Worm: The First Digital World War
Author: Mark Bowden
They were psyched!
But we are getting ahead of ourselves . . .
In mid-December 2008, the chat channel was up, a private Listserv—the List!—where these real-life X-Men, Rick Wesson, Rodney Joffe, Andre DiMino, and the others, plotted strategy, shared insights, coordinated efforts, and kept up a running dialogue. Anything posted to the List was available to the entire group, and most of it dealt with the minutiae of technical analysis, code-breaking, sinkholing, etc. Much of it read like this:
MD5: 38c3d2efdd47b1034b1624490ce1f3f2
>> SHA1: c6c1ed21ea15c8648a985dbabc8341cf1e3aa21e
>
>> That’s the unpacked version and it was sent by VirusTotal on Monday.
Or like this:
> A fixed src port and linux pOf; dozens of GETs in under 3 seconds . . . this suggests a likely script. Others have noted a python 2.6 urllib user-agent:
But from time to time various members would use the List as a soapbox or sounding board, speculating, proposing, arguing, praising, lamenting, criticizing, sometimes with real eloquence. Mining these exchanges and ventings reveals a detailed chronicle of the effort, often minute by minute. So the history of this remarkable technological drama, which might be called the First Internet World War, and which took place almost entirely out of the public eye, unfolds as a series of missives, like an epistolary novel. Shades of Samuel Richardson!
As the threat mounted, working with the X-Men became a mark of status. Here was a band of warriors for the Internet, which is to say warriors for civilization. It sounds corny, but it was true. Most of the core members knew one another well: Paul Vixie wrote in one of his first postings to the List, “Whenever I’m added to a security list, I look around for [the usual suspects] and a bunch of other regulars, and if they’re not there yet I know they’ll be along in a few weeks. Sometimes I even nominate them myself just to cut down on the suspense.” Those who wished to join had to be vouched for by others already on the List, and some were turned away: “I feel like we are in high school,” wrote Rick Wesson. But there were only a few hundred people in the world capable of the work.
By the end of December, the X-Men were regularly pulling all-nighters, trying to stay one step ahead of the evil botmaster. T.J. was working until ten o’clock most nights in his office up in one of Microsoft’s Redmond sprockets. His boss would stop by, surprised to see him in so late.
“What are you doing?” he’d ask.
“Conficker.”
“Everything okay?”
“Well, the Internet’s melting. We’re just keeping it from melting completely.”
The bad guys behind Conficker, its unknown botmaster, would prove to be worthy adversaries. They were villains in the truest sense, talented programmers bent on using their powers for evil. And the world war was about nothing less than the soul of the future, the soul of the new global mind. As for the X-Men, what could be cooler than to be right in the middle of it, showing off your chops?
6
Digital Detectives
THIS MAY NOT BE MUCH OF A WORLD . . . MAY NOT EVEN BE THE WORLD IT IS SUPPOSED TO BE . . . BUT IT IS OUR WORLD NEVERTHELESS. AND WE WILL FIGHT FOR IT.
—The Amazing X-Men
At the October 2008 botnet conference in Arlington, Virginia, the one where T. J. Campana unveiled Microsoft’s “out of band” emergency patch, he had handed a sheet of paper to Andre DiMino.
“Do you know anything about this?” he asked.
It was a printout of information about Gimmiv, the first piece of malware that used the Chinese kit to exploit the newly discovered Port 445 vulnerability. Andre didn’t recognize the strain offhand, but he was the right person to ask.
On a Monday morning ten years earlier, Andre had stumbled into the malware wars when he discovered that over the weekend someone had broken into the computer system he was managing for a small company in New Jersey. Andre has an undergraduate degree in electrical engineering with an emphasis in computer science, but most of what he knows about botnets he has taught himself. At forty-five, he is a tall, slender man whose dark hair is cropped close to his scalp. He is affable and quietly idealistic, and he has a selfless passion for his work. His day job is doing computer forensics for the Bergen County prosecutor, but the work that drives him most is done before a small array of computers in an upstairs bedroom of his suburban New Jersey home.
Andre has a sense of mission, of higher purpose. He hunts bad guys in cyberspace for free. His email arrives with a New Testament admonition, from Saint Paul’s first letter to the Thessalonians: “Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else.” He has a very particular code of ethics about his work, which makes him something like a photographic negative of those he combats, and a rarity even among those fighting the good fight. A whole industry has grown up around protecting vulnerable computer networks for profit. Andre is determined not to profit from his work; once he hunts down a compromised computer network he informs the owner of the problem free of charge . . . just because it is the right thing to do. Then he kills the botnet.
Back when he discovered that weekend break-in at his old employer’s offices, Andre assumed it was the work of a hacker, a vandal, or possibly a disgruntled former employee, only to discover, from an analysis of the IP addresses of the incoming data, that the company’s network had been invaded by someone from Turkey or Ukraine. What would someone halfway around the planet want with the computer network of a small business-management firm in a New Jersey office park? Apparently, judging by what he found, his invader was in the business of selling pirated software, movies, and music. Just as T.J. Campana had discovered at FSU, the pirates had gone looking for large amounts of digital storage space in which to hide stolen inventory. They appeared to have conducted an automated search over the Internet, looking worldwide for vulnerable systems with large amounts of unused disk space—Andre compares it to walking around rattling doorknobs, looking for one door left unlocked. His network fit the bill, so the crooks had dumped a huge block of data onto his disks. He erased the stash and locked the door that had allowed the pirates in. As far as Andre’s employer was concerned, that solved the problem. No harm done. No need to call the police or investigate further.
But Andre was intrigued. He reviewed the server logs for previous weeks and saw that this successful invasion was one of many such efforts. Other attackers had been rattling the doors of his network, looking for vulnerabilities. If there were bad guys actively exploiting other people’s computers all over the world, designing sophisticated programs to exploit weaknesses . . . how cool was that? And who was trying to stop them?
He set about educating himself on the fine points of this obscure battle. He eventually founded, along with a like-minded botnet hunter named Nicholas Albright, The Shadowserver Foundation, a nonprofit partnership of defense-minded geeks at war against malware, effectively transforming himself into a digital Sam Spade—indeed, the graphic atop Shadowserver’s home page features a Dashiell Hammett–style detective emerging from shadow. Today the organization coordinates the donated labor of like-minded cybervigilantes all over the world, tracking and, whenever possible, killing botnets. With the help of scores of volunteers and automated software like the program that monitors Phil Porras’s net at SRI, they snare and catalog every new strain of malware that appears. Then they dissect it and trace it back to its source, all the while monitoring it to chart its activity and reach. This is time-consuming, sometimes tedious work, and apart from the satisfaction of slaying Internet dragons, there are few rewards.
In the beginning, Andre was rarely even thanked. At first Shadowserver’s discoveries and notices were more likely to be met by disbelief and suspicion. Shadowserver would spot a new botnet taking shape and track the flow of data back to a particular network, and then to a specific IP address on that network, and then notify the service provider of the problem.
“This is not an attack from the outside,” Andre would tell the ISP’s security chief, who may or may not have noticed an uptick in traffic on his network. “This is something from the inside.”
More often than not, the information was received grudgingly. Here was someone unknown—“They probably thought we were just a bunch of garage hackers,” says Andre, “calling to tell the professional that his network had a flaw. They tended to react defensively.” The fact that some amateur ninja had been sniffing around their network didn’t go over too well, either. Most security managers were conditioned to treat such people as the threat, not realizing that the problem had outgrown the hacker stage. Either that or the IT manager just felt Andre was some smart-ass trying to show him up. The idea that there was a selfless hacker offering managers useful information about their own network, for free, was hard to believe.
Brian Krebs, then one of just a handful of newspaper reporters (he was working for the Washington Post at the time) covering computer security, was so impressed that he wrote a cover story for the paper’s Sunday magazine about Shadowserver.
Botnets were becoming a big problem, and Krebs thought the work Andre and Nick were doing was very much needed. He was surprised to find that there were these guys doing what he had hoped someone was doing. The industry was full of sellouts; people with a good idea would approach a big company with it and cash in. Here was a group of guys doing this work, which not many people even know how to do, infiltrating and cataloging botnets, and doing it as a public service. Krebs himself found it hard to believe.
In the 2006 article, “Bringing Botnets Out of the Shadows,” Krebs wrote: “Botnets are the workhorses of most online criminal enterprise today, allowing hackers to ply their trade anonymously—sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking sites. . . . Constant attack and setbacks can take an emotional toll on volunteers who spend countless hours not only hunting down bot herders but in many cases notifying the individuals or institutions whose networks and systems the hackers have commandeered. This is largely a thankless job, because in most cases the victims never even respond.”
Gratitude started to come once Krebs’s article put Shadowserver on the map. The cause brought like-minded geeks out of the woodwork, and the organization grew. It started getting requests for information from the FBI and Secret Service. Some consideration was given at that point to taking Shadowserver commercial. The data the foundation collected were undeniably valuable: this information clued large servers and networks in to looming threats and cataloged vulnerable systems. Charging would at least enable Shadowserver to pay people for their time, effort, and talent. But the group decided to keep doing the work for free. Andre saw it this way:
If you knew someone’s house was in danger of catching on fire, would you simply warn him or offer to sell him the information?
By early 2009, the group had a ten-member core, and lots of carefully screened volunteers. Andre wanted to do the work full-time, and fantasized about a large grant or sponsorship that would enable him and the other core members to do so, but they all still needed their day jobs. They were collecting thousands of malware strains, snaring as many as ten thousand samples in their honeypots every day. Shadowserver played a central role in battling botnets, and received thousands of requests daily from network managers for technical reports.
With that many strains to track, Andre didn’t recognize Gimmiv right away when T.J. approached him at the October conference. He checked his records. The Japanese exploit didn’t amount to much, but he could see Microsoft’s concerns. With an exploit kit available for a fee, and with MS08-067 advertising the vulnerability, he could see just as Microsoft did that something worse was probably on its way.
There is no formal relationship between the various computer security companies, labs, or organizations, so Conficker’s arrival in late 2008 was noted and assessed by each in its own way. Eventually Hassen Saidi’s reverse-engineering of the worm out in Menlo Park would prove to be the most definitive, but dozens of other experts were trying. Conficker was too big to ignore. Andre also took notice of it right away, not because he connected it immediately with Gimmiv, but because of its rapid and remarkable success. Within days, Shadowserver’s honeypots all over the world were filling up with it the same way Phil Porras’s was at SRI. Andre was alarmed. He learned from a colleague working for F-Secure in Finland that the worm was using a domain-name-generating tactic similar to Srizbi’s.
So he had begun tracking it. Andre was accustomed to seeing botnets with a few hundred thousand drones. As this one reached a million, then two million, then three, then four, it felt scary. Its potential to do harm grew with its size. Nobody was more accustomed to dealing with botnets than he was, but the scale of this one was daunting. It was clearly more than your average spambot. What if this was the work of a nation-state? What was it for? How did you begin to stop it?