by Mark Bowden
The Internet, unlike roads, pipelines, or electrical grids, is not organized along physical pathways. Given the packet-switching method it employs to move data, more teleportation than straight transmission, there are no clearly defined pathways for its unceasing traffic. It is organized more like a phone book than a road map. The keys to routing packets were “identifiers,” the domain names given to specific locations. There are nearly two hundred million domain names registered. The names are sold, cataloged, and maintained by commercial registrars, which are governed by registries. The registries themselves are overseen by ICANN, which functions as the primary phone book, the job it took over from SRI in 1998. At the low end of this system is the local ISP, which provides routing services for computers linked to its network, whether home users who buy a connection from a commercial provider or an office computer linked to an in-house network with its own server. These millions of small servers are grouped under three hundred or so Top Level Domains, signified by the letters that come after the period at the end of an email or web address—.com, .biz, .edu, .de, etc. If your email address ends with Loyola.edu, then Loyola (Loyola University) is your local domain, and .edu is your Top Level Domain, the designation for universities.
So domain names are the postal addresses of cyberspace. Each individual computer has its own address, which is assigned to it by its ISP. In order to connect with a website on the Internet, your computer sends the address to its ISP. To make things easier for human users, that address, which consists of a long line of numbers and symbols in computer language, is translated into a recognizable word—e.g., www.google.com, or harvard.edu. Keeping track of all of these millions of names is an industry made up of thousands of small registrars. Each registrar operates a server, which makes sure there are no duplicate names, and which can route messages to that domain.
At a time when few people outside Silicon Valley had ever heard of such things, Rick used the experience in Düsseldorf to form his own registrar. He named it ar.com, short for “Alice’s Registry,” after the famous talking blues performance by Arlo Guthrie, and obtained a license from ICANN to sell domain names. Ten years later, Rick was regarded as a pioneer. In 2002, he was appointed to ICANN’s committee on security.
Security issues had begun to intrigue him primarily as an intellectual challenge. He saw the threat posed by botnets, and that few even in the IT business knew how to stop them. Not just stop them but how to track and monitor them. When he joined ICANN’s security committee, he learned that the agency did not even know how many botnets there were. Nobody was paying attention. So he formed a new company called Support Intelligence, and set about filling the need. He used the large Internet interface afforded by ar.com to assemble honeynets, and begin compiling research data. If he could measure them and capture their traffic, he could identify which computer networks—academic, corporate, government—were pwned. Then he could sell that information—he did not share Andre’s compunction about profit. Rick had, partly by design but largely by happenstance, maneuvered his way into the leading edge of Internet security.
So when Phil was looking for somebody who would know how to tie up in advance all 250 of the domain names Conficker would generate daily, he thought of Rick, who had become a well-known player in Internet governance circles. Rick knew all about the new worm, of course. When Phil contacted him on December 15, it had already been spreading for three weeks. There were known infections in 106 countries. It was the talk of the computer security world.
“We’ve fully recovered the Conficker assembly and have been plowing through it in detail,” Phil emailed him. “We’ve cracked the domain generating algorithm and have a full listing of domains that will be generated for the next 200 days.”
Phil started supplying Rick with daily lists of domains, and Rick used his contacts in the Internet governance community to purchase them. He then rented S3 storage space from Amazon to park the domains and “sinkhole” the millions of requests that poured in each day. The requests were simply routed to a dead-end location.
At the same time, Phil emailed the U.S. Computer Emergency Readiness Team (U.S. CERT), the agency responsible for protecting government computer networks, suggesting that it begin doing the same. That way the agency could scan all of the infected IP addresses and find out whether any government systems had been invaded, particularly whether any Defense Department networks had been breached. He received a return email thanking him for the suggestion.
Setting aside 250 domains a day was a big task, but not overwhelming. Rick stayed busy registering sites, and compiling sinkholing data on his Amazon account. He began pulling others into the effort, or connecting with others who were already at work on it, and started the List to coordinate their efforts. Georgia Tech grad student Chris Lee eventually offered his laboratory network as a home for the growing sinkhole, and some of the incoming botnet traffic began accumulating there. Andre was also sinkholing some with Shadowserver, and charting the botnet’s growth.
By the end of December, Conficker had infected 1.5 million computers in 195 countries. The one with the largest number of infected bots was China, with more than four hundred thousand—it had the greatest number of pirated Windows Operating Systems. This was more than twice the number in Argentina, second on the list. From there, in descending order, the top twenty were India, Taiwan, Brazil, Chile, the United Kingdom, Russia, the United States, Colombia, Malaysia, Mexico, Spain, Italy, the European Union, Indonesia, Venezuela, Germany, Japan, and Korea (with just 12,292).
There were a number of theories about it. Most of those studying the worm regarded it as the work of a “dark Symantec,” that is, one of the black hat “companies” in Eastern Europe funded by organized crime, probably in the Ukraine, given the Kiev connection. There was also the possibility that Conficker was a weapon, the work of a nation-state.
China was the lead suspect.
“By some estimates, there are 250 hacker groups in China that are tolerated and may even be encouraged by the government to enter and disrupt computer networks,” said the 2008 U.S.–China Security Review. “The Chinese government closely monitors Internet activities and is likely aware of the hackers’ activities. While the exact number may never be known, these estimates suggest that the Chinese government devotes a tremendous amount of human resources to cyber activity for government purposes. Many individuals are being trained in cyber operations at Chinese military academies, which does fit with the Chinese military’s overall strategy.”
There were recent examples of China’s success. Just three years earlier, Chinese hackers had stolen data from the U.S. Army Aviation and Missile Command at Redstone Arsenal, Alabama, and from NASA’s Mars Reconnaissance Orbiter. “Including files on the propulsion system, solar panels, and fuel tanks,” the report said. Also known to have been targeted was the Non-secure Internet Protocol Router Network (NIPRNet), an unclassified military net that handles calendars for generals and admirals, troop and cargo movements, aircraft locations and movements, aerial refueling missions, and other logistical information that a skilled analyst could use to track American military intentions and tactics. Disabling the system prior to actual combat would pose severe hardships on the American military in any conceivable war scenario.
Those who held this view saw the nod to Ukrainian keyboards and the effort to download fake AV software from TrafficConverter.biz as feints. The fact that Conficker had otherwise done nothing lent credence to the weapon theory. Criminals were always eager to capitalize on their breakthroughs. A nation, on the other hand, might be content to build and simply sustain a huge, stable botnet as a platform for a future digital attack.
There was still another, more hopeful, theory. What if Conficker was nothing more than a research project? Again, the fact that it had done nothing so far, along with an appreciation for malware’s history, lent some weight to this view. Early infections like the Morris Worm and others were the work of graduate students showing off or testing their prowess. If some students at MIT fooling around in the lab had unleashed Conficker, they wouldn’t be eager at this point to identify themselves. If this view was correct, then there was nothing to fear from the worm. What if it had been released as a demonstration of the Internet’s extreme vulnerability, as a wake-up call?
There were as many theories as there were experts, because Conficker afforded few clues. Efforts to track and study the phenomenon were so uncoordinated that researchers started bumping into each other. Rick and Phil were surprised when they discovered that Chris Lee had begun sinkholing and experimenting with Conficker earlier that month at Georgia Tech. They began coordinating their efforts.
Meanwhile, Phil and Rick went sleuthing. Rick’s work so far involved turning the worm’s clock forward, in order to generate the domain names it would spit out in the future. He had software, called “whois,” which provided identifying details of whoever had registered a domain. Phil decided to turn the clock back, to see what sites its algorithm would have generated in the weeks and months prior to its release. He figured that anyone who was going to launch something like it would probably have taken it out for a test drive first. If the launcher had done a dry run on the domain name feature, and tested linking it with a command center, that would most likely have happened recently. The exploit of Port 445 (the Chinese kit) had surfaced only the previous summer, so it was unlikely anyone would have been testing out Conficker before then. Phil ran the hybrid in his lab backward six or seven months to produce every domain name the worm would have generated in that time. Since the site names were just random arrangements of letters and numbers—it wasn’t spitting out well-known domains like espn.com or nytimes.com—almost anyone who had bought one of them was likely to be their suspect, the worm’s author.
He wrote to Rick:
We want to go back in time to see if there were any Conficker domains prior to release that may have been reserved for testing. Perhaps we might be able to ID the author by checking out whether they did some early testing using Internet domains that they registered directly. In short, we need some help with the “whois” lookups [identifying the identity behind the IP addresses of those testing the domains]. One thing to know is that we think the hackers are domain-tasting (i.e., they reserve the domains, which is free for 5 days, but never pay). They only need to use a given domain for a day, so they can cycle through many domains for free. Anyway, we have lots of domains, and are wondering if you can help with your “whois” capabilities.
Within a week, Rick’s efforts pointed them to a distinct source. Most of the hits, 391 domain names corresponding with Conficker’s random lists, were “clearly coincidental,” Phil wrote in an excited memo to his staff:
However, I did find 9 HIGH CONFIDENCE hits. They start from Nov 27th to Dec 19th 2008.
All nine came from the same place, a website that he traced to a computer company.
“These guys are clearly the ones operating Conficker,” Phil wrote.
Except, they weren’t. When Phil went looking he found instead an Atlanta computer security company, Damballa, doing exactly the same thing he and Rick had been doing, running the clock backward. It was the work of Dave Dagon, who would soon join the List.
The X-Men were tripping over each other.
7
A Note from the Trenches
ALL THE TRAINING . . . ALL THE PLANNING . . .
NOW IT IS TO BE PUT TO THE TEST.
—The X-Men Chronicles
T. J. Campana’s birthday came three days before the end of 2008. He and his wife make a big deal out of birthdays, so he was at his home out in the Seattle suburbs. It was a family day in the middle of a holiday week, and every time T.J.’s wife caught him checking his phone for messages he would get this look.
But the messages were persistent, and they weren’t all wishing him a happy birthday. For the previous month a ragtag bunch of geeks led by Phil Porras and Rick Wesson and Andre Dimino and a few others—they had begun calling themselves the Conficker Cabal—had been urging Microsoft to combat the new worm.
T.J. had listened sympathetically, but at that point this botnet was one of just many threats the software giant was watching. It was particularly interesting for a variety of technical reasons, but it had not yet eclipsed all other considerations. The company had already patched the vulnerability the worm exploited to invade a computer, and so far customer impact had not been great enough to elevate its priority. There had been hardly any publicity about the outbreak, so there were no pressing public relations issues that might boost concern up the corporate ladder. There was the money issue, which would have to be addressed. Rick was racking up charges on his personal credit cards to buy up and sinkhole 250 domain names per day, using Amazon’s S3 storage services. But there was time. As the year counted down, it was looking as if the Cabal might be able to fully contain the worm on its own.
The messages kept coming. Urgent messages. Something had happened. Still, T.J. was good. He waited until that evening, after the candles had been blown out on his cake, after the dishes had been rinsed and loaded in the washer, before begging for a few minutes of indulgence to take a closer look. What he found nearly ruined his birthday.
There was a new version of the worm, which would be dubbed Conficker B. It had started crowding into honeynets within the last twenty-four hours, and it was better than the first . . . a lot better. If the Tribe had been intrigued by the original version, it was now experiencing something more like respect.
For one thing, this new B strain exploded the benevolent-accident theory. Conficker was clearly not some harmless grad school lab experiment gone awry. The worm’s creator had been watching every move the Cabal made, and was adjusting accordingly. If the botnet was to be strangled by cracking its domain-name-generating algorithm, learning its potential points of contact with its controller and shutting them down in advance, then why not make the effort harder? Instead of generating 250 domain names daily, and confining them to just five Top Level Domains (TLDs), Conficker B added three more TLDs: .ws; .cn; .cc. The designation .cn identified websites registered in China.
While the new variant was clearly a rewrite of the original, there were upgrades. The B strain did away with the check for a Ukrainian keyboard. It had two improved methods of spreading: (1) it searched out machines on the same network that were vulnerable before attempting to invade, and (2) it spread by the use of plug-in USB drives. It also had more security measures. Besides shutting down whatever security system was installed on the computer it invaded, and preventing communication with computer-security websites, it stopped an infected computer from downloading Windows security updates. So even in the unlikely event that the software company somehow wrangled approval to unleash some kind of anti-worm, or any sort of remediation, the infected machines would be out of reach. In addition, it modified the computer’s bandwidth settings to increase speed and, thus, propagate faster still.
The first strain of Conficker had utilized Secure Hash Algorithm (SHA)-2, Ron Rivest’s public encryption method, which used a public key of 1,024 bits to encode communications. This was the current Federal Information Processing Standard, which was the highest standard for public encryption. This new strain had a different encryption algorithm, and at first Hassen could not figure out what it was. It called for a 4,096-bit key, upping the level of encryption to an unprecedented level of difficulty. Hassen searched Google for Secure Hash Algorithms to match that size, and immediately found one on Rivest’s website, but it was only a proposal, not a finished product. It had been proffered by Rivest in the ongoing competition to upgrade SHA-2, sponsored by the National Institute for Standards and Technology. The agency had been accepting submissions for the new standard for months. Rivest had won every previous competition, so those in the know would certainly regard his newest effort as the front-runner for SHA-3. It was not until weeks later, still stymied, that Hassen searched further, and discovered that the new strain of worm was stealing a march on the world of cryptography by employing Rivest’s proposal. That was a shocker. How many people were even aware of these things?
This startling detail afforded another potential lead to the identity of Conficker’s creator. The only way to obtain Rivest’s revised proposal was to download it from his website at MIT. If the Cabal went back over Internet traffic to that website and compiled a list of those who had accessed the revised algorithm, the botmaster would have to be there. It would not be a long list, and the contents could be cross-checked with the logs of those who had visited SRI’s Conficker reports, because Phil and Hassen knew that the worm’s creators had been checking them. Bingo! But when they contacted Rivest, he told them that his department routinely purged the logs. It did not have a record that went back far enough.
Particularly troubling was the USB drive capability. It meant that even “closed” computer networks, those with no connection to the Internet, were vulnerable to the new strain, since users who cannot readily transmit files from point to point via the web often store and transport them on small USB drives. There had been just such a security breach at the Pentagon, one of the biggest closed networks, a notorious episode that confirmed the adage about a chain being only as strong as its weakest link. Someone had hurled fistfuls of USB drives out of a car window into a parking lot outside the gigantic military headquarters in Arlington. A defense department employee (the weak link) had picked one up off the pavement and, curious enough to be heedless, plugged it into a computer at the complex, thereby injecting a nasty virus into the large, supposedly sealed and secure military network. This had prompted a ban on all USB drives at all secure government computers (about which more later).
The USB feature was a game-changer, as far as T.J. was concerned. In the first weeks of January, Conficker B would revitalize the botnet dramatically. It began infecting more than 1.5 million new computers every day, according to an F-Secure study in mid-January. The study estimated that as of January 16, the botnet numbered 8.9 million.