Worm: The First Digital World War

BOOK: Worm: The First Digital World War
12.74Mb size Format: txt, pdf, ePub

 

 

Also by Mark Bowden

 

Doctor Dealer

Bringing the Heat

Black Hawk Down

Killing Pablo

Finders Keepers

Road Work

Guests of the Ayatollah

The Best Game Ever

Worm

The First Digital

World War

Mark Bowden

Atlantic Monthly Press

New York

Copyright © 2011 by Mark Bowden

All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means, including information storage and retrieval systems, without permission in writing from the publisher, except by a reviewer, who may quote brief passages in a review. Scanning, uploading, and electronic distribution of this book or the facilitation of such without the permission of the publisher is prohibited. Please purchase only authorized electronic editions, and do not participate in or encourage electronic piracy of copyrighted materials. Your support of the author’s rights is appreciated. Any member of educational institutions wishing to photocopy part or all of the work for classroom use, or anthology, should send inquiries to Grove/Atlantic, Inc., 841 Broadway, New York, NY 10003 or
[email protected]
.

Published simultaneously in Canada
Printed in the United States of America

FIRST EDITION

ISBN-13: 9780802195128

Atlantic Monthly Press

an imprint of Grove/Atlantic, Inc.
841 Broadway
New York, NY 10003

Distributed by Publishers Group West

www.groveatlantic.com

11    12    13    14    15      10    9    8    7    6    5    4    3    2    1

For the inimitable James M. Naughton, aka, Swami, who in a typical moment of inspired whimsy thirty years ago, named me “science writer.”

Contents

 

Principal
Characters

 

T. J. Campana
, Senior Manager for Investigations for Microsoft’s Digital Crimes Unit. He now works out of Microsoft’s Redmond, Washington, campus, and was the primary representative of the software giant in the Cabal.

John Crain
, ICANN Senior Director for Security, Stability, and Resiliency, the British-born point man for ICANN contribution to the Cabal, who secured cooperation from Top Level Domains worldwide. He lives in Long Beach, California.

Andre DiMino
, a cofounder of
Shadowserver.com
, a nonprofit botnet-hunting service, was one of the first to sinkhole and study Conficker, from his home in New Jersey.

Rodney Joffe
, South African–born head of security for Neustar, Inc. A successful entrepreneur now based in Phoenix, he holds several patents and is an internationally known expert in Internet security. He has been a White House adviser on cybersecurity issues and is the official head of the Cabal (The Conficker Working Group).

Chris Lee
, Georgia Tech grad student who took over the Cabal’s sinkholing operation. He now works for the Department of Homeland Security.

Andre “Dre” Ludwig
, a North Virginia–based consultant, now a senior manager for Neustar, Inc., handling Top Level Domain security, who was responsible for technical strategy within the Cabal, technical verification, and was liaison to the security industry.

Ramses Martinez
, Information Security Director of VeriSign, Inc., which operates two of the Internet’s thirteen root servers from Dulles, Virginia.

Phil Porras
, Program Director for SRI International in Menlo Park, California, was one of the first to study Conficker and spearheaded efforts to predict its behavior and defeat it. He led the Cabal’s reverse engineering subgroup.

Hassen Saidi
, a native of Algeria with a PhD in computer studies, who was the primary reverse engineer on Phil Porras’s staff at SRI International. He dissected the various strains of Conficker as they appeared.

Paul Twomey
, CEO and President of ICANN in Marina Del Rey, California, during the fight to contain Conficker.

Paul Vixie
, an American Internet pioneer based in San Francisco, outspokenly critical of the way the Internet is structured and the flaws in the Windows Operating System. Founder, Chairman, and Chief Scientist for the Internet Systems Consortium.

Rick Wesson
, CEO of Support Intelligence and owner of Alice’s Registry, based in San Francisco, one of the founding (and most controversial) members of the Cabal, who initiated the strategy of containing Conficker by anticipating and buying up domain names generated by the worm’s algorithm.

1
Zero

 

NEW MUTANT ACTIVITY REGISTERED

—X-Men; The Age of Apocalypse

 

The new worm in Phil Porras’s digital petri dish was announced in the usual way: a line of small black type against a white backdrop on one of his three computer screens, displaying just the barest of descriptors—time of arrival . . . server type . . . point of origin . . . nineteen columns in all.

The readout began:

17:52:00 . . . Win2K-f . . . 201.212.167.29

(NET.AR): PRIMA S.A, BUENOS AIRES,

BUENOS AIRES, AR. (DSL) . . .

It was near the end of the workday for most Californians, November 20, 2008, a cool evening in Menlo Park. Phil took no notice of the newcomer at first. Scores of these digital infections were recorded on his monitor every day, each a simple line on his Daily Infections Log—actually, his “Multi perspective Malware Infection Analysis Page.” This was the 137th that day. It had an Internet Protocol (IP) address from Argentina. Spread out across the screen were the infection’s vitals, including one column that noted how familiar it was to the dozens of antivirus (AV) companies who ride herd on malicious software (malware). Most were instantly familiar. For instance, the one just above was known to all 33 of the applicable AV vendors. The one before that: 35 out of 36.

This one registered a zero in the recognition column: 0 of 37. This is what caught his eye when he first noticed it on his Log.

Zero
.

Outside it was dark, but as usual Phil was still at his desk in a small second-story office on the grounds of SRI International, a busy hive of labs, hundreds of them, not far from Stanford University. It is a crowded cluster of very plain three-story tan-and-maroon buildings arrayed around small parking lots like rectangular building blocks. There is not a lot of green space. It is a node of condensed brainpower, one of the best-funded centers for applied science in the world, and with about seventeen hundred workers is the second-largest employer in Menlo Park. It began life as the Stanford Research Institute—hence the initials SRI—but it was spun off by the university forty years ago. It’s a place where ideas become reality, the birthplace of gizmos like the computer mouse, ultrasound imagery machines, or tiny robot drones. The trappings of Phil’s office are simple: a white leather couch, a lamp, and a desk, which is mostly taken up by his array of three computer monitors. On the walls are whiteboards filled with calculations and schematics and several framed photos of vintage World War II fighter planes, vestiges of a boyhood passion for model building. The view out his window, through a few leafy branches, is of an identical building across an enclosed yard. It could be any office in any industrial park in any state in America. But what’s remarkable about the view from behind Phil’s desk has nothing to do with what’s outside his window. It’s on those monitors. Spread out in his desktop array of glowing multicolored pixels is a vista of cyberspace equal to . . . say, the state of Texas.

One of the inventions SRI pioneered was the Internet. The research center is a cornerstone of the global phenomenon; it owned one of the first two computers formally linked together in 1969, the first strand of a web that today links billions. This was more than two decades before Al Gore popularized the term “information superhighway.” There at the genesis, every computer that connected to the nascent network was assigned its own 32-bit identity number or IP address, represented in four octets of ones and zeros. Today the sheer size of the Internet has necessitated a new system that uses 128-bit addresses. SRI ceded authority for assigning and keeping track of such things years ago, but it retains ownership of a very large chunk of cyberspace. Phil’s portion of it is a relatively modest, nothing-to-brag-about-but-damned-hard-to-get, “slash 16,” a block of the original digital universe containing 65,536 unique IP addresses—in other words, the last two octets of its identity number are variable, so that there are two to the sixteenth (2
16
) possible distinct addresses, one for each potential machine added to its network. It gives him what he calls “a large contact surface” on the Internet. He’s like a rancher with his boots propped on the rail on the front porch before a wide-open prairie with, as the country song says,
miles of lonesome
in every direction. It’s good for spotting intruders.

Other books

Casca 22: The Mongol by Barry Sadler
Black Bird by Michel Basilieres
The War of the Roses by Timothy Venning
Hunter's Curse by Ginna Moran
The Sixth Family by Lamothe, Lee
Secrets of Midnight by Miriam Minger