“I worked out a deal with Ivanov,” he explained, after Zula had taken another stand-up sponge bath and grabbed a slice of pizza (for there was a Pizza Hut somewhere within delivery range). “He’s got a sysadmin back in Moscow that he trusts. This machine is connected over a VPN to that guy’s system in Moscow, so he can monitor my use of the Internet and make sure I’m not sending out any distress calls.”
Zula was divided between thinking that this was a clever solution and finding it weird that Peter would put up with it. And indeed the look on his face was not proud. But he had an explanation ready. “We are totally handcuffed if we don’t have access to Internet,” he pointed out. “We can’t even use Google Maps. I’ve been able to make a lot of progress this way.”
“Such as?”
“Well, for one thing, I downloaded a copy of the REAMDE executable that someone posted on a security blog,” he said. “And I decompiled it.”
“How’d that work for you?” she asked. Peter was proud, almost desperately so, of what he’d done, and she felt obligated to let him speak of it.
“Well, I was afraid that they might have used obfuscated code,” he said, “but they didn’t.”
“Meaning?”
“Some compilers will mess with the object code to make it harder to decompile. Whoever created REAMDE didn’t do that. So I was able to get some pretty clean source code files. Then I looked for unusual character sequences in those files and googled them.”
“You wanted to see if anyone else had gone down the same path before you,” Zula said, “and posted their results.”
“Exactly. And what I found was a little unexpected. I found a security discussion group where someone had indeed posted some decompiled code that matched what I got. But it wasn’t from REAMDE. It was another, older virus called CALKULATOR that made a little bit of a splash about three years ago.”
“Okay,” Zula said, “so you’re thinking that the creators of REAMDE recycled some of the source code from CALKULATOR.”
“They must have. There’s no way this could have happened by accident. And the interesting thing is that the CALKULATOR source code was never found—it’s never been posted.”
“So it’s not the case,” Zula said, “that the Troll just downloaded the CALKULATOR source files from a server somewhere and then incorporated them into REAMDE.”
Peter was nodding, and a smile was on his lips. Zula continued: “REAMDE and CALKULATOR were made by the same people.”
“Or at least people who know each other, who privately exchange files with each other.”
“So the obvious question then becomes—”
“What do we know about the creators of CALKULATOR?” Peter said. “Well, it was a far more devastating virus than REAMDE because it infected anyone who used Outlook—whereas REAMDE is endemic to hard-core T’Rain users. For about a week, it was the virus du jour, it made quite a sensation, and there was a big law enforcement effort devoted to tracking down its creators. They weren’t nearly as clever about hiding their tracks as the Troll has been, and so it was eventually traced to a group in Manila.”
“Hmm. That’s a twist.”
“Yeah, we’re focusing on Xiamen and suddenly we get this clue in Manila. But here’s the thing. A couple members of the Manila group were caught and prosecuted. But everyone knows that most of those involved were never identified, never caught. And then the other thing is that a lot of Filipinos are ethnic Chinese and still have family ties to China.”
“So maybe the Troll is a Chinese hacker living in Xiamen,” Zula said, “but he’s got family ties in Manila…”
“… and that’s how the source code ended up here and got recycled into REAMDE.”
Zula had been keeping an eye on the safe house as this conversation had proceeded. Csongor was closeted in an office with today’s notes, doing some data entry work on his laptop. Sokolov was in the conference room being debriefed by Ivanov. Two of the security consultants were sleeping, two were playing Xbox, and two were on duty. But all the Russians who were awake were casting occasional glances in their direction. Keeping an eye on the hackers, wondering what they were talking about. Perhaps guessing from their body language and the expressions on their faces that they were focused on the problem at hand and making some progress.
And that, as she kept having to remind herself, was the only thing that mattered. Not catching the Troll. But making Ivanov believe that they were making progress toward catching the Troll, stringing him along, long enough for them to think their way out of this.
Long enough for Zula to do so, anyway. Because she didn’t get any vibe at all from Peter that he was interested in leaving. He had become too fascinated by the Troll hunt.
He believed that if they caught the Troll, Ivanov would be nice to them.
And maybe he was right. Maybe this was how Ivanov recruited.
Or maybe making them think so was how he kept people docile until it was time to kill them.
“What’s next?” she asked. “What do we do with this information?”
“One of my thoughts was, we have a jet at our disposal, we could shoot down to Manila and try to find some of the CALKULATOR crew, ask them questions.”
When Zula considered the meanings of those verbs “find” and “ask,” all she could think of was Wallace and the 6 mil polyethylene sheeting. Was that what Peter had in mind? Or did he really think that the hackers in Manila would voluntarily rat out their blood relatives in Xiamen? Zula didn’t want to ask that hard question of Peter because she was afraid of what she might learn about the man she’d been sleeping with. “To Ivanov that’s going to feel like a wild-goose chase,” she pointed out. “He prefers the direct approach.”
This was meant as kind of a joke, but Peter nodded soberly. “We might also look for a Filipino expat community in Xiamen. In Seattle they have their own grocery stores and hair salons. Maybe it’s the same here.”
Zula, who unlike Peter had actually seen Xiamen, was pretty sure that this was hopeless. But she stifled the urge to say as much. “Have you reported this to Ivanov?”
“I’ve been feeding him little updates.”
Zula tried to ignore the way he’d phrased this. “He knows about the possible Manila connection?”