by Mark Bowden
Like just about everything in this field, the nomenclature for computer infections is confusing, because normal folk tend to use the terms “virus” and “worm” interchangeably, while the Tribe defines them differently. To make matters worse, the various species in the growing taxonomy sometimes cross-pollinate. The overarching term “malware” refers to any program that infects a computer and operates without the user’s consent. For the purposes of this story, the difference between a “virus” and a “worm” is in the way each spreads. To invade a computer, a virus relies on human help such as clicking unadvisedly on an unsolicited email attachment, or inserting an infected floppy disk or thumb drive into a vulnerable computer. A worm, on the other hand, is state of the art. It can spread all by itself.
The new arrival in Phil’s honeypot was clearly a worm, and it began to attract the Tribe’s attention immediately. After that first infection at 5:20 p.m. Thursday there came a few classic bits of malware, and then the newcomer again. And then again. And again. The infection rate kept accelerating. By Friday morning, Phil’s colleague Vinod Yegneswaran notified him that their honeynet was under significant attack. By then, very little else was showing on the Infections Log. The worm was spreading exponentially, crowding in so fast that it shouldered aside all the ordinary daily fare. If the typical inflow of infection was like a steady drip from a faucet, this new strain seemed shot out of a fire hose.
Its most obvious characteristics were familiar at a glance. The worm was targeting—Phil could see this on his Log—Port 445 of the Windows Operating System, the most commonly used operating software in the world, causing a buffer at that port to overflow, then corrupting its execution in order to burrow into the host computer’s memory. Whatever this strain was, it was the most contagious he had ever seen. It turned each new machine it infected into a propagation demon, rapidly scanning for new targets, reaching out voraciously. Soon he began to hear from others in the Tribe, who were seeing the same thing. They were watching it flood in from Germany, Japan, Colombia, Argentina, and various points around the United States. It was a pandemic.
Months later, when the battle over this worm was fully joined, Phil would check with his friends at the University of California, San Diego (UCSD), who operate a supercomputer that owns a “darknet,” or a “black hole,” a continent-size portion of cyberspace. Theirs is a “slash eight,” which amounts to one 256th of the entire Internet. Any random scanning worm like this new one would land in UCSD’s black hole once every 256 times it launched from a new source. When they went looking, they found that the first Conficker scan attempt had hit them three minutes before the worm first hit Phil’s honeynet. The source for their infection would turn out to be the same—the IP address in Buenos Aires. The address itself didn’t mean much. Most Internet Service Providers reassigned an IP address each time a machine connects to the network. But behind that number on that day had been the original worm, possibly its author but more likely a drone computer under his control.
The honeynets at SRI and at UCSD were designed to snare malware in order to study it. But the worm wasn’t just cascading into their networks. This was a worldwide digital blitzkrieg. Existing firewalls and antiviral software didn’t recognize it, so they weren’t slowing it down. The next questions were: Why? What was it up to? What was the worm’s purpose?
The most likely initial guess was that it was building a botnet. Not all worms assemble botnets, but they are very good at doing so. This would explain the extraordinary propagation rate. The term “bot” is short for “robot.” Various kinds of malware turn computers into slaves controlled by an illicit, outside operator. Programmers, who as a class share a weakness for sci-fi and horror films, also call them zombies. In the case of this new worm, the robot analogy is more apt.
Imagine your computer as a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it works. From his wide swivel chair on the bridge, he can order it to fly, maneuver, and fight, but he cannot fully control or even comprehend all its inner workings. The ship contains many complex, interrelated systems, each with its own function and history—systems for, say, guidance, maneuvers, power, air and water, communications, temperature control, weapons, defensive measures, etc. Each system has its own operator, performing routine maintenance, exchanging information, making fine adjustments, keeping it running or ready. When idling or cruising, the ship essentially runs itself without a word from Captain Kirk. It obeys when he issues a command, and then returns to its latent mode, busily doing its own thing until the next time it is needed.
Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses. Ensconced securely inside, he silently sets himself up as the ship’s alternate commander. The Enterprise is now a “bot.” The invader enlists the various operating functions of the ship to do his bidding, careful to avoid tripping any alarms. Captain Kirk is still up on the bridge in his swivel chair with the magnificent instrument arrays, unaware that he now has a rival in the depths of his ship. The Enterprise continues to perform as it always did. Meanwhile, the invader begins surreptitiously communicating with his own distant commander, letting him know that he is in position and ready, waiting for instructions.
And now imagine a vast fleet, in which the Enterprise is only one ship among millions, all of them infiltrated in exactly the same way, each ship with its hidden pilot, ever alert to an outside command. In the real world, this infiltrated fleet is called a “botnet,” a network of infected, “robot” computers. The first job of a botnet-assembling worm is to infect and link together as many computers as possible. Thousands of botnets exist, most of them relatively small—a few tens of thousand or a few hundreds of thousands of infected computers. More than a billion computers are in use around the world, and by some estimates, a fourth of them have been joined to a botnet.
Most of us still think of the threat posed by malware in terms of what it might do to our personal computer. When the subject comes up, the questions are: How do I know if I’m infected? How do I get rid of the infection? But modern malware is aimed less at exploiting individual computers than exploiting the Internet. A botnet-creating worm doesn’t want to harm your computer; it wants to use it.
Botnets are exceedingly valuable tools for criminal enterprise. Among other things, they can be used to efficiently distribute malware, to steal private information from otherwise secure websites or computers, to assist in fraudulent schemes, or to launch Dedicated Denial of Service (DDoS) attacks—overwhelming a targeted server with a flood of requests for response. If you control even a minor botnet, one with, say, twenty thousand computers, you own enough computing power to shut down most business networks. The creator of an effective botnet, one with a wide range and the staying power to defeat security measures, can use it himself for one of the above scams, or he can sell or lease it to people who will. Botnets are traded in underground markets online. Customers shop for specific things, like, say, fifty computers that belong to the FBI, or a thousand computers that are owned by Google, or Bank of America, or the U.S. or British military. The cumulative power of a botnet has been used to extort protection money from large business networks, which will sometimes pay to avoid a crippling DDoS attack. Botnets can also be used to launder money. Opportunity for larceny and sabotage is limited only by the imagination and skill of the botmaster.
If the right orders were given, and all bots in a large net worked together in one concerted effort, they could crack most codes,
break into and plunder just about any protected database in the world, and potentially hobble or even destroy almost any computer network, including networks that make up a country’s vital modern infrastructure: systems that control banking, telephones, energy flow, air traffic, health-care information—even the Internet itself. Because the idea of the Internet is so nebulous, it is hard for most people, even in positions of public responsibility, to imagine it under attack, or destroyed. Those who specialize in cybersecurity face a wall of incomprehension and disbelief when they sound an alarm. It is as if this dangerous weapon pointed at the vitals of the digital world is something only they can see. And in recent years they face a new problem . . . amusement. The alarm has been sounded falsely too often—take the widespread fear of an international computer meltdown at the turn of the millennium, the Y2K phenomenon, which did not happen. This has conditioned the popular press to regard warnings from the Tribe in the same way it regards periodic predictions of the apocalypse from wacky televangelists. The news tends to be reported with a knowing wink, as if to say: And here’s your latest prediction of divine wrath and global destruction from the guys who wear those funny plastic protectors in their shirt pockets. Take it as seriously as you wish. Oddly, as the de facto threat posed by malware grew, it became harder and harder to get people, even people in responsible positions, to take it seriously.
If yours is one of the infected machines, you are like Captain Kirk, seemingly in full command of your ship, unaware that you have a hidden rival, or that your computer is part of this vast robot fleet. The worm inside your machine is not idle. It is stealthily running, scanning for other computers to infect, issuing small maintenance commands, working to protect itself from being discovered and removed, biding its time, and periodically checking in with its command center. The threat posed by a botnet is less to individual computer owners than to society at large. The Internet today is in its Wild West stage. You link to it at your own risk.
Phil had no way to stop the spread of this new worm. He could only study it. And he could tell little about it at first. He knew roughly where his first sample had come from, and that it was something unrecognized. He knew that it was a genius of a propagator. It had one other curious feature that he had never seen. It had a geographic look-up capability: this worm wanted to know where the machine it had just infected was located in the real world.
The first step in dealing with any new malware is to “unpack” it, to break it open and look inside. Most malware comes in a protective shell of code, complex enough to keep amateurs from taking a close look, but Phil’s Menlo Park wizards were pros. They had invented an unpacking program they called Eureka that readily cracked open 95 percent of what they saw.
When they tried it on the new worm, it failed.
Sometimes when Phil was stymied like this, he would just wait for one of the AV vendors to meet the challenge. But this worm was flooding in so fast that waiting was not an option. His Infections Log showed the same thing over and over again, as the worm flooded in from everywhere.
As he would later explain, “There was literally nothing else for us to do.”
*This is a simplification, and is not exactly true, in the sense of there being physically thirteen servers at those locations acting as central switchboards for the Internet. Like all things in cyberspace . . . it’s complicated. Here’s how Paul Vixie attempted to explain it to me: “There are thirteen root name servers on which all traffic on the Internet depends, but what we’re talking about are root name server identities, not actual machines. Each one has a name, like mine, which is f.root-servers.net. A few of them are actual servers. Most of them are virtual servers, mirrored or replicated in dozens of places. Each root server is vital, sort of, to every, sort of, message, sort of. They are vital (but not necessarily involved) in every TCP/IP [Transmission Control Protocol/Internet Protocol] connection, since every TCP/IP connection depends on DNS [Domain Name System], and DNS depends on the root name servers. But the root name servers are not in the data path itself. They do not carry other people’s traffic, they just answer questions. The most frequent question we hear is, ‘What is the TCP/IP address for www.google.com?’ and the most frequent answer we give is ‘I dunno but I will tell you where the COM [Command] servers are and you can ask them.’ Once a TCP/IP connection is set up, DNS is no longer involved. If a browser or email system makes a second or subsequent connection to the same place in a short time, it’ll have the TCP/IP address saved in a cache, and DNS won’t be involved. A root name server is an Internet resource having a particular name and address. But it’s possible to offer the same resource at the same name and address from multiple locations. f.root-servers. net, which is my root name server, is located in fifty or so cities around the globe, each independent of the others but all sharing an identity.” Got that?
2
MS08-067
THE WORLD IS NO LONGER YOURS. . . . THE
FUTURE HAS ARRIVED . . . AND
A NATION TREMBLES.
—The X-Men Chronicles
The first reports of the new worm came to T. J. Campana from everywhere: in the form of instant messages and emails; from Phil Porras at SRI; from experts at Symantec, which markets the Norton AntiVirus software; from the network security geeks at iDefense; from F-Secure, a Finnish security firm; and from many others. This was on the first night.
“Hey, we’re seeing something really weird.”
“Something’s happening.”
T.J. wasn’t surprised. He knew what it was. He had been waiting for a worm like this one for months.
He is program manager for security at Microsoft’s Digital Crimes Unit, which is to say that he is engaged in ceaseless warfare. Since Windows is the primary operating system for computers worldwide, it is the primary target for those seeking to infiltrate, destroy, pilfer, or hijack computers for nefarious purposes. In addition to developing and marketing its operating system and software, the company is increasingly engaged in this running battle. It’s a very sophisticated contest. Malware is a thriving global industry, fleecing Microsoft’s customers with scams that range from the crude and obvious, sexual come-ons and mountebank schemes, to the more subtle, like this worm, which was rapidly and silently assembling what threatened to become a very large botnet. T.J. is in charge of disrupting these constant incursions, and helping to catch those responsible. He and his colleagues labor to be proactive. They try to spot and patch vulnerabilities before the bad guys can fully exploit them—which is precisely what they had done with this one.
Microsoft’s Redmond campus is a new and impressive corporate center outside Seattle that, at least from above, resembles . . . not a microchip exactly, although that would have been perfect, but the innards of an old watch. A spring-driven watch, with all its intricate gears, wheels, and escapement arms—albeit one with trees, sculptured lawns, and gardens. Viewed from above it contains a number of identical four-armed office buildings that curve toward rounded points at the end of each arm, like the teeth of simple sprockets. From the ground the giant sprockets are uniform in color, tan stone with green-tinted windows, and three stories high. There is an Erector Set feel to the place, a very tidy world where form rigorously follows function, where thousands of casually dressed young people in sneakers and jeans and wearing rumpled backpacks move under sheltered sidewalks like electrons marching along programmed routes, all of them fiercely pretending, in that laid-back Pacific Northwest way, not to be at work. Here is the home of the Windows Operating System, the software that mediates the computer experience for most of the billions of clueless who handle a keyboard or mouse every day. The sophisticated graphics-based wizardry of today’s Windows rests on a fulcrum of the old MS-DOS system written in the 1970s, when Bill Gates and others got the immeasurably lucrative idea that computers should be easy to use even for those who knew nothing about how they worked, perhaps the premier jackpot notion of the twentieth century.
Gates and Paul Allen, his buddy fro
m Lakeside, an exclusive Seattle prep school, had hit upon the idea of writing an easy-to-use computer operating system in 1974, after Allen saw a cover story in Popular Electronics about something entirely new, a personal computer. At a time of enormous, bulky mainframes, the Altair 8080 was a kit, marketed by a company called Micro Instrumentation and Telemetry Systems (MITS), that could be assembled into a working microcomputer in your own home. Few expected much of a market for it beyond avid computer hobbyists. If users managed to put it together correctly (many did not), they could operate it only by manipulating toggle switches to program the computer with object code, the ones and zeros of binary language. Gates and Allen were solidly in the demographic of the Altair 8080. They had fallen in love with computers at Lakeside as teenagers, and saw immediately that demand for the Altair would grow significantly if the machine were easier to use. Utilizing BASIC, one of the earliest computer languages, they tailored a program to accomplish that goal, and then sold it to MITS in Albuquerque in 1975. They incorporated as “Micro-soft” at the same time, and launched the business that would make both young men superrich, along with a fair number of techies they enlisted to help them.
From the beginning, the genius of Microsoft had depended not only on technology but just as much—maybe even more—on shrewd business sense and careful market positioning, which seemed to come naturally to Gates in particular. The most lucrative step in the company’s development came five years after the Altair, when IBM selected Microsoft (by then it had lost the hyphen) to provide the software for its entry into the burgeoning personal computer market. This was Microsoft-Disc Operating System (MS-DOS). IBM was the leading name in computers at the time. The computer giant had either been caught napping or deliberately waited out the early years of personal computer development (accounts vary), before introducing a home model designed to appeal to mainstream users, a machine that relied less on innovation than on standardization. Projecting that within the decade computers would be as commonplace in the home as TV sets, IBM intended to launch a microcomputer that borrowed the most successful features of the experimental machines being sold by Apple, Tandy, MITS, and other pioneers, and use its own manufacturing and promotional clout to grab the largest share of this emerging market. The product was a machine that could reliably and simply perform the most common tasks users asked of it—mostly word processing and simple statistical analysis. It had to be readily compatible with the large variety of software being written to capitalize on the home computing phenomenon. Gates and Allen had already proved themselves masters of this new art, and won the competition to handle the software side of the PC. When it proved successful beyond anyone’s expectations, they rode its sales straight into the stratosphere.
