Rogue Code (32 page)


Authors: Mark Russinovich


“My word,” Agnes said, “imagine running into you here of all places.” She sat beside him, a bit winded from her rush over. “Where are you off to? Or are you just coming back?”

Jeff had last seen Agnes the year before at CyberCon in San Diego. She’d been on one of the discussion panels. It had been unique in that the hacktivist group Anonymous had joined remotely.

Jeff didn’t want to lie, but then, he was traveling under a false identity. “Where are you off to?” he asked, answering her with a question of his own.

“Back home to beautiful Oklahoma City, if a tornado hasn’t flattened the homestead. I’ve been doing some research here. You would be shocked at what the U.S. government is secretly doing with all this social networking information people put out there so casually. It’s like Brave New World or 1984, one of those books. They know everything about us—absolutely everything—and they don’t even have to listen in to our telephone calls.”

“I doubt much would surprise me,” he said. “They have the ability to collect it and from their perspective, why not? They’ve got a country to keep safe.”

She snorted. “That’s what they say but it’s not true, believe me. You know,” she whispered, “I think that kind of information was used to influence that last presidential election. That’s why the polls were so far off.” She looked around to check that no one was listening. “I can prove the government used mass fake social networking accounts in the campaign, coordinated across Facebook, Toptical, and Twitter, and that they planted online articles to influence public opinion. They softened public outrage against the IRS, NSA, and other scandals with those same tactics.” She moved even closer, her body touching Jeff’s, and with her lips nearly touching his ear said, “If the truth were known, it would come out that the NSA is engaging in wholesale securities fraud to fund government black budget projects. They’ve been at it for years.”

What to say? “It wouldn’t surprise me a bit.”

“So … where are you off to?”

“Just coming back. Going home.”

“Ah, well, that’s always nice, isn’t it? And how is the lovely Daryl? I’ve not seen her in ages.”

“Good.” He hesitated. “But we’re not together anymore.”

Agnes raised her eyebrows. “She’s a keeper, young man. You can take it from me. Don’t let her get away.” She glanced at her watch. “I must be off.” She stood. “See you soon.”

Jeff watched her walk away with a wave of relief.

“Agnes is looking good,” Frank said as he joined him. “I thought I’d wait until she left. Did you mention me?”

“No. I told her I was on my way to D.C.”

“Good. Keep it simple, logical. What say we check into international departures and get that out of the way?”

They took their carry-ons with them and entered the security checkpoint. Jeff held his breath as the heavyset woman accepted his passport, scanned it, looked at the screen for several seconds, then handed it back. He moved on, placed his laptop into a container, shoes and belt, wallet, keys and change into another. The alarm sounded when he went through the machine, and a stoic man had him pass through again, this time without incident. Jeff recovered his items and sat down to put his shoes back on.

“So far, so good,” he said as Frank sat beside him.

“Don’t think about it.”

The pair walked down the long hallway to their departure lounge. Two hours later, they boarded. Another woman looked at his passport, matched it to his boarding pass, then let him on. Jeff didn’t breathe easy until they were in the air.

Now all he had to worry about was clearing immigration in São Paulo.

 

48

HOLIDAY INN

LAFAYETTE STREET

NEW YORK CITY

8:26 P.M.

Though her part of the operation was to follow the money, Daryl instead turned her attention to the code itself. She reasoned that Jeff and Frank had been in motion since the previous day, and she knew they’d had little if any time to work on the rogue code.

Frank had sent her a summary of their findings and suspicions before the pair left. She’d spent late Saturday night reviewing the code and tinkering with the malware. Now all day Sunday, she’d devoted herself again to the task.

She’d reached some conclusions, which to her seemed self-evident. She’d traced the stolen money to the bank accounts through which it was routed. According to Frank’s report, they’d decided that the money originated from outside traders, not from accounts within the Exchange itself.

This made a great deal of sense to her. If they were taking money from within the trading software of the Exchange, then security would easily discover it. But if they took the money from someone making a trade, then routed it through the Exchange, they could diffuse suspicion to any number of targets. And since none of the thieves were part of the NYSE, it would not be of concern to its ongoing security efforts.

So just as the money was dispersed into hundreds of bank accounts so too was it likely taken from a vast array of traders and brokers. As she worked the heavily obfuscated code in the malware she eventually located a store of IDs and what appeared to be trade amounts. She looked through the documents Jeff and Frank had gathered, remembering that one was a spreadsheet that listed the IDs the Exchange assigned to stocks. Sure enough, the IDs in the malware matched the ones in the spreadsheet. Attached to them as well were other symbols but a bit of research revealed them to be prefix designations to identify the type of trading vehicle.

One of the symbols was that for Toptical, TPTC. That was no surprise. Now that it was about to be publicly traded, it needed one—and starting Wednesday, it was going to be a heavily traded stock, at least initially. Its presence within the malware told her that the IPO was going to be a target.

As she knew little about them, Daryl researched IPOs to see what prior experience said on the subject. Major IPOs, she learned, created enormous volatility in the market during the first few hours. This occurred because there was pent-up demand by those who used the product, which in cases like this one represented millions of people. Toptical was enormously popular and a great number of the faithful users were going to want to own a piece of the action.

Another reason was that the public generally had a positive opinion of IPOs. There was the undeserved belief that they were always successful and that those who got on board early did very well. There were plenty of public offerings to testify against that opinion, but for some reason, that reality didn’t capture the public consciousness.

Then there was the host of brokers representing hundreds of thousands if not millions of clients. Public offerings were always a part of their portfolios and in this case they’d be under pressure to take part. There were as well hedge and retirement funds, enormous piles of cash looking to diversify under favorable conditions.

There were also speculators, individuals and traders who believed they understood the market better than most and were persuaded they saw an opportunity. Some of them would buy early and if a specific price point was reached late Wednesday, they’d sell, looking to make their money quick and easy. Others would gamble that the stock was overpriced. They would sell short and make their money during the price collapse.

Finally, there were the high-frequency traders, some of which fronted those big piles of cash. The difference with them was their ability to incrementally manipulate the price, then exploit the conditions they’d created. They were seen as major factors in previous IPOs, and they relentlessly expanded their algos, tweaking their systems for each new opportunity. They could make money on the rise, on the fall, and on the thousands of variations in price in the meanwhile. They would have enormous influence on the IPO, especially in establishing a perceived level of trade volume.

What concerned her was that Jeff and Frank had already concluded that the rogue code was itself a high-frequency trader and whoever was behind it had gone to a lot of trouble to get the two of them out of the way. The only conclusion she could take from that was that they’d been too close. The malware wasn’t just any high-frequency trader; it was a trader without a monetary reserve. In other words, it had no backing. In the real world it could be said that in many, if not most, cases it made its play by some form of cheating.

Looking at the data dumps that Jeff and Frank’s code had funneled out of the engine to her C2 servers via the backdoor, Daryl observed the code had been updated twice since the Exchange had loaded its new IPO software and updated its trading platform code. Now TPTC seemed to be interlaced everywhere within it. A third update that afternoon disclosed it as the rogue code’s primary target, the numbers controlling the size and frequency of the trading skims representing as much as half of all the projected rogue code action.

How much would that be? she wondered. What she saw convinced her it was more than a billion dollars.

She turned her attention to the malware’s trading logic, carefully stepping through it and following the numbers flow across it and into functions that were obviously its connections with the actual NYSE trading engine. After several hours, she decided that she could make an estimate of how much money it had siphoned out of legitimate trades in the last year, $50 to $100 million.

Employing this information as a baseline, she now tried to determine how much action the latest code and configuration were designed for when it came to Toptical. She knew her best estimate would be inexact, that it had to be inexact because even those who wrote the algo didn’t know with precision how many opportunities it would encounter on IPO day. But even an imprecise estimate was better than a guess.

Seven to fifteen billion dollars. That was the potential spread.

Daryl was staggered. She double-, then triple-checked her analysis, but the results didn’t change. Hadn’t one of the significant problems with the market been caused by a much smaller trade? After a few minutes, she found it. On a day in which total volume was $200 billion, the Flash Crash had been caused by a trade of just $4 billion.

She wrote up a report of her findings to the “boys,” as she thought of them, concluding, “I’m no expert, but if these guys are looking to take seven to fifteen billion Wednesday, that is going to cause a great deal of economic trouble. And if there is a problem with the rogue code, or with HFTs or with the NYSE’s new trading software, we could be looking at a disaster worse than 1929. These exchanges worldwide are so interlinked that a multibillion-dollar scam of this sort could be the catalyst for truly terrible events. Look at what that harmless bot has done to the market. There’s another editorial in the NYT today attacking security at the Exchange. The market is expected to fall even more tomorrow because of lost confidence. If Wednesday is a disaster, I don’t even want to think what the consequences will be. We need to stop this!”

Daryl stepped away from her laptop and prepared for bed, scrubbing her face, combing out her hair, brushing her teeth. She was tired but knew she could still put in several hours yet. Back at the desk she connected to one of the C2 servers and looked for a new data dump from the engine, but found none. She checked and saw that the jump server backdoor was not in the logs. They had either been discovered and shut down, or some change in the Exchange’s security configuration was blocking their outbound access.

Her shoulders sank as the reality set in. They were cut off from access into the Exchange beyond the jump server, with no access to the rogue code or chance to trace it back to whoever was planting it. She tried again. No luck. After sitting for several long minutes in shock and dismay, she composed herself and sent another message to Jeff and Frank. “Beacon is down on the backside.”

Daryl stood up. What to do? How much more could she learn on a computer? How much could she expect to accomplish from her hotel room? Where could she best spend the next day?

She undressed, then climbed into the shower, soaping head to foot, scrubbing herself clean as she emptied her mind. Outside the shower as she toweled off it came to her.

Plan B. Boots on the ground and all that. There wasn’t much time. Still …

She was humming as she set her alarm and crawled between the sheets.

 

DAY EIGHT

MONDAY, SEPTEMBER 17

 

HIGH-FREQUENCY TRADERS POISED TO EXPLOIT TOPTICAL IPO

By Arnie Willoughby

September 17

As the next major IPO approaches, high-frequency traders are gearing up for what promises to be an eventful and highly profitable day. “HFTs make real money on big trading days with plenty of volatility,” Shannon Woodruff, publisher of the highly regarded Woodruff Report, said in remarks earlier this week. “The Toptical IPO promises to provide both.”

High-frequency traders, or HFTs as they are more commonly known, earn enormous profits by exploiting small changes in stock valuation. They identify these changes before anyone else, then complete their trades at lightning speed. Backed by billions of dollars they are the 800-pound gorilla in the stock market and Woodruff says they are able to bully their way through traditional traders.

“With enough capital, the latest algos, and proximity hosting, HFTs have a disproportionate advantage over everyone else,” Woodruff said. “The NYSE regulators are moving too slowly and too ineffectually to rein them in.” The price investors pay because of their dominant place in trading is a higher cost for the securities they buy, or reduced earnings for those they sell. “The HFTs scoop up the difference even though they serve no meaningful role in public trading,” Woodruff observed. “They are the three-card monte game of the stock market.”

High-frequency traders have been with us since the beginning of programmed computer trading. The advantages computers brought with their incredible speed and the ability to handle enormous volumes of data were recognized from the start. HFTs are always one step ahead of regulators in their latest exploits. “Despite recent changes in law the SEC essentially cleans up after them,” Woodruff said. “They give the illusion the HFTs are under control, but they are not. It’s the Wild West out there, and IPOs are the major shootouts.”
