a decent living.  They set Nancy’s computer about it’s task of spying on the remainder of the network and started looking at the rest of the computers they had gained access to that day, suspecting that they would be spending more time with Nancy very soon.

Almost 5:00pm.  A successful update cycle in the can and the rest of the week should be a downhill slide toward the weekend.  It had been a long three months but it was starting to pay off.  There were a few interesting entries in the firewall logs (it seems that some people were still testing the content filtering by trying to get to social media sites) but they were few and far between at this point.  One other interesting thing was that one of the workstations that he spot-checked had a lot of garbage in the log file.  It was Nancy in Accounts Payable and she had been one of the most vocal against the content filtering, which wasn’t a surprise.

At this point, we know our players and we know a little about the game.  Will Ian and Myles be able to recon the remainder of JP&S Partner’s network undetected?  If Clay does catch them, will it be too late?  What about all of the other computers infected today?  How may did Ian and Myles have already?