Worm: The First Digital World War


The Defense Intelligence official who received Rick’s email knew him well enough to respect his judgment. He had helped the Pentagon deconstruct Russia’s cyberattacks on Estonia in 2007, and on Georgia in 2008. But how seriously should this warning be taken? Rick was seen as something of a character, brilliant but unpredictable. For a more sober assessment, Rick’s email “from the trenches” was forwarded to Bill Woodcock, an internationally known Internet guru and founder of the Packet Clearing House, a web research institute based in San Francisco. Woodcock wrote back, “Yes. Conficker is serious,” and then turned down the volume of Rick’s alarm . . . but only a little.

Rick’s a very bright guy, smarter than me, but also perhaps a little more prone to getting in fights in bars than I am.

Woodcock estimated that the size of the potential DDoS attack projected by Rick was, in fact, probably too small, since by the time the botmaster was able to issue encrypted commands—he had not done so yet—the botnet would probably be much larger. The impact of such an attack on commercial websites would probably be less than Rick predicted, Woodcock said, but the wider impact would be far greater. Whereas Rick had specifically cited the potential for shutting down Google and the websites for news organizations, Woodcock thought that wasn’t likely to happen, but not for the reason you might expect. The botnet was capable of generating such an enormous DDoS attack that the routing machinery of the Internet itself would probably crash before the specific websites could feel the brunt (harking back to the problem TrafficConverter.biz would have had handling the botnet’s initial blitz).

You’d get cascading failures in the core . . . impeding further attacks, if the full attention of a botnet of this size were really focused on any one target inside the U.S. That’s small consolation for our buddies in Europe and Asia, though.

As for cracking the encryption, it was possible to decipher the private key to Conficker’s code, Woodcock wrote, but inadvisable. He listed four scenarios, from best case to worst case. The best case scenario would be for “no one” to have the private key; that way the botnet could not be issued any commands. Next best would be for a single “white hat” to own the key, so that the good guys would step in and take control. Next best would be for a single “black hat” to own the key (which was apparently the present case); this was clearly not desirable but had a silver lining—because if the botmaster used it, sent instructions to the botnet, he might tip off law enforcement as to who and where he was. The worst case scenario?

If multiple people have keys. So, although clearly things could be a lot better, they could also be a heck of a lot worse. Right now, we just have to prevent the intersection of the one party with the key, with any one of the many C&C [command and control] domains. We have to keep one unknown guy away from the many places where he could enter the launch code. In this analogy, that’s a relatively simple matter of placing security around the places where the launch code could be entered.

But if the code was cracked and private keys were obtained, and then the private keys were handed over to the Cabal, then “multiple parties” would have the key, a situation “which is simply inherently much more difficult to control,” Woodcock wrote. As bad as Conficker was, he argued, the present situation was more desirable. For the same reason that nuclear states strove to limit the number of countries with such arsenals, the Defense Department should worry more about the prospect of proliferating knowledge of the botnet’s private keys. It was better to simply accept that one miscreant had the keys than to risk handing them over inadvertently to many.

So the U.S. government was not going to ride to the rescue. Rick received polite responses. His plea “from the trenches” was being circulated to all the appropriate agencies, the Office of the Secretary of Defense, the National Cyber Response Coordination Group (NCRCG), the U.S. Computer Emergency Readiness Team (U.S.-CERT), and a flurry of other cybersecurity-related agencies. But the upshot of it was: Good to hear from you, thanks for calling it to the government’s attention, we’re fighting two wars right now . . .

In other words, Don’t call us . . .

Out in Menlo Park, Phil Porras decided to do more of the sleuthing he had done with Conficker A, looking to see if the author of the B variant had taken it out for a test drive before releasing it. The two strains had distinct signatures, so it was easy to tell one from the other. The very first Conficker B domain lookup would have happened on January 1, 2009. That’s how the worm was programmed. Anything earlier would have to be a test run, and would have been sent by the botmaster.

When he had tried this trick with Conficker A, he had found nothing except the tinkering of another white hat researcher doing the same thing he was. But this time he found a legitimate lead. Two Conficker B–infected bots had tried to contact one of the A strain’s domains on December 26, six days before the new variant showed up. The domains were kyivstar.net, in Kiev, and alternativagratis.com, which was in Buenos Aires. Kiev was the home of Baka software, and Buenos Aires was the location of Patient Zero.

No researcher even knew of the B strain until days later, so this was not another case of the X-Men stumbling into each other. This had been the botmaster playing with the new strain, checking out its communication function. It was the best lead yet on those behind the worm.
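Phil Porras’s pre-activation check, written out as an added example over a few constructed sinkhole log lines (this is not the book’s or SRI’s code; the timestamps, addresses, domains and strain tags are made up, and only the B activation date of January 1, 2009 comes from the text):

```python
from datetime import date, datetime

# Constructed sinkhole DNS log lines (not real telemetry). Fields: UTC
# timestamp, source address, queried rendezvous domain, strain tag. The
# strain tag is assumed to come from the signature the text says makes
# the A and B lookups easy to tell apart; domains here are placeholders.
SINKHOLE_LOG = """\
2008-12-24T03:11:09Z 203.0.113.7 a-strain-0001.example A
2008-12-26T14:02:51Z 192.0.2.10 a-strain-0419.example B
2008-12-26T14:03:17Z 198.51.100.23 a-strain-0419.example B
2009-01-01T00:00:04Z 203.0.113.7 b-strain-0001.example B
2009-01-02T09:45:30Z 192.0.2.10 b-strain-0077.example B
"""

# First date on which each strain, as programmed, generates a lookup. The
# text gives only the B date; strains missing here have an unknown
# activation date and are never flagged.
ACTIVATION = {"B": date(2009, 1, 1)}


def parse_line(line):
    """Split one log line into (timestamp, source, domain, strain)."""
    ts, src, domain, strain = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, domain, strain


def pre_activation_lookups(log_text, activation=ACTIVATION):
    """Return lookups dated before the queried strain's activation date.

    Such a lookup cannot be the worm running on schedule, so it is either
    another researcher's test or the botmaster trying out the new strain.
    """
    hits = []
    for line in log_text.splitlines():
        ts, src, domain, strain = parse_line(line)
        first_day = activation.get(strain)
        if first_day is not None and ts.date() < first_day:
            hits.append({"time": ts, "source": src,
                         "domain": domain, "strain": strain})
    return hits


def sources_to_investigate(hits):
    """Map each source address to its earliest pre-activation lookup."""
    earliest = {}
    for h in hits:
        if h["source"] not in earliest or h["time"] < earliest[h["source"]]:
            earliest[h["source"]] = h["time"]
    return earliest
```

On the constructed log, only the two December 26 B-strain lookups are flagged; the A-strain lookup is skipped because its activation date is not on the page, and lookups on or after January 1 are the worm on schedule.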

The Cabal turned over the information to the FBI, which thanked them politely . . . and then nothing happened.

8

Another Huge Win

REMEMBER—ABOVE ALL ELSE YOU MUST REMEMBER TEAMWORK! YOU MUST FUNCTION AS A ONE . . . ALWAYS!

—The X-Men Chronicles

So far the effort to curb Conficker had been pieced together on the run. The Cabal targeted a conference of Internet and security experts in early February to better organize themselves. The conference was scheduled to take place at Georgia Tech in Atlanta. The Cabal would do whatever they had to in the interim, and cook up a more formal plan of attack there.

In fact, through the month of January, the effort to contain Conficker A and B progressed well. Despite the blow of the B strain at the turn of the year, they had enough success with the strategy of getting out ahead of it, registering all of the potential command domains in advance and sinkholing all the requests from infected bots, that they started to get cocky, and began thinking ahead. With Conficker all but licked, how could they use the experience to develop a broad, coordinated strategy for the long term, something that might serve as a model for defending against future worms?

For most in the Cabal, one of the great successes so far had been the selfless approach taken by the big AV companies, all of which had set aside the profit motive to cobble together a coordinated defense. Conficker was a threat to the Internet itself, and everyone had, so far, risen to the challenge. If the AV companies began competing to market their own remedial software for the worm, the coalition was likely to crumble. So when a security company called OpenDNS unveiled a new product in early February to help clean up Conficker-infected networks, the Cabal was horrified. T.J. was particularly disappointed.

“This seriously undermines our efforts to protect users of the Internet,” he wrote. The problem was not confined to “just users of the OpenDNS service,” he said. He wasn’t alone. Dre Ludwig, the youngest member of the Cabal, wrote:

What I would like to make sure we stay away from is “promoting” any one or multiple commercial products/services as a “golden bullet.” Let’s face it, there is no one solution; in fact, what we have is a multiple-front offensive on a very dynamic chunk of malicious code.

The answer was not going to be some commercial software package aimed at protecting and purging infected networks, which had pretty much defined prior anti-malware efforts. The threat was bigger than that. It could not be attacked piecemeal, and the only hope for a broad, coordinated effort was for everyone to suspend pursuit of the almighty dollar.

The answer was going to be . . . the Cabal. Dre was one of the more expansive personalities in the Cabal, a towering man with short brown hair parted carefully on one side, a security consultant in the intel agency-heavy districts around Alexandria. Dre felt it was time to clearly define their approach:

What we need to do is make sure we get the right people involved and arming them with the right information (be it data, coordination info, etc.) and executing a plan. The plan has yet to be formulated to any extent beyond “let’s do something” as far as I have seen. We have plenty of the right people on this list and plenty more parties that are joining this merry band every day. Let us not rush into things by promoting solutions, ideas, thoughts, etc. as the answer. Let us try and effectively share and collaborate on ideas and build out a proper plan of attack.

I think the first thing that we should do is continue to focus on snatching up domains for this thing. This effectively buys us time and wrangles some form of control on the spread of this thing. Our second order should be to sort out exactly who is a part of this group, and follow up with who else needs to be involved. Once we have a handle on that we should then proceed to sort out a plan of attack to utilize all the resources we have mustered (commercial/press/LE [law enforcement]/etc.) . . . Each individual will have a different perspective on things; as we produce and share these perspectives, we can more effectively hash out a solution that encompasses all of our experiences and viewpoints. So again, let’s focus on forward momentum without getting stuck in the trap of brash movements or decisions that could compromise our young coalition.

T.J. agreed.

We need to start taking the Internet back from these bad guys . . . Well, now it is a full-blown reaction force and we are doing great things . . . learning a lot . . . but there is a long way to go. I keep saying this, “We have to be right 500 times a day . . . they just need to be right once.” Oh yeah . . . we want to find these guys and put them in jail . . . more on that later :-)

The Atlanta conference would be the first time some of the Cabal met—in person, that is. In some ways their online personas were more real than the flesh-and-blood versions, since they tended to live in front of their monitors. The Conficker mission was something distinct from the conference itself, of course, which was a mouthful: the First Annual Global DNS Security, Stability, and Resiliency Symposium. It had been set up by ICANN as a way of discussing any and all issues related to the ever-growing malware problem. The nonprofit international agency had only a narrowly defined role to play, assigning and keeping track of “Names and Numbers” on the Internet, and had no power to make or enforce policy, but it was the closest thing there was in the world to an international governing body. The worm was a new and major concern, and was clearly the front line of the larger battle, but it was not on the official agenda. It had not been around long enough for there to be completed studies and reports, but it was the primary buzz in the symposium corridors. Rodney Joffe had already been in touch with ICANN about eliminating the costs associated with registering domains, and invited the organization’s reps to a rump meeting during the conference. It would be Rodney’s first official act for the Cabal. They met after hours in a conference room at a nearby Holiday Inn where some of the conventioneers were staying off the Georgia Tech campus.

They convened in a long, narrow hotel conference room with tables arranged in a horseshoe. The Holiday Inn had to move them to a larger room at the last minute. It seemed everybody wanted in. There was even an FBI agent in attendance, a real coup for the Cabal. The tables were covered with starched white linen, with bowls of hard candy set at intervals. A speakerphone was placed in the center of the room inside the U-shaped table arrangement, so that those who weren’t in Atlanta could participate. The session lasted for almost two hours. Rodney was there, of course, as were Dre Ludwig and Chris Lee, who brought beer. Andre Di Mino and various others participated by phone hookups. The guests of honor in the room were Paul Twomey, the head of ICANN; John Crain, one of his colleagues; and the FBI man, of course. It was clear that long-term global efforts to contain the worm would require more formal involvement from both agencies.

It was late afternoon across the continent on Microsoft’s campus in Redmond, where T.J. participated via telephone from his office high in one of the sprockets. He just listened for a while, and then, when he was introduced, explained how the registry-buying strategy worked.

“I think the overriding issue at this point is, you know, there’s a question about the fee that they have to pay to ICANN in order to get these,” he said. “That could quickly become unsustainable if they’re being asked to register, you know, we’re asking at this point to register two hundred and fifty domains per day, in perpetuity. This is obviously for the common good.”

Twomey didn’t need much convincing. His feeling was that the threat required an “alliance of response.” But something in his words conveyed an opposite impression to T.J., who thought the president of ICANN was waffling, and called him on it loudly.
