Trojan Horse

7

Graham Yates finished a review of the steps he and his team had taken with the infected computer. He straightened in his chair and waited for a response as Lloyd Walthrop looked on.

“Let me review this then,” Jeff said, pressing to overcome his jet lag. “Mr. Walthrop received a document, which initially refused to open and crashed the program. That sent you an alert. On his second attempt, the file executed. The incident was so minor he didn’t report it.”

“That’s right,” Yates said. He was in his forties, trim, and dressed in the blue pinstripe suit so common to UK government offices. “We noted it, however. We’ve become very proactive in dealing with such events. Like any system that interacts minute to minute through the Internet, we’ve had problems with attempts to implant malware and have been the recipients of ‘spear phishing’ directed at targeted individuals.”

Jeff had dealt with spear phishing before. It was a technique for spreading malware intended to steal sensitive information. After the recipients opened an infected document, it sought to trick them into disclosing usernames, passwords, and financial information. It did this by masquerading as something trustworthy the target dealt with frequently. It could be an e-mail or instant message. It often directed users to enter details at a fake Web site that looked and felt as if it were legitimate.

Yates continued, “We think, or strongly suspect, something’s there. Whatever it is has a bug that caused our monitoring of OfficeWorks to alert us to its presence.” He cleared his throat. “This is potentially out of our depth. You are an acknowledged expert in this field and are generally familiar with our system. I should be asking if you’ve encountered contaminated OfficeWorks document files previously.”

“Not long ago malicious PDFs were used to attack both Google and Adobe utilizing vulnerabilities and flaws in Adobe’s Reader software,” Jeff said. “Another, known as Operation Aurora, targeted Google’s intellectual property. It’s one of the reasons Google had so many issues with their presence in China. The Chinese have an ongoing army cyber warfare operation and Google is apparently a major target. RSA, the gold standard in digital cryptography with presumably the finest security in the world, was the victim of an Advanced Persistent Threat attack, which breached its security and stole very valuable authentication technology. It all but certainly was Chinese in origin.

“OfficeWorks is nearly universal. It’s the most commonly used word-processing program in the world. The recent version is as bug free as anything anywhere. I’ve not heard of any significant problems with it recently. Is this attack restricted to Mr. Walthrop?”

“There have been no other incidents. We’ve initiated manual inspection of key servers to look for suspicious activity on the systems or in our network activity without finding anything. We know that hacking techniques are sophisticated enough now to hide in the noise, so to speak, making them very hard to discover.”

Jeff suppressed a yawn. It had been a long sixteen hours since receiving the telephone call summoning him to London. He had called Daryl to tell her about the assignment. With a sinking heart he couldn’t help but notice how distracted she was by her project when they spoke. It had been in that mood he’d hurriedly packed.

Since losing his fiancée in the World Trade Center attack, Jeff had initially found it impossible to move on emotionally. Only much later, when circumstances had put him together with Daryl, had he awakened. Their frantic chase to stop the Al Qaeda cyber-attack, putting their lives at risk in the process, had served to bond them in a remarkable way. The early months of physical recovery from their wounds, of buying the town house together and joining forces professionally had been as wonderful and satisfying as any he’d ever known, the ideal joining of a personal and professional life.

In this war Jeff and Daryl were one team in a million. Jeff was in his midthirties and though he spent most of his time in front of a computer, he’d played rugby at the University of Michigan and still ran almost daily when possible. After university, where he’d obtained his doctorate, he’d taught at Carnegie Mellon, then gone to work for the Cyber Security Division of the CIA. Since 2002, he’d had his own security company.

He’d first met Daryl Haugen when she’d been with the National Security Agency, then assistant deputy executive director and head of a team at US-CERT working for the National Security Agency, or NSA. Also a Ph.D., she was a year younger than Jeff, just over average height, slender, with a fair complexion and blond, shoulder-length hair.

When he and Daryl had been brought together two years ago in their pursuit of an Al Qaeda plot to inflect massive damage to computers and the Internet in the Western world their romance had begun. Jeff had not believed he could love again but there it was, as rich, as deep, as fulfilling as before.

Jeff had rushed to reach Dulles in time for a direct red-eye flight. On the plane he’d done what research was possible on the Internet, then slept fitfully, his thoughts turning repeatedly to Daryl. Was it real? Had it ever been? Did she really feel for him what he felt for her? Or was she going to leave him? Finally, he’d escaped from his thoughts into a restless slumber.

He’d arrived in London at noon local time, been ushered immediately through immigration and customs, then driven to Whitehall where he’d been greeted by Yates. Jeff had worked with Yates before, when Jeff had been with the CIA. The UK had its own spy agency, GCHQ, which increasingly specialized in cyber operations, but their inability to match industry salaries left them short-staffed, forcing government agencies to frequently bring in outside consultants. Though there were any number of experts in malware, few carried Jeff’s security clearance. For those reasons he’d been summoned to London earlier in the year to deal with a complex infection of a portion of their network. That one turned out to be part of a generic botnet. Yates primarily maintained the intraoffice IT system and had very limited experience with viruses, other than in working to keep them out. His concern was not so much the file in question but the integrity of the system overall. He and his team could very quickly find themselves lost if they tried to tackle virus code itself and it turned out to be something serious. And there’d been enough significant problems in recent years to require that experts be brought in at the first sign of any new malware attack. It was simply too dangerous to allow new code to infect an entire system.

“Unless there is more, I should get started,” Jeff said.

“By all means,” Yates said, glancing at Walthrop, who nodded. “We’ve moved Mr. Walthrop’s computer into a free office where you can work undisturbed. This way.”

Not surprisingly the office was in the basement. Though it made no sense to place IT in desirable offices with expansive views, a window would have been a pleasant change, just once.

A man of about thirty was waiting inside. He extended his hand and introduced himself. “I’m Elliot Blake,” he said. “I’ve been the one on this bug. I know you by reputation and am delighted at the prospect of working with you. I have a great deal to learn.”

“Elliot’s my best man,” Yates said. “It was he who alerted me to this and advised against chasing it ourselves. I’ll leave you to it. Don’t hesitate if you require any services, any at all. Elliot can always reach me in seconds. It’s good to see you again.” With that and a light pat on Jeff’s back for luck, he left them alone.

Blake was a slender man with black hair and glasses. After pointing Jeff to the coffee, teapot, and biscuits he dived in. “We’ve got the latest version of OfficeWorks and we update as a matter of routine. Until now we’ve had no difficulty with it. I’m assuming Mr. Yates briefed you?”

Jeff nodded.

“So here it is from my end. None of Mr. Walthrop’s files are corrupted that we can detect. We’re told the contents of the document he received from the UN office in Geneva are reported as altered.” At this Blake made a face as if he had no idea what to believe. “I checked the digital signature and that just doesn’t hold up. It’s the one affixed in Geneva by the author. So I’d say the bloke in Geneva is lying. I ran the usual antivirus scans and came up with nothing. I even ran one for rootkits with no luck.”

Digital signatures could not be altered. Period. Invented in the late 1970s, they rely on asymmetric cryptography. In cryptography, a secret code called a key is used to encrypt and decrypt messages, much like how secret decoder rings work. With asymmetric cryptography, a user has two keys that work in conjunction. A message encrypted with one key can decrypt a message encrypted by the other and vice versa. However, a message can’t be decrypted with the same key used to encrypt it. With this scheme, a user can freely distribute one of the keys to enable others to send them encrypted messages that can’t be decrypted by anyone else. The key kept secret is called a private key and the one given out is a public key, as if many decoder rings were able to encrypt messages but only one special decoder ring could decode them.

When used for digital signing, the signer uses a hashing algorithm to produce a shortened version of the message — essentially a unique summary — they wish to sign, and then encrypts the hash with their private key. This encrypted hash is the message’s digital signature because it’s a way for a user to digitally confirm that the message is authentic. Checking to see if a message is actually the one that the sender signed requires simply regenerating the hash of the received message and seeing if it matches the one obtained from decrypting the digital signature. Any alteration of the message, no matter how small, results in a mismatch. The security of the scheme is assured by the infeasibility of determining the private key from a public key by even the most powerful modern computers.

Increasingly, governments relied on digital signature software to protect the authenticity of documents and in many cases refused to accept attachments not digitally signed. It was the system by which everyone knew a document was genuine. So it seemed the man in Geneva must be lying.

“We make every effort to determine the cause of any crash rather than take chances. We’ve found no evidence of a virus in fact.” Blake cleared his throat. “As I understand the process from this point on, to determine if the file is infected I have to trace data from the point of the crash, through God knows how many paths, each one potentially being the source of the vulnerability. Have I got that right?” Jeff nodded. “I’ve never done that before so you can see my problem. We want you to determine if there is a virus and if so, find out as much about it as you can, including who made it and what it’s up to.”

A corrupted file can be spotted, usually quite easily since it’s visibly different. But an infected file was not necessary outwardly corrupt. It could look and behave in a perfectly normal fashion. Jeff asked which antivirus programs he’d run and Blake provided the names of the five most commonly used.

“You did right,” Jeff said. “If this document is infected you could have a virus spreading throughout your network and exfiltrating data even as we speak.” He pulled out his own laptop and looked for a place to put it. “Let’s get started. Frankly, I’m dead from the flight but we’ll see how much steam I’ve got left.”

Jeff sat before Walthrop’s computer and linked to it. Next, Blake stepped him through the document’s folder and showed him the problematic file. Jeff launched a Windows virtual machine on his own laptop to serve as the laboratory and a sandbox in which he could experiment while keeping the virus contained. His first step was to configure the machine to match the characteristics of Walthrop’s as closely as he could. He then confirmed that his virtual machine was running the same version of Windows, including the updates. Then he installed OfficeWorks, also making certain it had the same updates as Walthrop’s version and configured the program in exactly the same way. Every detail could potentially be significant if the malware was specifically targeted at Walthrop.

With his test environment ready, Jeff copied the infected OfficeWorks document into the virtual machine. He now unleashed a host of automated tools so that they were ready to watch for any sign of compromise. These were scripts, sequences of commands that executed other programs, or were operating system functions, stand-alone programs that picked apart the document searching for anomalies and signs of common attack vectors. In the old days, this had been done manually and the work had been both slow and tedious.

In his laptop’s test environment where a potential virus could cause no damage he attempted to open the file. It made no difference if it crashed or not. If it did, then he could begin figuring out how to get OfficeWorks to work; if it didn’t, he could skip that step and start figuring out what the virus was ultimately trying to do.

The file failed to open. This might indicate nothing of significance as the program could have a bug that was only indirectly triggered by this particular file. Or the problem could be malware that was trying to burrow into the computer, but had hit something unexpected and failed. That was what Blake and Yates feared. If that was the case, whatever was in there had encountered an environment for which it was not programmed, meaning there was a flaw in the malware’s assumptions, causing it not to execute. For now Jeff would act with the assumption he was dealing with malware.

On his laptop were diagnostic programs that were the result of thousands of hours of work. They included the standard diagnostic and recovery tools used by everyone in his profession, but over the years he’d added a collection of very useful utilities. So valuable was the information that it was copied to several DVDs he’d secreted here and there, two of which were in safe deposit boxes. He’d once laughingly told Daryl he was thinking about having them insured.

“Okay,” Jeff said, “let’s first see if it’s a fresh variation of an existing virus.”

“Would that be good?” Blake asked.

“Oh yes, I can catch a variation pretty quickly and the fix is often a snap. We’ll know soon enough.”

New variants were the most common causes of infiltrations. An old virus became increasingly less effective as antivirus programs learned to sniff it out. The next step for the author was to alter it just enough to sneak in under the radar. Thousands of new pieces of malware were unleashed onto the Internet every month and the number was growing. Most were variations and such a variation was the most likely explanation for this problem.

Of course, no virus could actually alter an OW file, not without it looking like gibberish. Jeff didn’t want to seriously consider the alternative.

“Elliot, what do you know about the man in Geneva?” he asked while he waited.

“Only what Mr. Walthrop says, which is that he’s a civil servant with UNOG. They have a professional association. They both serve on an Iranian economic development committee.”

Jeff was inclined to think it most likely the man in Geneva was lying, as the digital signature had not been altered. It was impossible, absolutely impossible, to alter an OW document and not change the signature since it was embedded in the file. It seemed a silly claim for someone to make but he’d seen and heard of much worse from so-called professionals.

He now scanned the registry settings. Most often, malware created new entries there. This told the operating system to activate the virus whenever the computer was turned on, or when the user logged in. He spent some time checking every suspicious program reference or bit of code he didn’t recognize. Then he’d locate the code’s file and confirm it originated with a company. Malware rarely had such information. In some cases he conducted an Internet search to locate information about the file. Sometimes the suspect file had already been flagged as malware. It was tedious but had to be done.

Jeff was pleased with the level of security he found on the system, though he’d expected nothing less from such a high-priority office. Still, he knew from experience that agencies and businesses that should know better often had appalling computer security. He routinely found antivirus programs that were no longer current. Most of the malware he located had slipped in because someone had left the door open.

The scope of the harm viruses caused was enormous and not generally appreciated by the public. What they saw in their personal lives wasn’t the tip of the iceberg, not even the tip of the tip of the iceberg. Compromised government agencies didn’t want to reveal the extent of the damage for obvious reasons. It was no different with businesses. Personal and financial data was routinely stolen. Internet crime netted well over $100 billion annually and there was no end in sight. Organized cybercrime operations in Eastern Europe were becoming more sophisticated every month.

The worst part, from Jeff’s perspective, was that most individuals and companies had no idea they’d been hacked. Malware was so common he found at least some of it in nearly every computer network he examined. The only good news was that most did not do any great harm. It was obsolete or improperly designed, or cut off from its “bot herder” and left dormant.

Malware found its way into computers through two routes. The recipient inadvertently admitted the virus by opening an attachment or Web link, usually believing it was something it was not. Or the virus prowled the Internet, knocking on the doors of every connected computer, searching for vulnerability in an application or even within the operating system itself. Computers were so complicated any number of such vulnerabilities existed when software was released, whether new or an updated version. As they were discovered, usually because they’d allowed malware in, they were patched and closed. The problem with this approach was that there was always a period between infection and patching when bad things could happen.

Sometime later, Jeff said, “Okay, Elliot, I see nothing known so we can rule out the easiest solution. Whatever you’ve got is brand-new. Now let’s see if we can get the thing to execute.”

“You want it to work?” Blake said, sounding shocked.

“That way we can examine it for clues as to its origin and purpose,” Jeff said. “I’d have a seat; this will take a while.”

Once he’d started the process Jeff said, “Okay, it’s almost certainly using a zero day vulnerability.” Zero day was the term used to identify software bugs for which no fix existed because it had not as yet been discovered. Since a zero day vulnerability wasn’t yet known it was the most effective device for spreading malware as any computer with the vulnerability was wide open to cyber-attack.

OfficeWorks had improved its security enormously in recent years and was perhaps the most vetted word-processing program in existence. It was coded and built with the latest defense-in-depth antimalware technologies and only a handful of exploitable vulnerabilities had been discovered in it since the release of the newest versions. It was also designed to isolate any malware into a digital sealed room to prevent contamination elsewhere. But for all its design sophistication and vetting Jeff was not surprised that a zero day vulnerability existed in its latest manifestation. Such programs were so complex with so many authors they were never entirely secure.

Zero day vulnerabilities were a worst-case scenario for those involved in cyber-security. It had been just such vulnerabilities that had made the massive Al Qaeda attack two years before so devastating, even though the efforts of Jeff and Daryl had significantly blunted its intent. Without them the damage, and loss of life, would have been much, much worse.

Jeff rose and poured a large cup of black coffee. He drank half, then placed it down. He set his wristwatch to a two-hour timer. He’d learned the hard way that at least once every two hours he had to stretch and walk about a bit if he was to keep at this. Most problems he solved demanded a single extended engagement typically lasting eighteen hours. At that point his mental acuity declined significantly. He suspected that wasn’t going to work in this case, especially as he was already exhausted.

He sat down, took another pull of the black coffee, then loaded OfficeWorks into a debugger tool. A debugger is a program that enables a developer or, in this case, a security researcher, to control the execution of another program. It could be paused, which made it possible to step through individual CPU processor instructions, and it could be configured to pause when a specific instruction or set of conditions was satisfied. When the program was paused, the debugger enabled Jeff to view its state, including the value of all its variables. In many ways, it was like a dissection kit, letting him peer beneath the surface of the program, both observing and controlling its operation to unearth how it worked. He knew that all sophisticated malware had “anti-debugging” mechanisms, but he also knew how to defeat the most common techniques, including those that tried to prevent debugging in a virtual machine.

Once the debugger was running Jeff opened the suspect document. The debugger reported at once that OfficeWorks would not open; in so doing it accessed an invalid memory address, causing OfficeWorks to crash. So that he could more easily map the execution of the program to that point, he decided to run OfficeWorks under a special version of the debugger obtained from friends at Microsoft. It enabled him to “rewind” the program to earlier points. With this he began to step backward in the program to determine what OfficeWorks flaw the malware intended to exploit. It was as if the virus had been running an obstacle course, surmounting each barrier with ease until it came to the one it could not cross. Jeff’s job now was to find that point.

This was one of the more painstaking phases of the overall process, requiring Jeff to type notes recording all the branches the OfficeWorks program followed and the values of the data it passed. He was searching for a spot where, if something was different in one of the values, OfficeWorks would follow a path resulting in a buffer overflow, a condition in which a bug wrote data beyond the region allocated for it. Most malware infections started with just such a buffer overflow, which would cause the program to inadvertently execute code it wasn’t programmed for, code controlled by the malware’s author.

Always daunting, this time the process was especially difficult and Jeff found himself slowly overwhelmed as the day dragged on. At one point Blake had a light meal brought in, at another he suggested Jeff join him for tea. All very English, Jeff thought, munching on one of the butter cookies they called biscuits.

Throughout the afternoon and into the evening the permutations exploded and the complexity of the paths was nearly more than Jeff could grasp. But at last he located an OfficeWorks execution that accessed data in the suspect document ultimately triggering the invalid access. This, he knew, was the malware’s entry point, but there had been something about Walthrop’s environment that foiled it. If things had been as the author wanted this would have executed the OW document.

He’d suggested to Daryl at one point that afternoon that he might need her help and she’d assured him that she’d have the time. Despite her evident distraction during their brief conversation she said she was down to the final stages with her project and would be leaving shortly. Hoping she was free and home by now he sent her a message on mIRC, an encrypted chatting program used when they worked together remotely. He briefly summarized the issue and informed her that he’d found the entry point.

“Here’s the malicious data sequence,” he finished. “See what you can come up with.” The code within a virus often contained hints as to its origin, sometimes even about its author. Carelessness and vanity were two of their most powerful assets with any new virus.

A few minutes later her reply arrived. “Back home. Will see what I can do. Luv u.”

Now Jeff used the debugger to change the value at the point where OfficeWorks referenced it to the value that would allow OfficeWorks to execute the buffer overflow as the virus was intended to do.

It worked.

He watched the malware expand and decrypt itself into the memory of OfficeWorks and then activate. This part of his job was typically satisfying since it usually meant the beginning of the end, the time when he’d find a solution.

But there was more to it than that. There was something fascinatingly malevolent about a virus as it revealed itself, like a cancer spread through an otherwise healthy system. It modified everything it wanted to control, even bits of code for which it had no use. It was arrogant and self-possessing. It was, Jeff often thought, almost alive.

This was where he’d see the anti-debugging techniques. If one was in play in the execution of a CPU instruction it would behave differently than usual. Another common tell was the execution of a long string of useless instructions, one that it would take days to step through the sequence. Such a sequence was integral to the malware’s correct operation. Jeff had so much experience he knew how to spot these sequences and set “conditional breakpoints” that halted execution at key points, including one close to where the sequence was set to finish.

This virus installed itself in the memory of the OfficeWorks process, then reached out and inserted itself into a critical system process, one that kept Windows alive, performing background operations on behalf of the operating system and other processes. If things had been as the author wanted, the virus would now be in position to execute within OfficeWorks. He watched as it set a timer. That done, it quietly went to sleep.

“It’s got a timer,” he said to Blake with a smile.

“A timer?” he repeated.

“It set an alarm clock, a timer to activate randomly every twelve to twenty-four hours.”

“Why would it do that?”

“Because it’s harder to spot when it’s asleep. But we’re not waiting for it.” Jeff overrode the timer and told the virus to wake up now. This allowed him to see what it did.

It was well into the night by now. The corridor outside had been silent for some time. Blake had glanced at his wristwatch repeatedly, finally commenting that the American sure seemed to work long hours. Jeff was exhausted but his breakthrough compelled him to press on. Over the next three hours he monitored the malware’s execution using both the debugger and another tool that recorded every change the virus made.

With his monitoring tools Jeff searched for the saved or modified files it created. Seeing none he searched for an update to the registry configuration database, typical alterations done by all malware he’d looked at before. What he found was… nothing.

The virus left no tracks.

This came as a great surprise. Though this virus had been cleaner than most he encountered, until this moment he’d had no great respect for the author. The techniques he’d observed had been pioneered by others. But this was impressive. It was as if the malware had walked across virgin snow without leaving a print.

He had known this technique was coming and dreaded the day. Authors of malware knew that rootkit scans were becoming increasingly common and rootkits could no longer be relied on to conceal a virus. With this new technique the author was adopting a fresh, and very effective, method in the never ending race for digital stealth. As it spread, and it surely would, viruses would become increasingly difficult to locate.

This was the first time Jeff had seen it employed. If someone were to analyze the system at the point they’d see no sign of the infection. They’d have to know precisely where in the system process to look for the copy of the malware loaded into memory. That would be like trying to find a book in a major library without the Dewey decimal system.

He told Blake what he’d just discovered.

“You mean it makes no modifications to the system, so it can’t be discovered?” Blake said. “I’ve never heard of such a thing. I didn’t even know it was possible. How does it survive a system reboot?”

“This is a form of malware that leaves absolutely no detectable trace of itself when loaded, but for it to maintain its foothold through a shutdown it would have to download itself to a file and register the file to execute at the next reboot. After activating, it would delete the file from disk. That way, it is effectively invisible without resorting to rootkit techniques. Of course, if the system powers off without executing a shutdown, the virus won’t survive, but that’s a very small risk that the author was apparently willing to take. At least that’s what it looks like to me. I’m going to reboot now and see if it actually happens.”

Jeff left the monitoring tool running during the shutdown and subsequent reboot. He carefully examined the resulting activity log of the transition until after midnight. It was then he finally found evidence confirming his theory. That was what the virus did. Nasty. He stopped to mull the possibilities.

“Mr. Aiken,” Blake said. “You fell asleep.”

Jeff jerked his head up. “Sorry.” He rubbed his eyes, then said, “Elliott, I need to sleep. Back after a few hours’ rest, a shower, and some food. And call me Jeff, will you?”

8

Saliha Kaya stretched naked across the sheet, glanced at Ahmed snoring lightly beside her, then rose and quietly turned on the shower in the cramped bathroom. Once the water was hot she stepped in, luxuriating in the wet warmth. She had no shower in her apartment and took full advantage whenever she spent time here with Ahmed.

Recently turned twenty-eight, she was above average in height and had very long, black hair. Her traditional Turkish figure held more curves than was currently fashionable in magazines, and though attractive she could not be described as a beauty. She had a manner, however, that men found quite appealing.

Saliha was one of six children born to a very poor family in Ankara. Her father had worked in construction while her mother stayed home for the children. To help, she and her daughters made shawls, which she sold at the market. By the time Saliha was ten she could make a shawl blindfolded.

There’d been no money for more than basic school and with so many children Saliha had understood she must fend for herself as soon as she could. She’d waitressed for a time, spurned an offer to become mistress to an older banker, then traveled with a young lover to Prague, for a chance to see the world before it was too late. When their relationship soured and he’d returned to Turkey, she’d stayed on. Her appearance and personable manner had given her work in bars and the trendy clubs, which was where she’d met Ahmed.

She spoke no Farsi and he spoke no Turkish so, as was the case with so many international couples, they conversed in English. She’d once loved her handsome Iranian passionately but the flame of her love was slowly fading. Their time was coming to an end and if she found one more sign he was sleeping with other women she would end it abruptly, no matter how much he paid for her trips.

With the last of the hot water gone, Saliha turned off the faucets, then stepped from the shower and toweled herself carefully. She moved quietly into the single room, sat before an old mirror, and slowly combed out her hair, memories of her childhood flooding back as they always did at such moments. Her grandmother had lived with the family until just before Saliha left home. She’d loved her granddaughter’s long silken hair, telling her it was a gift of Allah, one she should always cherish.

Saliha didn’t know about God but men certainly liked it and every woman she knew was envious.

Ahmed moved lightly. She glanced at him through the mirror. He was a handsome man, with a fit body. He was quick, smiled easily, and was fun to be with. And there was the powerful physical chemistry between them. Whenever they were together they fell into bed at once. It was as if until after sex they couldn’t carry on even a simple conversation. She’d never before experienced anything like it.

Saliha lived in a room in an apartment she shared with three other women who worked at the same club. She’d wanted to move in with Ahmed not long after they met but he’d resisted and now she was glad. It would make ending it much easier.

The question was when.

Her best friend had told her about Ahmed’s love of European blonds. Then one of her roommates, Ayten, said that she’d seen him outside a coffee shop with a blonde and there’d been no doubt what was going on between them. Saliha had her own doubts even before hearing from her friends. This latest story was just so much confirmation. She wanted a faithful man. Was that too much to ask?

Then there was this business of Ahmed’s. She’d stopped asking about it months before but it still bothered her. He was involved in something mysterious and probably dangerous. Attending college was clearly a cover based on the caution with which he lived. He paid cash for everything. That in itself was not so unusual, as few illegals in Prague had bank accounts, but he was a legal resident student and there was no reason for him not to have an account.

Also, she could never determine just where the cash came from. He received no checks, she was certain. The money just seemed to appear. He was occasionally lavish in his spending and yet he always had enough.

He never spoke on the phone in her presence. And he had at least two phones. With her it was always the same one. Another appeared whenever he was making these mysterious calls. She’d often wondered who he talked to because if he had friends, she’d never met them.

Then there were his mysterious trips. He’d simply leave without a word. Sometimes he was gone no more than two days, sometimes as long as two weeks. When he returned he made no mention of the trip, never brought her a gift. It was as if he’d never been away. It was strange.

At first she’d suspected he was involved with drugs in some way. Not as a dealer, of course, she’d seen no signs of that, and certainly not as a distributor, but… somehow. But as she’d come to know him she’d understood the absolute contempt he felt for drugs and drug users. Ahmed might enjoy women but in his own way he was quite puritanical. He didn’t attend mosque every Friday but it was a rare month when he didn’t go at least once, which was more than Saliha could say.

No, he was involved somehow in the black market. That had to be it. But what? She couldn’t decide. Her latest theory was weapons, though she’d seen no sign of them and Ahmed had no gun, of that she was certain.

But she couldn’t help wonder what would happen to her if she was ever caught running errands for him. Ahmed had promised that what she did was harmless but he would say that, wouldn’t he?

She slowly dressed, watching him as she did. She pulled on her tight slacks, connected her bra behind her back, then slipped on a very tight white blouse. Finally she stepped into the high-heeled boots she enjoyed so much even though she towered over many men, even Ahmed, in them.

She returned to the dresser and idly fingered the key-chain thumb drive, balancing it in her hand as if she could somehow decipher its mysteries. What was on it? She’d never looked. She’d never so much as tried. She’d been concerned there might be some way for Ahmed to tell. He’d warned her that the information could only be accessed with a certain code and he had ways of knowing if she even opened the file. She slipped it into her pocket.

Saliha glanced at the dresser, then placed her hand on the cash. She didn’t like it when he paid her like this, after sex. It made her feel like a whore, though the money wasn’t for sex and they often slept together when she received no money at all. No, the money was for expenses plus a bit extra to buy things for Ahmed he couldn’t get in Prague. She’d get the balance, her fee, when she returned.

With a final glance at Ahmed she let herself out, hearing the door latch behind her. She walked down the stairs, then passed out into the late-afternoon sun under the gaze of the Hungarian. She was used to that. She lightly touched the switchblade knife in her pocket, the one she’d carried since puberty. Just let him ever try and lay a hand on her. She slipped on sunglasses and strolled toward the city center.