S1x1: hellofriend.mov

I am horribly late on this, both in terms of watching the show and this idea in particular, but I’m finally getting started on my technical review of Mr. Robot. This is a show that had some pretty high-level technical advisors such as Michael Bazzell and Kor Adana, so I’m eager to see what’s there.

Rohit’s Reprehensible TOR Enterprise

In episode 1, main character Elliot Alderson meets with a coffee shop owner named Rohit D’Temeta (who goes by “Ron” as the owner of the “Ron’s Coffee Shop” chain). Elliot liked the quality of the Wi-Fi network Rohit offered at his shop, which gave customers gigabit-speed connections and downloads (crazy for 2015), but that quality is also what piqued his interest.

It turns out that Elliot did some snooping on the wire and discovered that Rohit hosts an implied CSAM site named “Plato’s Boys” that serves 400,000 users via Tor on “The Dark Web.”

Onion routing is a concept where an individual’s traffic is run through several Tor nodes, each one removing a single layer of encryption from the user’s traffic to know where to send it next (like an onion’s layers). This keeps the user anonymous by only letting each node know a small piece of the user’s overall route.

The Tor nodes are run by anyone willing to volunteer their system as a network node, and Elliot states that he was able to gain control of an “exit node,” which is the last node a user’s traffic passes through before it leaves the Tor network for its destination.
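To make the “layers of an onion” idea concrete, here is an added example (not from the post, and not Tor’s real code) of a client wrapping a message in one encryption layer per relay and each relay peeling exactly one layer off. The three relay names, their pre-shared keys and the destination are constructed; the SHA-256 counter-mode stream cipher stands in for the AES keys that real Tor negotiates per hop. The point it demonstrates is the one the paragraph makes: the guard learns only the next hop, the middle relay can read neither the destination nor the payload, and only the exit sees where the traffic is going.

```python
import hashlib
import json
from typing import List, Tuple

# Constructed demo circuit: three relays with pre-shared keys. Real Tor relays
# negotiate per-hop keys with the client; these static keys only illustrate layering.
CIRCUIT: List[Tuple[str, bytes]] = [
    ("guard", b"guard-demo-key"),
    ("middle", b"middle-demo-key"),
    ("exit", b"exit-demo-key"),
]


def _keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Illustration only, not Tor's AES.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call both encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_onion(circuit: List[Tuple[str, bytes]], destination: str, payload: str) -> bytes:
    """Client side: wrap the message in one layer per relay, exit layer first,
    so the guard's layer ends up outermost. Each layer names only the next hop."""
    next_hop, blob = destination, payload
    for name, key in reversed(circuit):
        layer = json.dumps({"next": next_hop, "data": blob}).encode()
        blob = _xor(key, layer).hex()
        next_hop = name
    return bytes.fromhex(blob)


def peel_layer(key: bytes, onion: bytes) -> Tuple[str, str]:
    """Relay side: strip one layer and learn just the next hop plus an opaque blob."""
    layer = json.loads(_xor(key, onion).decode())
    return layer["next"], layer["data"]


def can_read(key: bytes, onion: bytes) -> bool:
    """Whether a relay holding `key` can make sense of the onion as it stands."""
    try:
        peel_layer(key, onion)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def route(circuit: List[Tuple[str, bytes]], onion: bytes):
    """Pass the onion hop by hop. Returns (what each relay saw, destination, payload)."""
    seen = []
    blob = onion
    for idx, (name, key) in enumerate(circuit):
        next_hop, data = peel_layer(key, blob)
        seen.append((name, next_hop))
        if idx == len(circuit) - 1:
            return seen, next_hop, data  # the exit hands the plaintext to the destination
        blob = bytes.fromhex(data)
    raise ValueError("empty circuit")


if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "destination.example", "hello")
    print("middle relay can read it:", can_read(CIRCUIT[1][1], onion))
    print(route(CIRCUIT, onion))
```

Running it shows the guard seeing only “middle,” the middle relay only “exit,” and the exit both the destination and the payload, which is exactly why controlling an exit is the interesting position for an observer: that hop sees plaintext traffic (if the site itself isn’t using TLS), but still not who sent it.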

This would be bad for Rohit, since it seems like Elliot is able to watch Rohit’s activity from his home computer while also watching the exit node his connection emerged from to reach the destination server. This is a known concern: through analysis of timestamps, surveillance of the target’s home, keystrokes, and whatever other information you can glean from the user’s local desktop environment, together with the traffic seen at the exit node, you can correlate the two to attain attribution.

This would be hard to achieve since Tor has a lot of users (probably far fewer in 2015 when this episode came out), so the odds of Elliot seeing Rohit’s specific traffic and catching him are low. This is something more often seen from larger government or law enforcement organizations and would be difficult for a single person to achieve.

It’s in fact the last step in how the FBI confirmed that Ross Ulbricht was the user “DreadPirateRoberts (DPR)” who ran the infamous Silk Road dark web marketplace, as seen in this article.

It’s plausible though, especially if Elliot had been watching Rohit for a long time and considering all the information he gathered from getting his e-mails. Seeing any discussion about the website between Rohit and the system administrator he employs probably allowed Elliot to narrow his search to just people connecting to the “Plato’s Boys” server. And considering how much time Rohit probably spent on there (ew), it was only a matter of time until Elliot spotted him.

Evil Corp’s R.U.D.Y Attack

When Elliot first gets to work, his boss mentions that one of the clients of their cybersecurity firm has been experiencing attacks on their servers for weeks. Elliot looks at the brief (or logs, it’s not clear) handed to him by the boss and states that “it’s a R.U.D.Y attack,” which stands for “R U Dead Yet?”

This is a type of “Denial of Service (DoS)” attack, but not the usual one where a computer or server is bombarded by tons of ICMP packets or other protocol traffic. Instead, the attacker(s) open many HTTP POST requests to the web server and never finish them.

This type of request is used whenever you want to submit data to a website from your browser, like when you’re filling out a form, adding comments, or typing in your username and password to log in.

The issue here is that the body of the POST request is never sent, so the web server is left with an open session waiting for the content it’s supposed to “post.” Opening enough of these sessions and letting them hang can slow down performance, and eventually take the web server offline.

If that explanation didn’t work for you, Cloudflare has a decent one as well.
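Since the tell of a R.U.D.Y attack is “POST started, body never arrives,” the defender’s side of this is a detection over the server’s open-connection state. The following is an added example, not code from the post or from any product: it takes a constructed snapshot of open requests (client IP, declared Content-Length, body bytes actually received, how long the request has been open) of the sort a reverse proxy or web server can expose, and flags clients holding several trickling POSTs. The thresholds and the sample records are assumptions for the demo.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Conn:
    client_ip: str
    method: str
    content_length: int   # what the Content-Length header promised
    received: int         # body bytes actually received so far
    age_seconds: float    # how long the request has been open


# Constructed snapshot of open requests (not real log output from any server).
# One client is holding four POSTs open for over a minute while sending a
# handful of body bytes; the rest is normal traffic and one legitimate large upload.
SNAPSHOT: List[Conn] = [
    Conn("198.51.100.7", "POST", 100_000, 12, 95.0),
    Conn("198.51.100.7", "POST", 100_000, 9, 88.0),
    Conn("198.51.100.7", "POST", 100_000, 15, 90.5),
    Conn("198.51.100.7", "POST", 100_000, 3, 61.0),
    Conn("203.0.113.20", "POST", 512, 512, 0.4),                # ordinary form submit
    Conn("203.0.113.21", "GET", 0, 0, 0.1),
    Conn("203.0.113.22", "POST", 2_000_000, 1_500_000, 20.0),   # slow but genuine upload
]


def is_slow_post(c: Conn, min_age: float = 30.0, max_rate: float = 10.0) -> bool:
    """A POST that has stayed open for a long time while its body trickles in
    far below the declared length looks like R.U.D.Y. `max_rate` is bytes/second;
    a real upload on a slow link still moves orders of magnitude faster than this."""
    if c.method != "POST" or c.received >= c.content_length:
        return False
    rate = c.received / c.age_seconds if c.age_seconds > 0 else float("inf")
    return c.age_seconds >= min_age and rate < max_rate


def suspicious_sources(snapshot: List[Conn], min_conns: int = 3) -> Dict[str, int]:
    """Count slow POSTs per client and return the IPs holding several at once.
    A single slow POST is noise; a client parked on many is the attack pattern."""
    counts = Counter(c.client_ip for c in snapshot if is_slow_post(c))
    return {ip: n for ip, n in counts.items() if n >= min_conns}


if __name__ == "__main__":
    print(suspicious_sources(SNAPSHOT))
```

On the sample data this returns only the one client with four parked POSTs; the genuine upload is ignored because its byte rate is high even though it is also “incomplete.” The matching server-side fix is a minimum body-receive rate rather than a plain idle timeout, since a timeout that resets on every packet is defeated by sending one byte at a time (Apache’s mod_reqtimeout RequestReadTimeout with a MinRate does this; on nginx, client_body_timeout alone is a per-read timer, so it needs pairing with connection limits or an upstream service like the Cloudflare one linked above).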

Elliot and Tyrell’s Preferred Linux Desktop Environments

The first time Elliot meets Tyrell Wellick, Tyrell spots that Elliot’s using GNOME, a family of graphical user interface (GUI) desktop environments for Linux. Tyrell says he prefers KDE, another Linux desktop environment. It makes sense that Elliot would be surprised by this, since Linux use on desktop computers isn’t common among consumers. Most of us are using Windows or macOS.

A lot of the time, especially in enterprise environments like servers on corporate networks or public-facing web servers, Linux/Unix is used strictly from the command-line terminal or “shell,” so the user doesn’t get things like richly colored windows and backgrounds, menus, icons, etc. For experienced system administrators this is faster.

Evil Corp’s DDoS by FSociety

DDoS = Tons of endpoints ganging up on one target. These days it’s usually botnets performing DDoS attacks.

Later in the episode, Elliot’s friend and coworker Angela calls him to come into work after hours because Evil Corp, their biggest client, is experiencing a Distributed Denial of Service (DDoS) attack that’s already cost them $13,000,000 due to their server outages. Elliot mentions reconfiguring DNS and stopping the services to their coworker Lloyd, but he’s already tried these things, and despite trying to reboot the servers they “won’t come back up.”

It seems like Elliott logs into an admin console for the “AllSave Firewall” (a product offered by their firm, AllSafe) and scans ports to see which are open and which are closed, as well as checking on the status of running services to see current user sessions on the server. From here he can see that the attackers have a session on the root account and are running something.

When their boss Gideon gets in he mentions restarting services, load sharing, and rerouting traffic as other options they have. Usually these would be effective countermeasures through things like load balancing and DNS sinkholes/black holes, and Cloudflare and other vendors have built services to handle this sort of thing since this episode’s release in 2015.

DNS Sinkhole = Bad traffic goes in the hole. Simple.

But those methods won’t cut it because Elliot has realized the attackers have a rootkit on the server. Like Elliot and Lloyd say, a rootkit is something that survives reboots because it lives in the bootloader of your computer. Your bootloader is what’s run first before any operating system is spun up on your hardware.

Please forgive the AI-generated diagram. For the sake of convenience it was too good to pass up.

Because the rootkit sits in the bootloader beneath the OS, it’s not visible to you in your filesystem or terminal. As Elliot says, they have to take down the servers, wipe them completely (as in remove the OS and firmware), and reinstall the OS before bringing the servers back up.

Elliot also explains that the rootkit exhibits worm-like qualities by replicating itself on other hosts every time they reboot an infected server (he calls it a “virus” but there’s no point nitpicking that). By attempting multiple reboots assuming they were strictly dealing with a DDoS attack, they’ve essentially infected their entire network by kickstarting this replication. The attackers essentially baited them into doing this, seemingly having the rootkit installed before launching the DDoS.

Gideon and Elliot fly to Dulles, VA on a private jet to the company’s server farm to make sure the servers are all taken down and wiped properly. This was back when on-prem infrastructure was everywhere and Northern Virginia does have the highest density of data centers and server farms in the US, maybe the world, so this is pretty realistic.

Once there, and after they take down all the servers and start the reboot process, Elliot realizes that one server has been missed and is still infected. There’s a mass reboot being done and if the “bad server” gets rebooted it’ll start the whole infection over again.

Using the fictional “astsu” tool which is probably something like “All Safe Terminal Super User” as mentioned in this 2016 blog post, Elliot reconfigures the infected server’s network connections cutting it off from the rest of the network in time to keep it from reinfecting the server farm. You can see him disconnecting the various “wanethXX” ethernet connections.

For the last part, he ends up having to reroute all the WAN connections to a new gateway (23.234.45.1) and a /24 subnet mask (255.255.255.0) that effectively quarantines the traffic in a routing loop.

He also uses astsu --ifconfig* --enable at the end to re-activate these modified connections. Elliot had to force this configuration by issuing a direct override command (set --force --ovr02) specifically for waneth04 since it initially failed.

If Elliot hadn’t pulled off this last step, the rootkit could have easily used its privileges sitting at the kernel/bootloader level to just re-establish the previous network connections, reach out to the other servers, and undo all his work once the server farm rebooted.

After the immediate crisis is averted, Elliot starts looking for artifacts left behind from the attack and makes a strange discovery. The attacker created their own directory within the /root directory and left a DAT file with the text “LEAVE ME HERE” inside.

Elliot’s first instinct is to delete the directory and the file inside, but for some reason he can’t bring himself to. Instead he changes the directory and file permissions using chmod to give himself (indicated by his username which seems to be his employee number) read and write privileges (600 in Linux/Unix) over the directory and its singular file.

Nowadays with cloud Infrastructure-as-a-Service (IaaS), remediating this kind of issue is significantly easier. Because AWS EC2 instances are virtual machines run on top of a hypervisor layer, an operating system-level rootkit is effectively sandboxed and can’t easily break out to compromise the underlying firmware.

Furthermore, instead of re-imaging a physical machine during an active breach, incident response teams can simply terminate the infected instance and spin up a pristine replacement from a golden Amazon Machine Image (AMI).

In the year of our lord 2026, Elliot would have handled this in about 60 seconds.

IRC Chat screenshot taken from https://aaronparecki.com/

Afterwards Elliot talks about contacting his “IRC chat friends” to chat about the attack. Internet Relay Chat (IRC) is a fairly old and simple protocol that’s been used, and still is used, for reliable real-time text-based correspondence in small communities connecting to specific servers or hosting your own channel. Think of it like Discord minus most of the features, colors, and ability to post images and GIFs.

It was more popular during the ’90s and 2000s, but still gets traffic from people who want decentralized chat rooms not controlled by corporations. They can easily be snooped on by law enforcement or your ISP if you’re not careful. There are ways to encrypt the traffic and try to hide your origin point, but I wouldn’t trust it too much.

Social Engineering Michael Hansen for Bank Account Access

As the B-plot for this episode Elliot has been looking into his therapist’s boyfriend, Michael Hansen, because he’s suspicious of the man due to his lack of online presence (ironically, Elliot has the same lack of presence on social media platforms). He calls Michael as “Sam from E-Bank Fraud Department” saying that his account’s been compromised. Elliot says he needs to verify some information and asks for the answers to Michael’s security questions.

Unbeknownst to Mr. Hansen, Elliot is typing out these answers in his terminal into what he says is a program he made. He’s also running a dictionary brute-force attack with a massive wordlist to try and crack Michael’s password. This consists of a large text file of 9,875,894 different strings being attempted until he finds the right one.

This is a decent diagram on how password permutations can be made.

Elliot might also be using the answers to the security questions and adding them to the dictionary entries in different ways to attempt various permutations of those answers combined with the wordlist strings in the hopes that they might be a part of Michael’s password.

To get an understanding of the various ways this might be done, you can review the core attack modes for the popular cracking tool Hashcat.
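The defender’s use of the same idea is to apply those mutations at password-set time and refuse anything that is just a security-question answer in disguise. The following is an added example, not code from the post and not Hashcat’s rule engine: it expands each answer with a small, constructed set of rewrites of the kind rule-based and hybrid modes apply (case changes, leetspeak, reversal, popular suffixes, two answers glued together) and reports which answer a candidate password was built from. The answer values and suffix list are assumptions for the demo.

```python
import itertools
from typing import Iterable, Optional, Set, Tuple

# A deliberately small rule set, constructed for the demo; real cracking rule
# files hold thousands of rewrites, which is why short policies like this are a
# floor, not a ceiling.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "12", "123", "!", "!1", "2015", "2016"]


def mutations(word: str) -> Set[str]:
    """Common ways a rule set rewrites a base word: case, leetspeak, reversal,
    spaces dropped, then each form with a popular suffix appended."""
    base = word.strip().lower()
    if not base:
        return set()
    forms = {
        base,
        base.capitalize(),
        base.upper(),
        base.translate(LEET),
        base[::-1],
        base.replace(" ", ""),
    }
    return {form + suffix for form in forms for suffix in SUFFIXES}


def derived_from_answers(password: str, answers: Iterable[str]) -> Optional[Tuple[str, ...]]:
    """Return the security-question answer(s) the password is built from, or
    None if it matches neither a single mutated answer nor a pair joined by a
    separator. Comparison is exact: the mutations already cover case variants."""
    answers = [a for a in answers if a.strip()]
    single = {}
    for answer in answers:
        for m in mutations(answer):
            single.setdefault(m, answer)
    if password in single:
        return (single[password],)
    # Two answers combined, e.g. pet name + city, with or without a separator.
    for a, b in itertools.permutations(answers, 2):
        for sep in ("", "_", "-", "."):
            for ma in mutations(a):
                if not password.startswith(ma + sep):
                    continue
                rest = password[len(ma) + len(sep):]
                if rest in mutations(b):
                    return (a, b)
    return None


def password_allowed(password: str, answers: Iterable[str], min_length: int = 12) -> Tuple[bool, str]:
    """Registration-time check: long enough and not derived from the user's own answers."""
    if len(password) < min_length:
        return False, "too short"
    hit = derived_from_answers(password, answers)
    if hit:
        return False, "derived from security answer(s): " + " + ".join(hit)
    return True, "ok"


if __name__ == "__main__":
    # Constructed answers standing in for whatever Michael Hansen gave up on the phone.
    answers = ["Fido", "Boston"]
    for candidate in ["Fido123", "f1d0!", "Fido_Boston2015", "correct horse battery staple"]:
        print(candidate, "->", password_allowed(candidate, answers))
```

The check is intentionally exact-match rather than fuzzy: a fuzzy version would reject too much legitimate entropy, while this one catches precisely the candidates a rule-based or hybrid run would reach first.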

Nowadays, this kind of attack would only really work if Elliot was able to get the password hash for Michael’s account and try to crack it offline. No bank network is going to allow someone to attempt millions of passwords in order to get access, and there are tons of multi-factor authentication (MFA) options to thwart this. People are also slightly less terrible at creating passwords.

The Framing of Terry Colby for the Evil Corp Hack

In the latter half of the episode, Elliot finally meets the titular “Mr. Robot,” played by Christian Slater, who reveals that he and his hacker crew hiding out in an abandoned arcade in Coney Island were the source of the Evil Corp DDoS and of that fsociety00.dat file that was found in the /root/fsociety/ directory.

Mr. Robot asks Elliot to implicate Terry Colby, Evil Corp’s CTO, in the hack by adding his workstation’s IP address to the DAT file before turning it over to the FBI.

This is Peter Williams. He could’ve just done his job and made tons of money. Now he’s a traitor serving 87 months in prison.

Insider threats working with cybercrime groups are definitely a real thing, but I can’t remember any stories of an executive working with them. The closest example I can think of (or maybe this is just recency bias) is the General Manager from L3Harris/Trenchant, Peter Williams, who sold zero-days to Russian exploit brokers and was recently convicted.

Where Mr. Williams claimed that financial issues and professional burnout caused him to break the law, the plot of this episode states that Mr. Colby is suspected of aiding the hackers in their attack to pressure Evil Corp during contract negotiations for his compensation package as CTO.

I think having the FBI arrest him solely based on seeing his IP in a file is a little too easy, but maybe the next episodes will add more meat to the frame job like sneaking other incriminating files or e-mails onto his workstation or personal computer.

Elliot would also be the top suspect for any tampering with the file if AllSafe were a competent cybersecurity firm (which is in question outside of Elliot himself, Angela, and maybe Gideon). Proper chain of custody would make it obvious that he was the last one, and seemingly the only one, to handle the file. Letting him take the file home to his personal computer was already a huge mistake on their part.
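Two points above, the chmod 600 Elliot applies to the artifact in /root/fsociety/ and the chain-of-custody problem with the file later, come together in how an incident responder would actually preserve that file. The following is an added example (not code from the post, and not any forensic tool’s): it rebuilds a constructed copy of the artifact under a temporary directory, locks the directory and file down to the owner, records a SHA-256 and metadata entry in an append-only custody log under a placeholder handler name, then shows that a later edit (here, appending a placeholder IP, which is precisely the frame-job step) is detected on verification. The path layout, handler name and log format are assumptions for the demo.

```python
import hashlib
import json
import os
import stat
import tempfile
import time
from typing import Tuple


def sha256_file(path: str) -> str:
    """Hash the file in chunks so large artifacts don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_artifact(path: str, handler: str, manifest_path: str) -> dict:
    """Restrict the artifact and its directory to the owner (the 0600 the episode
    shows, plus 0700 on the directory) and append a custody record with its hash,
    size, mode and mtime, so any later change by anyone is detectable."""
    os.chmod(os.path.dirname(path), 0o700)
    os.chmod(path, 0o600)
    st = os.stat(path)
    entry = {
        "path": path,
        "sha256": sha256_file(path),
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "mtime": st.st_mtime,
        "handler": handler,            # who took custody at this step
        "recorded_at": time.time(),
    }
    with open(manifest_path, "a") as f:   # append-only: every handoff adds a line
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_artifact(path: str, manifest_path: str) -> Tuple[bool, str]:
    """Compare the file on disk against its most recent custody record."""
    with open(manifest_path) as f:
        records = [json.loads(line) for line in f if line.strip()]
    mine = [r for r in records if r["path"] == path]
    if not mine:
        return False, "no manifest entry"
    last = mine[-1]
    if sha256_file(path) != last["sha256"]:
        return False, "hash mismatch"
    if stat.S_IMODE(os.stat(path).st_mode) != 0o600:
        return False, "permissions changed"
    return True, "ok"


def demo():
    """Constructed walkthrough: preserve -> verify -> tamper -> verify."""
    root = tempfile.mkdtemp()
    art_dir = os.path.join(root, "fsociety")        # stands in for /root/fsociety/
    os.mkdir(art_dir)
    artifact = os.path.join(art_dir, "fsociety00.dat")
    with open(artifact, "w") as f:
        f.write("LEAVE ME HERE\n")                    # constructed copy of the artifact's text
    manifest = os.path.join(root, "custody.jsonl")
    entry = preserve_artifact(artifact, "analyst-placeholder", manifest)
    before = verify_artifact(artifact, manifest)
    with open(artifact, "a") as f:                    # simulated tampering: a planted IP
        f.write("192.0.2.10\n")                       # documentation-range placeholder
    after = verify_artifact(artifact, manifest)
    return entry, before, after


if __name__ == "__main__":
    entry, before, after = demo()
    print(entry["sha256"], before, after)
```

The custody log is what makes the frame job in the plot risky for Elliot: every handoff is a line with a handler and a hash, so a file whose hash changes between AllSafe’s record and what reaches the FBI points straight at whoever held it in between. Permissions alone (the 600) only keep other users out; they do nothing to prove the owner didn’t edit the file.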

All in all, pretty great first episode as far as cyber stuff goes. I’m surprised that in the 11 years since it premiered nothing else has come close to reaching this level of accuracy. I’m sure that’ll only become more apparent as I get deeper in.

Sound off in the comments about anything InfoSec or InfoTech.