Worm: The First Digital World War (27 page)

Of course, they hadn’t, but that fact required more explanation than the nightly news was equipped to give. The government had been made somewhat more aware, and, curiously, would even declare victory! A Department of Homeland Security (DHS) “Lessons Learned” report, issued early in 2011, summed up the effort thus:

“In an unprecedented act of coordination and collaboration, the cybersecurity community, including Microsoft, ICANN, domain registry operators, anti-virus vendors, and academic researchers, organized to block the infected computers from reaching the domains—an informal group that was eventually dubbed the Conficker Working Group. They sought to register and otherwise block domains before the Conficker author, preventing the author from updating the botnet. Despite a few errors, the effort was very successful.”

The key word there would be
very
, as opposed to
completely
. As Rick had pointed out again and again,
almost
doesn’t cut it. All it takes is one successful link, like the peer-to-peer connection that prompted the Waladec stunt, and . . . game over. The upbeat DHS report was some kind of high-water mark for government gall—a tough record to beat. After sitting back and watching the Cabal do all the work, and nearly succeed, Uncle Sam finally found a role for himself:
proclaim victory and then stick a flag in it!

It is a curious finding, given that Rodney, who has since become the official head of the Cabal (the very same Conficker Working Group celebrated in the report), has this to say about what happened:

“At the end of the day, it’s a failure. It’s a success as a model and an organization, but we actually don’t have control over Conficker. We didn’t achieve the objective.”

This DHS report, it should be noted, was also the high-water mark for government involvement in the actual battle. On page 33 of the report itself, one unnamed member of the Cabal summed up the feds’ contribution during the actual conflict:

“Zero involvement, zero activity, zero knowledge.”

Nevertheless, the new administration seemed to get it. Behind a lectern in the East Room of the White House on May 30, 2009, President Barrack Obama, who was just moving into the White House when the effort peaked, gave a speech about cybersecurity.

“We meet today at a transformational moment—a moment in history when our interconnected world presents us, at once, with great promise but also great peril.” He called the nation’s digital infrastructure “the backbone that underpins a prosperous economy and a strong military and an open and efficient government.” Cyberspace is “real,” he said, “and so are the risks that come with it.”

He cited Conficker in particular to illustrate the feds’ anemic capability to defend the Internet:

“It’s . . . clear that we’re not as prepared as we should be, as a government or as a country. . . . Just as we failed in the past to invest in our physical infrastructure—our roads, our bridges and rails—we’ve failed to invest in the security of our digital infrastructure. . . . Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don’t coordinate and communicate nearly as well as they should—with each other or with the private sector. We saw this in the disorganized response to Conficker, the Internet ‘worm’ that in recent months has infected millions of computers around the world. This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better.”

Most members of the Cabal say that the government has gotten better. Some of its members have gone to work for government agencies. U.S. CERT’s Mischel Kwon, whose performance the Cabal found singularly unimpressive, resigned just a few months after the president’s remarks—Rodney suspects that the desperate repackaging of his Conficker PowerPoint by the agency played a role. In Pittsburgh there is now the National Cyber-Forensics Training Alliance, a privately funded effort affiliated with Carnegie-Mellon University and modeled consciously after the Cabal, where federal agents work alongside industry researchers. This alliance has begun to make real progress training the kind of experts needed to deal with the growing malware threat.

“There are guys from Target and from eBay and from E*TRADE, and from other banks, who have full-time employees that are assigned there,” says Rodney. “And when they’re able to establish a case, they hand it across the desk to an agent who can now go and get an official case going. It’s highly effective. The best bang for the buck in the entire federal government from a cybersecurity point of view.”

In June 2011, the Pentagon announced that it was putting the finishing touches on a new strategy for dealing with cyberattacks. It will define any attack on important computer networks that leads to civilian casualties to be an act of aggression against the United States; this means that if it can be determined where the attack originated, the nation might respond in a variety of ways, including militarily. It was, however, more a statement of mounting concern than a blueprint for national defense.

“The policy says nothing about how the United States might respond to a cyberattack from a terrorist group or other nonstate actor,” wrote
New York Times
reporters David E. Sanger and Elisabeth Bumiller. “Nor does it establish a threshold of what level of cyberattack merits a military response.”

Despite the vagueness of the pronouncement, it became clear in July 2010 that malware was a serious weapon in the arsenals of great powers. Alarmed by a secret Iranian program to develop nuclear weapons, and the inability of international nonproliferation agreements to stop it, nations opposed to the effort (probably the United States or Israel, perhaps both) infected the computer networks in Iran’s uranium enrichment plants with a worm dubbed Stuxnet. The worm employed the same buffer overflow exploit at Port 445 used by Conficker, penetrating Windows Operating Systems, and was tailored speficially to sabotage the centrifuges used to spin uranium at high speed in order to separate out weapons-grade isotopes. Pentrating a specific variety of software sold by the German engineering giant Seimans AG, the worm caused the centrifuges to spin wildly out of control, destroying the uranium processing facilities and setting back the Iranian effort for years. Even though Stuxnet infected a great many computers outside Iran, its careful design meant that it executed harmful instructions only on the Siemens AG software at the uranium processing plants. It was the first of what are likely to be many carefully sculptured cyberattacks, and clearly learned from the successful implementation of Conficker.

These kinds of tailored, targeted attacks were considered the trend in early 2011, as I finished writing this book. Criminal attacks in recent weeks had successfully hit the International Monetary Fund, Google, Lockheed-Martin, Sony, and Citibank, among others. The difference between these and cyberthreats in the past, including Conficker, is that they do not spread indiscriminately on the Internet, and do not seek to assemble botnets, even though they may use existing botnets as a platform. They are the difference between a smart bomb and a conventional one: they zero in on specific targets and have narrowly defined goals. They illustrate once more the growing sophistication of criminals, spies, and military organizations, who remain every bit or more than a match for those who, like the Cabal, seek to preserve the Internet as a free zone for exchanging information and for commerce. This is one of the defining battles of our age, one that takes place for the most part out of the public eye.

Meanwhile, the Conficker botnet itself waits.

Most of those in the Cabal now doubt that it will ever be used. The theory here is that the Cabal’s coordinated effort, while ultimately unable to kill the botnet, made it too hot to handle. Any move the botmaster makes might help identify him (or them), pinpoint him, bring the law down on him. This is a point of view that supports the claim of victory, albeit victory of a limited sort.

“Somebody got pissed that we shone a light down their hallway or in their bedroom or whatever,” says Dre Ludwig. “I mean, realistically that’s what it looks like. Too much attention. Too dangerous to play with anymore. And it demonstrated [how to mount an] effort, concerted effort, to mitigate it. If that thing ever fired up again we’d get the old band back together. It’s been done once.”

Others, like Andre DiMino of Shadowserver, are more inclined to believe that Conficker’s controllers are simply biding their time.

“They are watching us watch them,” he says. “I’m thinking that it’s really either that somebody
let
this thing get bigger, or it’s advanced bigger and farther than they ever dreamed possible. A lot of people think that. But in looking at the sophistication of this thing and looking at the evolution of this thing, I think they knew exactly what they were doing. I think they were trying something, and I think that they’re too smart to do what everybody figured they were going to do. You have to remember, the world was watching this thing on April 1st, waiting for the world to end on April 1st. The last thing you’d want to do if you’re the bad guy is make something happen then. You’re going to wait until . . . say, May 28th of 2010, or, pick any other date, to do something. You’re going to do something when you’re least suspected. These guys are sophisticated. They have good code. And just even seeing the evolution from Conficker A to B to C . . . these guys know exactly what they’re doing.”

Rodney agrees, and more so. Just because no one has seen Conficker make a move, he says, doesn’t mean that it has not.

“People are saying that Conficker is not really used for anything because it’s not—it’s just too visible. What’s your point that it’s too visible? How does a weapons platform become too visible? Do you mean that it’s so visible that we know how to stop it? It’s really hard to get rid of on infected machines. But [Conficker] has the Holy Grail of malware, which is something called stability. There are six million machines and tomorrow there will be six million machines, give or take. You can count on this botnet. What a botmaster wants always is to know that his machines are going to be up—that someone isn’t going to take them down. This thing has proven . . . that it is rock-solid, and that the good guys, and the antivirus guys, and the Microsoft guys can’t do shit. It is the Holy Grail of a botnet. So what we have in place is a weapons platform that’s capable, and it’s going to stay capable.”

Rodney has a theory. Every day, on average, the botnet loses about half a million machines and gains another half million. The Cabal’s researchers track this. Some machines disappear because they are turned off, wear out, or are replaced, and some because they are disinfected (the Cabal has distributed a free, easy-to-use tool to tell if a computer is infected). Others are added because the worm continues to spread via its peer-to-peer capability. But what if some of those machines that disappear vanish because the botmaster is selling off pieces of the botnet every day to criminal spammers?

It’s plausible, because the botnet is valuable in any number of ways. It can be used to generate a great deal of computing power, or just as a known store of vulnerable machines to exploit. All of the machines on Conficker’s lists have stopped receiving security updates.

“So when people say Conficker’s doing nothing . . . I don’t believe that,” Rodney says. “We think it’s doing nothing because we don’t observe anything. But we don’t know. And a perfect way for this group to actually be monetizing it in a way that just, like, generates revenue every day and would never be noticed, is by sending off targeted pieces either to criminals of some kind. Whether they are a nation-state or just criminals selling off these small pieces [they] would just never be noticed. And I believe that’s what’s happening.”

So while the Cabal may have pointed the way toward a cooperative defense against Internet threats, and may have smartened up the government a little, the worm itself survives. Both sides of the Conficker battle took away valuable lessons.

Paul Vixie has plenty of new material for his “Internet Rant,” that speech he gives in his affectless monotone about the Internet as an example of “historical folly.” His hope two years ago, the day Cybarmageddon didn’t happen, was that after everyone got over the laugh, the Conficker scare might spur efforts toward remediation—a concerted effort to rid machines of the worm. That hope has been disappointed, and he is back to predicting doom.

He is also fed up with Microsoft. In a note to the List later in 2009, Vixie fingered what he believes is the heart of the problem:

This whole thing is Microsoft’s fault. Really. One company brought us Conficker. Stock symbol, MSFT. . . . The pink elephant in this living room is: Microsoft did this to us. I am not referring to Microsoft’s continuing . . . monopoly by which they forced all kinds of end users and resellers to include Windows on the ten million computers now infected by Conficker. That’s evil, and if I ever meet a space alien I will be ashamed for all of humanity at the way we herd our sheeple into pens and suck their blood in this way.

Paul pointed out that Microsoft had issued a patch years earlier dealing with exactly the same kind of vulnerability as the one at Port 445, but that the company’s security software engineers had failed to check to see if the flaw existed elsewhere.

What this means, gentlemen, is that some employee of Microsoft patched it in one place without patching it in the other place, even though they were both in the same source file. This means the employee who did the patch, and the reviewers, and the managers, and the QA [quality assurance] teams, for MS06-040, all had a chance to do a thorough review of the source module for any similar code sequence or vulnerability, and they
flubbed it
.