Worm: The First Digital World War
Of course, they hadn’t, but that fact required more explanation than the nightly news was equipped to give. The government had been made somewhat more aware, and, curiously, would even declare victory! A Department of Homeland Security (DHS) “Lessons Learned” report, issued early in 2011, summed up the effort thus:
“In an unprecedented act of coordination and collaboration, the cybersecurity community, including Microsoft, ICANN, domain registry operators, anti-virus vendors, and academic researchers, organized to block the infected computers from reaching the domains—an informal group that was eventually dubbed the Conficker Working Group. They sought to register and otherwise block domains before the Conficker author, preventing the author from updating the botnet. Despite a few errors, the effort was very successful.”
The key word there would be very, as opposed to completely. As Rick had pointed out again and again, almost doesn’t cut it. All it takes is one successful link, like the peer-to-peer connection that prompted the Waladec stunt, and . . . game over. The upbeat DHS report was some kind of high-water mark for government gall—a tough record to beat. After sitting back and watching the Cabal do all the work, and nearly succeed, Uncle Sam finally found a role for himself: proclaim victory and then stick a flag in it!
It is a curious finding, given that Rodney, who has since become the official head of the Cabal (the very same Conficker Working Group celebrated in the report), has this to say about what happened:
“At the end of the day, it’s a failure. It’s a success as a model and an organization, but we actually don’t have control over Conficker. We didn’t achieve the objective.”
This DHS report, it should be noted, was also the high-water mark for government involvement in the actual battle. On page 33 of the report itself, one unnamed member of the Cabal summed up the feds’ contribution during the actual conflict:
“Zero involvement, zero activity, zero knowledge.”
Nevertheless, the new administration seemed to get it. Behind a lectern in the East Room of the White House on May 30, 2009, President Barack Obama, who was just moving into the White House when the effort peaked, gave a speech about cybersecurity.
“We meet today at a transformational moment—a moment in history when our interconnected world presents us, at once, with great promise but also great peril.” He called the nation’s digital infrastructure “the backbone that underpins a prosperous economy and a strong military and an open and efficient government.” Cyberspace is “real,” he said, “and so are the risks that come with it.”
He cited Conficker in particular to illustrate the feds’ anemic capability to defend the Internet:
“It’s . . . clear that we’re not as prepared as we should be, as a government or as a country. . . . Just as we failed in the past to invest in our physical infrastructure—our roads, our bridges and rails—we’ve failed to invest in the security of our digital infrastructure. . . . Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don’t coordinate and communicate nearly as well as they should—with each other or with the private sector. We saw this in the disorganized response to Conficker, the Internet ‘worm’ that in recent months has infected millions of computers around the world. This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better.”
Most members of the Cabal say that the government has gotten better. Some of its members have gone to work for government agencies. U.S. CERT’s Mischel Kwon, whose performance the Cabal found singularly unimpressive, resigned just a few months after the president’s remarks—Rodney suspects that the desperate repackaging of his Conficker PowerPoint by the agency played a role. In Pittsburgh there is now the National Cyber-Forensics Training Alliance, a privately funded effort affiliated with Carnegie Mellon University and modeled consciously after the Cabal, where federal agents work alongside industry researchers. This alliance has begun to make real progress training the kind of experts needed to deal with the growing malware threat.
“There are guys from Target and from eBay and from E*TRADE, and from other banks, who have full-time employees that are assigned there,” says Rodney. “And when they’re able to establish a case, they hand it across the desk to an agent who can now go and get an official case going. It’s highly effective. The best bang for the buck in the entire federal government from a cybersecurity point of view.”
In June 2011, the Pentagon announced that it was putting the finishing touches on a new strategy for dealing with cyberattacks. It will define any attack on important computer networks that leads to civilian casualties as an act of aggression against the United States; this means that if it can be determined where the attack originated, the nation might respond in a variety of ways, including militarily. It was, however, more a statement of mounting concern than a blueprint for national defense.
“The policy says nothing about how the United States might respond to a cyberattack from a terrorist group or other nonstate actor,” wrote New York Times reporters David E. Sanger and Elisabeth Bumiller. “Nor does it establish a threshold of what level of cyberattack merits a military response.”
Despite the vagueness of the pronouncement, it became clear in July 2010 that malware was a serious weapon in the arsenals of great powers. Alarmed by a secret Iranian program to develop nuclear weapons, and the inability of international nonproliferation agreements to stop it, nations opposed to the effort (probably the United States or Israel, perhaps both) infected the computer networks in Iran’s uranium enrichment plants with a worm dubbed Stuxnet. The worm employed the same buffer overflow exploit at Port 445 used by Conficker, penetrating Windows operating systems, and was tailored specifically to sabotage the centrifuges used to spin uranium at high speed in order to separate out weapons-grade isotopes. Penetrating a specific variety of software sold by the German engineering giant Siemens AG, the worm caused the centrifuges to spin wildly out of control, destroying the uranium processing facilities and setting back the Iranian effort for years. Even though Stuxnet infected a great many computers outside Iran, its careful design meant that it executed harmful instructions only on the Siemens AG software at the uranium processing plants. It was the first of what are likely to be many carefully sculptured cyberattacks, and clearly learned from the successful implementation of Conficker.
These kinds of tailored, targeted attacks were considered the trend in early 2011, as I finished writing this book. Criminal attacks in recent weeks had successfully hit the International Monetary Fund, Google, Lockheed Martin, Sony, and Citibank, among others. The difference between these and cyberthreats in the past, including Conficker, is that they do not spread indiscriminately on the Internet, and do not seek to assemble botnets, even though they may use existing botnets as a platform. They are the difference between a smart bomb and a conventional one: they zero in on specific targets and have narrowly defined goals. They illustrate once more the growing sophistication of criminals, spies, and military organizations, who remain every bit or more than a match for those who, like the Cabal, seek to preserve the Internet as a free zone for exchanging information and for commerce. This is one of the defining battles of our age, one that takes place for the most part out of the public eye.
Meanwhile, the Conficker botnet itself waits.
Most of those in the Cabal now doubt that it will ever be used. The theory here is that the Cabal’s coordinated effort, while ultimately unable to kill the botnet, made it too hot to handle. Any move the botmaster makes might help identify him (or them), pinpoint him, bring the law down on him. This is a point of view that supports the claim of victory, albeit victory of a limited sort.
“Somebody got pissed that we shone a light down their hallway or in their bedroom or whatever,” says Dre Ludwig. “I mean, realistically that’s what it looks like. Too much attention. Too dangerous to play with anymore. And it demonstrated [how to mount an] effort, concerted effort, to mitigate it. If that thing ever fired up again we’d get the old band back together. It’s been done once.”
Others, like Andre DiMino of Shadowserver, are more inclined to believe that Conficker’s controllers are simply biding their time.
“They are watching us watch them,” he says. “I’m thinking that it’s really either that somebody let this thing get bigger, or it’s advanced bigger and farther than they ever dreamed possible. A lot of people think that. But in looking at the sophistication of this thing and looking at the evolution of this thing, I think they knew exactly what they were doing. I think they were trying something, and I think that they’re too smart to do what everybody figured they were going to do. You have to remember, the world was watching this thing on April 1st, waiting for the world to end on April 1st. The last thing you’d want to do if you’re the bad guy is make something happen then. You’re going to wait until . . . say, May 28th of 2010, or, pick any other date, to do something. You’re going to do something when you’re least suspected. These guys are sophisticated. They have good code. And just even seeing the evolution from Conficker A to B to C . . . these guys know exactly what they’re doing.”
Rodney agrees, and more so. Just because no one has seen Conficker make a move, he says, doesn’t mean that it has not.
“People are saying that Conficker is not really used for anything because it’s not—it’s just too visible. What’s your point that it’s too visible? How does a weapons platform become too visible? Do you mean that it’s so visible that we know how to stop it? It’s really hard to get rid of on infected machines. But [Conficker] has the Holy Grail of malware, which is something called stability. There are six million machines and tomorrow there will be six million machines, give or take. You can count on this botnet. What a botmaster wants always is to know that his machines are going to be up—that someone isn’t going to take them down. This thing has proven . . . that it is rock-solid, and that the good guys, and the antivirus guys, and the Microsoft guys can’t do shit. It is the Holy Grail of a botnet. So what we have in place is a weapons platform that’s capable, and it’s going to stay capable.”
Rodney has a theory. Every day, on average, the botnet loses about half a million machines and gains another half million. The Cabal’s researchers track this. Some machines disappear because they are turned off, wear out, or are replaced, and some because they are disinfected (the Cabal has distributed a free, easy-to-use tool to tell if a computer is infected). Others are added because the worm continues to spread via its peer-to-peer capability. But what if some of those machines that disappear vanish because the botmaster is selling off pieces of the botnet every day to criminal spammers?
It’s plausible, because the botnet is valuable in any number of ways. It can be used to generate a great deal of computing power, or just as a known store of vulnerable machines to exploit. All of the machines on Conficker’s lists have stopped receiving security updates.
“So when people say Conficker’s doing nothing . . . I don’t believe that,” Rodney says. “We think it’s doing nothing because we don’t observe anything. But we don’t know. And a perfect way for this group to actually be monetizing it in a way that just, like, generates revenue every day and would never be noticed, is by sending off targeted pieces either to criminals of some kind. Whether they are a nation-state or just criminals selling off these small pieces [they] would just never be noticed. And I believe that’s what’s happening.”
So while the Cabal may have pointed the way toward a cooperative defense against Internet threats, and may have smartened up the government a little, the worm itself survives. Both sides of the Conficker battle took away valuable lessons.
Paul Vixie has plenty of new material for his “Internet Rant,” that speech he gives in his affectless monotone about the Internet as an example of “historical folly.” His hope two years ago, the day Cybarmageddon didn’t happen, was that after everyone got over the laugh, the Conficker scare might spur efforts toward remediation—a concerted effort to rid machines of the worm. That hope has been disappointed, and he is back to predicting doom.
He is also fed up with Microsoft. In a note to the List later in 2009, Vixie fingered what he believes is the heart of the problem:
This whole thing is Microsoft’s fault. Really. One company brought us Conficker. Stock symbol, MSFT. . . . The pink elephant in this living room is: Microsoft did this to us. I am not referring to Microsoft’s continuing . . . monopoly by which they forced all kinds of end users and resellers to include Windows on the ten million computers now infected by Conficker. That’s evil, and if I ever meet a space alien I will be ashamed for all of humanity at the way we herd our sheeple into pens and suck their blood in this way.
Paul pointed out that Microsoft had issued a patch years earlier dealing with exactly the same kind of vulnerability as the one at Port 445, but that the company’s security software engineers had failed to check to see if the flaw existed elsewhere.
What this means, gentlemen, is that some employee of Microsoft patched it in one place without patching it in the other place, even though they were both in the same source file. This means the employee who did the patch, and the reviewers, and the managers, and the QA [quality assurance] teams, for MS06-040, all had a chance to do a thorough review of the source module for any similar code sequence or vulnerability, and they flubbed it.
He concluded:
Yo, T.J., nothing personal, man.
T.J. has been busy. In the last two years, he has helped put together a cooperative Microsoft/law enforcement initiative that has taken down, with the help of the U.S. Marshals Service, Waladec and Rustock, two infamous spamming operations, targeting the servers that hosted the criminal enterprise. As a result, he says the company has seen at least a temporary decline in the amount of spam on the Internet.
The Conficker botmaster is still out there. In June of 2011, authorities in Ukraine, in cooperation with the FBI, arrested sixteen hackers in Kiev, who had reportedly used the Conficker botnet to drain $72 million from international banking accounts. The investigation was run out of the Seattle FBI office, the one that has worked closely with T.J., and was assisted by the National Cyber-Forensics Training Alliance. Servers in several countries were raided in a coordinated international police action. Those rounded up were all young men between the ages of twenty-six and thirty-three, who police said had “splendid technical educations.” It remained doubtful, however, that among this group was the Conficker botmaster, the designer. More likely, these hackers were customers of the botnet’s creator, using its stable platform to launch their targeted thievery, in exactly the way Harvard’s Schechter and Smith predicted in their 2003 “Access for Sale” paper. Agents were still questioning the suspects as this book was going to press. There were hopes that this group might lead authorities to the botmaster, the true architect, or architects, of the worm. Rodney is optimistic, even confident on some days, that he, or they, will be caught.
More than a year after the anticlimactic April 1 Waladec stunt, Rodney, John Crain, Phil Porras, and Andre DiMino met with representatives from the White House in Rodney’s Neustar office—it was the first time Phil had ever met Rodney personally. Paul Vixie added his gloomy perspective by phone hookup. Andre had prepared lists of Conficker infections on .gov and .mil networks. The scope of the worm’s inroads clearly startled the Obama team. Rodney was particularly alarmed that here, more than a year after he had sounded the alarm on Capitol Hill, the Commerce Department, the government’s chief computer network guardian, was still not tracking the infection closely itself.
At a follow-up meeting several months later, Andre says, CERT acquitted itself much better, and the infection rates on .gov and .mil had gone down significantly.
So who is the botmaster? Who are the bad guys behind the worm?
Ramses Martinez is in charge of security for VeriSign, the Dulles, Virginia, company that operates two of the root servers for the Internet. He was a member of the Cabal. One of the things he does, patrolling the perimeter at VeriSign looking for threats, is occasionally dip into the obscure digital forums where cybercriminals converse, where those who write sophisticated malware boast and threaten and compare notes. After all, theirs is a rarefied community, and those engaged in this game have certainly encountered the Glaze themselves often enough. The chat rooms are a community of the like-minded, a place where they can show off their chops among those who appreciate their skills, where they can compare notes, learn. White hats like Ramses sometimes venture in to collect intelligence, or just out of curiosity, or for fun. Often they pretend to be malware creators themselves, but not always. Sometimes they enter as themselves, and indulge in a little cyber-trash talk.
“In the past you were just sort of making sure they didn’t steal your database of credit cards,” he says. “Now we go in to engage them. You talk to them and you exchange information. You have a guy in Russia selling malware working with a guy in Mexico doing phishing attacks that’s talking to a kid in Brazil who’s doing credit card fraud, and they’re introducing each other to some guy in China doing something else.”
Martinez said he recently eavesdropped on a dialogue between a security researcher and a man he suspects was at least partly responsible for Conficker. He won’t say how he drew that connection; he says only that he had good reasons for believing it to be true. The suspect in the conversation was Russian. The standard image of a malevolent hacker is the Hollywood one, a brilliant twentysomething with long hair and a bad attitude, and in need of a bath.