Worm: The First Digital World War


Lampooning the disaster warnings, a website devoted to malware research, MW-Blog, invoked the breakthrough, strange-loop moment from Hofstadter’s Gödel, Escher, Bach when a complex recursive program pops out of the system, blinks, and starts thinking for itself:

This is what security experts around the world have feared for a long time. The Conficker worm botnet grew big enough and 1 minute past midnight, on April 1st, it finally gained consciousness. News is rolling in from New Zealand that a photo frame with embedded XP went crazy and started displaying pictures of dirty deeds, done with sheep.

The Cabal took it on the chin. The geeks had cried wolf! Again!

Wired magazine poked fun that morning on its website, in a clever blog written by Kevin Poulsen:

We’ll track this scourge throughout the day, so check back frequently for the latest updates. The war room will liveblog the cyber apocalypse until the Internet has melted into a smoldering pile of solder and CAT 5 cable, or Conficker-controlled androids burst down our doors and pry our keyboards from our hands.

Obviously, it’s biding its time—lulling us into a false sense of security and planning its next move. Keep watching this page.

. . .

12:20 EDT: Reader reports, “I just got a message that said, ‘Windows has encountered a problem and will need to shut down.’ OMG!!”

. . .

4:30 p.m. EDT: First “I Survived Conficker” tee spotted on Cafe Press. Premature and smug. Might as well wear a sign on your chest saying, “Conficker, Kill Me First.”

You get the picture. And this was the friendly, geek press. To the wider world, Conficker was just another doomsday moment that fizzled, and another reason to take the frantic warnings of the Tribe with a grain of salt.

But the prospect that nothing would happen on April 1 had actually become the prevailing theory of the Cabal itself. The insight that Conficker’s botmaster had no interest in crashing the Internet had eased concern weeks earlier over the possibility of anything catastrophic. The whole point of the botnet, at least so far as anyone could tell, was to build a stable, functional infrastructure, a platform, something its creators could use whenever they wished—to sling spam, to pilfer data, maybe even to launch a cyberattack. But the Cabal would discover that once you let loose an idea as fun as a global cybermeltdown, there is no taking it back.

Some of the more sober publications had done their best. The Wall Street Journal had posted its verdict on its economics website:

“The truth is that the threat posed by Conficker is almost entirely theoretical, and that only a handful of dedicated professionals will notice anything out of the ordinary when [C-Day] comes around.”

The WSJ blog quoted Phil Porras, exactly the right person to ask.

“I don’t see anything on April 1st that will cause any significant havoc,” he said. “The most likely outcome is that the day will pass and no one will have noticed anything.”

John Markoff of the New York Times had asked if he could hang around Phil’s office on April 1, and Phil told him yes, but added that he would probably be bored, warning, “Nothing’s likely to happen.” The Today Show had invited Phil to come on C-Day morning, but he had declined. He hung around his Menlo Park office instead, keeping his eye on his digital ranch and on the List, tending to other things. Markoff didn’t come.

Three hours after the UTC [Coordinated Universal Time] clock ticked into April, T. J. Campana wryly posted:

So we are three hours into the event and I wanted to have a status check. . . . We saw a dip in our sinkhole telemetry this evening at MS [Microsoft] . . . but there are a number of factors at play that could have caused that. The Internet still works . . . :-)

In fact, something had happened. The worm did exactly what it was programmed to do. The requests for instruction came knocking, by the millions, from all of the bots scattered all over the world, to each of the five hundred domains generated for that day, and all of them appeared to have been shunted toward the sinkhole at Georgia Tech, just as John Crain and Rick Wesson and the others had arranged.

Was this victory?

They wouldn’t know for certain for at least a few days if they had blocked every potential command location; and, of course, even if they had, they would have to be perfect again tomorrow, and the next day, and the next, and every day thereafter—but that was unlikely. April 1 was just the first day it would be possible for the botmaster to issue a command. The Cabal had mounted a historic, truly heroic effort to prevent such commands, but only time would tell whether the botnet was fully contained. And with all the publicity they had generated, with everybody in the world watching, wouldn’t C-Day be the least likely day for the bad guys to make their move? Given the superb gamesmanship they had demonstrated so far, wouldn’t it make more sense for them to let all the hype just go pfffft? Send the X-Men a giant raspberry?

Rodney Joffe felt it. He grew increasingly incensed throughout the day with the silly press coverage. He had begun very early in his Phoenix office chairing by video hookup a three-hour ICANN security meeting, all the while scanning his email, where members of the Cabal were posting links to the mounting hilarity. Rodney flew to San Francisco later that day to give a talk, and spent the cocktail hour portion of the event railing against idiot journalists.

At his suburban New Jersey home office, Andre DiMino experienced the day as another coup for the botmaster, who had made them all look foolish. Andre had given an interview the day before to NBC reporters for a segment to air on the Today Show, dressed in a green T-shirt with a mike hanging from the collar, cautioning the reporter (who didn’t have a clue what he was talking about) that the botnet might not actually do anything big the next morning, that it might just generate all these new domain names and begin looking for instructions; but then he could see the Glaze descend. What could he do about the journalists’ love of doomsday predictions, and their utter lack of technical proficiency, not to mention their lack of subtlety? His cautionary words slipped off into the ether, sandwiched between the trumpets of impending doom.

Still, Andre had kept his eye on his monitors through most of the day . . . just in case.

Very early in the morning, in his Alexandria office, big Dre Ludwig was not letting this get him down. He had been up all night and was feeling self-congratulatory, and a little tipsy. He wrote to the List:

My thoughts are as follows.

  1. This has been an amazing effort from the very start on both a technical and logistical level.

  2. We made HUGE political steps . . . and did what even governments could not effectively do.

  3. Regardless of if we completely remove Conficker from the face of the globe WE STILL WALK AWAY WITH A HUGE WIN!

  4. This is hopefully just an example of what WE can ALL do when we work together. Collaboration vs. Competition plain and simple, this is the first time that this has happened in the REGISTRY world. That alone is worth noting in my view, us security nerds have been banding together for years now to tackle threats. This has NEVER happened before in the registry (TLD) world, the closest thing we had was little islands (one or two) of registry operators who would actually take action. Even that has been a helluva battle for some of us to even get done these last few years.

    This is in my own view the fruition of years of work for me, so if you can’t tell I’m more than a bit giddy. I blame the Scotch and time of morning as well!

Dre spent most of the day watching the List and various other chat channels, not really expecting to see anything happen, but aware of what might. The worst part of it for him still was not knowing what the botmaster had in mind. No one knew. Why had the worm been created, anyway?

Paul Vixie treated it like any other workday. He was in his San Francisco office early, confident that the worm was well confined, at least for the time being. At the very least they had made the botmaster think. Vixie’s thoughts turned now to remediation. Time for the industry to wake up and begin fighting viruses directly, targeting infected machines with software designed to search and destroy malware. Clean up whole networks! Maybe Conficker had been the scare everyone needed. He was hopeful, though hopefulness was not his usual state.

Rick Wesson was also in his Mission District office, feeling pretty good about things, and giving lots of interviews. It was hard to believe all the press attention. He was tired. He had few illusions about their “victory,” posting to the List:

Nothing happened because our opponent is smart. They waited 2 months before they got the B => C update past me. We weren’t even lucky. If the Conficker authors had wanted it they could have it tomorrow.

Everyone deserves pats on the back, but the game isn’t over . . . it just started.

John Crain was at home in Long Beach. He, too, watched the List throughout the day, but he assumed this would be the least likely day for the botmaster to make a move.

No matter how dismissive the rest of the world might be, the Cabal knew the threat was real, and would not go away. The botnet was still out there . . . biding its time. Still, as the days progressed and Conficker did nothing, they wondered. Had their effort with the TLDs entirely succeeded?

One week after C-Day, that question was answered. The botnet successfully received instructions, apparently via a peer-to-peer connection from a computer in South Korea, and for the first time since it was first spotted in November, the worm did something—something really stupid. It rented itself out for two weeks to a notorious spammer called Waledac.

This enormous botnet, this potential Internet-destroyer, leased itself out briefly to distribute one of the most pedestrian, well-known species of malware in the taxonomy. And the reaction was: This is it? It was like a bad joke. It was like that classic scene in Spinal Tap when, after a breathless buildup of the band’s new Stonehenge theme, a replica of the ancient monument is dramatically lowered onstage, but the prop is only knee high! Or like the moment in an old circus clown act when the villain at last corners the hero, aims a huge pistol, pulls the trigger, and out pops a little flag displaying the word “BANG!”

Conficker spread Waledac for a few weeks, and then stopped.

What did it mean? For one thing, it demonstrated that the botnet was fully functional, fully capable of receiving instructions. The Cabal had apparently shut down access via a website, and this was an amazing accomplishment; but the botmaster performed a simple end run with his new peer-to-peer capability, just as Hassen had suspected when he first dissected the thing. It was taken by most in the Cabal as a message from their opponents. It said: You know what? We know what we’re doing. We can use this thing whenever we want.

It meant, ultimately, that the enormous effort expended to tie up all those domain names through 116 separate TLD operators, every country code in the world, had failed.

It meant . . . the worm won.

Or did it?

It has now been more than two years since C-Day, or Cybarmageddon, and except for its little stunt with Waledac, the botnet has done nothing—at least nothing obvious. And remember the two signatures of modern war: (1) You never win, exactly; you claim victory. (2) Perception is paramount.

So what exactly had happened? The botnet was still out there, millions of bots automatically churning out domain names by the thousands, every day, week after week, month after month, year after year. The sinkhole monitors established by the Cabal still chart the activity day by day, hour by hour, minute by minute. The Conficker botnet, this enormous concentration of computer power, had been assembled and was still in the hands of its mysterious creators. Those machines were pwned, or owned, and they could be turned to any task the botmaster defined. They could be leased for plunder or marshaled for attack.

The Cabal had pulled off an impressive feat, dissecting the worm, coordinating an unprecedented global response, and setting up a dynamic, smoothly functioning system to monitor the botnet’s data traffic and to sinkhole it. All of that work, the many thousands of hours, the considerable brainpower and experience, had been volunteer. There was no budget for it, beyond Rick Wesson’s credit cards. And what had it earned them, beyond a sense of satisfaction and the admiration of their small group of peers? In the larger world, it had mostly earned ridicule. They were the guys who had (supposedly) claimed the sky was going to fall on April 1, 2009.
