Read Worm: The First Digital World War Online
Authors: Mark Bowden
Meanwhile, more and more major computer networks were discovering the invader. There were headlines worldwide, marking invasions large and small. In the United Kingdom, the Defense Ministry and Parliament had been hit. So had the military computer networks for France and Germany. The Houston municipal court. Southwest Airlines. The Greater Manchester Police. India and Brazil had huge outbreaks. By the end of February 2009, estimates of how far and wide the botnet spread varied, with some security companies placing the number between ten million and twelve million.
But alarm still generated only an off-key response. Ironically, the biggest actual problem it posed so far came when organizations acted to get rid of it. It wasn’t all that hard to kill, but banks, government agencies, and corporations incurred tremendous cost and inconvenience shutting down their networks for the procedure. For many, it was easier to simply leave Conficker alone than to attack it; this, too, may have been part of the worm’s genius.
Techies were getting used to it. Someone posted a playful poem to the geek discussion board Slashdot on February 20.
If you’re on the highway and Conficker goes beep beep,
Just step aside or you might end up in a heap.
Conficker, Conficker runs on the road all day.
Even the coyote can’t make him change his ways.
Conficker, the coyote’s after you.
Conficker, if he catches you you’re through.
Conficker, the coyote’s after you.
Conficker, if he catches you you’re through.
That coyote is really a crazy clown,
When will he learn he can never mow him down?
Poor little Conficker never bothers anyone,
Just runnin’ down the road’s his idea of having fun.
Everybody got a kick out of the poem. But if the rest of the world was merely overwhelmed, the X-Men knew better. All it would take was one successful connection to turn cute catastrophic. All they had to do was miss one domain, one command. In the New York Times, Markoff called Conficker “a ticking time bomb.”
Then, on March 6, the worm turned.
9
Mr. Joffe Goes to Washington
TODAY A MASSIVE SHADOW FALLS ACROSS
THE CITY . . . AND FEAR BECOMES A REALITY.
—The X-Men Chronicles
The news hit the List early Friday evening, March 6.
“Greetings to all,” posted Dean Turner, a Symantec analyst. “As some of you may be aware, we’ve identified a new variant.”
Phil Porras got the news in a phone call, and immediately tapped out a summary and marching orders to his team. They would all be working over the weekend:
Guys,
Results from the Phone:
—SRI, Symantec, MS are taking the reverse engineering lead.
—Media blackout til at least Mon, til we know what to say
—How does it work
—What’s our plan to block it
—Do we have signatures/
—We need a thoughtful understanding of
—what are the DNS/Network mitigation strategies
—how can we collect future Conficker telemetry
—Forensic details of how this works
—Any and every detail to help fight it
The really bad news came almost simultaneously. Jose Nazario, a well-known computer security expert working for Arbor Networks, posted:
Save everyone the browsing trouble. Highlights: 50,000 domain names a shot instead of 250.
Fifty thousand domain names per day?
The Cabal had scrambled and fought and cajoled to preregister 250 domain names per day. The effort had strained their relationships and Rick Wesson’s credit cards. It had required unprecedented international cooperation, coordinated by ICANN, which was not set up for this kind of thing. Getting 250 domains per day locked down had been considered a triumph.
But fifty thousand? It was flat-out diabolical! Conficker C was programmed to kick in on April 1, upping the ante so high that . . . well, after you gasped you almost had to laugh. Infected machines were to check in for commands on that date. To prevent the worm from making contact with its controller, the Cabal would have to identify and register all fifty thousand, and this would mean tracking down those that were already owned worldwide, and coaxing their owners into shutting down for a few days. And they would have to do that every day from April 1 forward. How in the world were they supposed to do that?
“F&*king Hell,” posted Rodney Joffe, from his office in Phoenix.
Dave Dagon of Georgia Tech was struck by what it would mean if they somehow pulled it off.
Have we got the grapes to ask for the removal of 50K domains per day? That would signal to the botmaster this organization is using policy, and not money, to accomplish this goal. It may end this cat-mouse run, or escalate further. . . . This is interesting times, folks.
Rodney quickly followed up with another note, just ticking off the issues that occurred to him immediately. At least some of the TLDs involved might simply decide to draw the line—anticipating that even if the Cabal could corral Conficker C, what would stop the botmaster from introducing D? Then E? Then F?
I suspect that some of the TLDs will be forced to say, “We can’t possibly cope with D [whatever ridiculous number the botmaster might crank Conficker up to next], so we don’t want to have to ramp up just to deal with C if there’s no exit strategy.” We knew it would happen. Now it has. What’s plan C?
Out in his office in the Redmond sprocket, T. J. Campana scheduled an immediate conference call, and attempted to rally the demoralized troops in an email:
We either take the fight to them or go home at this point. I vote that we try . . . and when they go for 100,000 we try that. . . . We are being tested people. The DNS [Domain Name System] infrastructure is being tested. . . . Let’s get this thing reversed and at the very least try.
As details of the new variant emerged—Phil and his staff, working straight through the weekend in Menlo Park, produced a remarkable portrait of its anatomy in record time—there was even more consternation.
Rodney lamented:
The techniques employed should scare us since they are the next evolutionary step. We knew early on that our mitigation technique for A/B wasn’t going to work at the next level, and now it’s been demonstrated. (I don’t hold out hope [of all the TLD] operators being able to hear us, much less trust us, much less add this burden to their workload, much less do so in an error free manner.)
The X-Men began to doubt themselves.
“This is starting to stink of an inside job,” wrote a security geek at Bell Aliant, the Canadian telecommunications company.
“I am going to repeat here what I have said privately,” wrote Rodney. “The people behind this are us.”
This cryptic line set some of the more literal-minded in the Cabal to speculating that Conficker’s author was, in fact, one of them. Rodney promptly explained that what he meant was this: the sort of people behind the worm were the same sort of people as those in the Cabal. They were gifted, experienced, and hardworking fellow mutants. And what’s more, they had a built-in advantage in this game. They were on the offense. The botmaster had just waited for the Cabal to make a move, like, say, tying up all 250 domains generated by the worm every day, and then had boosted the worm’s algorithm, and the level of difficulty, into the stratosphere.
“How do we level the playing field?” asked Rodney.
Ever the ray of sunshine, Paul Vixie shot back:
We don’t. We lose. Now that we’ve LOST and/or we know WE WILL LOSE, we decide how to carve up the Internet into defensible neighborhoods and leave the rest to the drug lords. It’ll be like Escape from New York, except our gated community will be on the inside, not the outside.
In the midst of this general shock and awe, Dave Dagon suggested that it was time to seek help:
If we go this route [trying to corral Conficker C], I suspect we’d need high level engagements: Dept. of State—to address the questions, “Why should our country help your Cabal?” DOJ—reprioritize the Conficker investigation. DHS/US-CERT—for all the SIGINT [Signals Intelligence] out there, I do hope someone has insight into the creators of this botnet, and can take action before further critical infrastructure is impacted. . . . Call this weekend and warn our friends.
It was definitely time to shake the feds into action. From the beginning of this effort the Cabal had politely shared data with the appropriate government agencies, those charged with cybersecurity and law enforcement. To all of the X-Men it seemed that the efforts had been exclusively one-way. Whatever they fed the alphabet soup just disappeared into its giant maw. Nothing ever came back out. Here the Cabal were busting their collective butts, working overtime and on weekends, racking their brains, tapping every source and contact they had worldwide, battling to save the Internet . . . where were the people who got paid to do this?
Rodney packed for Washington.
When Phil and his team were ready with their full report on Conficker C on Tuesday, the prospect had never looked worse. C-Day, the day the new strain would wake up and seek instructions, was just twenty-one days away.
The original strain of the worm had a domain generating algorithm that spread its 250 potential command and control locations over five TLDs. Conficker B had made things more difficult by adding three more TLDs to the mix, which meant Rick Wesson and John Crain of ICANN and the others had to bargain with eight. Conficker C pulled out all the stops. Not only was it going to spit out fifty thousand potential domains daily, but they would be spread out over every country TLD in the world, 110 of them, and six more besides, for a total of 116 TLDs!
It got even worse. As Hassen Saidi broke into the new strain, he noticed that there was a scrambled section in the code for this new algorithm. Whatever was hidden in this obfuscated section, it was causing an infected computer to open several ports that controlled communications. There was every kind of speculation about what this meant, but no one could decipher it.
Again, for Hassen, the challenge was personal. The botmaster had handed him another puzzle. The segment of code in question was unreadable in any of the computer languages he knew, so he began the painstaking process of breaking the source code down to object code, the basic ones and zeros of machine language. It took him three weeks. It turned out to be very simple, even elegant. The worm’s creator had designed an original peer-to-peer protocol.
With the first two strains, every infected computer in the botnet had to contact the right domain in order to receive instructions. In effect, the botmaster sat behind one of the many doors and doled out instructions to each bot individually. He had to, in effect, touch every one. This was a relatively inefficient way to disseminate a command. Peer-to-peer greatly simplified the process. Bots could now talk directly to each other. The botmaster had to touch only one machine. So long as one received the command, it could spread the message on its own. Conficker machines infected with C were just pinging each other, asking, “Hey, do you have a copy? Do you have a file for me?”
It occurred immediately to the Cabal that this peer-to-peer innovation might afford them an opening. They were running Conficker bots in any number of honeypots now. Why not poison the botnet by having one of their own use the new direct method of communication to spread some worm-crippling code? It would be less invasive than trying to push corrective software to infected machines over the Internet, and not the white hats but the worm itself would be reaching into the bots. But as Hassen looked deeper, he saw that the worm’s authors were one step ahead again. They had anticipated the move. They had designed their peer-to-peer protocol to be cagey. The connected computers compared lists of twenty-five Conficker bots—These are the people I know, by the way. This gave both computers fifty potential domains to choose from, and each chose only one. Each was programmed to favor its own list over those it obtained from the other. The upshot was that any attempt by the Cabal to drop a poisoned seed into the botnet would spread glacially, at best. Again, Hassen was impressed.
In a way, the fifty thousand domains per day, the piece of the new strain that caused so much alarm, may have just been a diversion. Peer-to-peer was the real innovation. Hassen could now put himself inside the head of the worm’s creator. Why not freak out the Cabal by giving them an impossible task? Send them chasing all over the world to tie up fifty thousand domains every day. And then quietly slip in the real zinger, the peer-to-peer protocol, which was far worse. After all, even the best efforts of the Cabal to preregister the 250-domain daily output of Conficker B had been beatable. The new strain had spread from one of the domains missed by Rick and John and the others helping them. Rick had warned continually that 99 percent wasn’t good enough, and he had been proved right. On the worm’s daily list of domain names, which was just randomly generated strings of letters, every once in a while there were domains that were real, that had already been registered. It was easy to assume that the botmaster would not be so bold as to preregister a domain that every white hat security geek in the world was watching, but that’s exactly what he had done, right under the Cabal’s nose. The botmaster had won that game. And if he could pull that off with a 250-per-day scheme, why did he need fifty thousand?