Worm: The First Digital World War
Author: Mark Bowden
No one was deeper into those questions than Phil. He and his team had already seen that the initial fraudware scam, the effort to download fake antivirus software from the now defunct TrafficConverter.biz, was not the ultimate purpose of this botnet. They had come to believe that Conficker was unlike anything they had seen before. It was not some quick moneymaking scheme. It was not an effort to show off. The worm itself carried no specifically harmful payload. It had bigger ambitions. It was quietly and effectively building an infrastructure, a sturdy platform for malicious activity. It was a tool, one that could be used to launch whatever its controller wanted, from a simple spam operation to an all-out attack on the world’s digital vitals. And it was hard to believe that anyone with the ability to create such a tool would not have big ambitions for it.
At heart, the Internet is a protocol, a carefully choreographed method of moving data from one computer to another. The specific protocol that defines it, that makes it possible, is Transmission Control Protocol/Internet Protocol (TCP/IP), a suite of programs for sharing data created by the U.S. Defense Department when Richard Nixon was president. In order to move data from one machine to another, you have to know what is being sent, and how it is going to look at the other end of the transaction. Protocol, a word borrowed from diplomacy, defines how to package and send data so that it can be recognized and processed between computers. Home users are usually customers of an ISP, which enables them to connect with the Internet. It assigns each machine on its network an IP address, and usually has a different set of IP addresses with which it identifies those machines to the world. Every packet of data sent from a computer is given a header, which is essentially the same information as that on the outside of an envelope in traditional mail—the home address and the destination address. The ISP ships this packet to a router, a large computer that governs traffic flow.
Conceptually speaking, the Internet has three layers. Layer One consists of the actual Network Interface Cards (NICs), the extensions inside computers that enable them to link with a network, and cables. Layer Two is made up of routers and switches, the subnet of computers that direct traffic, and the software that breaks Internet messages into packets. Governance of this layer was primarily in the hands of the Internet Assigned Numbers Authority. The American Registry for Internet Numbers (ARIN) is responsible for keeping track of IP addresses in the United States, Canada, and parts of the Caribbean. Layer Three consists of “applications,” the domains created by organizations or individuals to be their public face in cyberspace. This was the layer overseen by ICANN, which is primarily responsible for the domain name registries, which authorize the registrars who actually serve customers who purchase domain names. Most malware attacked this upper level, Layer Three. Conficker utilized Layer Two, using the IP address system to set up an ever-shifting command center.
Blocking access to that command center was the immediate challenge. Hassen Saidi had grafted the worm’s domain generating algorithm to his own clock in the lab. When he set the clock forward, the worm would dutifully spit out the list of 250 prospective domain names for that future date. To get out ahead of the worm, the X-Men would have to register all 250 of those domains in advance. If they succeeded, then the worm’s creator would have no way to communicate with the botnet. Checkmate.
The side benefit, once you controlled all of the places contacted by the botnet from day to day, was to own a running tally of infected, vulnerable computers. As that list grew each day, it gained in value. Whoever owned it would possess the most precious feature of the botnet. To actually seize control would require breaking the worm’s code, but the list itself could be sold or leased to web scammers, thieves, or even nation-states. And any botnet the size of Conficker would contain some particularly valuable networks, those owned by corporations, banks, or government agencies.
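The pre-registration defence described in the two paragraphs above, as an added example that is not from the book: a stand-in date-seeded domain generator (assumed for illustration, not Conficker’s real algorithm), a look-ahead that lists the names the defenders must still tie up, and a sinkhole tally that turns contacts from infected hosts into the running count of compromised networks. The function names, the TLD list and the log lines are all constructed here.

```python
import datetime as dt
import hashlib

DOMAINS_PER_DAY = 250                        # the daily figure the book gives
TLDS = ("com", "net", "org", "biz", "info")  # assumed list for the stand-in DGA

def daily_domains(day: dt.date, per_day: int = DOMAINS_PER_DAY) -> list[str]:
    """Stand-in DGA (not Conficker's): the calendar date is the only input, so
    whoever holds the algorithm can set the clock forward and read off the names."""
    seed = day.isoformat().encode()
    names = []
    for i in range(per_day):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 4  # 8 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names

def lookahead(start: dt.date, days: int) -> dict[dt.date, list[str]]:
    """Every name the worm will try over the next `days` days."""
    return {start + dt.timedelta(d): daily_domains(start + dt.timedelta(d))
            for d in range(days)}

def still_needed(start: dt.date, days: int, registered: set[str]) -> list[str]:
    """Names the defenders have not yet tied up; checkmate is an empty list."""
    return [name for names in lookahead(start, days).values()
            for name in names if name not in registered]

def sinkhole_tally(log_lines: list[str], expected: set[str]) -> dict[str, int]:
    """Once the defenders own the rendezvous domains, every contact from an infected
    host lands in their logs: count distinct hosts per /24, ignoring non-DGA names."""
    seen: dict[str, set[str]] = {}
    for line in log_lines:
        _ts, ip, domain = line.split()
        if domain in expected:
            net = ".".join(ip.split(".")[:3]) + ".0/24"
            seen.setdefault(net, set()).add(ip)
    return {net: len(ips) for net, ips in seen.items()}

DAY = dt.date(2008, 12, 16)
NAMES = daily_domains(DAY)
SAMPLE_LOG = [  # constructed sinkhole log lines, not real Conficker traffic
    f"2008-12-16T00:01:02 192.0.2.10 {NAMES[0]}",
    f"2008-12-16T00:01:05 192.0.2.11 {NAMES[0]}",
    f"2008-12-16T00:02:10 192.0.2.10 {NAMES[3]}",  # same host again
    f"2008-12-16T00:03:00 198.51.100.7 {NAMES[9]}",
    "2008-12-16T00:03:30 203.0.113.5 unrelated.example",  # not a DGA name
]
```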
Phil needed someone more familiar with the whole domain name system than he was, but also someone he could trust. He approached Rick Wesson, who had worked with him before, and who lived right in the San Francisco Bay area. Rick owned, among other things, a small domain name registrar. Indeed, Rick had been among the first people in the world to even know what one was.
He was part of the Internet’s first wave of cocky young entrepreneurs, one of the many young geeks who moved to California twenty years ago to catch the coming digital wave. He dressed informally; a short man with an often messy, close-cropped head of reddish brown hair, he had, despite his forty-some years, the looks and manner of a college student. He favored T-shirts and jeans and despite his accomplishments and success still clung to an undergrad sensibility—for example, telling an audience at a 2007 symposium where he was invited to speak that he was “hungover,” so he planned to keep his presentation “light.” He spoke in a high-pitched, soft, singsong that disguised his natural bluntness and irreverence, and somehow made them more startling. This soothing tone was absent from his written messages, which could be jarring—“I’m not going to stop telling you what I think,” he wrote to one offended colleague, “Get used to it.” Rick was largely self-taught, and since personal computers were still relatively new, there were few elders around who could match his expertise. He had first used his hacking skills in Florida to print fake report cards for himself and his friends, which got him kicked out of high school. So he landed a computer security job while completing the course work to get admitted to Auburn University. It was there, as a freshman in the late 1980s, that he started his first business selling T-shirts decorated with cool fractal images he generated with the university’s engineering school computers.
Rick had hippie leanings, but about two decades too late. He graduated from Auburn in 1992 and took a job teaching at Summit High School in Breckenridge, Colorado, where the principal was planning to float a bond issue to fund a computer network to connect all of the district’s schools and libraries. Rick got excited about the project—he had actually written a book while still a student at Auburn about computer networking. The principal had a friend with IBM, and together they envisioned a closed computer network that the big computer company would install and manage. Rick saw the project as a boondoggle. See, there was this amazing new tool called the Internet that offered the same connectivity . . . for free. Building the network would still have costs, but only a small fraction of IBM’s proposal. It was a no-brainer. Except, of course, that when Rick tried to explain, the principal said no. A little too preemptively, in Rick’s estimation. There was a scene. Rick might have thrown some binders around the principal’s office. It led to his resignation.
So instead of steering the Breckenridge, Colorado, school system into the Internet vanguard, Rick worked for a few months washing dishes at a ski resort, and then he and his girlfriend, Pilar, got a bus, which they called the “Green Tortoise,” and—shades of Ken Kesey and the Merry Pranksters—loaded it with pot and a few dozen friends, and pointed it south, touring and smoking and drinking, all the way to Guatemala—Rick was more of a beer man himself, but fitted right in with the potheads. His wanderings next took him to Europe, through Spain, to Paris, and eventually to Turkey, where Rick met a German who was determined to set up the first Internet domain name registry in his country. The Internet was taking off, and it was clear that domain names were going to be the primary sorting mechanism for it. He followed the fellow to Düsseldorf, where they set up the business, and then Rick decided that the United States was ripe for the same kind of project.
Before most people had ever heard of the Internet, Rick recognized it as an opportunity. The world was going to become a more efficient place, with detailed expert advice on every conceivable subject right at your fingertips! Answers to difficult problems waiting to be downloaded for free! When he was a senior at Auburn, a professor had sent him with a group of other students to a local office supply company, in an exercise to design a computer-based solution to an actual workplace problem. The issue presented to Rick’s team was tracking inventory. The other members consulted with the company about the problem, and wrote a program themselves that ultimately didn’t work. Rick was not wired to play well with others, and, besides, he had a better idea than his teammates. Why write a bad program when you could borrow one that worked well? He tapped into the nascent Internet and found some free inventory-tracking software that worked like a charm. He downloaded it and implemented it successfully at the local company. The company was happy. Problem solved! His professor flunked him, explaining to Rick that the essence of the assignment had been to cooperate to design an original solution. He could see his teacher’s point, but it irked him. Come on! Why waste your time trying to invent something that had already been invented? The real problem, as Rick saw it, was the same one that would lose him the teaching job in Breckenridge. These guys had never heard of the Internet! The failing grade had left him several credits shy of graduation, and set him back a full semester.
He returned from Düsseldorf in the early 1990s with a clear business model in his head. He landed an IT job in Silicon Valley, and the owners helped him set up a consulting business and signed on as his first client. In the ensuing years he started and sold a string of businesses. Pilar joined the organic food boom, and they moved out to a farm. Rick’s work led him to some early work on Internet governance and technology. He was involved in writing some of the early protocols for ICANN, and as a result knew the workings of that system like the back of his hand.
The Internet, unlike roads, pipelines, or electrical grids, is not organized along physical pathways. Given the packet-switching method it employs to move data, more teleportation than straight transmission, there are no clearly defined pathways for its unceasing traffic. It is organized more like a phone book than a road map. The keys to routing packets were “identifiers,” the domain names given to specific locations. There are nearly two hundred million domain names registered. The names are sold, cataloged, and maintained by commercial registrars, which are governed by registries. The registries themselves are overseen by ICANN, which functions as the primary phone book, the job it took over from SRI in 1998. At the low end of this system is the local ISP, which provides routing services for computers linked to its network, whether home users who buy a connection from a commercial provider or an office computer linked to an in-house network with its own server. These millions of small servers are grouped under three hundred or so Top Level Domains, signified by the letters that come after the period at the end of an email or web address—.com, .biz, .edu, .de, etc. If your email address ends with Loyola.edu, then Loyola (Loyola University) is your local domain, and .edu is your Top Level Domain, the designation for universities.
So domain names are the postal addresses of cyberspace. Each individual computer has its own address, which is assigned to it by its ISP. In order to connect with a website on the Internet, your computer sends the address to its ISP. To make things easier for human users, that address, which consists of a long line of numbers and symbols in computer language, is translated into a recognizable word—e.g., www.google.com, or harvard.edu. Keeping track of all of these millions of names is an industry made up of thousands of small registrars. Each registrar operates a server, which makes sure there are no duplicate names, and which can route messages to that domain.
At a time when few people outside Silicon Valley had ever heard of such things, Rick used the experience in Düsseldorf to form his own registrar. He named it ar.com, short for “Alice’s Registry,” after the famous talking blues performance by Arlo Guthrie, and obtained a license from ICANN to sell domain names. Ten years later, Rick was regarded as a pioneer. In 2002, he was appointed to ICANN’s committee on security.
Security issues had begun to intrigue him primarily as an intellectual challenge. He saw the threat posed by botnets, and that few even in the IT business knew how to stop them. Not just stop them but how to track and monitor them. When he joined ICANN’s security committee, he learned that the agency did not even know how many botnets there were. Nobody was paying attention. So he formed a new company called Support Intelligence, and set about filling the need. He used the large Internet interface afforded by ar.com to assemble honeynets, and begin compiling research data. If he could measure them and capture their traffic, he could identify which computer networks—academic, corporate, government—were pwned. Then he could sell that information—he did not share Andre’s compunction about profit. Rick had, partly by design but largely by happenstance, maneuvered his way into the leading edge of Internet security.
So when Phil was looking for somebody who would know how to tie up in advance all 250 of the domain names Conficker would generate daily, he thought of Rick, who had become a well-known player in Internet governance circles. Rick knew all about the new worm, of course. When Phil contacted him on December 15, it had already been spreading for three weeks. There were known infections in 106 countries. It was the talk of the computer security world.
“We’ve fully recovered the Conficker assembly and have been plowing through it in detail,” Phil emailed him. “We’ve cracked the domain generating algorithm and have a full listing of domains that will be generated for the next 200 days.”