A viral encounter

Having put up “Over the edge #5”, we’ll just follow, in normal backwards fashion, with #4. Then we’ll go back to boring old extremism history and be back later with #6, “A whiff of Summer”.

The points to be made from this little piece is of course that technology sometimes makes surprising inroads for bad people, and that our AV-industry cannot be trusted any farther than you can throw the fattest of the members. That makes the concept a no-go for everyone except Scottish telephone-pole throwers and WSM-contenders.

Network-centric terror:

the next wave – 4

 

A Viral Encounter

 

1st

It starts on a normal morning in a largish city on the East Coast, in the most popular park.  A little girl spots something shiny and yellow in the bushes by the trail.  Happily, she reaches in, retrieves it and brings it to her mother.

It looks like a small flying saucer made of plastic.  The mother turns the thing around, examining it.  Looking close, she can see that it was made from two halves that look like they’ve been glued together.  It feels heavy.

Mom is having a bad feeling about this plastic object.  There’s a policeman standing just a few yards away, and she calls him over.  He takes one look, tells the woman to put the thing down on the bench and move away, and calls the bomb squad.

The bomb squad arrives, bringing with it a small robot on threads.  Everyone moves well away from the bench with the yellow object, an officer readies the robot controller, and then moves the robot close to the bench.  He uses the robot pincers to pick the thing up.  It turns out to be quite flimsy, breaking apart easily under pressure.

The innards are indeed a bomb.  Just a small cell phone in the middle, plastic explosive in a layer around, and then a layer of shrapnel – small nuts and bolts, a few marbles, BBs. A closer examination reveals no fingerprints (which suggests some extraordinary care on the part of the builder), and the phone’s number.  There’s nothing in the phone memory.  It is linked to a small detonator in the familiar manner instructed all over the net.  The phone is set aside to await any calls that might come to it.  Time passes.  Nothing happens.  Someone gets an appropriate loader to keep the battery topped up, and the phone seller is found.  This particular phone was sold three weeks ago, locally, and there’s no way to find the buyer.  Just an everyday prepaid phone with no identity and costing a few dollars. 

 

2nd

 

The train station is packed with people, and most of them seem to be in a hurry.  Along one of the escalators there’s a row of high windows with low ledges.  Someone has left their bucket on the first ledge, a small plastic bucket of the kind you buy assorted candies in.  The lid is on.  The bucket has been sitting there for two days, the cleaners just cleaning around and on one occasion lifting it and cleaning under it, assuming it belongs to some kid who will be right along to pick it up.  It was, in fact, placed there by a child.

The escalator is full to capacity, as always at rush time.  The bucket explodes.  Fallen people, screams, instant pandemonium. Someone has the presence of mind to call 911.

Nothing much is left of the bucket.  Some shrapnel is left to be picked up (and taken out of bodies; 3 dead and 14 wounded) or picked out of the walls.  The shrapnel consists of ball bearings, marbles and nails.  But one of the dead turns out to have been killed by a flying cell phone battery through the head (half the battery to be exact).  So at least one of the components of the device is clear, later chemical analysis of the residue where the bucket was sitting will reveal more.

Still, the police have made no connection to the device found in the park.  That was in another precinct entirely, and nothing happened.  Investigators are still unsure if this was the work of some explosive lunatic and are reflexively adopting the “no connection with terrorism” stance.  The investigation drags on for a while, the explosive that was used is identified from residue and so is the cell phone type (a few fragments were left – buttons, a tiny part of the casing).  Eventually, nothing new is found.

 

3rd

 

The boy is trawling the toy store with some enthusiasm.  He’s there with his father to help pick out a birthday present for his little sister, and he is – with some justification – hoping for a side goodie for himself.  Suddenly, he knows exactly what to get.  He’s got a sign.

He fetches his dad and tells him they must get this teddy bear (Winnie the Pooh, $22).  It has sound.  His father asks him, “what kind of sound, Son”?  The boy tells him, “It played music”.  The father picks up the bear, turns it around in his hands.  It feels heavy and bumpy.  He picks up the bear next to it; it is much lighter and just feels fluffy, not like it has all kinds of hard internal lumps.  He calls the clerk over.  The clerk listens, and examines the heavy bear closely.  One of the seams is falling apart a little, and there seems to be something metallic behind it.  The clerk decides to call the cops.  You can never be too careful.  Just a few days ago, someone replaced bottles of water at a convenience store right down the street with tainted bottles.

The police duly show up, the uniformed cop looking the toy over and probing at the loose seam with his finger.  Suddenly, the thing rips another four or five stitches and reveals more of what lies beneath.  Nervously, the constable backs away and calls the bomb squad.  They show up very quickly, and Pooh is whisked away in a blast bucket, which is a completely new experience to him.

Later that day, after the toy is examined, the police fully realize that they have something more on their hands than a single bomb.  They have made the connection to the first device found in the park, and they’re starting to be somewhat suspicious about the blast at the train station.  The insides of the teddy bear were found to contain a cell phone, plastic explosive, and shrapnel.  The police are hoping for a break in the case, since it seems someone called the cell phone.  That was the music the kid heard, and luckily, so very luckily, the detonator setup malfunctioned.  Anyway, the police hope they can just pick up the culprit from the call record in the phone.

However, it turns out not to be so simple.  The call came in from a small company making wedding dresses and national outfits.  But the phone supposedly making the call was unmanned at the time, the owner away on holiday.  By now, the FBI has been called in.  After some head scratching, someone points out that getting a forensic snapshot of the place’s computers might be a good idea.  What is found changes the whole nature of the case.

To put it very shortly, the computers at the dress company are found to contain a virus.  The virus is new but shares some characteristics with an old and highly successful one, known by the name Hybris.  It has the ability to pluck files from the internet and do things with them, and what it is currently doing is looking at a set of data it can recognize when the user accesses a website that has been tweaked in the right fashion.  The set of data is a list of phone numbers, which the virus will then proceed to call when its random counters are just right.  The list contains 25 numbers.  The virus will only call one, at random, and then not call anymore.

It is felt that this is a real break.  If this is the numbers for bombs (and it seems a safe bet that it is), one can just shut the phones down with the network providers, and then proceed with finding and rendering the devices harmless.  However, 25 devices show that something completely new is afoot – small mine-like devices just spread at random throughout the city, looking harmless – a toy, candy, or plastic doodads.  The work with finding and collecting the things proceeds; after a week 16 have been found and taken apart.  Then, the case changes again: there’s an explosion in the waiting area of a local dentist.  No one is killed, which is lucky seeing that the walls (the ones that stand) are fairly riddled with shrapnel.  Tiny red metal fragments are also found; eventually they are shown to be from a toy fire truck.

Now what?  There seems to be a new batch of devices out there – after all, the first 25 have obviously been killed even if not all of them have been found.  More than that, there must be new phone numbers out there if the bomber MO hasn’t changed.  The answer is found rather quickly, letting the now dissected virus have access to the net eventually yields a new list of phone numbers, this time 30.  It is not known if updating the list was something that was always in the works (this seems probable, since the cheap phones used have a limited time before their battery dies), or if the perpetrators were somehow tipped off that their number list had been found.

 

After

Three months after the spate of “minibombs”, the bombers still haven’t been found.  The bombings seem to be over, but it’s hard to be certain.  No new number lists have come to light, and no group has stepped up to take credit.  Still, the devices that have been found were spread over such a wide array of locations that nobody thinks this was the work of one person.

Meanwhile, the attackers are not idle.  One of them is changing the computer virus that was used.  He has a pretty good idea of what is now needed, having monitored several hacker and industry chats where people talk more freely than they should.  Several others are recruiting more people to place the devices.  And one is designing a new variant of small bomb that will simply explode if moved – even cheaper than the cell phone bombs (small switch to arm, mercury switch to detonate).

 

Next time, we’ll look at a large WMD attack facilitated by off the shelf technology.

 

© Ståle Fagerland 2010

 

 

 

 

 


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: