by Bowden, Mark
The worm was becoming a punch line. It had a hint of the we’re-getting-our-comeuppance-here appeal of the old Godzilla movies. Only this wasn’t a fire-breathing dragon emerging from the depths to exact revenge on mankind for having the temerity to split the atom: it was Big Brother; it was HAL; it was the long-awaited, long-predicted confrontation with The Machine, the incomprehensible monster with a billion arms that we had foolishly entrusted with all of the details of our personal and public lives . . . only . . . it really probably wasn’t. Who schedules Armageddon for April Fools’ Day, anyway? This was a billion-armed digital monster with a sense of humor!
On the last night of March, C-Day eve, CBS TV weighed in on 60 Minutes, the most watched and most respected news program on the tube. The network had good reason to take Conficker seriously: its own computer network had been invaded by the worm. So CBS TV played it straight. After going to considerable expense and effort to scrub its networks, Murrow’s old channel found the worm no laughing matter.
But there was still the Y2K wink.
Correspondent Lesley Stahl reported soberly, telling millions of viewers, “The Internet is infected.” The story worked primarily as a warning against all forms of “creepy, crawly toxic software”—again, the wink! The segment was a terrific advertisement for commercial security firms, particularly Symantec, whose vice president Steve Trilling cheerfully explained the botnet thus: “Imagine a network of spies that has infiltrated a country. And every day, all of the spies are calling in for their instructions on what to do next.”
Stahl said, “So far, the bad guys who created it haven’t triggered Conficker. It’s just sitting out there like a sleeper cell.” Ever since 9/11, few Americans didn’t sit up straight in their living rooms at the talk of “sleeper cells.” But these malevolent terrorists were lurking right inside their home computer, perhaps right there on . . . their . . . lap! When Stahl asked what the worm might do, Trilling answered, “That’s the interesting thing. The only thing the worm is being asked to do is to ask for further instructions.”
The worm could turn menacing “in an instant,” Stahl explained, and added, “I’m hearing Jaws music.”
There it was again: the wink!
She wrapped up the report with:
“Conficker investigators have been talking about an April Fool’s attack . . . but nobody knows if the instructions will be benign, or something that could disrupt the entire Internet.”
So, there you had it. If you understood the risk and chose to actually think about it (the very thing Paul Vixie had said he consciously avoided doing), and if you followed the potential risks to where they might lead, there was more than a small chance that the word Cybarmageddon was entirely justified. Hey, what if this was really it?
The Cabal had succeeded big-time in one way: They had publicized the hell out of the worm. They had come a long way from their initial press release in early January, which got mentioned in a few cybersecurity blogs. Now it was:
“An Unthinkable Disaster in the Making!”—New York Times.
“A Threat That Could Disrupt the Entire Internet!”—60 Minutes.
“A Deadly Threat!”—London Guardian. This alarm was being amplified and interpreted by countless smaller news outlets throughout the world, but nearly always with . . . the wink.
All of this made the Cabal very uneasy; their reaction was not unlike the sensations they had felt when Rodney toured the capital beating the botnet drum. One of the great risks in pushing the global panic button is, of course, making a fool of yourself. They had wanted to be taken seriously, but this hardly qualified. This was . . . like . . . virtual panic. The public was not so much alarmed as amused. What the hell was going on?
The problem was the nature of the thing. The threat was all potential. If you told people that there was a dirty bomb in Times Square, they would understand immediately. But to grasp the threat posed by Conficker, you had to understand how the Internet worked, how vital it had become to modern society, and how much damage someone could do with millions of computers all pulling at the same time on the same rope.
Rodney had his own little prayer for the moment: “Please, God, let it be an experiment that’s gone wildly right.”
So a million eyes were watching and waiting when the atomic clocks that calculate Coordinated Universal Time ticked off the final seconds of March 2009, edging toward C-Day, the moment when the C strain would receive its instructions, when the mighty botnet would wake up . . .
and!!!
and!!!
!!!
!!
!
. . . nothing happened.
11
April Fools
X-MEN, OUR DAY HAS COME.
—The X-Men Chronicles
History is done with Appomattox moments. Wars no longer end in ways anyone can describe as satisfactory, much less triumphant. In modern warfare there is no such thing as unqualified victory, or unconditional defeat. No more Lee handing over his sword, no more Shigemitsu scratching out his signature on the deck of the USS Missouri with newsreel cameras capturing the moment of total surrender, with people dancing in Times Square, kissing strangers. Modern wars peter out. Casualties mount. The public gets surly. The treasury coffers bottom out. The ruling party gets dumped. One no longer wins; one claims victory. Often both sides do. And sometimes both are right . . . in their own way.
Another signature feature of modern war: perception is paramount! In that category, Conficker was definitely a bust. A joke.
Lampooning the disaster warnings, a website devoted to malware research, MW-Blog, invoked the breakthrough, strange-loop moment from Hofstadter’s Gödel, Escher, Bach when a complex recursive program pops out of the system, blinks, and starts thinking for itself:
This is what security experts around the world have feared for a long time. The Conficker worm botnet grew big enough and 1 minute past midnight, on April 1st, it finally gained consciousness. News is rolling in from New Zealand that a photo frame with embedded XP went crazy and started displaying pictures of dirty deeds, done with sheep.
The Cabal took it on the chin. The geeks had cried wolf! Again!
Wired magazine poked fun that morning on its website, in a clever blog written by Kevin Poulsen:
We’ll track this scourge throughout the day, so check back frequently for the latest updates. The war room will liveblog the cyber apocalypse until the Internet has melted into a smoldering pile of solder and CAT 5 cable, or Conficker-controlled androids burst down our doors and pry our keyboards from our hands.
Obviously, it’s biding its time—lulling us into a false sense of security and planning its next move. Keep watching this page.
. . . 12:20 EDT: Reader reports, “I just got a message that said, ‘Windows has encountered a problem and will need to shut down.’ OMG!!”
. . . 4:30 p.m. EDT: First “I Survived Conficker” tee spotted on Cafe Press. Premature and smug. Might as well wear a sign on your chest saying, “Conficker, Kill Me First.”
You get the picture. And this was the friendly, geek press. To the wider world, Conficker was just another doomsday moment that fizzled, and another reason to take the frantic warnings of the Tribe with a grain of salt.
But the prospect that nothing would happen on April 1 had actually become the prevailing theory of the Cabal itself. The insight that Conficker’s botmaster had no interest in crashing the Internet had eased concern weeks earlier over the possibility of anything catastrophic. The whole point of the botnet, at least so far as anyone could tell, was to build a stable, functional infrastructure, a platform, something its creators could use whenever they wished—to sling spam, to pilfer data, maybe even to launch a cyberattack. But the Cabal would discover that once you let loose an idea as fun as a global cybermeltdown, there is no taking it back.
Some of the more sober publications had done their best. The Wall Street Journal had posted its verdict on its economics website:
“The truth is that the threat posed by Conficker is almost entirely theoretical, and that only a handful of dedicated professionals will notice anything out of the ordinary when [C-Day] comes around.”
The WSJ blog quoted Phil Porras, exactly the right person to ask.
“I don’t see anything on April 1st that will cause any significant havoc,” he said. “The most likely outcome is that the day will pass and no one will have noticed anything.”
John Markoff of the New York Times had asked if he could hang around Phil’s office on April 1, and Phil told him yes, but added that he would probably be bored, warning, “Nothing’s likely to happen.” The Today Show had invited Phil to come on C-Day morning, but he had declined. He hung around his Menlo Park office instead, keeping his eye on his digital ranch and on the List, tending to other things. Markoff didn’t come.
Three hours after the UTC [Coordinated Universal Time] clock ticked into April, T. J. Campana wryly posted:
So we are three hours into the event and I wanted to have a status check. . . . We saw a dip in our sinkhole telemetry this evening at MS [Microsoft] . . . but there are a number of factors at play that could have caused that. The Internet still works . . . :-)
In fact, something had happened. The worm did exactly what it was programmed to do. The requests for instruction came knocking, by the millions, from all of the bots scattered all over the world, to each of the five hundred domains generated for that day, and all of them appeared to have been shunted toward the sinkhole at Georgia Tech, just as John Crain and Rick Wesson and the others had arranged.
Was this victory?
They wouldn’t know for certain for at least a few days if they had blocked every potential command location; and, of course, even if they had, they would have to be perfect again tomorrow, and the next day, and the next, and every day thereafter—but that was unlikely. April 1 was just the first day it would be possible for the botmaster to issue a command. The Cabal had mounted a historic, truly heroic effort to prevent such commands, but only time would tell whether the botnet was fully contained. And with all the publicity they had generated, with everybody in the world watching, wouldn’t C-Day be the least likely day for the bad guys to make their move? Given the superb gamesmanship they had demonstrated so far, wouldn’t it make more sense for them to let all the hype just go pfffft? Send the X-Men a giant raspberry?
Rodney Joffe felt it. He grew increasingly incensed throughout the day with the silly press coverage. He had begun very early in his Phoenix office chairing by video hookup a three-hour ICANN security meeting, all the while scanning his email, where members of the Cabal were posting links to the mounting hilarity. Rodney flew to San Francisco later that day to give a talk, and spent the cocktail hour portion of the event railing against idiot journalists.
At his suburban New Jersey home office, Andre DiMino experienced the day as another coup for the botmaster, who had made them all look foolish. Andre had given an interview the day before to NBC reporters for a segment to air on the Today Show, dressed in a green T-shirt with a mike hanging from the collar, cautioning the reporter (who didn’t have a clue what he was talking about) that the botnet might not actually do anything big the next morning, that it might just generate all these new domain names and begin looking for instructions; but then he could see the Glaze descend. What could he do about the journalists’ love of doomsday predictions, and their utter lack of technical proficiency, not to mention their lack of subtlety? His cautionary words slipped off into the ether, sandwiched between the trumpets of impending doom.
Still, Andre had kept his eye on his monitors through most of the day . . . just in case.
Very early in the morning, in his Alexandria office, big Dre Ludwig was not letting this get him down. He had been up all night and was feeling self-congratulatory, and a little tipsy. He wrote to the List:
My thoughts are as follows.
This has been an amazing effort from the very start on both a technical and logistical level.
We made HUGE political steps . . . and did what even governments could not effectively do.
Regardless of if we completely remove Conficker from the face of the globe WE STILL WALK AWAY WITH A HUGE WIN!
This is hopefully just an example of what WE can ALL do when we work together. Collaboration vs. Competition plain and simple, this is the first time that this has happened in the REGISTRY world. That alone is worth noting in my view, us security nerds have been banding together for years now to tackle threats. This has NEVER happened before in the registry (TLD) world, the closest thing we had was little islands (one or two) of registry operators who would actually take action. Even that has been a helluva battle for some of us to even get done these last few years.
This is in my own view the fruition of years of work for me, so if you can’t tell I’m more than a bit giddy. I blame the Scotch and time of morning as well!
Dre spent most of the day watching the List and various other chat channels, not really expecting to see anything happen, but aware of what might. The worst part of it for him still was not knowing what the botmaster had in mind. No one knew. Why had the worm been created, anyway?
Paul Vixie treated it like any other workday. He was in his San Francisco office early, confident that the worm was well confined, at least for the time being. At the very least they had made the botmaster think. Vixie’s thoughts turned now to remediation. Time for the industry to wake up and begin fighting viruses directly, targeting infected machines with software designed to search and destroy malware. Clean up whole networks! Maybe Conficker had been the scare everyone needed. He was hopeful, though hopefulness was not his usual state.
Rick Wesson was also in his Mission District office, feeling pretty good about things, and giving lots of interviews. It was hard to believe all the press attention. He was tired. He had few illusions about their “victory,” posting to the List:
Nothing happened because our opponent is smart. They waited 2 months before they got the B => C update past me. We weren’t even lucky. If the Conficker authors had wanted it they could have it tomorrow.
Everyone deserves pats on the back, but the game isn’t over . . . it just started.
John Crain was at home in Long Beach. He, too, watched the List throughout the day, but he assumed this would be the least likely day for the botmaster to make a move.
No matter how dismissive the rest of the world might be, the Cabal knew the threat was real, and would not go away. The botnet was still out there . . . biding its time. Still, as the days progressed and Conficker did nothing, they wondered. Had their effort with the TLDs entirely succeeded?
One week after C-Day, that question was answered. The botnet successfully received instructions, apparently via a peer-to-peer connection from a computer in South Korea, and for the first time since it was first spotted in November, the worm did something—something really stupid. It rented itself out for two weeks to a notorious spammer called Waledac.
This enormous botnet, this potential Internet-destroyer, leased itself out briefly to distribute one of the most pedestrian, well-known species of malware in the taxonomy. And the reaction was: This is it? It was like a bad joke. It was like that classic scene in Spinal Tap when, after a breathless buildup of the band’s new Stonehenge theme, a replica of the ancient monument is dramatically lowered onstage, but the prop is only knee high! Or like the moment in an old circus clown act when the villain at last corners the hero, aims a huge pistol, pulls the trigger, and out pops a little flag displaying the word “BANG!”
Conficker spread Waledac for a few weeks, and then stopped.
What did it mean? For one thing, it demonstrated that the botnet was fully functional, fully capable of receiving instructions. The Cabal had apparently shut down access via a website, and this was an amazing accomplishment; but the botmaster performed a simple end run with his new peer-to-peer capability, just as Hassen had suspected when he first dissected the thing. It was taken by most in the Cabal as a message from their opponents. It said: You know what? We know what we’re doing. We can use this thing whenever we want.
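The two mechanisms the narrative turns on, the daily list of five hundred generated domains that the Cabal had to sinkhole without a single miss and the peer-to-peer end run that made the whole registration effort moot, are easy to reason about in code. The following is an added illustration, not code from the book or from the worm: the domain generator is a hypothetical SHA-256 stand-in, not Conficker’s actual algorithm, and the TLD list, IP addresses (RFC 5737 documentation ranges), seed and peer list are all constructed for the example. It shows why defenders had to be perfect every day and why the P2P fallback sidesteps DNS entirely.

```python
"""Toy model of the daily rendezvous problem and the peer-to-peer end run.

A date-seeded domain generation algorithm (DGA) yields a fresh candidate list
every day; defenders must register or sinkhole every candidate, every day,
while the botmaster needs only one name to slip through. If every name is
blocked, a bot that also carries a peer list simply asks a peer instead.
The DGA here is a hypothetical SHA-256 stand-in, not Conficker's algorithm.
"""
import datetime as dt
import hashlib
from typing import Callable, Optional

TLDS = ("com", "net", "org", "info", "biz")   # constructed sample TLD set
SINKHOLE_IP = "192.0.2.1"                      # constructed; RFC 5737 documentation range
NXDOMAIN = None                                # resolver result for an unregistered name


def daily_domains(day: dt.date, count: int = 500, seed: bytes = b"toy-seed") -> list:
    """Return `count` deterministic candidate domains for `day`.

    Hypothetical DGA: SHA-256 over (seed, ISO date, index); the first ten
    digest bytes become the label and byte 10 picks the TLD. Same inputs give
    the same list, which is what lets defenders enumerate a day's names early.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return names


def uncovered(day: dt.date, registered: set) -> list:
    """Names on the day's list that nobody registered or sinkholed."""
    return [d for d in daily_domains(day) if d not in registered]


def make_resolver(registered: set, attacker_live: dict) -> Callable[[str], Optional[str]]:
    """Toy DNS: sinkholed names answer with the sinkhole IP, names the
    botmaster got to first answer with his IP, everything else is NXDOMAIN."""
    def resolve(name: str) -> Optional[str]:
        if name in registered:
            return SINKHOLE_IP
        return attacker_live.get(name, NXDOMAIN)
    return resolve


def bot_rendezvous(day: dt.date, resolve) -> Optional[str]:
    """Model the bot's walk down its daily list: the first name that resolves
    to anything other than the sinkhole is where it asks for instructions."""
    for name in daily_domains(day):
        ip = resolve(name)
        if ip is not NXDOMAIN and ip != SINKHOLE_IP:
            return name
    return None


def rendezvous_with_p2p(day: dt.date, resolve, peers) -> Optional[tuple]:
    """The end run: try the DNS list first; if every name is sinkholed or
    unregistered, fall back to a peer list that no registrar can block.
    `peers` is a constructed list of (ip, reachable) pairs."""
    name = bot_rendezvous(day, resolve)
    if name is not None:
        return ("dns", name)
    for ip, reachable in peers:
        if reachable:
            return ("p2p", ip)
    return None


def coverage_over_window(start: dt.date, days: int, registered_by_day: dict) -> dict:
    """Per-day count of uncovered names; registered_by_day maps a date to the
    set defenders secured for that date (missing days count as unsecured)."""
    report = {}
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        report[day] = len(uncovered(day, registered_by_day.get(day, set())))
    return report


if __name__ == "__main__":
    c_day = dt.date(2009, 4, 1)
    full = set(daily_domains(c_day))
    print("uncovered on C-Day with perfect registration:", uncovered(c_day, full))
    # Miss a single name the next day and the botmaster has a rendezvous point.
    day2 = c_day + dt.timedelta(days=1)
    missed = daily_domains(day2)[137]
    partial = set(daily_domains(day2)) - {missed}
    print("bot finds:", bot_rendezvous(day2, make_resolver(partial, {missed: "198.51.100.7"})))
    # Perfect DNS coverage, but the bot carries a peer list.
    print("with P2P:", rendezvous_with_p2p(c_day, make_resolver(full, {}), [("203.0.113.9", True)]))
```

The asymmetry the code makes concrete: `uncovered` must be empty for every day in `coverage_over_window`, whereas `bot_rendezvous` only has to succeed once, and `rendezvous_with_p2p` succeeds even when it never does.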
It meant, ultimately, that the enormous effort expended to tie up all those domain names through 116 separate TLD operators, every country code in the world, had failed.
It meant . . . the worm won.
Or did it?
It has now been more than two years since C-Day, or Cybarmageddon, and except for its little stunt with Waledac, the botnet has done nothing—at least nothing obvious. And remember the two signatures of modern war: (1) You never win, exactly; you claim victory. (2) Perception is paramount.
So what exactly had happened? The botnet was still out there, millions of bots automatically churning out domain names by the thousands, every day, week after week, month after month, year after year. The sinkhole monitors established by the Cabal still chart the activity day by day, hour by hour, minute by minute. The Conficker botnet, this enormous concentration of computer power, had been assembled and was still in the hands of its mysterious creators. Those machines were pwned, or owned, and they could be turned to any task the botmaster defined. They could be leased for plunder or marshaled for attack.
The Cabal had pulled off an impressive feat, dissecting the worm, coordinating an unprecedented global response, and setting up a dynamic, smoothly functioning system to monitor the botnet’s data traffic and to sinkhole it. All of that work, the many thousands of hours, the considerable brainpower and experience, had been volunteer. There was no budget for it, beyond Rick Wesson’s credit cards. And what had it earned them, beyond a sense of satisfaction and the admiration of their small group of peers? In the larger world, it had mostly earned ridicule. They were the guys who had (supposedly) claimed the sky was going to fall on April 1, 2009.