by Mark Bowden
This is not how Martinez sees him.
“I see him as a really well-educated, smart businessman,” he says. “He may be fifty years old. These guys are not chumps. They’re not just out to make a buck.”
Ramses joined the conversation with this fellow. He made no effort to disguise himself. And when the Russian realized whom he was talking to, he quickly retreated from the conversation.
He wrote apologetically:
You’re the good guys; we’re the bad guys. Bacillus can’t live with antibodies.
. . . And, oh, one last thing: somebody still owes Rick Wesson $30,000.
Sources
Interviews
All of the principals in this story were generous with me in both sharing their stories and reviewing the manuscript for errors, particularly Phil Porras, Hassen Saidi, Andre DiMino, Rick Wesson, Rodney Joffe, and Dre Ludwig, who went above and beyond. I also interviewed James Bosworth, T. J. Campana, John Crain, Dave Dittrich, Barry Green, Brian Krebs, Chris Lee, Michael Ligh, John Markoff, Ramses Martinez, Richard Perlotto, Mike Reavey, Joe Stewart, Paul Twomey, and Paul Vixie. It would be hard to understate my knowledge of the Internet and of computer operations before I began, so it would be hard to overstate the patience these men demonstrated trying to explain things to me. Rick Wesson and Phil Porras shared their email archives, and the Cabal (the Conficker Working Group) voted me in so that I could access the thousands of emails on their Listserv. I still wish they had official caps and T-shirts so that I could advertise my honorary membership in the X-Men.
The Conficker Working Group archives are referred to below as “CArchives,” and Rick Wesson’s and Phil Porras’s personal email archives as “WArchives” and “PArchives,” respectively. The books and articles cited in the story are itemized in the chapter notes that follow.
Notes
Chapter 1: Zero
New Mutant Activity Registered, “The Amazing X-Men, The Age of Apocalypse,” Marvel Comics, April 1995; The new worm . . . their own tribe, Porras and Saidi; They are mutants . . . normal humans, “The Amazing X-Men,” March 1995; The quote from Computer Power and Human Reason is from page 116 of the 1976 paperback W.H. Freeman edition; Phil himself . . . rested on their work, Wesson, Porras, and the CWG archives; The world they inhabit . . . how it transmitted data, drawn from Where Wizards Stay Up Late, by Katie Hafner and Matthew Lyon, Simon & Schuster Paperbacks, 1996, an excellent, highly readable early history of the Internet; more than two billion users, according to the U.N. Telecommunications Union, January 26, 2011; Its growth has been . . . nanosecond to nanosecond, Porras, Crain; . . . visual illustration . . . Bar-Ilan University, as reported in Technology Review, June 19, 2007; Behind his array . . . worm’s purpose, Porras; Phil had no way to stop . . . us to do, Porras.
Chapter 2: MS08-067
The world is no longer yours, “The X-Men Chronicles,” Marvel Comics, 1995; The first reports . . . this one, Campana; Gates and Paul Allen . . . and the European Commission, Most of the summary history of Microsoft is drawn from Hard Drive: Bill Gates and the Making of the Microsoft Empire, a good early history of Gates and the organization by James Wallace and Jim Erickson; unfair and monopolistic, In the April 3, 2000 judgment in Microsoft v. the U.S., an antitrust case brought by the U.S. Department of Justice, the corporation was called “an abusive monopoly.” Microsoft settled the case with the U.S. Department of Justice in 2004. In March of the same year the European Union brought an antitrust case against Microsoft that resulted in a $613 million judgment against Gates’s corporation; Many geeks . . . share of the market, Vixie, Wesson, DiMino, Ludwig, Porras. There is evidence for Microsoft’s claim that it is most-targeted because it is large. As Apple’s share of the market has grown in recent years, so has its share of problems with malware, see http://www.betanews.com/article/Apples-Mac-Defender-patch-is-already-worthless/1306953026; . . . the size of the Redmond campus . . . of the interface, Microsoft. I visited the Redmond campus in 2010 to meet with Campana, and my descriptions of the place here and earlier are drawn from that visit; He does not look like . . . less sophisticated crooks, Campana, Porras, DiMino, Porras; In September 2008 . . . the lock had been picked, Campana, Porras, Saidi, Reavey; T.J. and his team . . . it just made things worse, Campana, DiMino, Stewart, Porras; “If the bad people . . . wreak havoc,” Sites quoted in USA Today’s “Technology Live,” October 23, 2008, “Microsoft Issues Security Patch for Giant Hole,” by Michelle Kessler; Twenty-eight days . . . Campana; Campana.
Chapter 3: Remote Thread Injection
“If he came here . . . imagine, sir,” “The Amazing X-Men,” Marvel Comics, March 1995; Hassen Saidi . . . burn it down, Saidi; At the dawn . . . more ambitious, Stewart, Joffe; Cyberattacks were launched, For more on cyberattacks in Estonia see the BBC report from May 17, 2007, “Cyber Raiders Hitting Estonia,” http://news.bbc.co.uk/2/hi/europe/6665195.stm; For Georgia attacks see the Washington Post’s Brian Krebs, October 16, 2008, “Russian Hacker Forums Fueled Georgia Cyber Attacks,” http://voices.washingtonpost.com/securityfix/2008/10/report_russian_hacker_forums_f.html; For more on Stuxnet see the New York Times report by William J. Broad, John Markoff, and David Sanger, January 15, 2011, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&ref=siemensag; For more on the Zeus Trojan see the New York Times story by John Markoff, February 18, 2010, “Malicious Software Infects Computers,” http://www.nytimes.com/2010/02/19/technology/19cyber.html?scp=8&sq=Zeus%20Trojan&st=Search; The stakes are high . . . maddeningly literal, Porras, Saidi; Bill Gates . . . precise statements, the “Programmers at Work” interview can be found at http://programmersatwork.wordpress.com/bill-gates-1976; Say, for instance . . . protect its communications, Porras, Saidi; Breaking codes . . . not be able to decode it, The Code Book, by Simon Singh, Anchor Books, 1999, pages 268–79; This meant . . . botnet to last, Saidi; Huge amounts of money, The report by Brian Krebs, “Massive Profits Fueling Rogue Antivirus Market,” was published March 16, 2009, http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html; At first glance . . . getting started, Porras, Saidi. There remain alternative accounts of how Conficker got its name, but this one sounded the most plausible to me. I have also heard that the name was coined by researchers at F-Secure, but it seems clear that its origin is rooted in TrafficConverter.biz, the first malware contact made by the worm when it initiated.
Chapter 4: An Ocean of Suckers
Having mutant powers . . . others, “The X-Men Chronicles,” March 1995; The idea . . . it’s a neat bit of work, The Shockwave Rider, John Brunner, Harper & Row, 1975, page 222; Reference to Future Shock as a source is on the Acknowledgments page of Shockwave Rider; The Cuckoo’s Egg, by Cliff Stoll, Pocket Books, 2005; The idea was called . . . surviving nodes, Where Wizards Stay Up Late, pages 54–66; My account of the evolution of Conficker comes primarily from interviews with Stewart, DiMino, and Porras, with specifics of the individual viruses and worms from Wikipedia entries for each. Wikipedia, while an unreliable source for many things, is, perhaps unsurprisingly, a comprehensive and reliable source for information about computers, computer history, and malware; The next step . . . such an intrusion, “Access for Sale,” Schechter and Smith, 2003.
Chapter 5: The X-Men
He and others . . . for being gifted, “The X-Men Chronicles,” Marvel Comics, March 1995; By mid-December . . . on the Internet, infection numbers were being tracked primarily by Shadowserver and by Wesson at this point. The number reflects calls to command and control locations from different IP addresses, as they arrived at the various sinkholes. Efforts were made to avoid counting more than once a computer sending multiple messages; Beyond this group . . . down the line, Hruska’s article can be found at arstechnica.com/security/news/2008/12/time-for-forced-updates-confickerbotnet-makes-us-wonder.ars; In the case of . . . effort against Conficker, Vixie. A video of his Defcon 13 speech can be found at http://www.youtube.com/watch?v=wP5TQlaWiuE; “Private sector . . . paralyze the United States,” p. 165. The full report can be found at http://www.uscc.gov/annual_report/2008/annual_report_full_08.pdf; The ad hoc group . . . over their heads, Joffe, Porras, Wesson, DiMino, Ludwig, et al.; We are the last line . . . if not now . . . when? CArchives 2/9/09; Shades of Samuel Richardson, “Whenever I’m added . . . the suspense,” CArchives 3/2/09; “I feel like . . . high school,” WArchives 2/20/09; By the end of . . . melting completely,” Campana.
Chapter 6: Digital Detectives
This may not be . . . fight for it, “The Amazing X-Men, Age of Apocalypse,” April 1995; At the October . . . hard to believe, Campana, DiMino; Brian Krebs . . . even respond, DiMino. Krebs’s article, “Bringing Botnets Out of the Shadows,” March 21, 2006, can be found at http://www.washingtonpost.com/wp-dyn/content/article/2006/03/21/AR2006032100279.html; Gratitude started . . . begin to stop it? DiMino; No one was deeper . . . command center, Porras, Twomey, DiMino; Finding that . . . government agencies, Porras, Saidi; Phil needed . . . back of his hand, Wesson; The Internet, unlike roads . . . to that domain, Wesson, Joffe, DiMino; At a time . . . Internet security, Wesson; So when Phil . . . for the suggestion, Porras, first quote from PArchives 12/15/08, exchange with U.S. CERT, PArchives 12/15/08; Setting aside . . . just 12,292), Wesson, CArchives 12/29/08; There were . . . nation-state, Porras, Wesson, Joffe, DiMino; China was . . . overall strategy, 2008 U.S.-China Security Review, both quotes from page 165; Those who . . . wake-up call? Joffe, Wesson; When Chris Lee . . . source for the worm! Lee; Meanwhile, Phil . . . tripping over each other, PArchives, 12/21/08; Dagon would become a central player in the Cabal.
Chapter 7: A Note from the Trenches
All the training . . . put to the test, “The X-Men Chronicles,” Marvel Comics, March 1995; T. J. Campana’s birthday . . . ruined his birthday, Campana, Wesson; For one thing . . . registered in China, Joffe, Porras; While the new variant . . . far enough, Porras, Saidi, Joffe; Particularly troubling . . . 8.9 million, Porras, Joffe, Wesson. The F-Secure report can be found at http://www.f-secure.com/weblog/archives/archive-012009.html; The level of sophistication . . . were pros, Porras, Saidi; In Phoenix . . . a good one, Joffe; Phil agreed . . . opening for me, Porras, Wesson, WArchives 1/30/09; T.J. began . . . “We’ll do the right thing,” Campana, Joffe; Just as the Cabal . . . on the horizon,” Hruska’s Ars Technica article can be found at http://arstechnica.com/security/news/2009/01/conficker-worm-spikes-infects-1-1-million-pcs-in-24-hours.ars, and Markoff’s January 22, 2009, New York Times article at http://www.nytimes.com/2009/01/23/technology/internet/23worm.html?scp=1&sq=Markoff%20new%20digital%20plague&st=cse; Rick was not exaggerating . . . nature of the threat, Wesson, both emails from WArchives 1/31/2009; The Defense Intelligence official . . . don’t call us, Wesson. Woodcock’s email is from WArchives 2/1/2009; Out in Menlo Park . . . then nothing happened, Porras.
Chapter 8: Another Huge Win
Remember . . . ALWAYS! “The X-Men Chronicles,” Marvel Comics, March 1995; So far the effort . . . to crumble, DiMino, Joffe, Wesson, Ludwig; So when . . . almighty dollar, Ludwig, DiMino. Campana email from CArchives 2/7/2009, Ludwig and Campana emails from CArchives 2/3/09; The Atlanta conference . . . swift response, Joffe, Campana, Twomey, Crain, DiMino, Wesson; With typical enthusiasm . . . see them, Ludwig email CArchives 2/8/09; There was such . . . good guys, Ludwig, DiMino; Whatever the title . . . it happens, Ludwig email is from CArchives 2/24/09, FBI agent quote from Joffe; It was typical . . . Rick was concerned, Wesson; Unfortunately, many . . . against it? Ludwig, DiMino; Dre Ludwig, in particular . . . do to Dre? Ludwig, DiMino, Lee, Wesson; Andre, ever . . . done before, DiMino. The quoted Ludwig email is from WArchives 1/31/09; Rick denied . . . like betrayal, Ludwig, DiMino, Joffe, Wesson, Vixie; Dre posted . . . right people’s ears, Ludwig email from CArchives 2/20/09; On a sunny day . . . cloud of suspicion, Wesson, Vixie; Despite these . . . analyze them, gleaned from February traffic on CArchives; What they had . . . WIN! Campana email from CArchives 2/4/09; Dripping with . . . that goal, Wesson email from CArchives 2/4/09; Toni Koivunen . . . sits there? Email from WArchives 1/23/09; Rick wrote . . . economic goals, WArchives 1/23/09; If you’re on the highway, Conficker poem can be found at http://it.slashdot.org/story/09/02/20/239229/New-Conficker-Variant-Increases-Its-Flexibility; Markoff called . . . time bomb,” Markoff, New York Times, February 14, 2009, “Do We Need a New Internet?” can be found at http://www.nytimes.com/2009/02/15/weekinreview/15markoff.html?scp=1&sq=Markoff%20ticking%20time%20bomb&st=cse.
Chapter 9: Mr. Joffe Goes to Washington
Today a massive . . . reality, “The X-Men Chronicles,” Marvel Comics, March 1995; Greetings to all . . . new variant, CArchives, 3/6/09; Phil Porras got . . . help fight it, Porras, PArchives 3/6/09; The really bad news . . . instead of 250, CArchives 3/6/09; F&*king hell . . . for Washington, Joffe, all emails from CArchives, 3/6/09; Rodney packed . . . eased with this information, Joffe, Porras, Saidi; Rick wrote . . . accurately, WArchives, 3/7/09; So on the same weekend . . . quantify the risk? Joffe, CArchives 3/9–12/09; It led to . . . eight days away, CArchives, 3/14/09.
Chapter 10: Cybarmageddon
And is it . . . the entire world? “The Amazing X-Men, Age of Apocalypse,” Marvel Comics, April 1995; John Crain . . . daily list, Crain; I do not have . . . Dre Ludwig, CArchives, 3/16/09; The botmaster was . . . on the subject, Crain, Joffe, Lee; When one of . . . on fire! CArchives; The Cabal set . . . wrote back to Chris, Crain, CArchives; I believe . . . added stress, all emails from the CArchives; Rick kicked up . . . pick up the phone, WArchives 3/18/09; When I operate . . . to be friends again, WArchives 3/18/09; It is my humble . . . cold hard data, CArchives, 3/19/09; I am growing tired . . . so pipe down, WArchives 3/19/09; Finally, T. J. Campana . . . agreed to behave, Campana, Joffe, Wesson, Vixie. Campana and Joffe emails from WArchives 3/19/09; John and Rick . . . the message got distorted, Crain, Wesson, Joffe, DiMino; Again it was . . . stirring things up, Markoff, Wesson, Porras. The article, New York Times, March 18, 2009, “Computer Experts Unite to Hunt Worm,” can be found at http://www.nytimes.com/2009/03/19/technology/19worm.html?scp=1&sq=Markoff%20devastating%20attack&st=cse; On the last night . . . really it? The 60 Minutes report can be seen at http://www.youtube.com/watch?v=Ar-l3FRUdGw; An Unthinkable Disaster? 3/19/09. In fairness, though, as we know, blurbs seldom are fair, the full headline reads: “The Conficker Worm: April Fools’ Joke or Unthinkable Disaster?”; A Threat That Could . . . Entire Internet, from the 60 Minutes report; A Deadly Threat, London Guardian, 3/30/09. Again, in fairness, the complete headline reads: “Conficker Virus Could Be Deadly Threat or April Fools’ Joke”; Rodney had . . . wildly right, Joffe.
Chapter 11: April Fools
X-Men, our day has come, “The X-Men Chronicles,” Marvel Comics, March 1995; disaster warnings . . . sheep, MWBlog, 4/1/09. The post can be found at http://www.teamfurry.com/wordpress/2009/04/01/breaking-news-conficker-became-selfaware/; Wired . . . Me First, Wired, 4/1/09. The post can be found at http://www.teamfurry.com/wordpress/2009/04/01/breakingnews-conficker-became-self-aware/; But the prospect . . . turning back, Joffe, DiMino, Ludwig, Wesson, Porras, Crain; Some of . . . anything, WSJ Blogs. These can be seen at http://blogs.wsj.com/digits/2009/03/26/conficker-dont-believe-the-hype/; John Markoff of . . . Markoff didn’t come, Markoff, Porras; Three hours . . . giant raspberry? Joffe, DiMino. The email is from CArchives, 4/1/09; At his suburban . . . just in case, DiMino; Very early . . . created anyway? Ludwig, email from CArchives 4/1/09; Paul Vixie . . . usual state, Vixie; Rick Wesson . . . just started, Wesson, email from CArchives 4/1/09; John Crain . . . a move, Crain; One week . . . the worm won, Joffe, Wesson, DiMino, Ludwig, Porras, Crain; Of course . . . zero knowledge, “The Conficker Working Group: Lessons Learned” can be found online at http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf. The first quote is from page ii in the Executive Summary; It is a . . . the objective, Joffe; Nevertheless . . . do better, President Obama’s complete remarks of May 29, 2009, can be found at http://projects.washingtonpost.com/obama-speeches/speech/317/; Most members . . . point of view, Joffe; In June 2011 . . . military response, from New York Times, May 31, 2011, “Pentagon to Consider Cyberattacks Acts of War.” This can be found at http://www.nytimes.com/2011/06/01/us/politics/01cyber.html?_r=1&scp=1&sq=cyber%20security%20military%20response&st=cse; Despite the vagueness . . . implementation of Conficker, Joffe, and the New York Times report by William J. Broad, John Markoff, and David Sanger, January 15, 2011, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&ref=siemensag; This whole thing, the Vixie email is from CArchives 1/19/10; T.J. has been . . . spam on the Internet, Campana; More than a year . . . gone down significantly, Joffe, DiMino, Porras; Ramses Martinez . . . antibodies, Martinez; And, oh . . . $30,000, Wesson.