Pure Blind: Worm Report
From: Avio Yaken
Sent: YC122.07.30 13:30
To: Suha Raibuya,
Komi got back to me with her report on the worm. It’s… Complicated to say the least. Admittedly taking me a few reads to fully understand it, but even then I feel a little in over my head at the depth of these Scrip networks.
No wonder we hire experts for this… Anyway, I’m gonna supply her report in full so you get the context and try to break it down as best as i can.
Technical Analysis of Pure Blind Scrip Network Worm (PB9318041.84b)
#sample 1 = High-Tech Data Chip
While analyzing the Data provided by #sample 1, I’ve found some the fragments of an interesting program, that seems to have the signature of the worm we will call PB9318041.84b
How does the Scrip Network work?
To see how the worm could cause this much damage, first we need to understand how the Scrip-Network works. If you are not familiar with it, let me explain: It uses a decentralised structure of network arrays we will call “Node”.
Each Node has it’s own security certificate and a state of the art firewall for safety measures. In order to perform a transaction, not only one Node has to sign it, but the whole network has to verify it. Meaning in case one Node get’s corrupted and Scrip that are not backed up are transferred, the error will be corrected within the system.
The Scrip Network uses the most advanced security and quantum entangled encryption methods. It is nearly impossible to hack, even for me.
Which makes the worm very interesting from my perspective.
Basically I think she’s saying that every “node” in this scrip network acts as it’s own checkpoint for any data flowing through it. Every step of the way of a transaction being verified and asked to show it’s papers before passing through to the next stepping stone of it’s journey.
Alarming thing is that these Networks all have high-end security measures, and why wouldn’t they? You never wanna be screwing around recklessly with someone else’s money…
How could the worm manage the impossible?
While analyzing #sample 1 I found signatures of a program that I considered to be very unusual software. Clearly some kind of mutating code that is often used with harmful software to prevent signature detection.
Trust me, it took really long to analyze this probably AI generated mess of a code. But it turned out to be what I expected.
I found some promising functions that I renamed after studying the functionality:
This led me to the conclusion that this is probably the worm you are looking for.
Once PB9318041.84b occupies a System, the following will happen in sequence or parallel:
- The carrier worm will create a mutated version of the actual program and save it in the core system.
- A number of ISK-Transfers will be placed
- The worm will go to sleep and wait for something I could not identify, because the sample was incomplete at this point. Probably some dependency I don’t know.
So we did luck out and get a hold of an actual worm sample based off these lines of codes she uncovered while examining the chip. What i believe she’s saying here is that once the worm is in the system, it’ll start rooting itself into the node and prepare itself for the next step, and this is where it gets interesting…
But how could the worm circumvent the security?
Well, I wanted to check if I can get any information about the transactions the worm does and they were not what I expected them to be. I expected to see a large amount of Scrip being transferred but instead I found this:
Transaction No: value, ,source , receiver,
#1 1,01 Sc #H9Q589JAlJ465FF1MMYYX11CI #HFM484DF2V48W954SIV34
#2 0,009194028111322 Sc #H922KLL03919OAA11NNKAH11 #HFMA99112ANAU136KALAA
#3 0,001489449712326 Sc #H781QQL0004004003HSWQQQ #77SV16C13QC1Q11BBBBY3
#4 0,009994512000400 Sc #Z86DPOL416SC132YXX12V81L #75AV123VW943A21V98V3V
#5 0,000047169669120 Sc #GWE56484SFJJJ2481AWQR1C #SFVB1321VAQQQ31BBBNZZ
The amount’s are very unusual. Normally a transaction would be expected to be at least 0,01 Scrip. It’s similar to the ISK-network where the minimum transaction is 0,01 ISK
This was very suspicious so I decided to dig deeper.
The Attack on the Guristas Facility happened to infect the first Scrip-Node. They probably needed control of the hardware to first initialise the worm.
The worm sent those impossible transactions to connected Nodes. This transactions were verified. The neighboring Nodes would receive those impossible transactions (since they were verified by a valid certificate) and would use the garbage collection to discard them. And here the interesting thing happens.
If there was for example an exploid in the garbarge collection or the chipset itself, the data won’t be lost but assembled in Memory. This way it might have been possible to inject the trigger program into the core memory without any security measurements preventing it, since it was a verified transaction of 0,00 Sc (rounded).
Of course it didn’t took the network security team that operates the nodes long to figure out something bad happened after seeing multiple of those 0,00 Sc transactions in their logs.
Once the carrier program is completely loaded into memory, it will extract the mutated worm and write it into the system. Now The worm takes over and will create more of those transactions with the Nodes certificate until all Nodes are infected.
Once a critical amount of Nodes is infected, the worm has control over the whole network. Probably this is the point where the REAL Scrip transfers happened.
I think what she’s implying with her bullet points is that the raid on the Guristas facility by Intara was a literal brute force attempt to get the worm into the system by first getting ahold of some center that had admin rights to freely place whatever data they would want in a node and letting it spread from there.
How the Worm would get past the security of other nodes however is by sending out transactions that are impossible to follow through with…Like 0 Scrip, you can’t really transfer anything now can you? As a result, the nodes that receive this order will discard the data on it’s hardrive’s recycling bin - At that point however the worm has made it inside, the data was sent by a trusted source (It’s fellow node) and thus the receiving node’s security measures wern’t triggered and thought little of the strange data it was getting.
IT’s rinse and repeat at that point, the Worm will extract itself and get to work doing what it did in it’s origin node.
She also provided a small little example of the process.
I’m not 100% sure if this is the way it really happened, but it’s my best guess from the limited data I could analyze.
Insider information about the chipset is crucial. Without it, there is no way to perform this highlevel attack. I think it took a team of specialists months to create this interesting piece of software.
If you want to protect your systems, contact the manufacturer of the chipset or look for a firmware update. The Scrip network was designed to be impossible to hack, the hardware it was running on sadly not.
Hope this helps you
The Guristas might have a mole, Komi insisted once again that someone on the inside must have had prior knowledge of how these scrip networks are set up, what their security is like and how their files are structured. This worm is something truly sophisticated and wasn’t made by any lone hacker that you see in holo-reels. Who exactly made it is still uncertain, Komi gives me the impression that Intara were just the muscle on this attack and that the actual brains behind the worm are still in the shadows here.
I’m gonna ask Komi about coming up with some kind of “Cure” for the Worm, I believe I was told in passing that a cure would be designing our own Worm to go in and eat the first one. Frankly all this stuff is still a mystery to me so I’m just going with whatever the expert is telling me.
Designing one to counter this one won’t be easy, certainly not cheap - But if something like this hits the Venal networks? Could be catastrophic for the region’s economy and hurt the Guristas in a way not yet seen. I’ll pass this info to Mumo, maybe she can keep an eye out on our networks for anything like this in the meantime. I’ll pay our friend here a retainer and see if she can help develop a counter to this before it bites us all in the ass