Ashkeph Investigation - Computer code analysis

Stardate 93624.8
Security Level 2: Restricted
TO CMDR Aloran
CC CAPT Thiessen; CMDR Everhart
FROM CMDR Mandra
SUBJ. Analysis of malicious computer code

After being tasked to research the code used to force the three ships into simulation mode, I arranged either to directly visit and interface with the Vanguard, Axiom, and San Jacinto, or to access their computer cores remotely from base.

After a dive into each system I was able to dissect specific details about the code and how it was installed and executed. The first important thing to note is the lack of any specific coding instruction to replicate and spread the code to other targets, nor any instruction to send itself to other networked locations. This means that the code is not a virus, nor a worm, as it does not carry the traits associated with those terms. As shown later, the best term to use would be malware, which is an old term for software with malicious and often hidden intent. It was typical to disguise malware as legitimate programming. Although the spyware variation still exists and is common, overt malware is seldom seen these days, since Federation computer networks of the modern day are so good at self-examination and filtering that it is next to impossible to install without being detected (this situation requiring the help of someone with Admiral-level privileges).

Based on the upload package data in each ship (though specifically Vanguard, which was the first ship to be installed with the package), everything was run as a form of benign executable file bundled with the Echomet planetary data metrics update package, which was legitimate data the ships were receiving for the mission. The actual executable file used in the deception was interspersed and hidden as junk data by splitting it up into part files. The original batch file contained specific code instructions to look into the appropriate locations to piece it together when activated.

When the Admiral had the planetary metrics package uploaded to Vanguard it executed a network instruction protocol with the other task force ships to enable them to receive the update package as well, which of course is how the malware files got on all three ships. At this stage none of the ships would have been easily able to detect any issues as the actual malware had not yet been executed.

When it came to examining the specifics of what the program actually did, I had to break down the actual execution instruction code. At this point it became clear the coding was done by someone (whether it was the Admiral or someone else is beyond my level of speculation) with a good knowledge of Starfleet computer systems. Upon execution the program used pre-programmed administrator credential bypasses to access a suite of ship systems simultaneously to silence the alert systems and override the automatic system self-diagnosis programming, which would normally have detected the malware activation immediately. It is likely the Admiral also used her credentials before execution for some aspects of this. This can be likened to leaving the door ajar for the program to get in, at which point it proceeded to prop the door open while it worked.

The Admiral had embedded her credentials in several steps of the programming's code so they could be applied automatically without her assistance as well, which would have required her to rip the physical link encryption key from her badge to do, compromising it from a security standpoint as you know. The fact that she left the badge for us to find later ensured this compromised code is of no harm to our systems, as the physical badge would be needed to complete the multi-factor authentication needed for any future access (a moot point, as standard procedure would require all those codes to be changed after the fact, but the point is, there are no ongoing vulnerabilities).

After disabling or silencing all the necessary systems to allow the main program to run unhindered, the malware proceeded to extract and execute a now obsolete version of the simulation software used for Starfleet war games. As you know, this simulation software is updated regularly to repair security vulnerabilities; if she had tried to run the up-to-date version of the simulation software it would have hit an error, as the new version requires a remote file confirmation from Starfleet Command networks to verify the war games scenario has been scheduled. This would also have tipped everyone off when the nearest Starfleet network beacon recorded the attempt to start a war game simulation outside of schedule. The older version still ran on a system like this but had a backdoor via the debug mode that allowed it to be run off the network in local system mode for testing new enemy attack scenarios. The new version now requires even debug testing to be logged. Once simulation mode was on, the cracked debug mode was given instructions to remove the special testing notices and main screen markers so no one on the ships could immediately tell by looking that what they were seeing were simulation images (another issue the newer version sealed up). The code finally instructed the simulation to set up an Undine ship attack and programmed the local network for the three ships.

Once the simulation completed (with an enemy or Starfleet win, in this case a Starfleet win), the simulation program ended and returned the ship to normal functionality. At this point the malware code was done working and no longer active. It was only at this point that anyone could have noticed anything going on, which is what happened.

My final notes on this are that the writer of this malware code was knowledgeable in what they were doing and knew a decent amount about the computer systems on most Starfleet ships in order to plan for which systems needed to be bypassed using the Admiral's authorization codes. The latter point is important, as without the Admiral's codes this program would never have been able to run the way it did. While she did program some of her authorizations in, the first action (which I likened to pushing the door ajar earlier) required personal action on the Admiral's part. To this end I can say there is very little anyone could have done to circumvent this without knowing of her intentions or having a specific reason to keep the Admiral from using computer systems, which no one did. While the work of someone knowledgeable, the code itself is rather straightforward, and not designed to fool or be used for subterfuge (like some spyware programs still encountered today). One way or another this program would have been found eventually, and it is my determination that the Admiral could not have used this and then continued on feigning ignorance if she had chosen not to desert; she would have been found out eventually.

To that last point and summarizing other mentions earlier, there is no continued threat or harm that can come from this code and all exploited vulnerabilities are incapable of being exploited a second time. This ends my analysis.

//SIGNED//
Commander Alina Mandra
Assistant Chief of Sciences / Lead Computer Science Researcher, Deep Space 13