Worm: The First Digital World War
Author: Mark Bowden
“This is the future of the Internet,” he declaimed over the speakerphone, his vehemence gaining everyone’s attention. “This is the line in the sand, guys. If we’re not gonna draw the line and we’re gonna let this pass, we’re setting the stage for kind of the next ten years of people abusing DNS—”
“Whoaa, whoa, whoa!” interrupted Twomey. “We’re on board!”
T.J. apologized.
The issues were: How do you register domains en masse? How do you arrange merely to "taste" those domains, instead of purchasing them outright? Twomey dialed his legal staff in Marina del Rey right from the meeting room, and instructed them to find a way within ICANN's rules to allow the Cabal to make rapid, unilateral decisions. There would be no charge to register the Conficker domain names. Twomey recognized that Conficker was a turning point. It was a threat that demanded that the worldwide community of Internet providers function for the first time not as a loose confederation of interests, but as a single community.
He delegated the job of working with the Cabal to his subordinate, Crain, who quickly accepted. Back in his Redmond office, listening, T.J. thought: Sure, boss, I'll save the Internet. Just let me get my cape here out of the locker!
The biggest immediate problem was tying up domain names in China, .cn, one of the new Top Level Domains. China was problematic for a number of reasons. For those who suspected Conficker was the work of a nation-state, or perhaps of contractors working for a nation-state, China topped the list of suspects.
As we have seen, intelligence experts believed China was regularly hacking into sensitive U.S. government networks, including some used by the Pentagon. The network controlling the electric grid for the United States had also experienced incursions. Just looking at the sophistication of Conficker, some people found it hard to believe that anyone other than a nation—and by "a nation," they meant China every time—could have created the worm.
So China was a sensitive subject. And now the Cabal was in the position of having to ask China's help to contain the monster. Most in the Holiday Inn meeting room were stymied. Whom do you call? Whom do you ask? Do you want to ask? How could they collaborate with a government that rejects the very notion of a techno utopia? Rejects the ideal of free information, the founding principle of the Internet? China operated outside the fence, so to speak. It was the largest and most powerful of the wired countries that unapologetically monitored and censored. How do you even talk to these people? How do you ask them for help? But with the majority of Conficker bots in China, how could you pull this thing off without them?
“I know a guy there,” offered Crain, a Brit who had a home in Long Beach but basically lived out of a suitcase. “Let’s see if we can get an email to him. Figure out on the phone what we’ll do.”
They tried calling the Chinese official right away, but there was no answer. It turned out to be the Chinese New Year. Twomey eventually spoke personally to the head of China's Network Information Center, which governed the Internet there, and secured his full cooperation. Everyone at the Georgia Tech conference left feeling surprised and impressed by Twomey's swift response. The Cabal felt they were really getting somewhere. With typical enthusiasm and floridity, soon after the meeting, Dre Ludwig posted to the List:
I cannot stress how important and amazing it is what this group has accomplished (and is still accomplishing). As far as I know this is the first time there has been this level of involvement from so many different groups (from ICANN, to Microsoft, to the FBI, to all the affected registries, to the AV community, even to ISPs! Now what we need to do is cement the message we want the world to hear, and effectively communicate that. This in my eyes is ANOTHER HUGE win for the good guys. . . . I cannot speak for T.J. or his organization, but based on the talks we have had prior to this mess I don’t think there will be any issues moving forward. . . . Everything we are doing and have done is a sum of everyone’s efforts, and the message as I have heard it has always been one of cooperation between the various industries and groups. . . . What we are doing here as a group in my view at least is a CRITICAL process being to build and flush out for the entire health of the Internet. We need to make sure that moving forward this process of sharing information, and capabilities between the various industries we have assembled here grows. WE RUN AND OWN THE INFRASTRUCTURE, and we all need to understand that the only way to defend it against abuse is to cooperate with the various industries that have different insights into the larger problem. . . . I just want to honestly tell everyone who has been a part in this that I personally thank them for their effort, their resources, their patience, and their cooperation. If it wasn’t for every single individual who has been involved in this to this point we would be stuck with distribution of efforts that would at best be short lived, and at worst disruptive to everyone. I think I owe everyone a beer or three the next time I see them.
Soon after the Atlanta meeting, Microsoft offered a $250,000 reward for identifying the person or persons behind Conficker. This is when the group also formally dubbed itself the Conficker Working Group (CWG). It sounded more respectable than the Cabal. Some felt that the word “cabal,” with its sinister connotation, conveyed the wrong impression. In all of its future official communications, the group became CWG. Of course, disavowing a nickname is the surest way to make it stick. Everyone, including those on the List, continued calling it the Cabal.
There was such a clamor to get involved, especially when the press got hold of the story, that subgroups were created for various and sundry aspects of the botnet: these subgroups included a large one to analyze the malware itself, another to study and maintain the sinkholing, another to handle the DNS problem, and so on. The Cabal’s List was reserved for the cream. They were, after all, the X-Men.
Whatever the title, the approach seemed to be working. To Dre, in another email from this week, their mission was “too important to fail.” The FBI agent who had been at the Holiday Inn session remarked, “We need to find a way to do this kind of thing in other cases, this issue around domains, because this is probably not going to be the last time it happens.”
The agent had not come to Atlanta out of national concern for Conficker. Rodney had just cornered him that morning and urged him to attend, as part of the continuing efforts of the Cabal to get the feds to pay attention.
Working together was something new for most of those involved. Most of the X-Men had achieved their current level of expertise on their own, and they came at cybersecurity with interests that occasionally conflicted. Pure researchers like Phil Porras, consultants like Dre Ludwig, and botnet vigilantes like Andre DiMino eyed their entrepreneurial colleagues and those employed by the big security companies with more than a little suspicion. The data being collected about the botnet had serious and growing commercial value. Participation in the Cabal might better position an AV company to cash in down the road. There was also considerable prestige attached now to the effort in the cybersecurity world. The press was growing increasingly interested in the worm, and some members of the Cabal, particularly those who had longstanding relationships with reporters like the New York Times' John Markoff or Brian Krebs, felt daily pressure to spill details of the group's efforts, and tended to get their names prominently mentioned. This did not sit well with others in the Cabal, who disdained self-promotion, and who recognized that leaks of any kind would help the botmasters, who were clearly paying attention to the Cabal's every move.
With few exceptions—like T.J. at Microsoft and Phil at SRI—members of the group were volunteers, ostensibly motivated by a sense of public purpose, by commitment to the idea of the Internet, and by the sheer excitement of the challenge. Most were fitting in work on Conficker around their day jobs, figuring the contacts they made and the things they learned couldn’t hurt them, and buoyed by a sense of doing the right thing. But suspicions started to grow that not everyone was so idealistically motivated.
These doubts came to a head when it was discovered that Rick Wesson had, on his own, decided to reach out to China.
It was typical of him. Rick had a well-known maverick disposition, an aggressive approach to problem solving, and—the propensities were related—a talent for annoying people. He also had a puckish sense of humor, as when, early on, he had started registering all of the Conficker domains in the name of the FBI’s top cybersecurity agent—a none-too-subtle hint that maybe Washington should be paying more attention. The Bureau was not amused.
When .cn showed up as one of the new Top Level Domains generated by Conficker B, Rick had acted swiftly to solve the problem. In a move reminiscent of the one that had earned him an F on his undergrad project at Auburn, he went ahead and reached out directly to the Chinese, handing over access to the data he had been sinkholing for months. It made perfect sense to him. Given that so many of the Conficker bots were in China, it would not have been hard for the country's Internet snoopers to acquire much of the information themselves, at least going forward. So it never occurred to Rick that sharing what he and Chris Lee at Georgia Tech had collected would cause a problem. As he saw it, it built goodwill between China and the rest of the world, and it would help solve the Conficker problem, both the Internet's and his own.
China kept its official hands clasped tightly around the Internet's throat. Authoritarian societies are unquestionably better at some things than democratic ones, so if China decided to help, it could be counted on to do a good job of tracking and rerouting the botnet's traffic. This would take the largest single portion of the botnet out of play. So Rick reached out directly to Xiaodong Lee of China's Internet Network Information Center. He had another good reason to act quickly. He could not foresee that ICANN would waive the fees. On the last day of January alone he had charged $5,000 to his American Express card to register .cn domains. His estimates of how much the work and fees had cost his company threatened to top $100,000. Microsoft had balked at reimbursing him. T.J. wrote to him that the numbers were "well outside the ballpark" of what the software giant was prepared to pay. So China's help would relieve some of the pressure there. A win-win, as far as Rick was concerned.
Unfortunately, many in the Cabal did not see it the same way. Most of Rick's colleagues were appalled. There was plenty about their effort they were not eager to share with China. For one thing, they had discovered a flaw in the programming of Conficker B that made all of the bots it infected vulnerable to hijacking by a third party—either the good guys or a rival miscreant. One of the worm's tactics was to patch, on the machine it had infected, the very vulnerability it had exploited through port 445, so that no rival exploit could attack it. The newer strain of the worm had an error in this part of its code, which meant that anyone who owned a list of infected computers, if he could exploit the mistake, might be able to hijack the entire botnet. The exploiter would have to figure out a way to insert his own code, an effort that would ultimately fail, but at the time there were high hopes for it. It was one of the Cabal's most closely held secrets. If Rick was out there sharing sinkholed data on his own, what else was he sharing? What if the Chinese government figured it out first? Given that there were scores of sensitive U.S. government networks, not to mention banking and corporate networks, on the list of infections, who would want the Chinese government in possession of a tool to remotely control them? And given that China was high on the list of suspects behind the worm, why would anyone with the public interest at heart just hand over detailed information about the Cabal's effort against it?
Dre Ludwig, in particular, was furious. Had Rick sold the data? He was already under suspicion by some in the Cabal of trying to capitalize on his insider knowledge. Everyone knew that Rick was a friend of David Ulevitch, the founder and CEO of OpenDNS, the company that had so alarmed the Cabal by marketing its own Conficker remedy. Dre smelled a rat. It was exactly the kind of thing he expected from those in the Cabal whom he called, disparagingly, "businessmen." After all, Rick was in the business of selling data to paying customers, precisely the kind of thing that, say, Shadowserver's Andre DiMino was against philosophically; it went back to his hypothetical question: If you knew someone's house was in danger of catching on fire, would you simply warn him or offer to sell him the information?
Dre Ludwig was every bit as much of a purist, and was also unyielding and confrontational in a way the other Andre was not. His rise in his field had been rapid since he flunked out of high school in California. He had taken vocational computer courses at a community college, and found work putting his formidable programming skills to use for several companies near home, where, like T.J. Campana and Andre DiMino, he got his first taste of the malware wars. He was hooked. The contest tapped his competitive core: These people think they're smarter than me? And he spent the next ten years accumulating credentials and a reputation. After working for a time with Rodney Joffe at Neustar as a tech wunderkind, Dre had set himself up as an independent consultant in the rich turf of Alexandria, where for someone with his skills government contracts were as plentiful as pink cherry blossoms in springtime. He was brash and cocky. He stood big belly forward and small head back, and had a way of fixing you with a steady brown-eyed stare before saying something outrageous.