by Mark Bowden
Andre has a sense of mission, of higher purpose. He hunts bad guys in cyberspace for free. His email arrives with a New Testament admonition, from Saint Paul’s first letter to the Thessalonians: “Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else.” He has a very particular code of ethics about his work, which makes him something like a photographic negative of those he combats, and a rarity even among those fighting the good fight. A whole industry has grown up around protecting vulnerable computer networks for profit. Andre is determined not to profit from his work; once he hunts down a compromised computer network he informs the owner of the problem free of charge . . . just because it is the right thing to do. Then he kills the botnet.
Back when he discovered that weekend break-in at his old employer’s offices, Andre assumed it was the work of a hacker, a vandal, or possibly a disgruntled former employee, only to discover, from an analysis of the IP addresses of the incoming data, that the company’s network had been invaded by someone from Turkey or Ukraine. What would someone halfway around the planet want with the computer network of a small business-management firm in a New Jersey office park? Apparently, judging by what he found, his invader was in the business of selling pirated software, movies, and music. Just as T.J. Campana had discovered at FSU, the pirates had gone looking for large amounts of digital storage space in which to hide stolen inventory. They appeared to have conducted an automated search over the Internet, looking worldwide for vulnerable systems with large amounts of unused disc space—Andre compares it to walking around rattling doorknobs, looking for one door left unlocked. His network fit the bill, so the crooks had dumped a huge block of data onto his discs. He erased the stash and locked the door that had allowed the pirates in. As far as Andre’s employer was concerned, that solved the problem. No harm done. No need to call the police or investigate further.
But Andre was intrigued. He reviewed the server logs for previous weeks and saw that this successful invasion was one of many such efforts. Other attackers had been rattling the doors of his network, looking for vulnerabilities. If there were bad guys actively exploiting other people’s computers all over the world, designing sophisticated programs to exploit weaknesses . . . how cool was that? And who was trying to stop them?
He set about educating himself on the fine points of this obscure battle. He eventually founded, along with a like-minded botnet hunter named Nicholas Albright, The Shadowserver Foundation, a nonprofit partnership of defense-minded geeks at war against malware, effectively transforming himself into a digital Sam Spade—indeed, the graphic atop Shadowserver’s home page features a Dashiell Hammett–style detective emerging from shadow. Today the organization coordinates the donated labor of like-minded cybervigilantes all over the world, tracking and, whenever possible, killing botnets. With the help of scores of volunteers and automated software like the program that monitors Phil Porras’s net at SRI, they snare and catalog every new strain of malware that appears. Then they dissect it and trace it back to its source, all the while monitoring it to chart its activity and reach. This is time-consuming, sometimes tedious work, and apart from the satisfaction of slaying Internet dragons, there are few rewards.
In the beginning, Andre was rarely even thanked. At first Shadowserver’s discoveries and notices were more likely to be met by disbelief and suspicion. Shadowserver would spot a new botnet taking shape and track the flow of data back to a particular network, and then to a specific IP address on that network, and then notify the service provider of the problem.
“This is not an attack from the outside,” Andre would tell the ISP’s security chief, who may or may not have noticed an uptick in traffic on his network. “This is something from the inside.”
More often than not, the information was received grudgingly. Here was someone unknown—“They probably thought we were just a bunch of garage hackers,” says Andre—calling to tell the professional that his network had a flaw. “They tended to react defensively.” The fact that some amateur ninja had been sniffing around their network didn’t go over too well, either. Most security managers were conditioned to treat such people as the threat, not realizing that the problem had outgrown the hacker stage. Either that or the IT manager just felt Andre was some smart-ass trying to show him up. The idea that there was a selfless hacker offering managers useful information about their own network, for free, was hard to believe.
Brian Krebs, then one of just a handful of newspaper reporters (he was working for the Washington Post at the time) covering computer security, was so impressed that he wrote a cover story for the paper’s Sunday magazine about Shadowserver.
Botnets were becoming a big problem, and Krebs thought the work Andre and Nick were doing was very much needed. He was surprised to find that these guys were doing exactly what he had hoped someone was doing. The industry was full of sellouts; people with a good idea would approach a big company with it and cash in. Here was a group of guys doing this work, which not many people even knew how to do, infiltrating and cataloging botnets, and doing it as a public service. Krebs himself found it hard to believe.
In the 2006 article, “Bringing Botnets Out of the Shadows,” Krebs wrote: “Botnets are the workhorses of most online criminal enterprise today, allowing hackers to ply their trade anonymously—sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking sites. . . . Constant attack and setbacks can take an emotional toll on volunteers who spend countless hours not only hunting down bot herders but in many cases notifying the individuals or institutions whose networks and systems the hackers have commandeered. This is largely a thankless job, because in most cases the victims never even respond.”
Gratitude started to come once Krebs’s article put Shadowserver on the map. The cause brought like-minded geeks out of the woodwork, and the organization grew. It started getting requests for information from the FBI and Secret Service. Some consideration was given at that point to taking Shadowserver commercial. The data the foundation collected were undeniably valuable: this information clued large servers and networks in to looming threats and cataloged vulnerable systems. Charging would at least enable Shadowserver to pay people for their time, effort, and talent. But the group decided to keep doing the work for free. Andre saw it this way: If you knew someone’s house was in danger of catching on fire, would you simply warn him or offer to sell him the information? By early 2009, the group had a ten-member core, and lots of carefully screened volunteers. Andre wanted to do the work full-time, and fantasized about a large grant or sponsorship that would enable him and the other core members to do so, but they all still needed their day jobs. They were collecting thousands of malware strains, snaring as many as ten thousand samples in their honeypots every day. Shadowserver played a central role in battling botnets, and received thousands of requests daily from network managers for technical reports.
With that many strains to track, Andre didn’t recognize Gimmiv right away when T.J. approached him at the October conference. He checked his records. The Japanese exploit didn’t amount to much, but he could see Microsoft’s concerns. With an exploit kit available for a fee, and with MS08-067 advertising the vulnerability, he could see just as Microsoft did that something worse was probably on its way.
There is no formal relationship between the various computer security companies, labs, or organizations, so Conficker’s arrival in late 2008 was noted and assessed by each in its own way. Eventually Hassen Saidi’s reverse-engineering of the worm out in Menlo Park would prove to be the most definitive, but dozens of other experts were trying. Conficker was too big to ignore. Andre also took notice of it right away, not because he connected it immediately with Gimmiv, but because of its rapid and remarkable success. Within days, Shadowserver’s honeypots all over the world were filling up with it the same way Phil Porras’s was at SRI. Andre was alarmed. He learned from a colleague working for F-Secure in Finland that the worm was using a domain-name-generating tactic similar to Srizbi’s.
So he had begun tracking it. Andre was accustomed to seeing botnets with a few hundred thousand drones. As this one reached a million, then two million, then three, then four, it felt scary. Its potential to do harm grew with its size. Nobody was more accustomed to dealing with botnets than he was, but the scale of this one was daunting. It was clearly more than your average spambot. What if this was the work of a nation-state? What was it for? How did you begin to stop it?
No one was deeper into those questions than Phil. He and his team had already seen that the initial fraudware scam, the effort to download fake antivirus software from the now defunct TrafficConverter.biz, was not the ultimate purpose of this botnet. They had come to believe that Conficker was unlike anything they had seen before. It was not some quick moneymaking scheme. It was not an effort to show off. The worm itself carried no specifically harmful payload. It had bigger ambitions. It was quietly and effectively building an infrastructure, a sturdy platform for malicious activity. It was a tool, one that could be used to launch whatever its controller wanted, from a simple spam operation to an all-out attack on the world’s digital vitals. And it was hard to believe that anyone with the ability to create such a tool would not have big ambitions for it.
At heart, the Internet is a protocol, a carefully choreographed method of moving data from one computer to another. The specific protocol that defines it, that makes it possible, is Transmission Control Protocol/Internet Protocol (TCP/IP), a suite of programs for sharing data created by the U.S. Defense Department when Richard Nixon was president. In order to move data from one machine to another, you have to know what is being sent, and how it is going to look at the other end of the transaction. Protocol, a word borrowed from diplomacy, defines how to package and send data so that it can be recognized and processed between computers. Home users are usually customers of an ISP, which enables them to connect with the Internet. It assigns each machine on its network an IP address, and usually has a different set of IP addresses with which it identifies those machines to the world. Every packet of data sent from a computer is given a header, which is essentially the same information as that on the outside of an envelope in traditional mail—the home address and the destination address. The ISP ships this packet to a router, a large computer that governs traffic flow.
Conceptually speaking, the Internet has three layers. Layer One consists of the actual Network Interface Cards (NICs), the extensions inside computers that enable them to link with a network, and cables. Layer Two is made up of routers and switches, the subnet of computers that direct traffic, and the software that breaks Internet messages into packets. Governance of this layer was primarily in the hands of the Internet Assigned Numbers Authority. The American Registry for Internet Numbers (ARIN) is responsible for keeping track of IP addresses in the United States, Canada, and parts of the Caribbean. Layer Three consists of “applications,” the domains created by organizations or individuals to be their public face in cyberspace. This was the layer overseen by ICANN, which is primarily responsible for the domain name registries, which authorize the registrars who actually serve customers who purchase domain names. Most malware attacked this upper level, Layer Three. Conficker utilized Layer Two, using the IP address system to set up an ever-shifting command center.
Blocking access to that command center was the immediate challenge. Hassen Saidi had grafted the worm’s domain generating algorithm to his own clock in the lab. When he set the clock forward, the worm would dutifully spit out the list of 250 prospective domain names for that future date. To get out ahead of the worm, the X-Men would have to register all 250 of those domains in advance. If they succeeded, then the worm’s creator would have no way to communicate with the botnet. Checkmate.
The side benefit, once you controlled all of the places contacted by the botnet from day to day, was to own a running tally of infected, vulnerable computers. As that list grew each day, it gained in value. Whoever owned it would possess the most precious feature of the botnet. To actually seize control would require breaking the worm’s code, but the list itself could be sold or leased to web scammers, thieves, or even nation-states. And any botnet the size of Conficker would contain some particularly valuable networks, those owned by corporations, banks, or government agencies.
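The two mechanics of the last two paragraphs, a date-seeded domain list that a defender can compute ahead of time and pre-register, and the resulting tally of infected hosts that contact the pre-registered names, are easier to see in code. The block below is an added illustration written for this page; it is not code from the book, from the Conficker investigators, or from the worm. The generator is a constructed toy (SHA-256 over the date and an index), not the worm's real algorithm, and the TLD set and the sample IP addresses in the demo are assumptions.

```python
"""Toy model of a date-seeded domain-generation scheme and the defence of
registering every generated domain in advance so that lookups land on a
sinkhole. Constructed example; NOT the worm's real algorithm."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")       # assumed TLD set for the toy generator
DOMAINS_PER_DAY = 250              # per-day count given in the text


def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Deterministically derive `count` candidate domains for `day`.
    The only inputs are the date and an index, so anyone holding the
    algorithm (a defender who reverse-engineered it) can produce the same
    list for any future date by simply setting the clock forward."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        tld = TLDS[digest[8] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def preregister(start: date, days_ahead: int) -> set[str]:
    """Defender side: compute every domain the bots will try from `start`
    for `days_ahead` days. Ownership is simulated as a set; a real effort
    has to register the names with registrars before each date arrives."""
    owned: set[str] = set()
    for n in range(days_ahead):
        owned.update(generate_domains(start + timedelta(days=n)))
    return owned


def controller_can_reach(day: date, owned: set[str]) -> bool:
    """True if at least one of the day's domains is NOT held by the
    defender, i.e. the controller still has a channel to the botnet."""
    return any(d not in owned for d in generate_domains(day))


def sinkhole_tally(contacts: list[tuple[str, str]], owned: set[str]) -> set[str]:
    """Given (source_ip, domain) lookups seen at the sinkhole, return the
    distinct source addresses that asked for a pre-registered domain.
    This is the running tally of infected machines the passage describes."""
    return {ip for ip, dom in contacts if dom in owned}


def run_demo(start: date = date(2009, 1, 1)) -> dict:
    """Pre-register one week of domains, then check a covered day, an
    uncovered day, and a constructed sample of sinkhole lookups."""
    owned = preregister(start, days_ahead=7)
    day0 = generate_domains(start)
    # constructed sample lookups: two bots, one repeat, one unrelated client
    contacts = [("192.0.2.10", day0[0]), ("192.0.2.11", day0[1]),
                ("192.0.2.10", day0[2]), ("198.51.100.7", "unrelated.example")]
    return {
        "per_day": len(set(day0)),
        "reach_day3": controller_can_reach(start + timedelta(days=3), owned),
        "reach_day8": controller_can_reach(start + timedelta(days=8), owned),
        "infected": sorted(sinkhole_tally(contacts, owned)),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The interesting line is `reach_day8`: the defence only holds for as long as the defenders keep registering ahead of the calendar, which is why the text frames it as getting out in front of the worm rather than a one-time fix.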
Phil needed someone more familiar with the whole domain name system than he was, but also someone he could trust. He approached Rick Wesson, who had worked with him before, and who lived right in the San Francisco Bay area. Rick owned, among other things, a small domain name registrar. Indeed, Rick had been among the first people in the world to even know what one was.
He was part of the Internet’s first wave of cocky young entrepreneurs, one of the many young geeks who moved to California twenty years ago to catch the coming digital wave. He dressed informally; a short man with an often messy, close-cropped head of reddish brown hair, he had, despite his forty-some years, the looks and manner of a college student. He favored T-shirts and jeans and despite his accomplishments and success still clung to an undergrad sensibility—for example, telling an audience at a 2007 symposium where he was invited to speak that he was “hungover,” so he planned to keep his presentation “light.” He spoke in a high-pitched, soft, singsong that disguised his natural bluntness and irreverence, and somehow made them more startling. This soothing tone was absent from his written messages, which could be jarring—“I’m not going to stop telling you what I think,” he wrote to one offended colleague, “Get used to it.” Rick was largely self-taught, and since personal computers were still relatively new, there were few elders around who could match his expertise. He had first used his hacking skills in Florida to print fake report cards for himself and his friends, which got him kicked out of high school. So he landed a computer security job while completing the course work to get admitted to Auburn University. It was there, as a freshman in the late 1980s, that he started his first business selling T-shirts decorated with cool fractal images he generated with the university’s engineering school computers.
Rick had hippie leanings, but about two decades too late. He graduated from Auburn in 1992 and took a job teaching at Summit High School in Breckenridge, Colorado, where the principal was planning to float a bond issue to fund a computer network to connect all of the district’s schools and libraries. Rick got excited about the project—he had actually written a book while still a student at Auburn about computer networking. The principal had a friend with IBM, and together they envisioned a closed computer network that the big computer company would install and manage. Rick saw the project as a boondoggle. See, there was this amazing new tool called the Internet that offered the same connectivity . . . for free. Building the network would still have costs, but only a small fraction of IBM’s proposal. It was a no-brainer. Except, of course, that when Rick tried to explain, the principal said no. A little too preemptively, in Rick’s estimation. There was a scene. Rick might have thrown some binders around the principal’s office. It led to his resignation.
So instead of steering the Breckenridge, Colorado, school system into the Internet vanguard, Rick worked for a few months washing dishes at a ski resort, and then he and his girlfriend, Pilar, got a bus, which they called the “Green Tortoise,” and—shades of Ken Kesey and the Merry Pranksters—loaded it with pot and a few dozen friends, and pointed it south, touring and smoking and drinking, all the way to Guatemala—Rick was more of a beer man himself, but fit right in with the potheads. His wanderings next took him to Europe, through Spain, to Paris, and eventually to Turkey, where Rick met a German who was determined to set up the first Internet domain name registry in his country. The Internet was taking off, and it was clear that domain names were going to be the primary sorting mechanism for it. He followed the fellow to Düsseldorf, where they set up the business, and then Rick decided that the United States was ripe for the same kind of project.
Before most people had ever heard of the Internet, Rick recognized it as an opportunity. The world was going to become a more efficient place, with detailed expert advice on every conceivable subject right at your fingertips! Answers to difficult problems waiting to be downloaded for free! When he was a senior at Auburn, a professor had sent him with a group of other students to a local office supply company, in an exercise to design a computer-based solution to an actual workplace problem. The issue presented to Rick’s team was tracking inventory. The other members consulted with the company about the problem, and wrote a program themselves that ultimately didn’t work. Rick was not wired to play well with others, and, besides, he had a better idea than his teammates. Why write a bad program when you could borrow one that worked well? He tapped into the nascent Internet and found some free inventory-tracking software that worked like a charm. He downloaded it and implemented it successfully at the local company. The company was happy. Problem solved! His professor flunked him, explaining to Rick that the essence of the assignment had been to cooperate to design an original solution. He could see his teacher’s point, but it irked him. Come on! Why waste your time trying to invent something that had already been invented? The real problem, as Rick saw it, was the same one that would lose him the teaching job in Breckenridge. These guys had never heard of the Internet! The failing grade had left him several credits shy of graduation, and set him back a full semester.
He returned from Düsseldorf in the early 1990s with a clear business model in his head. He landed an IT job in Silicon Valley, and the owners helped him set up a consulting business and signed on as his first client. In the ensuing years he started and sold a string of businesses. Pilar joined the organic food boom, and they moved out to a farm. Rick’s consulting led him into early work on Internet governance and technology. He was involved in writing some of the early protocols for ICANN, and as a result knew the workings of that system like the back of his hand.