Worm: The First Digital World War
Page 4
Some of the world’s youngest billionaires were minted. A generation of hopeful geeks began migrating to Silicon Valley with plans to conjure the next digital miracle. Perhaps the most remarkable thing about Microsoft was that its biggest coup was yet to come. It reached historic peaks of commercial fortune in a series of increasingly bold leaps. After getting established with an operating system for the Altair 8080, and then scoring big with MS-DOS, Gates (Allen had by now withdrawn with his billions from an active role in the company) spurred his already large and extremely successful enterprise to create Windows, the most successful software venture ever. If we look back at MS-DOS today, it seems almost comically primitive and awkward. Home users were still working with a display screen that consisted of blinking lines of type on a dark screen, little more than the video equivalent of a typewriter display. Meanwhile, a host of exciting new applications were being developed that utilized the machine’s mounting capabilities, most notably the ability to generate interactive visual images. The two primary ideas behind Windows were not new; they were known to the entire software industry in the 1980s. One was to design a Graphical User Interface (GUI) that would greatly simplify computer use by enabling users to point and click on visual images, or icons, instead of typing out commands. The second was to sandwich in a new layer of software, an Interface Manager, between the operating system and the applications—word processing, calculation, games, journalism, spreadsheet analysis, etc.—that would enable users to switch easily from one to the other, or even display multiple functions simultaneously. It would take Microsoft the rest of the decade to perfect Windows, even as Steve Jobs at Apple introduced Lisa and then the Macintosh 128K, which beat it to the market by a wide margin. Microsoft introduced two early versions of Windows in the 1980s that were widely considered inferior to the competition, but successfully overleaped everyone else in May 1990 with Windows 3.0. To accomplish it, Gates had hired experienced software developers away from competing firms, locked up agreements with more than twenty computer manufacturers to endorse the new system while it was still in development, and then strolled out on a stage in New York City to announce the breakthrough product in what he called “the most extravagant, extensive, and expensive [$3 million] software introduction ever.” The awkward teenager, whose parents once forbade him to use a computer for months for fear his personal growth was being stunted by the machine, had evolved into not just a software innovator and skillful high-stakes businessman, but a showman. Windows took off immediately and just kept on selling. Gates became the richest man in the world, a pinnacle he owned for most of the next twenty years.
From the beginning, the software business was a cutthroat enterprise. Both hardware and software were relatively easy to clone and copy, so success from the earliest days meant both artfully borrowing from the competition and ferociously policing the borders of your own products. The first Windows operating system, introduced in 1985, was influenced by (critics have said “stolen from”) ideas pioneered by other innovators. Gates became famous for his sharp elbows; to protect and enlarge Microsoft’s franchise and his fortune, he took steps that some considered unfair and monopolistic—including the U.S. Department of Justice and the European Commission. Much of the disdain for Microsoft among members of the Geek Tribe stems from this fact. The software giant’s riches and competitive excesses would probably be forgiven if Windows were seen as not just as the richest, but the best. Fairly or not, the opposite is the case. Many geeks view Windows’ various great leaps forward—Windows 95, XP (2001), Vista (2007), Windows 7 (2009)—as dubious adaptations of an inherently flawed design. One of the big problems with Windows, which the Tribe sees as preventable, is that the operating system is especially vulnerable to the predations of malware. Not everyone believes Windows is most-targeted only because it owns the biggest share of the market.
Whatever its alleged failings, and however uncool Microsoft has been made to appear in Apple’s clever advertising campaigns, Windows operating systems still run most of the computers in the world, by far. The system itself consists of literally millions of lines of code that support a virtual galaxy of applications, from the profound to the mundane. It’s organic, in that it is constantly evolving, and has become far too complex for any one person to fully grasp. The size of the Redmond campus, which employs more than ten thousand people, just over one-tenth of Microsoft’s worldwide workforce, reflects this bewildering specialization, with whole divisions of the company, whole sprockets, devoted to a growing variety of software. T.J.’s specialty is protection.
He does not look like a geek. He is tall and athletic, with long arms and legs; broad shoulders; a wide, round clean-shaven face; and rimless glasses. He spent his youth playing sports: baseball, football, soccer—“pretty much anything,” he says—and mostly misspent the early years of his college education. Now in his thirties, he still looks like a jock. He has a loose, easy gait and a resolutely informal manner. He wears his hair cropped close, and often covers it with a baseball cap—he was wearing a blue one with the gold initials FBI on the front the day I met him in 2010. The path to his present position was determined not so much by technical interest or ability as by a desire to catch bad guys. Law enforcement was his original goal. He took a somewhat lackadaisical nine-year path through Florida State University in the 1990s, overindulging (by his own account) in the ample social opportunity afforded by the steamy Tallahassee campus before knuckling down to earn an undergraduate degree in criminology, and then a master’s degree in information science. The field is only partly related to computers, but T.J. had a stronger than usual relationship with digital networks even then. When graduation appeared on the horizon, he applied for jobs with several federal law enforcement and intelligence agencies. He had his heart set on the CIA, where he might “have an impact,” he says, but a friend pointed out that his résumé might also interest a software company.
During his last few years at school, T.J. had a part-time job as an IT (information technology) aide for one of the university’s departments. He worked his way up from supporting desktop software to systems manager for the entire department. His parents had gotten him one of the early PCs in the late 1980s, when PCs were starting to become a fixture of home offices, and he had learned enough on it to understand, by the time he went to college, the advantages of linking his computer to the university’s large and powerful network. He experimented with using multiple modems to broaden his bandwidth when connecting, and apart from the convenience afforded by the network’s speed and accessibility, he discovered caches of new movies and music—places where Internet pirates had stashed their illicit goods. This was a common practice. Video and audio files took up lots of space, so pirates would hack their way into large computer networks and stash their stolen goods in obscure corners where they were likely to go unnoticed. With triple the normal bandwidth, T.J. was able to construct honey-pots, where he could study the methodology behind the over-incresing attacks. He learned a lot about how Internet predators gained access to networks . . . and watched a free movie or two now and then. He was not actually stealing the material, see; it was already stolen. . . . It also gave him a real sense for the emerging world of cybercrime.
His facility with computers and networks landed him a full time IT job, where, between installing machines, checking out applications, and building campus networks, he began dealing with increasingly frequent and sophisticated efforts to break into his department’s files. This awakened T.J.’s inner Batman. He learned to apply monitoring tools like port mirrors to snare and track the invaders. Such work was obsessively interesting—toe-to-toe with the villains!—and he was soon more driven by crime fighting than by the routine IT chores or his classes . . . hence his desire to chase bad guys for real as a federal agent. The fed jobs were competitive, particularly after the terrorist attacks of September 11, 2001, fired up patriotic instincts on college campuses, so to cover all his bases T.J. dropped off his résumé with a visting Micros
oft recruiter. He didn’t even stay for the guy’s whole presentation. So he was surprised when he got an email the next day inviting him to drop by for a “screening interview.”
Microsoft hired him a few months later, the day before he got married in December, after a grueling daylong round of interviews in Charlotte, North Carolina. The phone call offering him the job delayed his attendance at the rehearsal dinner, but his bride’s pique faded quickly when she learned her groom had landed a good job. T.J. progressed rapidly from enterprise-level network support engineering to security work, a growing concern at Microsoft just then. It was a period of rapid growth for malware, and the job handed him the challenge throughout the last decade of matching the miscreants stride for stride.
Much like Microsoft, malware had begun to embrace specialization. Among the new things T.J. saw were prepackaged exploits, essentially break-in vehicles that allowed criminals to load on whatever scam they wished. These exploit kits were marketed to garden-variety spammers and thieves, who no longer needed sophisticated hacking skills to get started. It meant that every newly discovered exploit launched not just one crime, but many, and potentially multiplied the earnings of its inventor manifold—with the added bonus that the exploit itself was not criminal. Prosecuting its creator would be like going after Black & Decker every time a thief used one of its drills to break into a safe. There were highly skilled programmers all over the world probing for a new weakness in Windows, crafting an exploit, and then openly marketing their invention to less tech-savvy crooks.
Botnets were the new big thing. Most Internet scams have a predictable rate of return; the percentage of people fooled into sending money is small, but if the net is cast widely enough, the returns can be large. Microsoft estimates that 5 percent of computer users fall for malware trickery, downloading programs that infect their computers, often despite on-screen warnings not to do so. Some “phishing” attacks on social networks, messages that trick computer operators into revealing valuable personal data or credit card account numbers, have shown a success rate of 70 percent. So an exploit that can guarantee reaching a large enough number of computers is a valuable tool, indeed, more like a license to print money. Nothing is more valuable in this context than a large, stable, secure botnet, a network of vulnerable computers not just accessible but controlled by an outside operator. The pressure it mounts on cyberdefenders is unceasing.
It is harder to defend a computer than to attack it. Microsoft’s security technicians spend considerable amounts of their time plugging newly discovered holes and issuing “patches” to mend them. This is not scary, esoteric stuff. This is as real as picking a lock, albeit not as simple. Anyone who uses Windows on their home computer is familiar with routine security updates, which Microsoft issues on the second Tuesday of each month. In the Tribe it has become known as “Patch Tuesday.”
In September 2008, a group of Chinese hackers began marketing an exploit for $37 that attacked a hitherto unknown weakness at Port 445 of the Windows Operating System. The Chinese hackers were not breaking any laws. They did not attempt any criminal acts. Their product was just a tool for breaking into the heart of a computer running Windows. The first serious effort to use the kit was seen weeks after the kit appeared, in Vietnam, on September 29. A strain of malware dubbed Gimmiv quickly spread from Hanoi to twenty-three nations. Malaysia was hardest hit. Gimmiv was identified by most security experts as a “Trojan,” a type of malware that attaches itself to a legitimate program and goes to work when the operator turns it on. The Trojan then copied all of the registry information in the invaded computer, all of its log-on and personal data, and sent it back to the attacker. As a scam, Gimmiv had serious design flaws that limited its effectiveness, but the exploit had worked perfectly. Others were sure to notice. T.J. knew it probably meant a race to exploit the newly discovered vulnerability at Port 445.
Ports are “listening” points in the system, designed to transmit and receive particular kinds of data. There are 65,353 in Windows, because users value speed, so they want their computers to be able to do many things simultaneously. A firewall is a gatekeeper. It sniffs incoming packets of code and either grants or denies or redirects them according to the rules that govern each port. To penetrate the firewall, a packet of code needs to match up with a port; it needs to present itself as something the port is designed to receive. Only certain very specific kinds of data can flow through, and then only with the appropriate codes. Some ports, like Transmission Control Protocol (TCP) 25, which handles email, are heavily trafficked. Most are not; they listen for updates and instructions that deal with narrow and specific functions, usually routine procedures that never rise to the notice of computer users.
The number of ports is determined by TCP and UDP protocols, which are used to trigger the right listening service on the operating system. If a message comes to a port that lacks the right listening service for it, the port is said to be closed, otherwise, the port is open and the computer will receive the message, oftentimes sending a reply to the sender. In Windows, there are a few ports that are open by default unless there is a firewall to control access. One of them is port 445.
On a Windows machine, port 445 triggers a service called Remote Procedure Call (RPC), which allows other computers to print or share files with it. Because of the complexity of the RPC service, the legacy of various generations of Windows, and the intimacy of the service with the heart of the operating system, called the “kernel,” there are lots of instances where an error in programming allows an attacker to deliver invalid data, instructions which may cause the service to perform tasks for which it was not intended. This is a problem common to large software systems. A vulnerability in RPC permits a level of control over the computer that a vulnerability in, say, Internet Explorer, would not. Remotely controlling Internet Explorer would enable a miscreant to compel your computer to download pornography or adware, the kind of exploit that is immediately and painfully obvious. Seizing control of the kernel gives a remote operator access deeper than a user would ever see, right to the mind and soul of the computer. He would, effectively, own it. At that point the owner of the infected computer has been pwned, royally.
The hard part was not entering through Port 445; it was fooling the operating system into downloading the exploit’s malware. To accomplish that, the Chinese kit employed a “buffer overflow,” one of the hackers’ oldest tricks. It works like this: An outside computer comes knocking at the door with a packet of code. Once it arrives, the operating system needs to find where to put it. So it dispatches a collection of programs called network services—think of network services as a “recipe book” that explains how to make various dishes, and the computer as a chef who is avidly reading this book. If the process were simple, the chef would select the correct recipe, or program, and download the new packet. But the process is not simple. Nearly every program involves a variety of subroutines, which interrupt the primary task along the way. These subroutines are, in effect, small packets of memory created within the preexisting memory stack, parentheses within parantheses, like nesting Russian dolls. For example, once the chef chooses what looks like the right recipe from the book, and starts reading, say, from page 73, he is interrupted and told that a remote client has placed an urgent order for a cake. To service the request, the chef immediately flips to the chapter (or program subroutine) that explains how to prepare cakes, say, page 141. But before he digs into the cake recipe, he creates a temporary memory stack—call it an addendum to the cake recipe—and places a bookmark there, called a “pointer,” to remind him where he left off (page 73), and where he needs to return once the cake is baked. Then he sets about making the cake, which has its own subroutines, like, say, contacting the customer to find out whether he wants angel food or chocolate.
Here is where the malware programmer performs his trick. He is the cake customer. He gives the chef a list of his requirements for the cake, and he knows from previous observation that these instructi
ons will be placed by the chef in an addendum, or the temporary stack, which is called a buffer. The evil programmer knows exactly how big that buffer is. So, in addition to giving the chef details of the cake he wants, he continues to feed the chef unrelated information. If the chef is undiscerning, as Port 445 proved to be, the superfluous data will overflow the allotted buffer space and spill into the addendum, so that the chef inadvertently overwrites his pointer, the one telling him to return to page 73 when he is finished. Instead, the cake instructions now send him in an entirely new direction, like, say, telling the chef—who is a very literal-minded fellow and follows instructions like . . . a machine!—to fetch a key and open a safe he keeps in a back room. This information, which has nothing to do with cake instructions, is duly recorded at the bottom of the addendum. So when the chef finishes with the cake, and checks his addendum to know where he needs to return, he is directed back not to page 73, but to the back room and the safe.