by Bowden, Mark
Phil Porras got the news in a phone call, and immediately tapped out a summary and marching orders to his team. They would all be working over the weekend:
Guys,
Results from the Phone:
—SRI, Symantec, MS are taking the reverse engineering lead.
—Media blackout til at least Mon, til we know what to say
—How does it work
—What’s our plan to block it
—Do we have signatures/
—We need a thoughtful understanding of
—what are the DNS/Network mitigation strategies
—how can we collect future Conficker telemetry
—Forensic details of how this works
—Any and every detail to help fight it
The really bad news came almost simultaneously. Jose Nazario, a well-known computer security expert working for Arbor Networks, posted:
Save everyone the browsing trouble. Highlights: 50,000 domain names a shot instead of 250.
Fifty thousand domain names per day? The Cabal had scrambled and fought and cajoled to preregister 250 domain names per day. The effort had strained their relationships and Rick Wesson’s credit cards. It had required unprecedented international cooperation, coordinated by ICANN, which was not set up for this kind of thing. Getting 250 domains per day locked down had been considered a triumph.
But fifty thousand? It was flat-out diabolical! Conficker C was programmed to kick in on April 1, upping the ante so high that . . . well, after you gasped you almost had to laugh. Infected machines were to check in for commands on that date. To prevent the worm from making contact with its controller, the Cabal would have to identify and register all fifty thousand, and this would mean tracking down those that were already owned worldwide, and coaxing their owners into shutting down for a few days. And they would have to do that every day from April 1 forward. How in the world were they supposed to do that?
“F&*king Hell,” posted Rodney Joffe, from his office in Phoenix.
Dave Dagon of Georgia Tech was struck by what it would mean if they somehow pulled it off.
Have we got the grapes to ask for the removal of 50K domains per day? That would signal to the botmaster this organization is using policy, and not money, to accomplish this goal. It may end this cat-mouse run, or escalate further. . . . This is interesting times, folks.
Rodney quickly followed up with another note, just ticking off the issues that occurred to him immediately. At least some of the the TLDs involved might simply decide to draw the line—anticipating that even if the Cabal could corral Conficker C, what would stop the botmaster from introducing D? Then E? Then F?
I suspect that some of the TLDs will be forced to say, “We can’t possibly cope with D [whatever ridiculous number the botmaster might crank Conficker up to next], so we don’t want to have to ramp up just to deal with C if there’s no exit strategy.” We knew it would happen. Now it has. What’s plan C?
Out in his office in the Redmond sprocket, T. J. Campana scheduled an immediate conference call, and attempted to rally the demoralized troops in an email:
We either take the fight to them or go home at this point. I vote that we try . . . and when they go for 100,000 we try that. . . . We are being tested people. The DNS [Domain Name System] infrastructure is being tested. . . . Let’s get this thing reversed and at the very least try.
As details of the new variant emerged—Phil and his staff, working straight through the weekend in Menlo Park, produced a remarkable portrait of its anatomy in record time—there was even more consternation.
Rodney lamented:
The techniques employed should scare us since they are the next evolutionary step. We knew early on that our mitigation technique for A/B wasn’t going to work at the next level, and now it’s been demonstrated. (I don’t hold out hope [of all the TLD] operators being able to hear us, much less trust us, much less add this burden to their workload, much less do so in an error free manner.)
The X-Men began to doubt themselves.
“This is starting to stink of an inside job,” wrote a security geek at Bell Aliant, the Canadian telecommunications company.
“I am going to repeat here what I have said privately,” wrote Rodney. “The people behind this are us.”
This cryptic line set some of the more literal-minded in the Cabal to speculating that Conficker’s author was, in fact, one of them. Rodney promptly explained that what he meant was this: the sort of people behind the worm were the same sort of people as those in the Cabal. They were gifted, experienced, and hardworking fellow mutants. And what’s more, they had a built-in advantage in this game. They were on the offense. The botmaster had just waited for the Cabal to make a move, like, say, tying up all 250 domains generated by the worm every day, and then had boosted the worm’s algorithm, and the level of difficulty, into the stratosphere.
“How do we level the playing field?” asked Rodney.
Ever the ray of sunshine, Paul Vixie shot back:
We don’t. We lose. Now that we’ve LOST and/or we know WE WILL LOSE, we decide how to carve up the Internet into defensible neighborhoods and leave the rest to the drug lords. It’ll be like Escape from New York, except our gated community will be on the inside, not the outside.
In the midst of this general shock and awe, Dave Dagon suggested that it was time to seek help:
If we go this route [trying to corral Conficker C], I suspect we’d need high level engagements: Dept. of State—to address the questions, “Why should our country help your Cabal?” DOJ—reprioritize the Conficker investigation. DHS/US-CERT—for all the SIGINT [Signals Intelligence] out there, I do hope someone has insight into the creators of this botnet, and can take action before further critical infrastructure is impacted. . . . Call this weekend and warn our friends.
It was definitely time to shake the feds into action. From the beginning of this effort the Cabal had politely shared data with the appropriate government agencies, those charged with cybersecurity and law enforcement. To all of the X-Men it seemed that the efforts had been exclusively one-way. Whatever they fed the alphabet soup just disappeared into its giant maw. Nothing ever came back out. Here the Cabal were busting their collective butts, working overtime and on weekends, racking their brains, tapping every source and contact they had worldwide, battling to save the Internet . . . where were the people who got paid to do this?
Rodney packed for Washington.
When Phil and his team were ready with their full report on Conficker C on Tuesday, the prospect had never looked worse. C-Day, the day the new strain would wake up and seek instructions, was just twenty-one days away.
The original strain of the worm had a domain generating algorithm that spread its 250 potential command and control locations over five TLDs. Conficker B had made things more difficult by adding three more TLDs to the mix, which meant Rick Wesson and John Crain of ICANN and the others had to bargain with eight. Conficker C pulled out all the stops. Not only was it going to spit out fifty thousand potential domains daily, but they would be spread out over every country TLD in the world, 110 of them, and six more besides, for a total of 116 TLDs!
It got even worse. As Hassen Saidi broke into the new strain, he noticed that there was a scrambled section in the code for this new algorithm. Whatever was hidden in this obfuscated section, it was causing an infected computer to open several ports that controlled communications. There was every kind of speculation about what this meant, but no one could decipher it.
Again, for Hassen, the challenge was personal. The botmaster had handed him another puzzle. The segment of code in question was unreadable in any of the computer languages he knew, so he began the painstaking process of breaking the source code down to object code, the basic ones and zeros of machine language. It took him three weeks. It turned out to be very simple, even elegant. The worm’s creator had designed an original peer-to-peer protocol.
With the first two strains, every infected comp
uter in the botnet had to contact the right domain in order to receive instructions. In effect, the botmaster sat behind one of the many doors and doled out instructions to each bot individually. He had to, in effect, touch every one. This was a relatively inefficient way to disseminate a command. Peer-to-peer greatly simplified the process. Bots could now talk directly to each other. The botmaster had to touch only one machine. So long as one received the command, it could spread the message on its own. Conficker machines infected with C were just pinging each other, asking, “Hey, do you have a copy? Do you have a file for me?”
It occurred immediately to the Cabal that this peer-topeer innovation might afford them an opening. They were running Conficker bots in any number of honeypots now. Why not poison the botnet by having one of their own use the new direct method of communication to spread some worm-crippling code? It would be less invasive than trying to push corrective software to infected machines over the Internet, and not the white hats but the worm itself would be reaching into the bots. But as Hassen looked deeper, he saw that the worm’s authors were one step ahead again. They had anticipated the move. They had designed their peer-to-peer protocol to be cagey. The connected computers compared lists of twenty-five Conficker bots—These are the people I know, by the way. This gave both computers fifty potential domains to choose from, and each chose only one. Each was programmed to favor its own list over those it obtained from the other. The upshot was that any attempt by the Cabal to drop a poisoned seed into the botnet would spread glacially, at best. Again, Hassen was impressed.
In a way, the fifty thousand domains per day, the piece of the new strain that caused so much alarm, may have just been a diversion. Peer-to-peer was the real innovation. Hassen could now put himself inside the head of the worm’s creator. Why not freak out the Cabal by giving them an impossible task? Send them chasing all over the world to tie up fifty thousand domains every day. And then quietly slip in the real zinger, the peer-to-peer protocol, which was far worse. After all, even the best efforts of the Cabal to preregister the 250-domain daily output of Conficker B had been beatable. The new strain had spread from one of the domains missed by Rick and John and the others helping them. Rick had warned continually that 99 percent wasn’t good enough, and he had been proved right. On the worm’s daily list of domain names, which was just randomly generated strings of letters, every once in a while there were domains that were real, that had already been registered. It was easy to assume that the botmaster would not be so bold as to preregister a domain that every white hat security geek in the world was watching, but that’s exactly what he had done, right under the Cabal’s nose. The botmaster had won that game. And if he could pull that off with a 250-per-day scheme, why did he need fifty thousand?
There was another astonishing new wrinkle. Everyone had been impressed by the unique high-level encryption method utilized by Conficker B. The worm’s creators had adopted—really, they had been the first to ever adopt—the Secure Hash Algorithm proposed by MIT professor Ron Rivest in the international contest to establish a new, higher standard for public encryption—SHA-3. This was to ensure that no one could hijack the botnet; only the worm’s author had the keys to that code. In the months since Rivest had originally crafted and submitted this proposal, however, a minor flaw had been discovered in it. So he had quietly withdrawn the proposal, had reworked it to repair the flaw, and had then resubmitted it. Conficker B had employed the flawed proposal. Conficker C used the revised version. It showed once more the rare expertise of this worm’s authors, and also how sedulous they were in tending their creation.
There was one piece of good news in Hassen’s dissection. It was quickly realized that even though the worm generated fifty thousand new domain names every day, each bot attempted to contact only five hundred of those domains. If every one of the millions of infected computers had reached out to fifty thousand new ones every day, the volume of traffic had the potential to crash the Internet’s DNS infrastructure. Initially, members of the Cabal had begun computing, or trying to compute, exactly how much traffic it would take to shut down telecommunications in North America, or to crash Google or Amazon. But much of the immediate alarm eased with this information.
Rick wrote:
So far it’s not as bad as you might assume. It randomly generates a list of 50K domains but then it only tries 500 every 30 to 90 minutes. The authors realize that 50K queries would have caused issues with internal DDoS of DNS infrastructure. I suspect DNS loads will increase worldwide but the local effect should not be as bad as the worst case appears. As we get more information on how the bot works I’m sure we can estimate load more accurately.
Of course, the botnet still had the potential to overload the Internet’s critical nodes at any time, but the Cabal had begun to sense something about their adversary. Conficker’s botmaster had no interest in crashing the Internet, anymore than the worm wanted to interfere with the normal functioning of the computers it infected. It was building something to last. It needed the Internet.
But if there ever was a time to haul out the big guns, it had arrived. Among the long list of targeted TLDs was .us, the country code used by many U.S. government agencies. That ought to warrant federal attention. Rodney was head of security for Neustar, which, among other things, managed .us, so the feds were among its major clients. Apart from the broader public interest, Neustar had a professional obligation to inform official Washington. So on the same weekend when Phil and his Menlo Park staff were engrossed in dissecting Conficker C, Rodney flew to Washington.
He was the eldest and arguably the most heavily credentialed member of the Cabal, the one the feds might actually listen to. He was a charming man, full of rowdy energy and puckish humor, with a very understated intellect. If you ran into him in a bar you might think he worked as a trucker—and, indeed, in addition to his other skills, he was a trucker, owner of a Class A heavy duty commercial driver’s license. Just as he was a smart man who did not behave like one, he was a rich man who didn’t behave like one—although he did have one rich man’s hobby: he collected and raced classic sports cars. Rodney had built himself into a major figure in the Internet world, from nothing. In South Africa as a young man he had served his mandatory tour in the army, and had then lasted only three months in college. He took a job with an insurance company, and enrolled in a course to become an actuary. The second six-month phase of the course introduced him to computers, and he had fallen in love. He took a job with Radio Shack because it offered an avenue out of South Africa, which was then ruled by an apartheid regime that Rodney found unconscionable. He began volunteering as a teacher of math and English to black adults on weekends, in a program that was not government authorized. When the regime began cracking down and arresting the students, Rodney at age twenty-two had had enough. At that point he was married and a father, and the mandatory annual tours in the army were increasingly burdensome. The brewing race war seemed to draw closer and more inevitable with each passing year, and here he was, trained and conscripted to fight on the wrong side. So he moved his family to London, and from there to Los Angeles, learning more and more with each new position about emerging global computer networks.
In addition to his day job, perhaps partly out of the habit of military service he had acquired in his home country, Rodney volunteered to work as a specialist reserve officer for the Los Angeles Police Department. When a police unit responded to a call in his Sherman Oaks neighborhood in 1983, Rodney chatted them up and discovered that among the officers in the unit were reserves who were ham radio operators—he had owned a ham radio license since 1971. They specialized in electronic snooping, which Rodney found fascinating. So he signed up. He worked two or three nights a month, usually on stakeouts in safe locations, work that freed up regular officers to kick down doors. He saw all kinds of opportunities to apply computer networks to fighting crime, and strong-armed the deputy chief for his region into letting him compile a database for local crimes on his Apple 2E,
and eventually on his IBM PC. He produced daily printouts of criminal activity, which were handed to patrol officers at the beginning of each shift. This practice was successful enough to be adopted department-wide. He was then selected to be trained as a drug recognition expert, and eventually became an instructor. Later he obtained that heavy-duty commercial driver’s license and drove one of the department’s eighteen-wheel emergency response tractor/trailers. He was behind the wheel of the Mobile Command Post during the 1992 riots over the Rodney King case.
All the while, Rodney was accumulating a high level of skill with computer networks, just as the Internet began to blossom. When he was ready to start his own company, he and his wife shopped for a place to finally plant roots. Was there a city in the world that wasn’t threatened by race war and riots, and that didn’t live under the constant threat of a giant earthquake? They were ready for some peace and quiet. They wanted a place where there were no wildfires, floods, snow, ice, or tornadoes. Rodney found that the only two spots in the country that met all those requirements were Phoenix and Las Vegas. His wife vetoed the gambling capital, so Phoenix it was. One the companies he started there handled online sales for Robert Redford’s Sundance Catalogue, and another evolved into Genuity, one of the largest ISP data center operators in the world. Rodney had retired from GTE, but in his long and successful climb through the Internet-world, and perhaps harking back to his police work, he had become fascinated by security issues. He supervised security for Neustar now, and knew that a botnet the size of Conficker could, among others things, shut down the company’s networks, effectively dropping telecommunications off the map in North America for a period of time. So his concern about the threat was both broad and immediate.