by Mark Bowden
The level of sophistication on the B strain wasn’t just dazzling; it was scary. Out in Menlo Park, Phil and Hassen thought at first that someone else had stepped in. The worm had upped its game so expertly that it was as though the first-string team had taken over.
But there were also signs that this was the work of the same adversary. There were distinct structural similarities with Conficker A. There was also a new feature that Hassen read as a direct challenge. The B strain blocked any infected computer from accessing SRI’s websites. It was as if the worm’s creator had sent him a message: We know you are after us. We’ll do this to let you know that we know. In the beginning, for Hassen, it had seemed that the botmaster lived in some parallel universe. He had no idea who he was or where he was . . . he was just out there somewhere, like a malevolent spirit. But with the B strain he was coming into better focus.
First of all, the botmaster was almost certainly more than one person. The worm’s authors had become people, personal adversaries. They were very clever, and they were competitive, as competitive as he was. As his appreciation for their talent grew, the personal nature of their challenge really grabbed him. He found himself thinking day and night about it. The B strain showed that, so far, the botmasters had anticipated all of the Cabal’s moves. They were showing off a little. Hassen knew for sure now that he was not dealing with “script kiddies,” his way of thinking about pimply hackers. These guys were pros.
In Phoenix, Rodney Joffe, the Cabal’s elder, also felt certain now that the worm could have been created only by a team of experts. There were simply too many levels of expertise involved; no single villain could be that proficient in so many obscure disciplines. It demonstrated deep knowledge of Windows, as if the programmer had helped write Microsoft’s code, and much of the programming and packaging (as Hassen had discovered at the start) showed a fine and original hand. It showed an insider’s understanding of the computer security industry worldwide, as well as a high-level understanding of Internet traffic—Rodney’s own specialty. He was particularly impressed by upping from five to eight the number of TLDs tapped by its domain-name algorithm. Only people who knew exactly what they were doing would recognize how much harder that would make things for Rick Wesson and other web gurus in the group. The cryptography stuff was mind-blowing. How many people in the world were clued in to the international competition for SHA-3? It was like being a back surgeon with a rare specialty dealing with one particular vertebra, who was also a high-level astrophysicist, an astronaut, and the starting third baseman for the Philadelphia Phillies! And it was very clear that the botmasters were watching the Cabal. Conficker B could be understood only as a countermove, and a good one.
Phil agreed. After conferring with some federal agents in Washington about the nature of the threat, he wrote a note to Rick expressing a new level of concern:
Conficker may indeed represent a multimillion-dollar business infrastructure. If they are indeed producing the kinds of revenue that we think they are, then there is a good chance they may have connections to [a] Russian or Ukrainian mob. You never know, this could even have nation-state ties. If so, you realize that these folks are capable of extreme violence to those that threaten to disrupt their business. Some of the things that you’ve been thinking about do represent severe disruption. With that in mind, I would recommend significant discretion and anonymity. I know you’re not naive about this stuff, but some of the conversations I had this week were quite eye opening for me.
T.J. began that night to address the worsened domain name problem. Rick estimated that it would now take about $100,000 per month to register all of the domain names generated by variants A and B in advance. T.J. called Ramses Martinez, the director of information security for VeriSign, Inc., a firm in Dulles, Virginia, that operated two of the thirteen root servers. It is also the registrar for some of the largest TLDs: .com, .net, and some of the country codes. He had worked with Ramses on the unsuccessful effort to contain Srizbi, which was seen as the big fish that got away. (Rick felt Ramses had, in fact, blown it on that one.) T.J. still believed the strategy against Srizbi had been correct, getting out ahead of the worm’s Internet connections, but everyone involved realized that a higher level of diligence would be required if it was going to be made to work against Conficker.
“Hey, guy,” he told Ramses. “Dot-com, dot-net, a lot of Conficker domains there.”
“I knew you were going to be calling,” said Ramses. Together they spoke to Pat Kane, the head of VeriSign’s naming division, and agreed that they had to join the effort.
“Listen, this is the right thing to do for the Internet,” said T.J. “Let’s figure out a way that we can either register or block these domains.”
Given the open-ended nature of the threat, this was likely to rack up some major fees. But the three agreed to sort that problem out later. In the meantime, they set to work nailing down the next few weeks’ worth of domain names that Conficker B was going to generate. T.J. was steered by Andre DiMino to Dre Ludwig, who in turn recommended that he contact Neustar, Rodney Joffe’s Washington base, a clearinghouse and directory service for mobile telephone and Internet services that manages the directories for the top-level Internet domains .us and .biz, and acts as the worldwide “registry gateway” for China’s .cn and DNS for the United Kingdom (.uk), Australia (.au), Japan (.jp), and other countries.
Rodney had already been approached by Rick about getting ICANN to waive the cost of registering the worm’s daily list of domains. He assured T.J., “We’ll do the right thing.”
Just as the Cabal felt it was getting a handle on the worm, news about the expanding botnet finally broke out of the exclusive chat rooms and websites of the computer security industry. Joel Hruska, the Ars Technica reporter who had somewhat complacently noted the appearance of the worm in early December, returned with a post on January 16 that noted its accelerating spread, offering the figure of 5.5 million infected computers as a “conservative estimate.” John Markoff picked up the story a week later in the New York Times, calling Conficker “a new digital plague.”
“[It] seems to be the first step of a multistage attack,” he wrote. “Experts say it is the worst infection since the Slammer worm exploded through the Internet in January 2003, and it may have infected as many as nine million personal computers around the world.”
Markoff quoted Rick: “If you’re looking for a digital Pearl Harbor, we now have the Japanese ships steering toward us on the horizon.”
Rick was not exaggerating to pump up the reporter’s story. He was increasingly alarmed by Conficker’s potential. On a flight back to San Francisco from Dallas on January 31, he wrote a detailed email to friends in the military and intelligence community, including John Rendon, a well-known Washington political operative who ran an information consulting firm with connections to the CIA, and who had played a critical role in lobbying for the overthrow of Iraqi dictator Saddam Hussein. The email was also sent to a top official in the DOD’s Defense Intelligence Office with whom Rick had worked in the past. Rick was not alone in worrying about the seeming lack of government awareness or interest. He entitled his email “A note from the trenches,” added that he hoped “this is not new news,” and teased the recipients by promising, “a twisting plot of cyber warfare” and “international intrigue.”
There is a botnet that has blossomed into one of the most significant threats we have faced. The methods employed are most devious. Whether developed by children or professionals they are propagating with amazing effectiveness. . . . I need your help in this defining moment in cyber security policy. . . . Today the botnet size is bounded at a low of 8 million hosts and a high of 25 million. Using the low census (note this is not an estimate, it is a measurement) of 8 million hosts: If each host were to generate a single 512 byte packet at the same time destined for a single end point, it would be a 32Gbps DDoS [a 32 gigabytes per second Directed Denial of Service attack]. A DDoS of this size would strain critical infrastructure and cause general chaos. No network attached to the Internet could mitigate a DDoS that this botnet could generate at its lowest estimate.
He sketched various disaster scenarios. The botnet could “take out Google or all the e-commerce on the network.” A coordinated attack on Internet media outlets and websites for CNN and Fox News would shut them down for half an hour and attract worldwide attention. “Add a kinetic event [a real-world terror attack], and chaos,” he said, and left to their imaginations what kind of panic such a sequence of events might arouse. He warned that the Conficker botnet could “cripple” international telephone communications, and that it was still growing. “[It] is attempting to download its second stage. . . . The second stage could do anything. . . . 8 to 25 million drones is an army even our nation-state should be worried about.”
He described his scramble over the previous two months to register domains ahead of the worm daily in order to keep it from communicating with its controller.
The criminals need to register one domain out of 100,000 in the next year. They need to keep it alive for three hours to win. This is the battle. We have to be 100%; they need one out of 100,000 in the next 360 days for three hours—they win. They win a weapons-grade botnet that has penetrated many of the Fortune 500 in the USA. . . . The military is mostly clean. I’m not worried about them—everyone else is owned or getting owned. We found thousands inside companies like HP [Hewlett-Packard], Cisco, CBS. The botnet has penetrated all industries—Financial, Media, Health Care, and all levels of Federal, State, and Local government. . . . It is growing more successfully than anything we have seen since Code Red. [It] is the most hardened [protected] we have ever seen. . . . To take out this botnet we need China’s cooperation. Do I have your attention?
Rick requested help in reaching out to China, and also requested help from military computers powerful enough to crack the worm’s high-level encryption. He envisioned this as a potential trump card. It was theoretically possible to decipher Conficker’s private key from the public key, which Phil had extracted from both strains of the worm. The NSA and DOD were most likely the only entities in the world with computers powerful enough to accomplish it. If they agreed to crack Conficker’s code, the Cabal could send orders to the botnet from any of the domains it contacted. They would own it.
We are working to have all the domains registered by early next week, but Microsoft is worried that something will happen during the Super Bowl. Lots of attacks happen on holidays; more home users leave their computers on holiday weekends. . . . I will keep you informed as this situation develops. I beg your assistance with a diplomatic effort with the Chinese. I look with gleeful excitement for two private keys that will allow us to defuse a most serious situation.
Rick was stoked about this email, and felt confident enough that it would spur the feds into action that he emailed T.J. privately:
There are going to be real resources brought to bear on this bot and they are going to be looking for someone inside of MSFT [Microsoft] to decide what to do if the private keys were available. . . . How does this affect your game? policy implications?
T.J. appreciated Rick’s aggressive efforts, but did not share his confidence that the feds would turn their most powerful, top-secret supercomputers to such a task. He was impressed with the level of cooperation and knowledge he saw at lower levels of law enforcement, particularly in his work with the Seattle FBI office, but he sensed that those at the highest levels of government did not fully grasp the nature of the threat.
The Defense Intelligence official who received Rick’s email knew him well enough to respect his judgment. He had helped the Pentagon deconstruct Russia’s cyberattacks on Estonia in 2007, and on Georgia in 2008. But how seriously should this warning be taken? Rick was seen as something of a character, brilliant but unpredictable. For a more sober assessment, Rick’s email “from the trenches” was forwarded to Bill Woodcock, an internationally known Internet guru and founder of the Packet Clearing House, a web research institute based in San Francisco. Woodcock wrote back, “Yes. Conficker is serious,” and then turned down the volume of Rick’s alarm . . . but only a little.
Rick’s a very bright guy, smarter than me, but also perhaps a little more prone to getting in fights in bars than I am.
Woodcock estimated that the size of the potential DDoS attack projected by Rick was, in fact, probably too small, since by the time the botmaster was able to issue encrypted commands—he had not done so yet—the botnet would probably be much larger. The impact of such an attack on commercial websites would probably be less than Rick predicted, Woodcock said, but the wider impact would be far greater. Whereas Rick had specifically cited the potential for shutting down Google and the websites for news organizations, Woodcock thought that wasn’t likely to happen, but not for the reason you might expect. The botnet was capable of generating such an enormous DDoS attack that the routing machinery of the Internet itself would probably crash before the specific websites could feel the brunt (harking back to the problem TrafficConverter.biz would have had handling the botnet’s initial blitz).
You’d get cascading failures in the core . . . impeding further attacks, if the full attention of a botnet of this size were really focused on any one target inside the U.S. That’s small consolation for our buddies in Europe and Asia, though.
As for cracking the encryption, it was possible to decipher the private key to Conficker’s code, Woodcock wrote, but inadvisable. He listed four scenarios, from best case to worst case. The best case scenario would be for “no one” to have the private key; that way the botnet could not be issued any commands. Next best would be for a single “white hat” to own the key, so that the good guys would step in and take control. Next best would be for a single “black hat” to own the key (which was apparently the present case); this was clearly not desirable but had a silver lining—because if the botmaster used it, sent instructions to the botnet, he might tip off law enforcement as to who and where he was. The worst case scenario?
If multiple people have keys. So, although clearly things could be a lot better, they could also be a heck of a lot worse. Right now, we just have to prevent the intersection of the one party with the key, with any one of the many C&C [command and control] domains. We have to keep one unknown guy away from the many places where he could enter the launch code. In this analogy, that’s a relatively simple matter of placing security around the places where the launch code could be entered.
But if the code was cracked and private keys were obtained, and then the private keys were handed over to the Cabal, then “multiple parties” would have the key, a situation “which is simply inherently much more difficult to control,” Woodcock wrote. As bad as Conficker was, he argued, the present situation was more desirable. For the same reason that nuclear states strove to limit the number of countries with such arsenals, the Defense Department should worry more about the prospect of proliferating knowledge of the botnet’s private keys. It was better to simply accept that one miscreant had the keys than to risk handing them over inadvertently to many.
So the U.S. government was not going to ride to the rescue. Rick received polite responses. His plea “from the trenches” was being circulated to all the appropriate agencies, the Office of the Secretary of Defense, the National Cyber Response Coordination Group (NCRCG), the U.S. Computer Emergency Readiness Team (U.S.-CERT), and a flurry of other cybersecurity-related agencies. But the upshot of it was: Good to hear from you, thanks for calling it to the government’s attention, we’re fighting two wars right now . . .
In other words, Don’t call us . . .
Out in Menlo Park, Phil Porras decided to do more of the sleuthing he had done with Conficker A, looking to see if the author of the B variant had taken it out for a test drive before releasing it. The two strains had distinct signatures, so it was easy to tell one from the other. The very first Conficker B domain lookup would have happened on January 1, 2009. That’s how the worm was programmed. Anything earlier would have to be a test run, and would have been sent by the botmaster.
When he had tried this trick with Conficker A, he had found nothing except the tinkering of another white hat researcher doing the same thing he was. But this time he found a legitimate lead. Two Conficker B–infected bots had tried to contact one of the A strain’s domains on December 26, six days before the new variant showed up. The domains were kyivstar.net, in Kiev, and alternativagratis.com, which was in Buenos Aires. Kiev was the home of Baka software, and Buenos Aires was the location of Patient Zero.
No researcher even knew of the B strain until days later, so this was not another case of the X-Men stumbling into each other. This had been the botmaster playing with the new strain, checking out its communication function. It was the best lead yet on those behind the worm.
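The test-drive hunt described above, as an added example that is not the book’s or SRI’s code: a passive-DNS filter that flags lookups of a variant’s scheduled domains before the date its schedule starts, grouped by the source that made them. The domain list, addresses and log lines are constructed placeholders; the strain’s real domain list is not reproduced.

```python
"""Pre-activation lookup hunt over passive-DNS records (added example).

If a variant's domain schedule cannot produce its first lookup before a
known activation date, any earlier lookup of one of those domains did not
come from an ordinary infection and deserves a closer look.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-ins for a variant's scheduled domains (RFC 2606
# reserved TLD, so nothing here resolves) and its activation date.
VARIANT_DOMAINS = {"qzvtk.example", "mxr1p.example", "l7ahd.example"}
ACTIVATION = datetime(2009, 1, 1, tzinfo=timezone.utc)

# Constructed passive-DNS lines: "<ISO-8601 UTC timestamp> <source> <qname>".
# Sources use documentation address ranges.
PDNS_LOG = """\
2008-12-26T03:14:07Z 192.0.2.10 qzvtk.example
2008-12-26T03:14:09Z 192.0.2.10 mxr1p.example
2008-12-26T11:02:51Z 198.51.100.7 QZVTK.example
2008-12-30T08:00:00Z 203.0.113.5 www.example.org
2009-01-01T00:00:03Z 203.0.113.9 qzvtk.example
2009-01-02T17:45:12Z 192.0.2.10 l7ahd.example
"""


def parse_line(line):
    """Split one record into (aware UTC datetime, source, lowercased qname)."""
    ts, src, qname = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, qname.lower().rstrip(".")


def pre_activation_lookups(log, domains, activation):
    """Return {source: [qnames]} for lookups of scheduled domains before activation."""
    hits = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        when, src, qname = parse_line(line)
        if qname in domains and when < activation:
            hits[src].append(qname)
    return dict(hits)


def rank_candidates(hits):
    """Sources touching the most distinct scheduled domains first: a test run
    tends to exercise several domains, a stray lookup only one."""
    return sorted(hits, key=lambda src: (-len(set(hits[src])), src))
```

A lookup at or after the activation instant is deliberately not flagged, since from that moment an ordinary infection could have produced it.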
The Cabal turned over the information to the FBI, which thanked them politely . . . and then nothing happened.
8
Another Huge Win
REMEMBER—ABOVE ALL ELSE YOU MUST
REMEMBER TEAMWORK! YOU MUST FUNCTION
AS A ONE . . . ALWAYS!
—The X-Men Chronicles
So far the effort to curb Conficker had been pieced together on the run. The Cabal targeted a conference of Internet and security experts in early February to better organize themselves. The conference was scheduled to take place at Georgia Tech in Atlanta. The Cabal would do whatever they had to in the interim, and cook up a more formal plan of attack there.