Worm: The First Digital World War
Author: Mark Bowden
Particularly troubling was the USB drive capability. It meant that even “closed” computer networks, those with no connection to the Internet, were vulnerable to the new strain, since users who cannot readily transmit files from point to point via the web often store and transport them on small USB drives. There had been just such a security breach at the Pentagon, one of the biggest closed networks, a notorious episode that confirmed the adage about a chain being only as strong as its weakest link. Someone had hurled fistfuls of USB drives out of a car window into a parking lot outside the gigantic military headquarters in Arlington. A defense department employee (the weak link) had picked one up off the pavement and, curious enough to be heedless, plugged it into a computer at the complex, thereby injecting a nasty virus into the large, supposedly sealed and secure military network. This had prompted a ban on all USB drives at all secure government computers (about which more later).
The USB feature was a game-changer, as far as T.J. was concerned. In the first weeks of January, Conficker B would revitalize the botnet dramatically. It began infecting more than 1.5 million new computers every day, according to an F-Secure study in mid-January. The study estimated that as of January 16, the botnet numbered 8.9 million.
The level of sophistication on the B strain wasn’t just dazzling; it was scary. Out in Menlo Park, Phil and Hassen thought at first that someone else had stepped in. The worm had upped its game so expertly that it was as though the first-string team had taken over.
But there were also signs that this was the work of the same adversary. There were distinct structural similarities with Conficker A. There was also a new feature that Hassen read as a direct challenge. The B strain blocked any infected computer from accessing SRI’s websites. It was as if the worm’s creator had sent him a message:
We know you are after us. We’ll do this to let you know that we know.
In the beginning, for Hassen, it had seemed that the botmaster lived in some parallel universe. He had no idea who he was or where he was . . . he was just out there somewhere, like a malevolent spirit. But with the B strain he was coming into better focus.
First of all, the botmaster was almost certainly more than one person. The worm’s authors had become people, personal adversaries. They were very clever, and they were competitive, as competitive as he was. As his appreciation for their talent grew, the personal nature of their challenge really grabbed him. He found himself thinking day and night about it. The B strain showed that, so far, the botmasters had anticipated all of the Cabal’s moves. They were showing off a little. Hassen knew for sure now that he was not dealing with “script kiddies,” his way of thinking about pimply hackers. These guys were pros.
In Phoenix, Rodney Joffe, the Cabal’s elder, also felt certain now that the worm could have been created only by a team of experts. There were simply too many levels of expertise involved; no single villain could be that proficient in so many obscure disciplines. It demonstrated deep knowledge of Windows, as if the programmer had helped write Microsoft’s code, and much of the programming and packaging (as Hassen had discovered at the start) showed a fine and original hand. It showed an insider’s understanding of the computer security industry worldwide, as well as a high-level understanding of Internet traffic—Rodney’s own specialty. He was particularly impressed by the increase from five to eight in the number of TLDs tapped by its domain-name algorithm. Only people who knew exactly what they were doing would recognize how much harder that would make things for Rick Wesson and other web gurus in the group. The cryptography stuff was mind-blowing. How many people in the world were clued in to the international competition for SHA-3? It was like being a back surgeon with a rare specialty dealing with one particular vertebra, who was also a high-level astrophysicist, an astronaut, and the starting third baseman for the Philadelphia Phillies! And it was very clear that the botmasters were watching the Cabal. Conficker B could be understood only as a countermove, and a good one.
Phil agreed. After conferring with some federal agents in Washington about the nature of the threat, he wrote a note to Rick expressing a new level of concern:
Conficker may indeed represent a multimillion-dollar business infrastructure. If they are indeed producing the kinds of revenue that we think they are, then there is a good chance they may have connections to [a] Russian or Ukrainian mob. You never know, this could even have nation-state ties. If so, you realize that these folks are capable of extreme violence to those that threaten to disrupt their business. Some of the things that you’ve been thinking about do represent severe disruption. With that in mind, I would recommend significant discretion and anonymity. I know you’re not naive about this stuff, but some of the conversations I had this week were quite eye-opening for me.
T.J. began that night to address the worsened domain name problem. Rick estimated that it would now take about $100,000 per month to register all of the domain names generated by variants A and B in advance. T.J. called Ramses Martinez, the director of information security for VeriSign, Inc., a firm in Dulles, Virginia, that operated two of the thirteen root servers. It is also the registrar for some of the largest TLDs: .com, .net, and some of the country codes. He had worked with Ramses on the unsuccessful effort to contain Srizbi, which was seen as the big fish that got away. (Rick felt Ramses had, in fact, blown it on that one.) T.J. still believed the strategy against Srizbi had been correct, getting out ahead of the worm’s Internet connections, but everyone involved realized that a higher level of diligence would be required if it was going to be made to work against Conficker.
“Hey, guy,” he told Ramses. “Dot-com, dot-net, a lot of Conficker domains there.”
“I knew you were going to be calling,” said Ramses. Together they spoke to Pat Kane, the head of VeriSign’s naming division, and agreed that they had to join the effort.
“Listen, this is the right thing to do for the Internet,” said T.J. “Let’s figure out a way that we can either register or block these domains.”
Given the open-ended nature of the threat, this was likely to rack up some major fees. But the three agreed to sort that problem out later. In the meantime, they set to work nailing down the next few weeks’ worth of domain names that Conficker B was going to generate. T.J. was steered by Andre DiMina to Dre Ludwig, who in turn recommended that he contact Neustar, Rodney Joffe’s Washington base, a clearinghouse and directory service for mobile telephone and Internet services that manages the directories for the top-level Internet domains .us and .biz, and acts as the worldwide “registry gateway” for China’s .cn and DNS for the United Kingdom (.uk), Australia (.au), Japan (.jp), and other countries.
Rodney had already been approached by Rick about getting ICANN to waive the cost of registering the worm’s daily list of domains. He assured T.J., “We’ll do the right thing.”
Just as the Cabal felt it was getting a handle on the worm, news about the expanding botnet finally broke out of the exclusive chat rooms and websites of the computer security industry. Joel Hruska, the Ars Technica reporter who had somewhat complacently noted the appearance of the worm in early December, returned with a post on January 16 that noted its accelerating spread, offering the figure of 5.5 infected computers as a “conservative estimate.” John Markoff picked up the story a week later in the New York Times, calling Conficker “a new digital plague.”
“[It] seems to be the first step of a multistage attack,” he wrote. “Experts say it is the worst infection since the Slammer worm exploded through the Internet in January 2003, and it may have infected as many as nine million personal computers around the world.”
Markoff quoted Rick: “If you’re looking for a digital Pearl Harbor, we now have the Japanese ships steering toward us on the horizon.”
Rick was not exaggerating to pump up the reporter’s story. He was increasingly alarmed by Conficker’s potential. On a flight back to San Francisco from Dallas on January 31, he wrote a detailed email to friends in the military and intelligence community, including John Rendon, a well-known Washington political operative who ran an information consulting firm with connections to the CIA, and who had played a critical role in lobbying for the overthrow of Iraqi dictator Saddam Hussein. The email was also sent to a top official in the DOD’s Defense Intelligence Office with whom Rick had worked in the past. Rick was not alone in worrying about the seeming lack of government awareness or interest. He entitled his email “A note from the trenches,” added that he hoped “this is not new news,” and teased the recipients by promising, “a twisting plot of cyber warfare” and “international intrigue.”
There is a botnet that has blossomed into one of the most significant threats we have faced. The methods employed are most devious. Whether developed by children or professionals they are propagating with amazing effectiveness. . . . I need your help in this defining moment in cyber security policy. . . . Today the botnet size is bounded at a low of 8 million hosts and a high of 25 million. Using the low census (note this is not an estimate, it is a measurement) of 8 million hosts: If each host were to generate a single 512 byte packet at the same time destined for a single end point, it would be a 32Gbps DDoS [a 32 gigabytes per second Directed Denial of Service attack]. A DDoS of this size would strain critical infrastructure and cause general chaos. No network attached to the Internet could mitigate a DDoS that this botnet could generate at its lowest estimate.
He sketched various disaster scenarios. The botnet could “take out Google or all the e-commerce on the network.” A coordinated attack on Internet media outlets and websites for CNN and Fox News would shut them down for half an hour and attract worldwide attention. “Add a kinetic event [a real-world terror attack], and chaos,” he said, and left to their imaginations what kind of panic such a sequence of events might arouse. He warned that the Conficker botnet could “cripple” international telephone communications, and that it was still growing. “[It] is attempting to download its second stage. . . . The second stage could do anything. . . . 8 to 25 million drones is an army even our nation-state should be worried about.”
He described his scramble over the previous two months to register domains ahead of the worm daily in order to keep it from communicating with its controller.
The criminals need to register one domain out of 100,000 in the next year. They need to keep it alive for three hours to win. This is the battle. We have to be 100%; they need one out of 100,000 in the next 360 days for three hours—they win. They win a weapons-grade botnet that has penetrated many of the Fortune 500 in the USA. . . . The military is mostly clean. I’m not worried about them—everyone else is owned or getting owned. We found thousands inside companies like HP [Hewlett-Packard], Cisco, CBS. The botnet has penetrated all industries—Financial, Media, Health Care, and all levels of Federal, State, and Local government. . . . It is growing more successfully than anything we have seen since Code Red. [It] is the most hardened [protected] we have ever seen. . . . To take out this botnet we need China’s cooperation. Do I have your attention?
Rick requested help in reaching out to China, and also requested help from military computers powerful enough to crack the worm’s high-level encryption. He envisioned this as a potential trump card. It was theoretically possible to decipher Conficker’s private key from the public key, which Phil had extracted from both strains of the worm. The NSA and DOD were most likely the only entities in the world with computers powerful enough to accomplish it. If they agreed to crack Conficker’s code, the Cabal could send orders to the botnet from any of the domains it contacted. They would own it.
We are working to have all the domains registered by early next week, but Microsoft is worried that something will happen during the Super Bowl. Lots of attacks happen on holidays; more home users leave their computers on holiday weekends. . . . I will keep you informed as this situation develops. I beg your assistance with a diplomatic effort with the Chinese. I look with gleeful excitement for two private keys that will allow us to defuse a most serious situation.
Rick was stoked about this email, and felt confident enough that it would spur the feds into action that he emailed T.J. privately:
There are going to be real resources brought to bear on this bot and they are going to be looking for someone inside of MSFT [Microsoft] to decide what to do if the private keys were available. . . . How does this affect your game? policy implications?
T.J. appreciated Rick’s aggressive efforts, but did not share his confidence that the feds would turn their most powerful, top-secret supercomputers to such a task. He was impressed with the level of cooperation and knowledge he saw at lower levels of law enforcement, particularly in his work with the Seattle FBI office, but he sensed that those at the highest levels of government did not fully grasp the nature of the threat.