by Mark Bowden
In fact, through the month of January, the effort to contain Conficker A and B progressed well. Despite the blow of the B strain at the turn of the year, they had enough success with the strategy of getting out ahead of it, registering all of the potential command domains in advance and sinkholing all the requests from infected bots, that they started to get cocky, and began thinking ahead. With Conficker all but licked, how could they use the experience to develop a broad, coordinated strategy for the long term, something that might serve as a model for defending against future worms?
For most in the Cabal, one of the great successes so far had been the selfless approach taken by the big AV companies, all of which had set aside the profit motive to cobble together a coordinated defense. Conficker was a threat to the Internet itself, and everyone had, so far, risen to the challenge. If the AV companies began competing to market their own remedial software for the worm, the coalition was likely to crumble. So when a security company called OpenDNS unveiled a new product in early February to help clean up Conficker-infected networks, the Cabal was horrified. T.J. was particularly disappointed.
“This seriously undermines our efforts to protect users of the Internet,” he wrote. The problem was not confined to “just users of the OpenDNS service,” he said. He wasn’t alone. Dre Ludwig, the youngest member of the Cabal, wrote:
What I would like to make sure we stay away from is “promoting” any one or multiple commercial products/services as a “golden bullet.” Let’s face it, there is no one solution; in fact, what we have is a multiple-front offensive on a very dynamic chunk of malicious code.
The answer was not going to be some commercial software package aimed at protecting and purging infected networks, which had pretty much defined prior anti-malware efforts. The threat was bigger than that. It could not be attacked piecemeal, and the only hope for a broad, coordinated effort was for every one to suspend pursuit of the almighty dollar.
The answer was going to be . . . the Cabal. Dre was one of the more expansive personalities in the Cabal, a towering man with short brown hair parted carefully on one side, a security consultant in the intel agency-heavy districts around Alexandria. Dre felt it was time to clearly define their approach:
What we need to do is make sure we get the right people involved and arming them with the right information (be it data, coordination info, etc.) and executing a plan. The plan has yet to be formulated to any extent beyond “let’s do something” as far as I have seen. We have plenty of the right people on this list and plenty more parties that are joining this merry band every day. Let us not rush into things by promoting solutions, ideas, thoughts, etc. as the answer. Let us try and effectively share and collaborate on ideas and build out a proper plan of attack.
I think the first thing that we should do is continue to focus on snatching up domains for this thing. This effectively buys us time and wrangles some form of control on the spread of this thing. Our second order should be to sort out exactly who is a part of this group, and follow up with who else needs to be involved. Once we have a handle on that we should then proceed to sort out a plan of attack to utilize all the resources we have mustered (commercial/ press/LE [law enforcement]/etc.). . . . Each individual will have a different perspective on things, as we produce and share these perspectives we can more effectively hash out a solution that encompasses all of our experiences and viewpoints. So again, let’s focus on forward momentum without getting stuck in the trap of brash movements or decisions that could compromise our young coalition.
T.J. agreed.
We need to start taking the Internet back from these bad guys . . . Well, now it is a full-blown reaction force and we are doing great things . . . learning a lot . . . but there is a long way to go. I keep saying this, “We have to be right 500 times a day . . . they just need to be right once.” Oh yeah . . . we want to find these guys and put them in jail . . . more on that later :-)
The Atlanta conference would be the first time some of the Cabal met—in person, that is. In some ways their online personas were more real than the flesh-and-blood versions, since they tended to live in front of their monitors. The Conficker mission was something distinct from the conference itself, of course, which was a mouthful: the First Annual Global DNS Security, Stability, and Resiliency Symposium. It had been set up by ICANN as a way of discussing any and all issues related to the ever-growing malware problem. The nonprofit international agency had only a narrowly defined role to play, assigning and keeping track of “Names and Numbers” on the Internet, and had no power to make or enforce policy, but it was the closest thing there was in the world to an international governing body. The worm was a new and major concern, and was clearly the front line of the larger battle, but it was not on the official agenda. It had not been around long enough for there to be completed studies and reports, but it was the primary buzz in the symposium corridors. Rodney Joffe had already been in touch with ICANN about eliminating the costs associated with registering domains, and invited the organization’s reps to a rump meeting during the conference. It would be Rodney’s first official act for the Cabal. They met after hours in a conference room at a nearby Holiday Inn where some of the conventioneers were staying off the Georgia Tech campus.
They convened in a long, narrow hotel conference room with tables arranged in a horseshoe. The Holiday Inn had to move them to a larger room at the last minute. It seemed everybody wanted in. There was even an FBI agent in attendance, a real coup for the Cabal. The tables were covered with starched white linen, with bowls of hard candy set at intervals. A speakerphone was placed in the center of the room inside the U-shaped table arrangement, so that those who weren’t in Atlanta could participate. The session lasted for almost two hours. Rodney was there, of course, as were Dre Ludwig and Chris Lee, who brought beer. Andre Di Mino and various others participated by phone hookups. The guests of honor in the room were Paul Twomey, the head of ICANN; John Crain, one of his colleagues; and the FBI man, of course. It was clear that long-term global efforts to contain the worm would require more formal involvement from both agencies.
It was late afternoon across the continent on Microsoft’s campus in Redmond, where T.J. participated via telephone from his office high in one of the sprockets. He just listened for a while, and then, when he was introduced, explained how the registry-buying strategy worked.
“I think the overriding issue at this point is, you know, there’s a question about the fee that they have to pay to ICANN in order to get these,” he said. “That could quickly become unsustainable if they’re being asked to register, you know, we’re asking at this point to register two hundred and fifty domains per day, in perpetuity. This is obviously for the common good.”
Twomey didn’t need much convincing. His feeling was that the threat required an “alliance of response.” But something in his words conveyed an opposite impression to T.J., who thought the president of ICANN was waffling, and called him on it loudly.
“This is the future of the Internet,” he declaimed over the speakerphone, his vehemence gaining everyone’s attention. “This is the line in the sand, guys. If we’re not gonna draw the line and we’re gonna let this pass, we’re setting the stage for kind of the next ten years of people abusing DNS—”
“Whoaa, whoa, whoa!” interrupted Twomey. “We’re on board!”
T.J. apologized.
The issues were: How do you register domains en masse? How do you arrange to just taste those domains, instead of purchasing them outright? Twomey dialed his legal staff in Marina Del Ray right from the meeting room, and instructed them to find a way in the rules for ICANN to allow the Cabal to make rapid, unilateral decisions. There would be no charge to register the Conficker domain names. Twomey recognized that Conficker was a turning point. It was a threat that demanded that the worldwide community of Internet providers function for the first time not as a loose confederation of interests, but as a single community.
He delegated the job of working with the Cabal to his subordinate, Crain, who quickly accepted. Back in his Redmond office, listening, T.J. thought, . . . Sure, boss, I’ll save the Internet. Just let me get my cape here out of the locker!
The biggest immediate problem was tying up domain names in China, .cn, one of the new Top Level Domains. China was problematic for a number of reasons. For those who suspected Conficker was the work of a nation-state, or perhaps of contractors at work for a nation-state, China topped the list of suspects.
As we have seen, intelligence experts believed China was regularly hacking into sensitive U.S. government networks, including some used by the Pentagon. The network controlling the electric grid for the United States had also experienced incursions. Just looking at the sophistication of Conficker, some people found it hard to believe that anyone other than a nation—and by “a nation,” they meant China every time—could have created the worm.
So China was a sensitive subject. And now the Cabal was in the position of having to ask China’s help to contain the monster. Most in the Holiday Inn meeting room were stymied. Whom do you call? Whom do you ask? Do you want to ask? How could they collaborate with a government that rejects the very notion of a techno utopia? Rejects the ideal of free information, the founding principle of the Internet? China operated outside the fence, so to speak. It was the largest and most powerful of the wired countries that unapologetically monitored and censored. How do you even talk to these people? How do you ask them for help? But with the majority of Conficker bots in China, how could you pull this thing off without them?
“I know a guy there,” offered Crain, a Brit who had a home in Long Beach but basically lived out of a suitcase. “Let’s see if we can get an email to him. Figure out on the phone what we’ll do.”
They tried calling the Chinese official right away, but there was no answer. It turned out to be the Chinese New Year. Twomey eventually spoke personally to the head of China’s Network Information Center, which governed the Internet there, and secured his full cooperation. Everyone at the Georgia Tech conference left feeling surprised and impressed by Twomey’s swift response. The Cabal felt they were really getting somewhere. With typical enthusiasm and floridity, soon after the meeting, Dre Ludwig posted to the List:
I cannot stress how important and amazing it is what this group has accomplished (and is still accomplishing). As far as I know this is the first time there has been this level of involvement from so many different groups (from ICANN, to Microsoft, to the FBI, to all the affected registries, to the AV community, even to ISPs!). Now what we need to do is cement the message we want the world to hear, and effectively communicate that. This in my eyes is ANOTHER HUGE win for the good guys. . . . I cannot speak for T.J. or his organization, but based on the talks we have had prior to this mess I don’t think there will be any issues moving forward. . . . Everything we are doing and have done is a sum of everyone’s efforts, and the message as I have heard it has always been one of cooperation between the various industries and groups. . . . What we are doing here as a group in my view at least is a CRITICAL process being to build and flush out for the entire health of the Internet. We need to make sure that moving forward this process of sharing information, and capabilities between the various industries we have assembled here grows. WE RUN AND OWN THE INFRASTRUCTURE, and we all need to understand that the only way to defend it against abuse is to cooperate with the various industries that have different insights into the larger problem. . . . I just want to honestly tell everyone who has been a part in this that I personally thank them for their effort, their resources, their patience, and their cooperation. If it wasn’t for every single individual who has been involved in this to this point we would be stuck with distribution of efforts that would at best be short lived, and at worst disruptive to everyone. I think I owe everyone a beer or three the next time I see them.
Soon after the Atlanta meeting, Microsoft offered a $250,000 reward for identifying the person or persons behind Conficker. This is when the group also formally dubbed itself the Conficker Working Group (CWG). It sounded more respectable than the Cabal. Some felt that the word “cabal,” with its sinister connotation, conveyed the wrong impression. In all of its future official communications, the group became CWG. Of course, disavowing a nickname is the surest way to make it stick. Everyone, including those on the List, continued calling it the Cabal.
There was such a clamor to get involved, especially when the press got hold of the story, that subgroups were created for various and sundry aspects of the botnet: these subgroups included a large one to analyze the malware itself, another to study and maintain the sinkholing, another to handle the DNS problem, and so on. The Cabal’s List was reserved for the cream. They were, after all, the X-Men.
Whatever the title, the approach seemed to be working. To Dre, in another email from this week, their mission was “too important to fail.” The FBI agent who had been at the Holiday Inn session remarked, “We need to find a way to do this kind of thing in other cases, this issue around domains, because this is probably not going to be the last time it happens.”
The agent had not come to Atlanta out of national concern for Conficker. Rodney had just cornered him that morning and urged him to attend, as part of the continuing efforts of the Cabal to get the feds to pay attention.
Working together was something new for most of those involved. Most of the X-Men had achieved their current level of expertise on their own, and they came at cybersecurity with interests that occasionally conflicted. Pure researchers like Phil Porras, consultants like Dre Ludwig, and botnet vigilantes like Andre DiMino eyed their entrepreneurial colleagues and those employed by the big security companies with more than a little suspicion. The data being collected about the botnet had serious and growing commercial value. Participation in the Cabal might better position an AV company to cash in down the road. There was also considerable prestige attached now to the effort in the cybersecurity world. The press was growing increasingly interested in the worm, and some members of the Cabal, particularly those who had longstanding relationships with reporters like the New York Times’ John Markoff or Brian Krebs, felt daily pressure to spill details of the group’s efforts, and tended to get their names prominently mentioned. This did not sit well with others in the Cabal, who disdained self-promotion, and who recognized that leaks of any kind would help the botmasters, who were clearly paying attention to the Cabal’s every move.
With few exceptions—like T.J. at Microsoft and Phil at SRI—members of the group were volunteers, ostensibly motivated by a sense of public purpose, by commitment to the idea of the Internet, and by the sheer excitement of the challenge. Most were fitting in work on Conficker around their day jobs, figuring the contacts they made and the things they learned couldn’t hurt them, and buoyed by a sense of doing the right thing. But suspicions started to grow that not everyone was so idealistically motivated.
These doubts came to a head when it was discovered that Rick Wesson had, on his own, decided to reach out to China.
It was typical of him. Rick had a well-known maverick disposition, an aggressive approach to problem solving, and—the propensities were related—a talent for annoying people. He also had a puckish sense of humor, as when, early on, he had started registering all of the Conficker domains in the name of the FBI’s top cybersecurity agent—a none-too-subtle hint that maybe Washington should be paying more attention. The Bureau was not amused.
When .cn showed up as one of the new Top Level Domains generated by Conficker B, Rick had acted swiftly to solve the problem. In a move reminiscent of the one that had earned him an F on his undergrad project at Auburn, he went ahead and reached out directly to the Chinese, handing over access to the data he had been sinkholing for months. It made perfect sense to him. Given that so many of the Conficker bots were in China, it would not have been hard for the country’s Internet snoopers to acquire much of the information themselves, at least going forward. So it never occurred to Rick that sharing what he and Chris Lee at Georgia Tech had collected would cause a problem. As he saw it, it built goodwill between China and the rest of the world, and it would help solve the Conficker problem, both the Internet’s and his own.
China kept its official hands clasped tightly around the Internet’s throat. Authoritarian societies are unquestionably better at some things than democratic ones, so if China decided to help, it could be counted on to do a good job of tracking and rerouting the botnet’s traffic. This would take the largest single portion of the botnet out of play. So Rick reached out directly to Xiaodong Lee of China’s Internet Network Information Center. He had another good reason to act quickly. He could not foresee that ICANN would waive the fees. On the last day of January alone he had charged $5,000 to his American Express card to register .cn domains. His estimates of how much the work and fees had cost his company threatened to top $100,000. Microsoft had balked at reimbursing him. T.J. wrote to him that the numbers were “well outside the ballpark” of what the software giant was prepared to pay. So China’s help would relieve some of the pressure there. A win-win, as far as Rick was concerned.
Unfortunately many in the Cabal did not see it the same way. Most of Rick’s colleagues were appalled. There was plenty about their effort they were not eager to share with China. For one thing, they had discovered a flaw in the programming for Conficker B that made all of the bots it infected vulnerable to hijacking by a third party—either the good guys or a rival miscreant. One of the worm’s tactics was to patch the vulnerability at Port 445, so that no rival exploit could attack it. The newer strain of worm had an error in this part of its code, which meant that anyone who owned a list of infected computers, if he could exploit the mistake, might be able to hijack the entire botnet. The exploiter would have to figure out a way to insert his own code, an effort that would ultimately fail, but at the time there were high hopes for it. It was one of the Cabal’s most closely held secrets. If Rick was out there sharing sinkholed data on his own, what else was he sharing? What if the Chinese government figured it out first? Given that there were scores of sensitive U.S. government networks, not to mention banking and corporate networks, on the list of infections, who would want the Chinese government in possession of a tool to remotely control them? And given that China was high on the list of suspects behind the worm, why would anyone with the public interest at heart just hand over detailed information about the Cabal’s effort against it?