Worm: The First Digital World War

by Mark Bowden


  What would that do to the world? Not the Internet. The modern connected world? . . . How many infected hosts are there inside the Fortune 500? So what would it mean for the economy if the Fortune 500 all had their internal networks shut down for an hour? A day? A week?

  Now let me ask you this: if you were the botmaster, and had a botnet of 2 million machines, how difficult would it be for you to bring the net worldwide to a halt?

  Ahhh, you’re really clueful. The best in the world at your job, but you’re a good guy. And you wouldn’t do that kind of thing. So who the hell do you think they are? Are all the miscreants stupid? Do you think they’re all capitalists who need the net to be up so they can continue to siphon passwords, and read email, and surf porn?

  And if you’re so damn bright, why haven’t you already managed to shut A/B down? Or C? Or Waledec. Or Torpig? Could it be because those bastards on the other side are as smart as you are? Or smarter? As we sit here now, they’ve managed to update a million of the A/B suckers, and you still don’t know how they’re doing it. Right in front of you! It took you apparently 2 days to even notice. And a week later you’re still sucking wind.

  AND YOU’RE THE BEST WE HAVE!

  What happens if one of them wakes up in a bad mood tomorrow morning? Or after a night of drinking or dope or being beaten in some humongous online game decides that the rest of the world is filled with evil by their way of thinking and needs to be destroyed. Just like in the game?

  So as I said in my first heated briefing on Monday, this isn’t about Conficker. A, B, or C. Or Storm. Or Slammer. Or Torpig. It’s about all of them. Those in the past, and those in the future. It’s about the one evil bastard who decides that he is going to use his botnet, or a piece of it, to punish someone else. It’s about the fact that the ability to use it maliciously exists. And we have stood by and let it happen. And we haven’t marshaled all of our resources to try and deal with it. The people I talked to in Washington who make the laws and rules, and run our lives, and who we elected, and who swear to serve us—“we, the people”—have NO F**KING CLUE that this is out there. Now a few of them do, in terms that they understand. We need “them” to understand because we need “them” to give us help and resources.

  Except that some of you (or your employers) are telling them that it’s not that dire, or as bad as I say it is.

  Tell me we’re not one command away from a catastrophe. I dare you.

  A few hours later, out in San Francisco, the ever-dour Paul Vixie took up the challenge, beginning with an answer to Rodney’s dare, and proceeding to a broad, measured reflection on the fragility of our emerging digital world:

  I won’t. But I will provide some personal context, much of which is probably shared by others in this community.

  These problems have been here so long that the only way I’ve been able to function at all is by learning to ignore them. Else I would be in a constant state of panic, unable to think or act constructively. We have been one command away from catastrophe for a long time now. . . . In a thousand small ways that I’m aware of, and an expected million other ways I’m not aware of, the world has gotten dangerous and fragile and interdependent. And that’s without us even talking about power grids or the food stocks available in high population areas if rail and truck stops working for a week. AND, in a hundred large ways that I’m aware of and an expected thousand I don’t know of, ethically incompatible people out in the world have acquired and will acquire assets that are lethal to the industrial world’s way of life—criminals and terrorists using the Internet for asymmetric warfare is the great fear of our age, or at least it’s my great fear. But I’ve lived with it so long that I have lost the ability to panic about it. One day at a time, I do what I can.

  I do NOT want this to be interpreted by ANYONE as me disagreeing with rjoffe’s basic observations and predictions. I’m saying the problem is far worse than he made it out to be. Because I am not the only one who has had to learn how to tune out the constant state of danger and get on with my life. All of us have. A full accounting of the problems we are collectively deliberately not thinking about in order to stay sane would be quite a SHOCK to any of us who saw it.

  Now if people in DC have been telling other people in DC that there’s no emergency here in Internet-land, and that they’ve got it all under control, then they are certainly wrong, but as to whether they’re ignorant and confused, or self-serving liars, I could not say from what little I know.

  But if people in DC are telling other people in DC that this is not the same threat level as 9/11, then they’ve probably got a point. Tomorrow the Internet MAY die for several days, if some botherder gets jilted by a boyfriend or whatever. There WOULD be loss of life and a whole lot of money as a result. But there’d be no way to politicize it the way that 9/11 was politicized, because not all the fire trucks and ambulances would be in the same place or shown on the same nightly news program. So from a DC denizen’s point of view, the Internet’s not in trouble, by the odd definition of “trouble” that most DC denizens have to use. And we all ought to be worried about a world that’s as broken as all that.

  I don’t advocate that we learn to live with this new class of threat, but I also don’t know what choices we have. In a free world it will be possible for this kind of thing to happen. We need more vigilance and more objective measurements; we need to change some fundamentals so that LE [law enforcement] can track these guys down in any country they operate from and kick in their doors and haul them away in chains and haul their computers away in trucks. We need a LOT of help from government, and we CANNOT be telling people in government that we’ve got it under control because we absolutely DO NOT HAVE IT UNDER CONTROL. At best we have it under light surveillance in-between the times one of us goes out on a donut break.

  It was a dark vision of where things were heading, but a legitimate one. C-Day was just eight days away.

  10

  Cybarmageddon

  AND IS IT ANY LESS MAD TO BELIEVE A HANDFUL OF MUTANTS MIGHT SAVE THE ENTIRE WORLD?

  —The Amazing X-Men

  John Crain had been minding his own business, literally, that evening at the Holiday Inn in Atlanta in early February at the Georgia Tech DNS symposium when his boss volunteered him to save the Internet from Conficker.

  His official title at ICANN was so complex that he would just tell people, “It’s very long and it has something to do with security,” and then hand them his card. Since the Georgia Tech conference had been convened to compare notes and discuss all the ways the Internet was at risk, it made sense for him to attend. Security issues had not been paramount when ICANN was established in 1998, taking over the role of assigning and keeping track of domain names and numbers worldwide. But as the malware problem grew in intensity and sophistication, its position as the only international body with any slight authority over the Internet had turned John’s security job into a pivotal one. The Georgia Tech conference was an effort to draw together the disparate players concerned about the threat, and John had helped set it up. He had been roped into attending the Cabal’s rump session that night by ICANN’s president, Paul Twomey.

  And when his boss turned to him to be ICANN’s point man with the Cabal, John said the only thing a man who loves his job can say in such circumstances: Yes, sir . . . now . . . what exactly are we talking about here?

  The specific task that night was to get China on board, since the newly released B strain included that country’s TLD (.cn), and because most of the infected computers were there, and because nobody else in the room had a clue as to how to go about enlisting the help of the Middle Kingdom—Rick Wesson having not yet informed the group about his own outreach to China. Perhaps because of Rick’s unauthorized outreach, the task happily proved to be a lot easier than anyone, including John, imagined. A few phone calls and a couple of emails.

  Still, John had earned a reputation for working wonders, so when Conficker C upped the ante from 250 to fifty thousand domains, and the list of eight targeted TLDs to 116, all eyes again turned his way. He made a terrific ambassador, easy to talk to, fun, the kind of guy who loves to sip good whiskey and talk music. John projects no hint of his profound—really, one-of-a-kind—level of international expertise. The Internet is so new that even those capable of doing John’s job could not have accumulated his contacts and experience.

  He has a broad face with a small, pinched mouth and prominent, dark arching eyebrows, with straight dark hair that forms a striking widow’s peak. He combs it straight back, in a style that, with the eyebrows, can give him a slightly diabolical look, which is misleading, because he is both cheerful and unfailingly straightforward. He had somehow contracted a passion while growing up in the East Midlands of England, in Leicester, for 1950s-era American country and rockabilly music. Long before he even contemplated moving to the United States he had begun affecting cowboy boots and shirts—his friends called him “Tex.” At about the same time he had begun working with computers, playing video games like Star Trek with his brother and father, and tapping into the mainframe of British Gas, where his father worked. In the three decades since—he was now forty-three—he had earned a degree in mechanical engineering and had set to work on computer networks when the Internet was still in its infancy. Dressed now in somewhat fancier cowboy boots and shirts, John has become the globe-trotting something-to-do-with-security man for ICANN, working when he is not on the road from an alcove in a spare bedroom of his suburban home in Long Beach, California, where he settled in search of perfect weather—“I was working with this American fellow in Amsterdam, and it was raining, and he said, ‘Why don’t you come to California? It’s not raining there.’”

  When Conficker C arrived, John had three weeks to enlist the help of nearly a third of the TLDs in the world, including every top-level country code. If a nation had its own TLD, John had to recruit it to play ball with the Cabal. This meant asking the Domain Name Server (DNS) in countries on every continent . . . well, the pitch might have gone something like this:

  Kind sir, with apologies, would you mind terribly setting aside this long list of domains? (Since the servers made money for every domain name they sold, this was asking them to essentially give away hundreds or perhaps eventually thousands of revenue-generating items.) And would you also set up a system to intercept inquiries sent to these domain names by this nasty botnet Conficker beginning on April 1, and redirect them all to a sinkhole operated by this grad student named Chris Lee at an American university in Atlanta, Georgia, called Georgia Tech—you know, “The Ramblin’ Wreck”? Everybody over here has heard of it. Really. In doing so, kind sir, you will be performing a heroic service to the health of the Internet, and, need I mention, for the reputation of your registry and country. (Just think how bad you are going to look if you don’t play along!) . . . And (forget about getting any credit for your generosity here) would you mind keeping this all secret? We’ll supply you with the lists, trust us . . . and . . . and . . . oh yes, if any of those randomly generated domains happens to be owned already, for every “collision,” we’ll be needing you to authenticate its ownership and then contact the poor sap and work out arrangements to shut him down . . . but only for a few days! . . . in order to protect him from being swamped by the evil botmaster . . . and . . . did I forget to mention? . . . just one more little thing . . . would you please do this every day for . . . ever? From now until the end of time?

  Okay. It sure didn’t sound like an easy sell. Some members of the Cabal had concerns about even making the pitch. What if this country-by-country effort succeeded, and then resulted in breaking a law somewhere, or prompted some TLD, acting at the Cabal’s behest, to anger one of the website owners whose domain “collided” with Conficker’s daily list?

  “I do not have to want to avoid travel to certain parts of the world because ‘XX’ years ago I tried to help the Internet, and someone felt I violated some privacy law and filed a suit which resulted in a warrant for my arrest in YY country,” wrote Dre Ludwig.

  The botmaster was, of course, counting on this being an impossible sell, and John had little quarrel with that logic. He expected to fail. It was his job . . . but . . . are you serious? Really? Remember, ICANN has no authority whatsoever. There are no little black helicopters to swoop in and enforce the global will. There is no applicable international law. And who could even characterize this as the global will? This was coming from an ad hoc group of volunteers—the X-Men!—with no official role even in the United States, much less in the world community. Chris Lee was still in grad school, for Chrissake! (He did, however, already have a PhD.) Few of the people running these things—in Africa? in South America? in Asia?—had ever heard of Conficker, much less of the Cabal. ICANN had no leverage beyond an appeal to international fellowship and John Crain’s charm. And yet . . . wasn’t it in everyone’s interest to keep the Internet functioning smoothly? The global network rested upon a common commitment to good sense and goodwill. Didn’t it?

  Some of the TLDs involved began asking why Microsoft wasn’t just buying up all of the Conficker-generated domains itself. After all, it was Microsoft’s leaky software that allowed the worm to flourish, and everybody had been reading for years about Bill Gates’s countless billions. This touched upon widespread resentment of the giant software company for owning such a huge share of the market worldwide, and in some cases for corporate practices considered predatory. Some of this discussion found its way to the List, where T.J. remained conspicuously silent on the subject. When one of the TLD operators complained that Microsoft should have to pay for “cleaning up its own mess,” Paul Vixie responded with frustration:

  Then perhaps you should organize a class action lawsuit. But it’s not in scope for the public health crisis to wonder what company profited from creating the fragile conditions. (or else the board and CEO of McDonald’s would be in prison for the world’s diabetes problems.) We REALLY digress.

  Even Paul, who shared this view of Microsoft’s responsibility, could see the folly of assigning blame while the Internet was . . . on fire!

  The Cabal set upon working out various technological solutions, some way of automating the process of blacklisting or blocking the never-ending list of potential command locations. How better to fight a computer than with a computer? But the problem was less technical than political. In order to put an automated process to work, they would still need the full cooperation of every one of those TLDs. The biggest problem was collisions. In these cases the owners of the sites had to be checked out and enlisted in the effort, and if even one balked, if even one was owned by or paid off by the botmaster, the whole effort could fail. The authors of the worm had already managed to upgrade it twice by registering several domains right under their noses.

  John began shipping off the “ask” in mid-March. In those cases where there were collisions, Chris Lee would contact the unlucky website operator directly with the request to block traffic on the given date and instructions on how to direct it to his sinkhole.

  Needless to say, this was a strange note to get. Unprecedented. Some noodle you never heard of in Atlanta, Georgia, U.S.A., writes to you out of the blue and asks you, for the good of humanity, to shut down your business for a day and reroute all your web traffic to him! One contractor, who managed a website that collided with the worm’s list, happened to be a Georgia Tech grad himself, so he wrote back to Chris:

  I believe that this email is not from you, nor is it in your general character, to send out such an email. But if somebody is sending out this email, with the “From” address spoofed to your name, thought you might like to know. Also, perhaps, you can help me solve the riddle of what the “real” intent or endgame of this email is. Technically speaking . . . it is clear that this is a hoax . . . [I cannot imagine you] sitting at home psycho-obsessively finding/predicting secret lists of likely Conflicker victim domains, researching all their whois records, and writing to every one of these 500 people in need of YOUR rescue, per day . . . hmm.

  This was, of course, very nearly what the Cabal was doing, except that relatively few of the domain names generated by the worm actually belonged to anyone. Chris forwarded the note to Rodney, who promptly boomed a warning shot across the contractor’s bow that opened with a weighty recitation of his credentials—senior vice president and senior technologist of Neustar, member of the ICANN Security and Stability Advisory Committee—and then explained that, improbable as it might seem, “The Conflicker binary does, as Dr. Lee noted, generate 500 random domain names each day that it then uses to contact the Conflicker C&C [command and control]. The algorithm has been decoded, and so we know in advance what domain names will be used by the C&C and bots every day from now on, subject to the malware being updated.” Rodney continued:

  Dr. Lee, and others in this core group, have compared the domain names that are due to be used by the C&C with domains that are already registered. Obviously the randomness of the malware algorithm results in some collisions with domains that have already been registered. Your client’s domain name is one of those very few. The unregistered domains have been dealt [with] . . . but the concerns are for those few domains like your client’s that will now receive millions of connections from compromised Conflicker systems on their “magical” day—in your client’s case, March 18th. And in order for the Conflicker authors to successfully operate, their best bet is to compromise the machines behind your client’s domain name by March 18th. Hence Dr. Lee’s concern, and his email to you. Please be assured, unfortunately, that the people behind Conflicker are highly sophisticated in their ability to compromise web servers, even those that are especially hardened. So I would urge you to heed Dr. Lee’s offer of help. Despite what you may believe based on looking at his public pages at GT [Georgia Tech], he is an expert in this field, and one of our best.
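The daily routine Rodney describes, and the "ask" John Crain was sending to the registries, can be shown as a small defender-side script. This is an added example, not code from the book, from Chris Lee, or from the Conficker Working Group. The domain generation algorithm in it is a hypothetical stand-in (a date-seeded SHA-256 walk), not Conficker's real algorithm; the TLD subset, the sinkhole hostname and the registry snapshot are all constructed for illustration. What it demonstrates is the workflow: once the algorithm is known, anyone can reproduce a day's candidate list in advance, check it against what is already registered, hand each TLD the names to reserve and point at the sinkhole, and flag the collisions that need an owner contact before the "magical" day.

```python
"""Daily sinkhole planning once a botnet's domain generation algorithm (DGA)
has been decoded. Added example, not code from the book or from the
Conficker Working Group. The DGA below is a hypothetical stand-in (a
date-seeded SHA-256 walk), not Conficker's algorithm; the TLD list,
sinkhole host and registry snapshot are constructed for illustration."""
import hashlib
from collections import defaultdict
from datetime import date, timedelta

# Constructed TLD subset for the example; the real worm targeted far more.
TLDS = ("com", "net", "org", "cn")
SINKHOLE = "sinkhole.example.invalid"  # placeholder, not a real host


def toy_dga(day: date, count: int = 500, seed: bytes = b"hypothetical-seed") -> list[str]:
    """Deterministically derive `count` candidate domains for `day`.

    Anyone who knows the algorithm and the date reproduces the same list,
    which is what lets defenders act before the bots look the names up.
    """
    state = hashlib.sha256(seed + day.isoformat().encode()).digest()
    names = []
    for _ in range(count):
        state = hashlib.sha256(state).digest()
        label = "".join(chr(ord("a") + b % 26) for b in state[:8])
        names.append(f"{label}.{TLDS[state[8] % len(TLDS)]}")
    return names


def plan_day(day: date, registry: set[str], count: int = 500) -> dict:
    """Split one day's candidates into work items for the registries.

    'preregister': unregistered names each TLD should reserve and point at
        the sinkhole before `day`.
    'collisions': names someone already owns; these need an ownership check
        and an owner contact, since the bots will hit them on `day` anyway.
    """
    candidates = set(toy_dga(day, count))
    collisions = sorted(candidates & registry)
    preregister = sorted(candidates - registry)
    by_tld = defaultdict(list)
    for name in preregister:
        by_tld[name.rsplit(".", 1)[1]].append(name)
    return {
        "day": day.isoformat(),
        "sinkhole": SINKHOLE,
        "collisions": collisions,
        "preregister": preregister,
        "ask_per_tld": dict(by_tld),
    }


def plan_window(start: date, days: int, registry: set[str], count: int = 500) -> list[dict]:
    """The 'every day, forever' part: plans for `days` consecutive days,
    produced ahead of time so each registry gets its lists with lead time."""
    return [plan_day(start + timedelta(days=i), registry, count) for i in range(days)]


if __name__ == "__main__":
    magic_day = date(2009, 3, 18)
    todays = toy_dga(magic_day)
    # Constructed registry snapshot: pretend two of today's names were already
    # taken, plus an unrelated domain that never collides.
    registry = {todays[3], todays[10], "unrelated.example.com"}
    plan = plan_day(magic_day, registry)
    print(f"{plan['day']}: {len(plan['preregister'])} names to pre-register, "
          f"{len(plan['collisions'])} collisions to investigate: {plan['collisions']}")
    for tld, names in sorted(plan["ask_per_tld"].items()):
        print(f"  ask .{tld}: {len(names)} names -> {plan['sinkhole']}")
```

The collision set is the part that does not scale with a script: every name in it needs a human to verify ownership and negotiate with the owner, which is why one uncooperative or compromised owner could undo a day's work. Reserving the unregistered names, by contrast, is bulk work a registry can automate once it agrees to take the list.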
