Tam Henderson was a Christian missionary with roots in Minnesota, but deeper roots in a war ravaged Vietnamese orphanage. Eternally grateful to the American parents who adopted and raised him and taught him to love Jesus, he dedicated his adult life to sharing the Gospel with Vietnamese children and their parents.
And that was why he found himself sweating on this spring day in the jungle heat of a village near Cam Ranh Bay, Vietnam. It had been a long and fruitful day, filled with happy kids and preaching and singing, and he was eager to share pictures and video with his own aging parents back in Minnesota. He would upload these later. But right now, it was time to wind down and enjoy a late evening snack. If only he could find some ice. Tam chuckled to himself – at least I’m not knee deep in snow anymore!
Tam did not leave behind all his Minnesota roots. He loved baseball and his Minnesota Twins and tried to catch an occasional game whenever he had some time and could connect to an Internet streaming service. It was spring training, the eternal season of hope for all major league baseball teams, and Tam was curious about the new, young starting pitchers the Twins had acquired in the off season. After an embarrassing season last year and the ribbing he endured from colleagues and friends stateside, anything would be an improvement.
He opened his laptop and connected to a satellite Internet service and visited www.espn .com to catch the latest updates and spring training scores. News about his beloved Minnesota Twins was sparse that day, but an ad on the website caught his eye. An online Internet company was offering a spring training special for softballs, bats, and gloves.
“How do these guys know I like baseball?” he thought. “And why are they tempting me with ads for softball equipment in Vietnam? “
What Tam – and most people – did not know is, the ESPN website did not send the ad to Tam’s laptop. ESPN sold space on the screen displaying its website to another company, which delivered the ad to Tam’s screen based on a carefully crafted profile of all the websites Tam visited over the past several months, stored in a directory deep in Tam’s laptop. Similar to traditional television, but more sophisticated, this is how ESPN and other websites are able to offer web content for free to viewers – by also delivering ads from other websites, and the companies hosting those websites pay for screen exposure. Anyone visiting the espn.com website, or any number of other advertising supported websites, also visits several other unnamed advertiser websites.
“This could be interesting”, Tam thought, as ideas started to form. He had a few hundred dollars available. What if he could equip, say, 20 kids with softball equipment and teach them the game? These kids could teach other kids and softball could become a Christian outreach. Baseball as a sport was becoming popular in Vietnam, why not bring a version of it right here, to this mission? Who knows – if it takes off, maybe this could be a legacy. He chuckled again at the thought – “ Pastor Tam Henderson, who tried to teach the Gospel, but left softball instead.“
But God is in control and maybe that’s why the ad appeared and caught his eye. Nothing to lose by checking it out. He hovered his computer mouse cursor over the ad and noticed the URL string at the bottom of his web browser window. “How do those programmers understand all those symbols? I think they put all that in just to confuse us mere mortals.”
He clicked on the ad and waited for the details to come up. After about 30 seconds, but what seemed like several minutes, he started to grow impatient. Give it a little bit longer. Maybe the clouds are interfering with the satellite feed. Finally, after what seemed like an intolerably long wait, the details behind the equipment ad came up. “Lord, please forgive my impatience. I know you’re in control of everything. If it’s Your will, I would like to order this equipment and find a way to ship it here, to Vietnam. Please give me the means to do so and kids willing to learn the game of softball and have fun. Amen“
A few thousand miles west, in a basement in Tehran, Iran, a shady botnet master named Bahir Mustafa knew exactly what all those symbols at the bottom of Tam’s web browser window meant, because he wrote the scripts containing them. And Tam Henderson, from a jungle in Vietnam, tenuously connected to the Internet via an unreliable satellite link, was about to execute them. The programmers who developed the website for the sporting goods company that contracted with ESPN to display the ad on Tam’s workstation worked for a temporary staffing firm in the Philippine Islands. With tight timetables and little money, they managed to produce a usable website barely in time for sales on spring sports.
But they took some development shortcuts. One shortcut was leaving the site open to a cross site scripting (XSS) attack. XSS attacks can be complex, but the idea is, when Pastor Tam clicks on a link from one website, that website returns an invisible script instructing the browser on Pastor Tam’s workstation to run a script on another, unrelated website. Bahir Mustafa managed to create an account for himself on the sporting goods website. He used his credentials to insert code in the appropriate “click here” field to first run a script on Mustafa’s website, before visiting the sporting goods website.
Tam noticed the script took an unusually long time to run. He attributed the problem to his lack of patience or maybe satellite issues. But the satellite signal was perfect on this day. Otherwise, Mustafa’s malicious download may not have run to completion on Tam’s laptop. When the download finally finished, another dot lit up in Bahir Mustafa’s global heat map of compromised computers as Tam Henderson’s laptop, from a jungle village in Vietnam, became a drone soldier in a hidden war controlled by a shadowy botnet master in Iran, all because of a careless programming mistake from a programming team in the Philippines, contracted by a US sporting goods manufacturer.
Tam eventually ordered the softball equipment and had a great time teaching the basics of the game to his kids in Vietnam. He collected hundreds of pictures and videos and put it all together for a Christmas presentation to his home church later that year. But every time he connected his laptop to the Internet, he noticed a significant slowdown.
Jerry Barkley was a church member at Tam’s home church and filled a role as the unofficial IT support staff. Church employees thought Jerry was slightly eccentric, but he was friends with everyone and they all used his expertise to tune up or fix their computers. When Tam connected his laptop to the church network, Jerry noticed an immediate slowdown in Internet access for everyone else at the church. Curious, Jerry used a variety of tools on the open source firewall system he built for the church and traced the problem to Tam’s laptop. He found Tam’s laptop saturated the Internet connection with a brute force password attack against a large bank website, with occasional packets to a website somewhere in Iran.
With one week remaining before Tam had to return to Vietnam, Tam put his laptop in Jerry’s hands and Jerry found and removed a mysterious piece of malware. It was not easy to find and it took several days and late nights to locate and remove it. But with one day left before Tam had to return to Vietnam, Jerry returned Tam’s laptop, now free from malicious software, with some advice on how to keep it that way.
“Tam, this was a nasty one and it wasn’t easy to find. The next one might even be tougher to get rid of.”
“How did it get there?”
“Nobody knows – it could have come from anywhere. Do you go out on the Internet a lot?”
“No, not really. Sometimes I look up sports scores, stuff like that. I don’t have a lot of time to spend on the Internet.”
“Well, sometimes those websites can get compromised. Listen, get a credible antivirus program. Not the chintzy consumer stuff, but some real antivirus software and put it on this laptop. Keep the signatures up to date.”
“Yes. All the antivirus programs work by keeping signatures of known viruses. The bad guys cook one up, the good guys find out, they issue an update. It’s an arms race. So make sure you have up to date signatures. Sometimes they update hourly.”
“Yup, wow is right. Antivirus software is not perfect. It can only find malware it knows about. I tried a few antivirus programs on your laptop and they all scanned clean. None of the automated tools I threw at it found the problem. But every time I connected it to my DMZ network, it blasted traffic to this site. That’s why it took me so long to find it. It was a needle in a haystack. It was buried with a bunch of other Kernel drivers that load at boot time. Whoever did this knew what they were doing.”
“Don’t worry about it.”
“So what do I do?”
“There is no perfect solution. But if you suspect something is wrong, let’s say it starts to run unusually slowly or it starts just generally acting badly, try a system restore.”
“What’s that? I have a ton of files I need to keep. I can’t afford to wipe it all out.”
“I know – and that’s not what a system restore does. Every time you install some new software or do an update, the system should save a copy of its old self. Not your user files and stuff like that, system state stuff. What programs are installed, what’s your computer name, how does it do networking, things like that. So one tactic is, when something goes bad, try restoring the system state to a point before the time when things went bad. All your pictures and videos and documents stay the same – it’s just the system information around all that content that goes back to its earlier state.”
“This sounds tricky.”
“It’s not bad. And you’re out there with nobody else around, so you might have to tackle it. Or call me and I’ll walk you through it if you get in trouble. And think about putting in one of my firewalls at your church over there. I have all kinds of diagnostics that can help track down this kind of stuff. That way, if you suspect something is wrong, bring it back to your Vietnam church and connect it behind your firewall and I can look at the traffic in and out.”
One dot disappeared from Bahir Mustafa’s global heat map display that day, leaving thousands more remaining. How that malicious program came to reside on Tam’s laptop remained a mystery to all Tam’s friends and colleagues.
But not to Bahir Mustafa. A Ukrainian mobster paid $10,000 to deploy his special program onto the computers in Bahir’s botnet. The program tried combinations of letters and numbers in a brute force password guessing attack against banking websites, looking for credentials for a few Hollywood celebrities. With thousands of rented drone personal computers around the world each running a portion of the attack, a few were bound to find pay dirt. Sensational headlines saturated the tabloids a few weeks later, but the headlines all missed how Bahir’s customer used his stolen $millions: to buy weapons for rebels in eastern Ukraine.
Bahir Mustafa and others like him are part of a vast underground value chain, complete with sophisticated, automated systems to constantly probe for vulnerable computers. Don’t be a victim. Don’t become an unwitting drone in somebody’s crime scheme.
If you liked this short story, you’ll love my new book, Bullseye Breach. Check it out, here.
And if you’re concerned you might have a problem with malicious software, don’t hesitate to contact us.