Dark Holes
- Jonathan Runyan
- Dec 3, 2024
- 4 min read

Each step scraped against the wet, sandy concrete as I followed my friend. It was past midnight and drizzling in downtown Chicago. The endless window lights in the skyscrapers above acted like replacement stars lighting our path.
Don’t ask me why I was exploring Chicago at this hour.
You really want to know? Well, OK. In truth, my friend insisted that the real city only came alive at night, and if I wanted that experience, this was the time to go. He was right, because turning a corner I immediately held my breath. Before I describe the sight, you must understand: I grew up around corn fields. Skylines were clouds, and late-night traffic was crickets gossiping outside my window. So, the moment I beheld this black giant shooting through the atmosphere above me, those famous words of Judy Garland about not being in Kansas anymore started bouncing around in my brain.
Apparently, this was our destination: The Sears Tower. Mesmerized by its glow and grandeur I almost missed another, altogether different sight creeping into my periphery. My friend turned to see what I was gaping at.
“You don’t want to go down there,” he said softly.
I can’t overemphasize that it was the largest and longest alleyway I had ever seen. It was so big and dark, it didn’t look real. Almost like a deep well, it stretched so far I could not find its end. A mysterious contrast to the glamour in the sky above us, it felt like a black hole sucking the surrounding city light into its center.
And strangely, it was eerily similar to my role in cyber security and forensics.
You see, I walk dark alleyways all the time, often in the footsteps of criminals who have not yet been found. I wish it really was clandestine, or impressive sounding, but these alleyways are just digital. Also, I’m usually sipping coffee while humming Owl City and reclining in the warmth of my home while I follow their trail. It doesn’t take nerves of steel. The “trail” lives in the digital realm, this dimension where friend and foe sit thousands of miles away from one another in the real world.
But doesn’t that make you wonder, what is real today? How do you define this reality we’re living in? You don’t have to work in digital forensics to agree that on some days, it feels like we’re starring in a budget-friendly series on the sci-fi channel. Someone was telling me about their AI girlfriend the other day. Still, if I told you some of the things I’ve seen on the clock, you might get a little weirded out. When I tell people what I do, they just stare at me with that oh that’s interesting but I have no idea what you’re talking about smile on their face. Either I’m doing a poor job explaining or my profession is really strange. Or maybe it’s both. Still, I thought it would be fun to revisit a digital midnight stroll, if you will, so if we ever meet IRL (in real life, as the kids say these days), you won’t have to ask:
So, what is it you do again?
Because the truth is, my job is like walking dark alleyways, at least in this sense: you have no idea what’s lurking out there, or what you’ll find.
Case in point…
Be Careful What You Capture
I was staring at a piece of Russian malware designed to infiltrate Ukrainian energy plants while sitting at my own computer at home. This artifact was either contracted out by one of their affluent crime rings or made by the GRU themselves. If you remember back in 2016, Russia managed to shut down an entire city’s power with just one piece of malicious software. While my eyes weren’t gaping at that particular piece, this one was much like it.
So, how in the world did it end up in my hands?
You see, before I write detection for viruses, I go into the wild. I capture live samples and execute them in a Windows sandbox sitting on my Linux machine. Then, I watch to see what happens. Sometimes the sample waits to execute, knowing anti-virus suites only observe for a period of time following a process launch. At other times, it blends in with outbound traffic, mimicking Microsoft tooling. Oftentimes, however, the virus embeds itself into the computer’s registry, startup, and hundreds of hidden locations so it can persist past reboots and removals. The worst are rootkits, where a binary attaches itself to firmware/hardware. If you get one of these, it’s time to buy a new computer, as no manner of wiping the operating system or cleaning it up will get rid of it.
I was about to throw this file into my sandbox when I thought it would be a good idea to grab its hash first (kind of like an identifier) and run a query to see what I was dealing with. I’m really glad I did, because someone else had seen it before me, and lo and behold, this wasn’t the kind of malware I needed to run on my home network, even if I had it quarantined. Some of the more sophisticated viruses can jump or escape virtual machines when they know they’re watched in a sandbox, though this is rare. Anyway, I knew I was outclassed, and the last thing I needed was a Russian shell phoning home from my family’s network (the same network that watches Blippi, plays Xbox Live, and conducts personal finances) to some cold room in Moscow.
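The hash-first habit described above, written out as a small triage gate. This is an added example, not code from the post; the sample bytes, the intel dictionary and the `sandbox_isolated` flag are all constructed stand-ins, and the rule order (known sample never runs; unknown sample runs only in a sandbox with no route to the home network) is the author's reasoning turned into a function.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed bytes standing in for a downloaded file; not a real sample.
SAMPLE_BYTES = b"MZ\x90\x00constructed-stand-in-for-a-suspicious-download"

# Constructed "someone else has seen it before me" intel, keyed by sha256.
KNOWN_BAD: dict[str, str] = {
    hashlib.sha256(SAMPLE_BYTES).hexdigest(): "constructed intel hit: reported as phoning home",
}


@dataclass
class TriageVerdict:
    sha256: str
    md5: str
    detonate: bool
    reason: str


def hash_sample(data: bytes) -> tuple[str, str]:
    """Return (sha256, md5) so the file can be looked up before it is ever run."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def triage(data: bytes, intel: dict[str, str], sandbox_isolated: bool) -> TriageVerdict:
    """Decide whether a sample may be detonated at all.

    1. Already in intel: do not run it; the existing write-up says what it does.
    2. Unknown: run it only when the sandbox cannot reach the home network.
    """
    sha256, md5 = hash_sample(data)
    if sha256 in intel:
        return TriageVerdict(sha256, md5, False, f"known sample: {intel[sha256]}")
    if not sandbox_isolated:
        return TriageVerdict(sha256, md5, False, "unknown sample, but sandbox shares the home network")
    return TriageVerdict(sha256, md5, True, "unknown sample, isolated sandbox: observe it")
```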
Insert terrible Russian accent: Hey Victor, we’ve got a shell. They’re watching Pokemon Ranger.
I looked at it for a few more minutes, and though I really wanted to, I never launched the file. Believe it or not, it’s still sitting in my downloads to this day.
Maybe I should just delete it…
Or, would it hurt to take a peek? Surely no one’s still listening on the other end after all these years…
Jonathan Runyan is a senior cyber security engineer and former pastor writing on the intersection of spiritual and virtual reality. You can read more about him here.