by Mark Bowden
If the right check is in place, the computer at that point would simply reject the incoming packet, or complain—send up a specific warning message to the computer user that only very few comprehend. There are ways for the service to check to see if the space it allocated is large enough or if an attacker has successfully written too much information, either of which would abort the invasion. But the service must do that at every single point, and there could be thousands of such points in a complex program like RPC. The Chinese discovered one point that wasn’t adequately protected. So instead of the RPC service simply aborting the process and shutting down the buffer, just as the handle of a gas pump will automatically shut down when the tank is full, the computer, or chef, continues processing the data along this new and unauthorized path.
This is the essence of the exploit. Like all programs, network services list data and instructions, a set of procedures that the computer follows faithfully. The invading code now steers its malware package wherever the programmer has told it to go, and because Port 445 is buried deep in the operating system, the payoff for an intrusion there is big. The lock has been picked.
Microsoft learned of this new exploit as soon as the Chinese hackers began selling it, and recognized that it potentially posed a major threat. It was “wormable,” that is, it was the kind of attack that would allow for the insertion of a worm, which could then propagate itself into a botnet. It could execute a “remote procedure call”: in other words, the computer could be handed over to a remote operator. The threat was serious enough that the company decided to issue its hastily designed patch for this vulnerability, MS08-067 (Microsoft 2008—Patch 67), “out of band,” that is, it decided not to wait until the next “Patch Tuesday.”
T.J. was at a four-day International Botnet Task Force meeting in Arlington, Virginia, hosted at Carnegie-Mellon University on October 23, 2008, when MS08-067 was announced and made available for download. The timing gave him a chance to explain it in person to some of the top security researchers in the world. When the final decision was relayed to him from Redmond, he stood up with his associate Richie Lai to announce it.
“Hey, I want everybody to go onto Microsoft.com, slash, technet, slash, security,” he said. “There’s an out-of-band release.”
The company release accompanying the patch explained: “On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a worm-able exploit.”
Many at the meeting downloaded the patch immediately and began dissecting it. T.J. spent the next few minutes explaining it and answering questions, and then met with people from the FBI to brief them the same afternoon.
“We think this is going to be a big deal,” he told the agents. “You guys really need to start looking at that.”
In a perfect world, the patch would end the problem. But as T.J. well knew, MS08-067 was more likely to makes things worse. Anyone who downloaded it would be protected from the exploit, so Microsoft had to release it in order to protect its most diligent customers. But the patch itself was better advertising than the Chinese hackers could ever afford. It was like placing in orbit a flashing neon billboard so gaudy that it could be seen everywhere on Earth with the naked eye—Come one! Come all! A new Windows vulnerability!
In fact, the patch itself most likely inspired the new worm’s creation. Many, many computer operators worldwide fail to diligently heed security updates. Millions of “Windows” systems around the world have been bootlegged, counterfeited, or installed without authorization. If everyone registered his software and applied new patches promptly, Windows would be nigh impregnable. But because so many people fail to do so, “Patch Tuesday,” or in this case an out-of-band patch, has become part of Micro soft’s problem. It is as if the commander of a fort made a public announcement—“The back door to the supply shed in the southeast corner of the garrison has a broken lock; here’s how to fix it.” If there were only one well-policed fort, the lock would be fixed and the vulnerability would disappear. But when you are defending millions of forts, and a goodly number snooze right through the public announcement, the patches simply point out the unlocked door. They don’t just invite attack; they provide instructions!
This was scary stuff if you allowed yourself to really think about it, which few did. It pointed up a flaw in the founding let’s join hands and sing! techno-utopian spirit of the Internet itself, a flaw so basic that it could not be fixed. It suggested some kind of social equivalence to entropy, an unbendable curve toward ruin. It was proof, as if further proof were needed, that nothing works exactly as intended.
Making computers easy for everyone to use was the germ of the idea that made Bill Gates and Paul Allen into two of the richest men in the world, but by inviting everybody to the computer revolution, they threw open the doors to the technologically ignorant, which is to say, most of us. This would prove to be enormously frustrating in later years to those who understood most and cared most about the Internet. If everyone would only take simple precautions . . . but that was never going to happen. It had been tough enough to get users to pay attention when malware was primitive, when it stomped in with muddy boots and ground its heels into their hard drives. How were you going to get them to pay attention when the malware was so stealthy that only the most alert and well-trained technician could detect it? When the thing to be protected was not so much the individual PC as the Internet itself? People simply would never understand, and even if they did, they lacked discipline. In a free society, you could not reach in and update their software for them—just imagine the howls of indignation, the bad PR, the class-action lawsuits! Big Brother tickling the innards of your very own machine? It was about as clear a violation of the techno-utopian ideal as could be imagined. The implication was that this billion-headed, globally connected marvel would always be vulnerable, and not just to predation. It could be weaponized. It could be crippled or even crashed at the whim of some technically proficient cybergang or perhaps even by some borderline Asperger’s teenager who woke up on the wrong side of the bed. And even when you did everything right, even when you anticipated the exploit and turned out the patch in record time, it just made things worse!
Sure enough, as soon as MSO8-067 appeared, demand for the Chinese exploit kit grew so fast that its creators began giving it away. There was a new outbreak of Gimmiv in Asia. Security experts were not too worried about Gimmiv, which was amateurish, but they could see the potential.
“If the bad people find out how to use this, we’re in big trouble,” wrote Eric Sites, a researcher for Sunbelt, a security software firm. He warned that a better-designed piece of malware, like a worm, “could be created very easily and wreak havoc.”
Twenty-eight days after MS08-067 appeared, the very thing popped up on Phil Porras’s Infections Log at SRI, and started burrowing its way into unprotected computers everywhere.
And nobody, nobody, was less surprised than T. J. Campana.
3
Remote Thread Injection
“IF HE CAME HERE IT WAS FOR A REASON.”
“A DARKER REASON THAN YOU CAN IMAGINE, SIR.”
—The Amazing X-Men
Hassen Saidi took it personally when the worm shrugged off SRI’s unpacking software.
The tool to pry open malware, to slice right through the layers of protective and deceptive coding, had been created by Hassen, along with Monirul Sharif, a graduate assistant. They called it Eureka. Any malware that resisted it was a personal challenge, and an opportunity to improve Eureka.
Hassen is the data flow analyst on Phil Porras’s staff. He is a native of Algeria who migrated to Menlo Park after earning his doctorate in computer science in France. He’s firmly in the Internet idealist camp. He sees the web as one of the most revolutionary developments in human history, and regards the efforts of criminals, nihilists, and terrorists to pr
ey on it as reprehensible. More and more, the world as we know it depends on the smooth interaction of computers. The Internet has become the collective mind of humanity, its eyes and ears and memory. As old paper repositories convert to digital storage, and as the new trail of modern civilization increasingly inhabits the digital realm, it has become, in a sense, the new Library of Alexandria. Better than most, security pros like Hassen recognize how easy it would be to burn it down.
At the dawn of the computer age, hackers were mostly a nuisance, motivated by a desire to show off. Today the most serious computer predators are funded by rich criminal syndicates and even nation-states, and their goals are far more ambitious. Cyberattacks were launched at digital networks in Estonia by ethnic Russian protesters in 2007 and in Georgia before Russia attacked that country in 2008; and someone, probably Israel or the United States (or both), successfully loosed a worm called Stuxnet in 2010 to sabotage computer-controlled uranium centrifuges inside Iran’s secretive nuclear program. Botnets have been employed in lucrative global scams and syndicates. In October 2010, the Zeus Trojan, a kit that can be used to create a botnet, has been responsible for infecting nearly four million computers in the United States alone. One Zeus-based scam was discovered to have plundered more than $70 million from the bank accounts of tens of thousands of unwitting victims. Those behind such efforts are often every bit as skilled as those charged with stopping them. The two sides in this war are fellow members of the Geek Tribe engaged in a highly cerebral and esoteric contest at the cutting edge of computer programming.
The stakes are high. Staying one step ahead of the botmaster, the “miscreants,” or “bad guys,” or “black hats,” as the security community dubs them, is a constant challenge. The obscure work these experts do, the work that is so hard for most people to understand, may not be as romantic or physically daring as the work of the pilots who flew those fighters on Phil Porras’s office wall, or the assault force in 2011 that killed Osama Bin Laden in Pakistan, but it is every bit as vital and compelling. The threat may be virtual, but the consequences would be all too real. A successful computer attack could compromise nuclear reactors, electrical grids, transportation networks, pipelines—you name it. Earlier this year, the Pentagon formulated its first-ever formal cyberstrategy, which found that a cyberattack on the United States originating in another country would be considered as much an act of war as dropping bombs on Buffalo, one that would justify a traditional military response. It is, of course, always easier to tear something down than to build it up, easier to break into a computer than to protect it, so the good guys work at a constant disadvantage. The tide of malware is relentless. Battling it without losing heart requires both steadfast resolve and, at some level, faith in man’s essential goodness.
With dark semicircles under his big brown eyes, Hassen has the look of the creature Weizenbaum sketched back in 1976, a man who spends too many hours bathed in the light of a computer screen. He is forty, with thick brown curls that have begun to gray at the temples. His aptitude and learning have been seasoned with decades of experience. He has honed one very specific skill to a fine art. If he is not the best at what he does, he would like to know who is.
Hassen pursued computer studies in part to avoid direct competition within his accomplished family. His father is a professor of literature and his mother an elementary school teacher. Five of his siblings have earned PhDs in various disciplines. Two of his older brothers were mathematicians, so when he graduated from high school he decided to go a different way. The math brothers advised computer science, a growing field with plenty of opportunities for both study and employment, and Hassen heeded them, even though he had no particular love for computers, a circumstance that makes him different from most of those working at his level. After SRI recruited him from the French lab, he spent several years in Menlo Park focusing on programming languages and computer reliability, but realized gradually that the real action was in the malware wars. He talked his way into the job, convincing Phil that his cutting-edge programming skills were ideally suited to dissecting the newest strains of malware. Nowadays when people ask him what he does for a living, he says, “I track criminals.”
If they press for more detail, he’ll confess that his crime fighting is relegated to the virtual space inside SRI’s computer network, “tracking viruses.” Further explanation produces the Glaze.
“At that point,” he says, “they’re not interested.”
But how could anything be more interesting? A malicious program that appears impervious to dissection is the handiwork of someone, or some group, trying to prey on honest citizens in the global community, which is to say that the predator is trying, ultimately, to outsmart him. Hassen is that rare program analyst who is comfortable working not just with source code, any of the many programming languages, but with “object code,” the long strings of ones and zeros at the core of machine instruction. At that primary layer, a program’s intent cannot be disguised or obfuscated. Once Hassen sinks his teeth into a piece of malware, the question is not if he can unpack and dissect it, but how long it will take him to do so.
What makes it hard, and what makes Hassen’s world so devilishly difficult to understand, is not just the complexity of modern computer operating systems, but the fact that much of what takes place inside them can be grasped and described only conceptually. Software is abstract. It’s also very real, of course, but not real the way an internal combustion engine is real. Inside an operating system there are no visible moving parts. It is a world of electromagnetic charges orchestrated to move along pathways that make decisions and create “memory.” There are many levels of memory, from the kind that sticks around on a hard drive forever to the kind that is so evanescent it exists for only microseconds, for as long as it takes a computer to step through some lightning-fast computation.
Every program is ultimately a list of instructions written in the ones and zeros of object code, which represent slightly different electrical charges. It breaks down complex tasks into a series of steps so basic that they can be expressed in a long series of binary decisions, or logic gates, which are executed by the computer’s central processing unit (CPU). The art of programming is breaking complex tasks into these fundamental steps. It is maddeningly precise work, because computers are maddeningly literal. Bill Gates once said, “Most great programmers have some mathematical background, because it helps to have studied the purity of proving theorems, where you don’t make soft statements, you only make precise statements.” Say, for instance, your body was a machine with a CPU, which, in a sense, it is, and you wished to stand up from a chair, walk across the room, and fix a cup of coffee. You would begin by telling each of the dozens of muscles involved in rising from a seated position to perform their functions, flex or relax, while monitoring balance readings from your inner ear and rerouting orders for muscular adjustments to make sure you don’t fall over sideways. By the time you have walked across the room, reached up to remove a cup from the cupboard, picked up the coffeepot, etc., you have executed a blizzard of binary decisions. The various source codes, or computer languages, are shorthand versions of object code, designed to make a program accessible to human programmers. If standing up and crossing the room and pouring a cup of coffee constitute a routine task, it might be rendered in source code simply as “get coffee,” which automatically refers the CPU to a standard predetermined sequence (we have all experienced the sensation of performing quotidian tasks on autopilot). But in order to perform even the simplest of tasks, the computer, just like the mind of a man crossing the room to pour a cup of coffee, must remember things, sometimes for split seconds, sometimes for longer. To make the cup of coffee we must access core memories, like which ingredients to mix and in what amounts, or how to operate the coffeemaker; and to stand and cross the room, to lift and to pour, we must create transient memories, like those continual readings from the inner ear to maintain balance. Inside the operating system of a modern computer there
are similar multilayered memory functions operating simultaneously, along pathways meticulously prescribed by the program.
To understand this new worm, either Hassen had to set it running and carefully observe it step by step, a dynamic analysis; or he had to, in effect, unspool its programming language so that he could read it, step by painstaking step, a static analysis. But first he had to find it. The worm may have been cunningly packed, but if it was to do its thing inside its host, the infected computer itself had to recognize how to open it. If you could watch that happen, step by step, you would learn how to unpack it yourself. But where inside the operating system of a newly infected computer did the worm hatch?
Malware is packed for two reasons. First, for compression, because to disseminate widely around the Internet the data packet needs to be small. Second, for self-protection, to make it harder for antivirus software to recognize it and for someone like Hassen to take it apart and study it. The worm itself consisted of only a few hundred lines of code, no more than thirty-five kilobytes, slightly smaller than a two-thousand-word document. The average home computer today has about two gigabytes of memory, well over 1.5 million times greater. If you were not looking for it, and unless you knew how to look for it, you would never see it. The worm drifts in like a mote. In order to prevent the kind of analysis Hassen wished to perform, its designers had made it particularly hard to follow once it entered a new machine. They had, in effect, covered the worm’s tracks, and they had provided a false trail to throw pursuers off the scent. They also applied a dual-layer encryption method, like Russian nesting dolls, capable of defeating most unpacking software and security ninjas.
Most.
Hassen is not easily fooled. He minutely traced the code’s tricky pathway into his virtual computer. The worm used the Chinese Exploit to enter Port 445, taking advantage of the buffer overflow to write itself in as a Dynamic-Link Library (DLL)—the device Microsoft programmers crafted to enable computers to exchange data. Regular users know nothing about program languages or varying exchange protocols. They just want the thing to run. So Microsoft invented a way to bundle executable programs and data, the DLL, that allows them to be smoothly exchanged by computers on different networks. Once inside, the worm (now a DLL) proceeded along a standard path. It was directed to svchost.exe (short for “Service Host”), which is a check-in point for incoming files of this type. Svchost then ran its “LoadLibrary,” function, which does what it says it does: it uploads the new file.
