by Bowden, Mark
Dre Ludwig, in particular, was furious. Had Rick sold the data? He was already under suspicion by some in the Cabal of trying to capitalize on his insider knowledge. Everyone knew that Rick was a friend of David Ulevitch, the founder and CEO of OpenDNS, the company that had so alarmed the Cabal by marketing its own Conficker remedy. Dre smelled a rat. It was exactly the kind of thing he expected from those in the Cabal whom he called, disparagingly, “businessmen.” After all, Rick was in the business of selling data to paying customers, precisely the kind of thing that, say, Shadowserver’s Andre DiMino was against philosophically; it went back to his hypothetical question: If you knew someone’s house was in danger of catching on fire, would you simply warn him or offer to sell him the information?
Dre Ludwig was every bit as much of a purist, and was also unyielding and confrontational in a way the other Andre was not. His rise in his field had been rapid since he flunked out of high school in California. He had taken vocational computer courses at a community college, and found work putting his formidable programming skills to use for several companies near home, where, like T.J. Campana and Andre DiMino, he got his first taste of the malware wars. He was hooked. The contest tapped his competitive core: These people think they’re smarter than me? And he spent the next ten years accumulating credentials and a reputation. After working for a time with Rodney Joffe at Neustar as a tech wunderkind, Dre had set himself up as an independent consultant in the rich turf of Alexandria, where for someone with his skills government contracts were as plentiful as pink cherry blossoms in springtime. He was brash and cocky. He stood big belly forward and small head back, and had a way of fixing you with a steady brown-eyed stare before saying something outrageous.
He had no illusions about the Cabal. He saw all the different motivations, personal and professional, and he had no big problem with them in principle. But Dre drew the line at the point where these private motivations trumped the overarching goal. He was tipped off to Rick’s Chinese outreach when a fellow researcher noticed some Chinese IP addresses popping up on logs and servers of the Cabal’s subgroups. He emailed Dre, “Dude, do you know what your boy is doing?”
Dre thought he knew exactly what “his boy” was doing. He guessed that Rick was leveraging his insider access, the data, and his knowledge to execute a project with whomever over there, without concern for anything but his own gain. That, for him, as he told a friend, “Is like you’re pissing in my pool, dude. Don’t piss in my pool and tell me it’s lemonade. Like, fuck you, dude.” This was now alpha-geek stuff. Who did Rick think he was? It aggravated another, subtler divide in the Cabal. As its youngest member, Dre felt squarely on the youthful side of the X-Men. He and grad student Chris Lee at Georgia Tech had more in common with the teams of geeks who were now flocking into the Cabal’s various subgroups than with their fellows on the List. To them, despite his youthful style, Rick was one of the elders, someone who had achieved a big reputation in their field just for showing up early. There was a fear that the volunteer labor being performed by the younger element out of an idealistic commitment was going to be exploited by the elders for their own profit. This was the nerve struck by word that Rick was dealing with China on his own. Fuck it, thought Dre; this dude’s crossed the line for me. I’m going to put him on blast.
On T.J.’s next conference call, when the subject came up, Dre lost it. Not right away. He listened for a while. Everyone was being very polite and upbeat. Chris Lee was listening on his cell phone as he walked to work across the Georgia Tech campus. He knew Dre wanted him to join in blasting Rick, but he resisted, hoping Rick would explain himself satisfactorily. Dre thought: Nobody else is saying shit. No one else seems to care. Then he started peppering Rick with direct questions: Who are you talking to? What data are you giving them?
When he found the answers evasive, he exploded, making sure everyone could feel his anger—the word prick was used.
“What are you doing?”
“Why did you do this?”
“Did you understand the impact? What you’re effectively doing is handing over, you know, potentially control of millions of people’s home PCs to effectively unknown parties!”
He didn’t get direct answers. Dre left the meeting more convinced than ever that Rick was not only capitalizing on all of their work for his own profit, but undercutting the effort in the process. Rick had afterward emailed Andre DiMino, the even-tempered, universally respected head of Shadowserver, and asked, “Man . . . what did I do to Dre?”
Andre, ever the soul of diplomacy, just responded by sending Rick a passage from a note Dre had posted earlier, which strongly suggested that he and his hotheaded young compatriot were on the same page:
We are all on the same team, we may have different motivations/views/angles/perspectives/religions/sexual preferences/favorite colors/favorite foods/etc. but in the end WE RUN/OWN the infrastructure and the bad guys just wish they did. So let’s put our differences aside for a little while and get things done and try not to let things devolve. There should only be one motivation at play within this group and that should be focusing on mitigation of this threat, and setting a precedent for future threats (processes/contacts/relationships/etc.). Everything else just gets in the way and does our (note the use of that word) cause no good. So let’s all try and set aside our egos, profit motives, and past experiences with each other for a little while so we can do what has never been done before.
Rick denied it all, vehemently, but Dre was not the only member of the Cabal who wondered. If he had not in fact sold the data, had he offered it in hopes of currying favor with the despots, in hopes of doing lucrative business with them down the road? For some the fact that he had acted alone and in a way that struck them as furtive confirmed his guilt.
In the end, it was this last question that prompted a move to oust Rick from the Cabal. He was pressed to divulge everything he had given to the Chinese, and to acknowledge that he had violated his privileged position in the group by acting without putting the matter to a vote. There was no way to prove he had profited from his approach to China, but there was no getting around the fact that he handed the Chinese the keys to valuable data without getting permission from the others. Some of their membership, especially the lurking feds, had security clearances to protect. If they were members of the Cabal, and the Cabal was sharing information with China, did that make them complicit in leaking sensitive data? They felt that at the very least they should have been consulted. To some in the inner circle it smelled like betrayal.
Dre posted his complaint formally to the List, where he tried to state his concerns in a more restrained fashion—avoiding singling out Rick, for one:
Was everyone aware of this change? Was every party that is a part of this process represented in the decision making process? . . . The reason why I am raising this point is that it would appear that a few members of the group made a call that affects every individual and organization that has publicly stated that they are a part of this process. There are very real implications to various organizations’ reputation if this group or process falls apart. . . . No matter what any one group or individual wants to think they do not own this process, they are not the sole provider of the capabilities that are utilized in this process, nor are they the “deciders.” They are only merely cogs of varying criticality in a much larger machine whose importance is greater than any one part. . . . Unfortunately we are now in a WHOLE NEW REALM of scrutiny for each of us as individuals, as participating groups, and as a larger group. . . . I am not calling into question the validity of the decision to move the data, or the location it is being moved to. What I am calling into question is the buy in of the entire group. . . . Everything needs to be laid out in the open and there should be strict guidelines for transparency in place. . . . This also calls into question issues of ownership of the data that is produced. Do the individuals who are sucking up the data own it? What are the guidelines for distribution and use of the data, are they outlined beyond just various conference calls and gentlemen’s agreements, nods, and winks? This sort of wiggle room produces the opportunity for this process to get sideways and off track in a very quick and real manner. Avoidance of such a situation should be everyone’s number one priority! I am sorry for such a long-winded and “heavy” email, but I wanted to make sure at the very minimum I expressed my own personal thoughts and worries with the group as a whole. These very issues are very familiar to me due to my involvement with other industry groups and private groups where they have appeared before. They are very important to properly think through and deal with as the scale of the task we are undertaking here is on such a scale as to be nearly impossible to grasp or quantify. This is due to the fact that we aren’t solving technical problems, we are in essence addressing societal issues that have direct impact on technical controls. If you need evidence of this simply look how quickly the technical controls were put in place vs. how long it took to get the right people’s ears.
On a sunny day in February, Paul Vixie met with Rick on a bench in San Francisco’s Yerba Buena Gardens, atop the Moscone Convention center. It got touchy. Paul was there to act as a mediator, but Rick was insulted to be confronted again by unfounded suspicions. Paul was mostly in agreement with Rick’s reasoning for sharing the data, but pointed out that, as part of the group, Rick really ought to have consulted with the others beforehand.
Tempers cooled in subsequent days. Rick was never booted from the Cabal. But the sinkhole operation was consolidated with Chris Lee at Georgia Tech. Rick continued to play an active role, but never fully emerged from the cloud of suspicion.
Despite these occasional flare-ups, by the end of February the Cabal was feeling pretty good about itself. There was a growing sense that Conficker was contained, or very nearly. There was some talk about preparing a postmortem on the whole project. They all agreed that this was a watershed battle. They wanted their triumph remembered. There was a lot of credit to be shared, and there were lots of reasons for grabbing some of it. So in addition to the reward money, members of the Cabal agreed to start pushing for press coverage. It was a good idea to let the world know how potentially dangerous this botnet was, and how all these members of the Tribe had come together on their own in a selfless effort to combat it. Their efforts at first produced only a trickle of coverage in the mainstream press. The subject matter was just too esoteric for most . . . at first. Once they started that ball rolling downhill, it would continue to pick up speed. The heightened press attention did attract scores of botnet hunters eager to join the battle. Since its beginning, back in early December, the battle against Conficker had grown from an initial core of fewer than a dozen, to, when you counted all the new subgroups, more than three hundred. As it appeared the project was closing in on final success, involvement was a feather in any geek’s cap, whether in academia, industry, or government. This was cutting-edge stuff, and the effort was . . . well, there was no other word for it: heroic!
By early March, millions of Conficker A and B bots were in check. China was handling its Conficker problem with ruthless efficiency. Each of the millions of bots was checking in regularly to the scores of domains generated daily, and nearly all of these requests were now being routed directly to the sinkhole at Georgia Tech, where members of the Cabal could count, observe, and analyze them.
What they had accomplished was amazing, but it still wasn’t good enough. In his cheerleading email in early February, T.J. had written: “The fact that we have so many people willing to help is a WIN! We are sink-holing a ton of traffic for analysis . . . WIN! We know a lot about this threat based on analysis done by many people on this thread . . . WIN!”
Dripping with sarcasm, Rick had promptly responded, “This is really filling my sails,” and reminded everyone, “We had over 99% yesterday . . . only 100% counts.” They were edging closer to that goal.
And still Conficker had done nothing. When the B strain appeared, most of the Cabal assumed it was about to take action in some way. This is what had prompted Rick’s alarm “from the trenches” to the Defense Department. It looked as though the enormous botnet was about to wake up.
But then . . . nothing. It did not make sense. The mystery around the worm deepened. Who was behind Conficker? What was it for?
Toni Koivunen, a Finnish analyst with F-Secure, wrote that he found the lack of profiteering by Conficker “simply amazing.”
The creators of this botnet are curiously not interested in the (likely millions) a network of this size could reap for spam delivery, credit card fraud, etc. Yet the world’s spam traps are not dry, phish scams are plentiful, and there appear to be no market inefficiencies in employing other recent and revived botnets for spam delivery. If they wanted to use [Conficker] for spam, there are buyers. We may put aside for now the “fake AV” feint [the programmed original contact with Trafficconverter.biz]. We may also put aside the interesting notion (mentioned in some circles) that this was a spam botnet, but it exceeded the authors’ expectations in terms of size, and cannot be managed. . . . This botnet, in terms of unique IPs (not just hosts), is by conservative estimates solidly in the million-host level. This is orca huge; yet supposedly it just sits there?
Conficker’s dormancy fed the theory that it was really a weapon. A nation-state wanting to arm itself for almost any kind of cyberattack could do no better than a vast, stable botnet. It could be used to launch anything. But if this was so, wouldn’t they have been smart enough to disguise it better? In some ways, creating something this big without using it invited a level of attention anyone in this game would prefer to avoid.
Rick wrote:
It is my current hunch that this is not a botnet run by cyber criminals. This one is curiously “idle,” like no others have been before. If this one does turn out to be state-sponsored, I would give it high marks for penetration, but a low score for its present failure to act like a criminal spam botnet. And so I’m in the unexpected position of actually hoping this one sends spam. At least that suggests a class of adversary with familiar, economic goals.
Tying up the domains generated every day might keep Conficker from doing anything, but it would not stop the worm from spreading. Would the Cabal tire of the time, effort, and expense involved with registering scores of new ones every day? They had sustained it for two full months now. Were they prepared to keep doing it for additional months? For years? Maybe this, too, was part of the botmaster’s strategy. If the botnet was built for the long term, the botmaster could afford to wait until the Cabal’s interest and patience was exhausted.
Meanwhile, more and more major computer networks were discovering the invader. There were headlines worldwide, marking invasions large and small. In the United Kingdom, the Defense Ministry and Parliament had been hit. So had the military computer networks for France and Germany. The Houston municipal court. Southwest Airlines. The Greater Manchester Police. India and Brazil had huge outbreaks. By the end of February 2009, estimates of how far and wide the botnet spread varied, with some security companies placing the number between ten million and twelve million.
But alarm still generated only an off-key response. Ironically, the biggest actual problem it posed so far came when organizations acted to get rid of it. It wasn’t all that hard to kill, but banks, government agencies, and corporations incurred tremendous cost and inconvenience shutting down their networks for the procedure. For many, it was easier to simply leave Conficker alone than to attack it; this, too, may have been part of the worm’s genius.
Techies were getting used to it. Someone posted a playful poem to the geek discussion board Slashdot on February 20.
If you’re on the highway and Conficker goes beep beep,
Just step aside or you might end up in a heap.
Conficker, Conficker runs on the road all day.
Even the coyote can’t make him change his ways.
Conficker, the coyote’s after you.
Conficker, if he catches you you’re through.
Conficker, the coyote’s after you.
Conficker, if he catches you you’re through.
That coyote is really a crazy clown,
When will he learn he can never mow him down?
Poor little Conficker never bothers anyone,
Just runnin’ down the road’s his idea of having fun.
Everybody got a kick out of the poem. But if the rest of the world was merely overwhelmed, the X-Men knew better. All it would take was one successful connection to turn cute catastrophic. All they had to do was miss one domain, one command. In the New York Times, Markoff called Conficker “a ticking time bomb.”
Then, on March 6, the worm turned.
9
Mr. Joffe Goes to Washington
TODAY A MASSIVE SHADOW FALLS ACROSS
THE CITY . . . AND FEAR BECOMES A REALITY.
—The X-Men Chronicles
The news hit the List early Friday evening, March 6.
“Greetings to all,” posted Dean Turner, a Symantec analyst. “As some of you may be aware, we’ve identified a new variant.”