by Bowden, Mark
If the worm served some legitimate function, it would then have been initialized and handed over to the computer user, or it would have failed to initialize and been given the boot. The latter is what appeared to happen. When the DLL timed out, svchost raised an exception and aborted the load. This was the false trail. There was nothing to suggest anything more had happened. To most people, even those monitoring the system very carefully, the incoming packet had failed to initialize and was now gone.
Of course, as Hassen well knew, the worm was not gone. It had performed a nasty trick. The first-level unpacking at svchost had released nesting dolls, not one but two distinct packets: one for code, another for data. The data packet functioned the way you would expect; it informed the system that it was incompatible, and that it had self-destructed. The other, the code packet, opened up a memory—a protected memory segment—and then decrypted and installed itself. It pushed that segment off as a “remote thread,” that is, a hidden code that executes itself within the address space of an existing, legitimate process. Thus hidden, it injected itself under a random file name into the Windows root directory, a file called services.exe, which runs background applications. At this point, the worm owned the computer. It had pulled up a chair in the very core of the operating system, the innermost kernel, what amounted to the system’s medulla, which is the lower portion of your brain that regulates autonomous functions like the in-out of your breathing, the opening and closing of the ventricles in your heart, and the contractions of the slippery linings of your intestines. Human beings operate their bodies in the sense that they can will themselves to run a sub-four-minute mile or pull an all-nighter before a chemistry test, but the really important controls, the life-and-death functions, are buried too deep for conscious control. They are safely beyond the reach of clumsy, changeable willpower. The root directory for an operating system is likewise hidden away. Computer operators who inadvertently stumble on it are sternly warned, in so many words, Don’t mess with this unless you really know what you are doing!
Hassen traced these steps with great care, until he was able to find and isolate the remote thread inside his virtual computer, and attach it to his own executable file. At that point he had the worm, in effect, splayed out on his dissection table. He could turn it on and watch it actually go to work. The program’s code was deliberately obfuscated, making it more difficult than usual to read, but over several weeks, looking at long strings of ones and zeros, Hassen managed to piece it together. One of the first things he learned was that the botnet being assembled by the worm was scheduled to wake up on November 26. Whoever launched it had given it six days to spread before activation. Because the worm kept track of time by checking with the host computer’s clock, Hassen could get an advance look at what it had in store simply by turning his computer’s internal clock forward.
One of the first things it did surprised him. After performing a few routine moves to initiate itself, disabling the computer’s antivirus programs (the infected computer could no longer receive security updates from anti-malware companies), patching the vulnerability at Port 445 (the smart burglar closes and locks the window he entered), and opening a back door through the computer’s firewall to enable it to make an outbound connection from the victimized computer to the botmaster, the worm then checked to see if its new host had a Ukrainian keyboard. That was unusual, and revealing. The Internet is global, but law enforcement is not. In many countries, and the Ukraine is one, there is no law against deploying computer scams against people in other countries. So long as cyberthieves do not prey on Ukrainian citizens, they could theoretically empty the bank accounts of every American citizen without breaking the law in their home country (incidentally, there was a large Ukrainian community in Buenos Aires, where the worm had apparently originated). If the worm discovered a Ukrainian keyboard on the machine, it would not install itself. If it did not, it proceeded.
Next, it contacted a website called maxmind.com and downloaded a Geographic Internet Protocol (GeoIP) database. This is what Phil had noted in the original readout on his Infections Log. The geo data told the worm both where it was and where the computers it sought to infect were. There were at least two reasons why this information might be useful. It could have been yet another way to avoid Ukrainian machines, but it also made the worm’s propagation more efficient. Exploiting a buffer overflow is tricky. By knowing where the targeted computer was located, the sender could tailor the message appropriately.
Once it established where the infected machine was, once it learned its IP address, the worm contacted the machine’s Internet Service Provider (ISP) and began scanning all machines on the same network for vulnerabilities—looking for Windows Operating Systems to infect. If the machine initially infected was part of a large network, say, at a university or military complex, it is likely that none of the other machines on that network were patched, so the worm spread very rapidly within networks. For a machine connected to a commercial Internet provider the process went more slowly, because there was less uniformity of operating systems on the machines that used that ISP. But once a single machine was infected, every IP address on that network was potentially vulnerable.
After it performed these steps, the worm rested. God took a full day. The worm rested for just thirty minutes.
It is doubtful at this point that any normal computer user would notice the infection. The worm so limited its use of the host computer’s resources and network bandwidth that it barely registered any activity. This was a highly effective method of hiding. So long as the normal functions of the computer seem unchanged—and they would seem unchanged even if slowed by a few microseconds—most computer users would not think to look for an infection. Fussy users who are aware of the normal bandwidth of their machine, the measure of the rate of data exchange, might notice an infection if the rate suddenly increased. This worm was so efficient that its operation registered only slightly on bandwidth monitors, so even users who made a practice of checking the bits-per-second flow of their machines would be unlikely to notice a significant change.
All of this was clever enough, but most of these moves had come before in the world of malware. They marked this worm as state of the art. What Hassen saw next as he peeled still deeper really impressed him. Its designers were, in a very real sense, his enemy, but while he might deplore the motives and character of those who unloosed this worm, he could not help admiring their craft.
On November 26 all infected computers would begin checking to see if their host computer was connected to the Internet, and if so, would begin trying to call home. The worm would begin by generating a list of seemingly random Internet domain names, 250 of them, every three hours. Every like-infected computer in the world would perform the same trick, spitting out the same 250 addresses every three hours until the end of the day. The next day it would create an entirely new list of 250 domain names. If the host computer was off-line, it would check back every minute until it could resume the exercise. The worm-generated domains appeared random, just meaningless strings of numbers and letters followed by one of five Top Level Domain (TLD) indicators—.com, .org, .net, .info, or .biz—but they were, in fact, entirely predictable if you knew the algorithm that produced them. Whoever was controlling the worm needed only to be behind one of those 250 doors to issue a command.
Phoning home had always been a botnet’s biggest weakness. Worms that created botnets were designed to do four basic things: to break into a computer, to secure it from further security updates, to spread, and to call home for instructions. Without receiving further instructions, the invader was harmless. It carried no instructions of its own beyond installing itself securely (all of the functions Hassen observed were designed to settle the invader in safely) and spreading. Once all of the infected computers started calling in for instructions, the worm was vulnerable. If the white hats could find the right domain name of the controller, they could contact a registrar and have it blocked or taken down (and supply law enforcement authorities with the culprit’s home office). Effectively, the botnet would be dead. But with 250 new domains being generated every day, this was not going to be an easy task. Whoever had designed this one knew something about how the white hats worked, and had planned ahead . . .
In more ways than one. Because if someone figured out which door the botmaster was waiting behind on a given day, this worm was programmed to communicate in code, and not just in any code. Whoever designed it was concerned about more than being thwarted by the good guys. The designers were also worried about competing criminals. A secure botnet was a valuable tool. If a rival botmaster could determine its command and control site and issue his own instructions, he could effectively steal it. So the new worm took no chances. It employed the most advanced public encryption method in existence to protect its communications.
Breaking codes used to be the province of clever puzzle masters, who during World War II devised encryption and code-breaking methods so difficult that operators needed machines to do the work. Computers today can perform so many calculations so fast that, theoretically, there is no longer any such thing as an unbreakable code. One applies what computer scientists call “brute force”: trying every possible combination systematically until the secret is revealed. Such an approach would take human beings thousands of years if the code was sufficiently complex, but it would take a modern computer only a few seconds. The encryption game today is about making a cipher so difficult that the amount of brute force required to break it renders the effort pointless, or too expensive—the “thief” would have to spend more to obtain the prize than the prize is worth. In his 1999 history of code-making and -breaking, The Code Book, Simon Singh wrote: “It is now routine to encrypt a message [so securely] that all the computers on the planet would need longer than the age of the universe to break the cipher.”
It is one thing to write a code that only its controller can decipher, but quite another to devise a method for two parties to communicate in code, in public. Public encryption is essential for, among other things, e-commerce, where customers send private information over the Internet.
The basis for the highest-level encryption is a public-key method invented in 1977 by three researchers at MIT: Ron Rivest (the primary author), Israeli cryptographer Adi Shamir, and Leonard Adleman of the University of Southern California. In the more than thirty years since it was devised, the method has been improved several times. The National Institute of Standards and Technology sets the Federal Information Processing Standard, which defines the cryptography algorithms that government agencies must use to protect communications. It is also the basis for nearly all high-level encryption that allows private transactions over the Internet. The American standard is determined by an international competition among the world’s top cryptologists, and since this is the highest-level contest of its kind, the winning entry becomes the world’s standard by default. The current high-level standard is labeled Secure Hash Algorithm–2 (SHA-2).
The worm used three crypto algorithms. It utilized Rivest Cipher 4 (RC4) to encrypt its binary messages; SHA512 (one of the family of high-level standards that use 512-bit words) to ensure that even if someone broke the RC4 cipher the intruder would not be able to alter the message, because the algorithm would detect a single-bit modification in a trillion-bit stream; and RSA (Rivest, Shamir, Adleman), a signature system that guaranteed messages from the worm’s controller were authentic. The use of RSA meant that both the worm and the botmaster possessed two keys, a 1,024-bit public key and a 1,024-bit private key. The worm’s keys were different from the botmaster’s keys. In order to break the code, you needed both. The worm sent its message encrypted with the botmaster’s public key, and he could decrypt it with his private key. A return message would be encrypted with the worm’s public key, but could be decrypted only with its private one. It was theoretically possible to divine the private key from the public key, but only with one of the most powerful computers in the world, like, say, the ones available to the National Security Agency (NSA) or the Defense Department. Even if Phil and his team succeeded in intercepting a message from the botmaster, they would not be able to decode it.
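The three algorithms named in the passage, combined the way the passage describes them (RC4 to hide the message, SHA-512 to notice any change to it, an RSA signature to prove who sent it), as an added example written for this page. It is not the book's code and not the worm's implementation: the RC4 key, the sample command and the RSA primes are all constructed here, and the RSA modulus is a toy 92-bit one built from two Mersenne primes rather than the 1,024-bit keys the text describes. The defender's point it makes is why the hash and signature are not optional: RC4 on its own is malleable, so a flipped ciphertext bit silently becomes a flipped plaintext bit, and only the digest-plus-signature check catches it.

```python
import hashlib


# --- RC4: the stream cipher the text names. One function serves for both
#     encryption and decryption because it only XORs a keystream over the data.
def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# --- Toy RSA signing. Two Mersenne primes give a 92-bit modulus: big enough
#     that a tampered digest will not collide by accident, far too small for
#     real use (the text describes 1,024-bit keys). Constructed for this example.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent (Python 3.8+)


def sign(digest: bytes, d: int = D) -> int:
    """Sign a SHA-512 digest reduced mod N (toy: real RSA pads the digest first)."""
    return pow(int.from_bytes(digest, "big") % N, d, N)


def verify(digest: bytes, signature: int, e: int = E) -> bool:
    return pow(signature, e, N) == int.from_bytes(digest, "big") % N


# --- Sender side: hash the command, sign the hash, encrypt the command.
def package(plaintext: bytes, rc4_key: bytes):
    digest = hashlib.sha512(plaintext).digest()
    return rc4(rc4_key, plaintext), sign(digest)


# --- Receiver side: decrypt, rehash, and refuse anything whose signature fails.
def unpack(ciphertext: bytes, signature: int, rc4_key: bytes) -> bytes:
    plaintext = rc4(rc4_key, ciphertext)
    if not verify(hashlib.sha512(plaintext).digest(), signature):
        raise ValueError("integrity/authenticity check failed")
    return plaintext


# --- Why the hash and signature matter: RC4 alone is malleable. Flipping one
#     ciphertext bit flips exactly the same plaintext bit, and nothing notices.
def flip_bit(data: bytes, index: int, mask: int = 0x01) -> bytes:
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def tamper_undetected_without_check(plaintext: bytes, rc4_key: bytes,
                                    index: int = 0, mask: int = 0x01) -> bytes:
    """What a receiver that only decrypts would accept: the altered plaintext."""
    ciphertext = rc4(rc4_key, plaintext)
    return rc4(rc4_key, flip_bit(ciphertext, index, mask))


def tamper_detected_with_check(plaintext: bytes, rc4_key: bytes,
                               index: int = 0, mask: int = 0x01) -> bool:
    """True when the digest-plus-signature check rejects the same alteration."""
    ciphertext, signature = package(plaintext, rc4_key)
    try:
        unpack(flip_bit(ciphertext, index, mask), signature, rc4_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"constructed-rc4-key"                # constructed sample key
    msg = b"UPDATE 2008-11-26"                  # constructed sample command
    print(tamper_undetected_without_check(msg, key))   # altered text, no error
    print(tamper_detected_with_check(msg, key))        # True
```

The signature is computed over the SHA-512 digest rather than the message itself, which is what makes the hash step load-bearing: the receiver recomputes the digest after decrypting and the RSA check fails the moment a single bit of the recovered message differs.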
This meant the worm’s author or authors were fluent at the highest levels of cryptography. As exceptional as this step was, Hassen had seen it before. It did show an unusual degree of care. These people were clever, he thought; they had designed this with a checklist in mind. They had done their homework. They were not just creating a remarkable illicit asset; they were determined to protect it, keeping one step ahead of whoever might compromise it.
That was impressive, but the next thing Hassen saw as he peeled deeper into the worm really surprised him. He had never seen it before. On the http query line for each generated web address, each of those random domain names it generated daily, was a number that at first he did not comprehend. He shelved the question for a few weeks as he worked out how to dial the Domain Generating Algorithm (DGA) forward, generating a daily calendar of the websites the worm would be trying to contact. But when he had finished with that, he returned to the number.
He finally determined that it recorded the number of machines the worm had infected from that bot. He saw immediately why that would be useful. The worm was randomly infecting any machine it could infect, but some computers were more interconnected than others. Most of us live and work within a relatively small circle of people, so our computers interact with only a small number of others. But some people, and hence some computers, are what social network theorists call “nodes.” They are widely connected. They tend to be on the Internet full-time. They exchange information with an extraordinarily large number of others. The mystery number on the http line informed the botmaster which computers on its net were the most widely connected, and the most valuable. This meant that if the white hats succeeded in shutting the botnet down, its creators would not have to start over with random infections; they could begin by targeting the nodes, which would propagate the worm much more efficiently and quickly. That, thought Hassen, was “really, really clever.” These guys were creating this botnet to last.
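The domain-generation scheme described above, and the "dialing forward" Hassen did with it to produce a daily calendar of rendezvous sites, as an added example written for this page. It is not the book's code and not Conficker's actual algorithm: the generator here is a constructed toy that seeds SHA-256 with the calendar date, and the five TLDs are the only detail taken from the text. The defender's point is the one the chapter makes: because every copy derives the same 250 names from the same date, anyone who has the algorithm can compute tomorrow's list today, hand it to registrars or a DNS sinkhole, and match it against DNS logs (the log format below is also constructed).

```python
import hashlib
from datetime import date, timedelta

# The five TLDs the text names; everything else here is a constructed toy.
TLDS = (".com", ".org", ".net", ".info", ".biz")
DOMAINS_PER_DAY = 250
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def _as_date(day):
    return date.fromisoformat(day) if isinstance(day, str) else day


def daily_domains(day, count=DOMAINS_PER_DAY):
    """Deterministic list of candidate rendezvous domains for one calendar day.

    The seed is the ISO date, so every copy of the program produces the same
    list on the same day, and a defender can compute it for any future day.
    Toy construction, not the worm's real algorithm.
    """
    seed = _as_date(day).isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                         # 8..12 letters
        label = "".join(LETTERS[b % 26] for b in digest[1:1 + length])
        domains.append(label + TLDS[digest[-1] % len(TLDS)])
    return domains


def dial_forward(start, days):
    """Calendar {iso_day: [domains]} for a window, i.e. the clock turned forward."""
    first = _as_date(start)
    return {(first + timedelta(n)).isoformat(): daily_domains(first + timedelta(n))
            for n in range(days)}


def blocklist(start, days):
    """Flat set of every domain due in the window: input for registrars or a sinkhole."""
    return {d for day_list in dial_forward(start, days).values() for d in day_list}


def flag_queries(dns_log_lines, block):
    """Return (line_no, domain) for each logged query that hits the precomputed set.

    Constructed log format: '<timestamp> <client-ip> query <name>'.
    """
    hits = []
    for n, line in enumerate(dns_log_lines, 1):
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            name = parts[3].lower().rstrip(".")
            if name in block:
                hits.append((n, name))
    return hits


if __name__ == "__main__":
    block = blocklist("2008-11-26", 7)                     # a week of doors
    print(len(block), "domains to pre-register or sinkhole")
    sample_log = [                                         # constructed lines
        "2008-11-26T00:05:01 10.0.0.7 query " + daily_domains("2008-11-26")[0],
        "2008-11-26T00:05:02 10.0.0.7 query www.example.com.",
    ]
    print(flag_queries(sample_log, block))
```

Running the calendar a week ahead and feeding the flat set to a resolver's block or sinkhole list is the whole defensive value of reversing a DGA: the bot's predictability becomes the defender's lookahead.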
The new worm was to do something else on November 26. It was programmed to contact a notorious malware distributor called TrafficConverter.biz. This site offered “affiliates” cash for steering suckers its way. Each unsuspecting computer owner conned into linking with the site began receiving bogus warnings of infection on his screen that directed him to download antivirus software, which sold for anywhere from $50 to $75. The real infection, of course, was TrafficConverter’s program, which blocked the computer user from contacting legitimate antivirus companies and would continually pester the user until he paid the fee. The site’s operators offered prizes for affiliates who brought in the most business, including a Lexus sports sedan. Huge amounts of money were made this way, both by the owners of TrafficConverter.biz and by its affiliates, who were raking in as much as $3.9 million a year, according to a report by cybersecurity reporter Brian Krebs.
But two days before the new worm was scheduled to steer its botnet to the scam, TrafficConverter.biz was taken down. Major credit card companies had suspended payment operations for the site, effectively putting it out of business. This turned out to be best for all concerned, including TrafficConverter.biz, because when the worm kicked in, it steered 83 million inquiries to the site from 179,000 unique IP addresses. This would have crashed the site if it had been open for business.
At first glance, the connection with TrafficConverter.biz suggested a lead to the worm’s authors. About a month before the worm appeared, another notorious malware distributor, Baka Software, had sponsored a contest. It offered a new car to whoever could infect the most computers. Baka was responsible for a scam called “Antivirus XP,” and, as it happens, this was likely to have been the product downloaded by computers that contacted TrafficConverter.biz. The company also has a registered office in Kiev.
The connection suggested that the new worm’s designers might have been trying to win the contest. If the website had not been taken down, the worm would have steered an unprecedented flood of business its way—too much, as it happened. But there were other possibilities. Since the traffic generated by the new worm would have crashed the site, might it have been designed by TrafficConverter.biz’s competition? Or were the new worm’s creators toying with the white hats, creating a false trail, much as they had done with the packaging of the worm itself? Why not cover their tracks further by drawing everyone’s attention to a known malware distributor who was, in this case, innocent?
Whatever its purpose, the link to TrafficConverter.biz gave the worm a name. Some labs had been calling it “Downadup” or “Kido,” but Microsoft security programmers shuffled the letters of trafficconverter and came up with “Conficker.” Ficken is the German word for “fuck.” Blend that with English syntax and you get ficker, which this worm was, without a doubt.
The name stuck.
By December 1, Conficker had burrowed into an estimated 500,000 computers worldwide and was knocking out 250 new domains every day looking for instructions.