Worm: The First Digital World War (6 page)

Microsoft hired him a few months later, the day before he got married in December, after a grueling daylong round of interviews in Charlotte, North Carolina. The phone call offering him the job delayed his attendance at the rehearsal dinner, but his bride’s pique faded quickly when she learned her groom had landed a good job. T.J. progressed rapidly from enterprise-level network support engineering to security work, a growing concern at Microsoft just then. It was a period of rapid growth for malware, and the job handed him the challenge throughout the last decade of matching the miscreants stride for stride.

Much like Microsoft, malware had begun to embrace specialization. Among the new things T.J. saw were prepackaged exploits, essentially break-in vehicles that allowed criminals to load on whatever scam they wished. These exploit kits were marketed to garden-variety spammers and thieves, who no longer needed sophisticated hacking skills to get started. It meant that every newly discovered exploit launched not just one crime, but many, and potentially multiplied the earnings of its inventor manifold—with the added bonus that the exploit itself was not criminal. Prosecuting its creator would be like going after Black & Decker every time a thief used one of its drills to break into a safe. There were highly skilled programmers all over the world probing for a new weakness in Windows, crafting an exploit, and then openly marketing their invention to less tech-savvy crooks.

Botnets were the new big thing. Most Internet scams have a predictable rate of return; the percentage of people fooled into sending money is small, but if the net is cast widely enough, the returns can be large. Microsoft estimates that 5 percent of computer users fall for malware trickery, downloading programs that infect their computers, often despite on-screen warnings not to do so. Some “phishing” attacks on social networks, messages that trick computer operators into revealing valuable personal data or credit card account numbers, have shown a success rate of 70 percent. So an exploit that can guarantee reaching a large enough number of computers is a valuable tool, indeed, more like a license to print money. Nothing is more valuable in this context than a large, stable, secure botnet, a network of vulnerable computers not just accessible but
controlled
by an outside operator. The pressure it mounts on cyberdefenders is unceasing.

It is harder to defend a computer than to attack it. Microsoft’s security technicians spend considerable amounts of their time plugging newly discovered holes and issuing “patches” to mend them. This is not scary, esoteric stuff. This is as real as picking a lock, albeit not as simple. Anyone who uses Windows on their home computer is familiar with routine security updates, which Microsoft issues on the second Tuesday of each month. In the Tribe it has become known as “Patch Tuesday.”

In September 2008, a group of Chinese hackers began marketing an exploit for $37 that attacked a hitherto unknown weakness at Port 445 of the Windows Operating System. The Chinese hackers were not breaking any laws. They did not attempt any criminal acts. Their product was just a tool for breaking into the heart of a computer running Windows. The first serious effort to use the kit was seen weeks after the kit appeared, in Vietnam, on September 29. A strain of malware dubbed Gimmiv quickly spread from Hanoi to twenty-three nations. Malaysia was hardest hit. Gimmiv was identified by most security experts as a “Trojan,” a type of malware that attaches itself to a legitimate program and goes to work when the operator turns it on. The Trojan then copied all of the registry information in the invaded computer, all of its log-on and personal data, and sent it back to the attacker. As a scam, Gimmiv had serious design flaws that limited its effectiveness, but the exploit had worked perfectly. Others were sure to notice. T.J. knew it probably meant a race to exploit the newly discovered vulnerability at Port 445.

Ports are “listening” points in the system, designed to transmit and receive particular kinds of data. There are 65,353 in Windows, because users value speed, so they want their computers to be able to do many things simultaneously. A firewall is a gatekeeper. It sniffs incoming packets of code and either grants or denies or redirects them according to the rules that govern each port. To penetrate the firewall, a packet of code needs to match up with a port; it needs to present itself as something the port is designed to receive. Only certain very specific kinds of data can flow through, and then only with the appropriate codes. Some ports, like Transmission Control Protocol (TCP) 25, which handles email, are heavily trafficked. Most are not; they listen for updates and instructions that deal with narrow and specific functions, usually routine procedures that never rise to the notice of computer users.

The number of ports is determined by TCP and UDP protocols, which are used to trigger the right listening service on the operating system. If a message comes to a port that lacks the right listening service for it, the port is said to be closed, otherwise, the port is open and the computer will receive the message, oftentimes sending a reply to the sender. In Windows, there are a few ports that are open by default unless there is a firewall to control access. One of them is port 445.

On a Windows machine, port 445 triggers a service called Remote Procedure Call (RPC), which allows other computers to print or share files with it. Because of the complexity of the RPC service, the legacy of various generations of Windows, and the intimacy of the service with the heart of the operating system, called the “kernel,” there are lots of instances where an error in programming allows an attacker to deliver invalid data, instructions which may cause the service to perform tasks for which it was not intended. This is a problem common to large software systems. A vulnerability in RPC permits a level of control over the computer that a vulnerability in, say, Internet Explorer, would not. Remotely controlling Internet Explorer would enable a miscreant to compel your computer to download pornography or adware, the kind of exploit that is immediately and painfully obvious. Seizing control of the kernel gives a remote operator access deeper than a user would ever see, right to the mind and soul of the computer. He would, effectively,
own
it. At that point the owner of the infected computer has been
pwned
, royally.

The hard part was not entering through Port 445; it was fooling the operating system into downloading the exploit’s malware. To accomplish that, the Chinese kit employed a “buffer overflow,” one of the hackers’ oldest tricks. It works like this: An outside computer comes knocking at the door with a packet of code. Once it arrives, the operating system needs to find where to put it. So it dispatches a collection of programs called
network services
—think of network services as a “recipe book” that explains how to make various dishes, and the computer as a chef who is avidly reading this book. If the process were simple, the chef would select the correct recipe, or program, and download the new packet. But the process is not simple. Nearly every program involves a variety of subroutines, which interrupt the primary task along the way. These subroutines are, in effect, small packets of memory created within the preexisting memory stack, parentheses within parantheses, like nesting Russian dolls. For example, once the chef chooses what looks like the right recipe from the book, and starts reading, say, from page 73, he is interrupted and told that a remote client has placed an urgent order for a cake. To service the request, the chef immediately flips to the chapter (or program subroutine) that explains how to prepare cakes, say, page 141. But before he digs into the cake recipe, he creates a temporary memory stack—call it an addendum to the cake recipe—and places a bookmark there, called a “pointer,” to remind him where he left off (page 73), and where he needs to return once the cake is baked. Then he sets about making the cake, which has its own subroutines, like, say, contacting the customer to find out whether he wants angel food or chocolate.

Here is where the malware programmer performs his trick. He is the cake customer. He gives the chef a list of his requirements for the cake, and he knows from previous observation that these instructions will be placed by the chef in an addendum, or the temporary stack, which is called a buffer. The evil programmer knows exactly how big that buffer is. So, in addition to giving the chef details of the cake he wants, he continues to feed the chef unrelated information. If the chef is undiscerning, as Port 445 proved to be, the superfluous data will overflow the allotted buffer space and spill into the addendum, so that the chef inadvertently overwrites his pointer, the one telling him to return to page 73 when he is finished. Instead, the cake instructions now send him in an entirely new direction, like, say, telling the chef—who is a very literal-minded fellow and follows instructions like . . . a machine!—to fetch a key and open a safe he keeps in a back room. This information, which has nothing to do with cake instructions, is duly recorded at the bottom of the addendum. So when the chef finishes with the cake, and checks his addendum to know where he needs to return, he is directed back not to page 73, but to the back room and the safe.

If the right check is in place, the computer at that point would simply reject the incoming packet, or complain—send up a specific warning message to the computer user that only very few comprehend. There are ways for the service to check to see if the space it allocated is large enough or if an attacker has successfully written too much information, either of which would abort the invasion. But the service must do that at every single point, and there could be thousands of such points in a complex program like RPC. The Chinese discovered one point that wasn’t adequately protected. So instead of the RPC service simply aborting the process and shutting down the buffer, just as the handle of a gas pump will automatically shut down when the tank is full, the computer, or chef, continues processing the data along this new and unauthorized path.

This is the essence of the exploit. Like all programs, network services list data and instructions, a set of procedures that the computer follows faithfully. The invading code now steers its malware package wherever the programmer has told it to go, and because Port 445 is buried deep in the operating system, the payoff for an intrusion there is big. The lock has been picked.

Microsoft learned of this new exploit as soon as the Chinese hackers began selling it, and recognized that it potentially posed a major threat. It was “wormable,” that is, it was the kind of attack that would allow for the insertion of a worm, which could then propagate itself into a botnet. It could execute a “remote procedure call”: in other words, the computer could be handed over to a remote operator. The threat was serious enough that the company decided to issue its hastily designed patch for this vulnerability, MS08-067 (Microsoft 2008—Patch 67), “out of band,” that is, it decided not to wait until the next “Patch Tuesday.”

T.J. was at a four-day International Botnet Task Force meeting in Arlington, Virginia, hosted at Carnegie-Mellon University on October 23, 2008, when MS08-067 was announced and made available for download. The timing gave him a chance to explain it in person to some of the top security researchers in the world. When the final decision was relayed to him from Redmond, he stood up with his associate Richie Lai to announce it.

“Hey, I want everybody to go onto
Microsoft.com
, slash, technet, slash, security,” he said. “There’s an out-of-band release.”

The company release accompanying the patch explained: “On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a worm-able exploit.”

Many at the meeting downloaded the patch immediately and began dissecting it. T.J. spent the next few minutes explaining it and answering questions, and then met with people from the FBI to brief them the same afternoon.

“We think this is going to be a big deal,” he told the agents. “You guys really need to start looking at that.”

In a perfect world, the patch would end the problem. But as T.J. well knew, MS08-067 was more likely to makes things worse. Anyone who downloaded it would be protected from the exploit, so Microsoft had to release it in order to protect its most diligent customers. But the patch itself was better advertising than the Chinese hackers could ever afford. It was like placing in orbit a flashing neon billboard so gaudy that it could be seen everywhere on Earth with the naked eye—
Come one! Come all! A new Windows vulnerability!

In fact, the patch itself most likely inspired the new worm’s creation. Many, many computer operators worldwide fail to diligently heed security updates. Millions of “Windows” systems around the world have been bootlegged, counterfeited, or installed without authorization. If everyone registered his software and applied new patches promptly, Windows would be nigh impregnable. But because so many people fail to do so, “Patch Tuesday,” or in this case an out-of-band patch, has become part of Micro soft’s problem. It is as if the commander of a fort made a public announcement—“The back door to the supply shed in the southeast corner of the garrison has a broken lock; here’s how to fix it.” If there were only one well-policed fort, the lock would be fixed and the vulnerability would disappear. But when you are defending millions of forts, and a goodly number snooze right through the public announcement, the patches simply point out the unlocked door. They don’t just invite attack; they provide instructions!

This was scary stuff if you allowed yourself to really think about it, which few did. It pointed up a flaw in the founding
let’s join hands and sing!
techno-utopian spirit of the Internet itself, a flaw so basic that it could not be fixed. It suggested some kind of social equivalence to entropy, an unbendable curve toward ruin. It was proof, as if further proof were needed, that nothing works exactly as intended.