Worm: The First Digital World War (11 page)

At the same time as the legitimate computer world was wising up, so was its evil counterpart. Malware in the first decade of the twenty-first century underwent something akin to the Cambrian Explosion, a period in evolutionary history when change seemed to accelerate. The key was the shift from malware as vandalism to malware for profit. Up until that point, those malfactors inept or unlucky enough to get caught were all what today’s security experts call “script kiddies,” amateurs who borrowed software written by others and attempted to employ it for their own ends. They had appropriated malware themselves that could spread, and make some sort of goofy display. But there remained a big stumbling block to actually using these rapid-spreaders to do something useful, specifically, to
make money
.

The next step was foreseeable. Profit is the universal trigger of innovation. At a malware conference in Washington, D.C., in October 2003, Stuart E. Schecter and Michael D. Smith, professors at Harvard’s School of Engineering and Applied Sciences, noted that the opportunity was ripe for a “new class” of malware, one that they called an “access-for-sale worm.”

“An access-for-sale worm . . . [enables] an individual to control a large number of systems and sell access to each one to the highest bidder,” they wrote. “[It] enables the black hat community to work together to pool their skills and distribute risk in order to maximize the loot they extract,”
loot
being money potentially drained from bank accounts, or valuable credit information. They predicted that the new worm would close the door through which it entered a system and repair the vulnerability “to prevent copycat worms from gaining access to the system.” It would open a “back door” to invite privileged access to the botnet controller, and would report back information about the kind, value, and specific vulnerabilities of each system it invaded. Once such a botnet was created, control could be maintained with well-known public encryption methods. So long as the worm’s creator restricted direct communication to an occasional update, he could set himself up as a middleman, providing the actual thief with a mechanism to steal while shielding himself from risk. Clients could select infected networks vulnerable to their specific criminal attempt, and even make test runs before renting the platform. Such an approach would combine the reach of a massive worm infection with the control of a small, targeted hack.

“Few of the worms released today are written for the financial benefit of the author,” they wrote. “If the attacker wants to target a specific system, he will find it more effective to attack it directly or via a Trojan horse than to wait for a virus or a worm to propagate to it. If a worm’s author attempts to trace the propagation of his creation through a network he risks detection through traffic analysis. Even if he can successfully track propagation he may not know the value of the systems he now had access to. These problems do not trouble the creator of an access-for-sale worm as he need not seek out the infected systems or know how to best profit from a targeted attack on them. Instead, he provides others with the ability to covertly detect whether machines are infected and offers to sell them the opportunity of gaining access to those systems. Along with the opportunity, the seller also transfers to the buyer the risks that come from such an intrusion.”

And so it was. The enterprise migrated to organized crime and to nation-states. A new industry sprang up, primarily in Asia and Eastern Europe, a nemesis for the emerging computer security industry. This was not something even on the radar of the techno-utopians. For every antivirus company like Symantec there was now a “dark Symantec,” a Bizarro World equivalent, bent on exploitation, filled with comparable experts and profitable enough to sustain research and development. Today there is big money for those who can stealthily invade computer networks, or construct a secure botnet, and no modern military arsenal is complete without state-of-the-art malware.

The worm credited, or blamed, for pushing the game from pranksterism to profit was Bagle, which appeared in 2004 as an email attachment and is still very much alive. It assembled about two hundred thousand computers into a botnet that still generates an estimated 5.7 billion spam messages daily. Bagle’s innovation was to open a back door to Microsoft’s Transmission Control Protocol, one of the most basic functions of the operating system that governs data exchange. A back door is a way of transferring data that avoids the computer’s firewall by having the infected computer
invite
intrusion; it allows the botnet’s controller to raid any data stored on the host. Bagle also blocked communication with antivirus sites, which prevented infected machines from being cleaned or updated, and it delivered in the text of the code a boastful poem for its enemies: “Greetz to antivirus companies

In a difficult world

In a nameless time

I want to survive

So you will be mine!!

It was even signed

Bagle Author

29.04.04

Germany.

Like a transitional species on the evolutionary tree, Bagle retained a certain hacker panache, but it also created a stable moneymaking platform. It could rapidly distribute advertisements for fake services or merchandise, raiding the contact lists on each of its bots to construct a branching tree of spam. The ads popped up on computer users’ screens or in their mailboxes unsolicited, but from a known sender. While only a small percentage of increasingly wary computer users were fooled enough to send money, even a tiny percentage of 5.7 billion messages adds up to a substantial profit. In 2007, an email Trojan called Storm created a botnet easily three times larger than Bagle, and perhaps much larger than that. The “subject” line on incoming email tempted European users with information about a massive storm descending on the continent, hence the name Storm. Its author or authors have never been caught, have made self-protective adjustments over the years to combat the efforts of the white hats, and have managed to sustain a stable spam-generating monster. In the year after Storm came Torpig, a wickedly sophisticated Trojan that stole bank account and credit card information from an estimated half million computers.

The botnet was now a business model.

Once there was real money in it, new malware strains proliferated. There are scores of species in the digital taxonomy today. In parts of Eastern Europe and Asia, malware kits that enable script kiddies to put together exploits (like the one that presaged Conficker) are sold commercially in the same way that antivirus software is in the West, complete with customer assistance and regular updates to help customers keep up with the white hats’ moves. Today’s digitial viruses borrow from a bag of tricks perfected in the previous decade, and build on that foundation. Each strain that appears has its own specific antecedents. Conficker combined elements from two evolutionary pathways: worms and botnets.

Its worm characteristics stem from two of the most famous early examples: Sircam (2001) and Blaster (2003). Sircam arrived conventionally, attached to a missive with the subhead “Hi, how are you?” But then it did something new. It arrived as a Trojan horse but behaved as a worm once inside an operating system, using the host’s data transfer applications to spread. The most obvious step Sircam took was to borrow a document from the host computer’s files and forward it to another computer on the network. The incoming email would be from a familiar source, and would ask the recipient, “I send you this file in order to have your advice,” or “I hope you like the file I send you,” or use a variety of other awkwardly worded come-ons—English was clearly not its creators’ first language. The files selected for forwarding were taken randomly from the computer’s files, so they occasionally caused embarrassment, as private files were emailed to those who were never intended to see them. This feature caused most of the consternation about Sircam, but its most innovative contribution was something else.

The worm knew its way around Windows well enough to penetrate the core. It took control of the machine’s filesharing applications, and then replicated itself (in addition to activating the email scheme) by reaching directly into other computers on the network. This would be a central characteristic of Conficker.

Blaster was a purer strain of worm. Like Conficker, it was created by reverse-engineering a patch issued by Microsoft, and exploited a buffer overflow. Unlike its more cunning descendant, however, Blaster announced itself. Embedded in its code were two messages. One read, “LOVE YOU SAN!!” The other was a message for Bill Gates, reflecting the widespread resentment in the programming community of Microsoft’s increasing domination of the software market. It read, “billy gates why do you make this possible? Stop making money and fix your software.” It was also programmed to launch a massive DDoS attack on the company, but fizzled in part because it was aimed at the wrong company site and had to be redirected, giving Microsoft an opportunity to shut down the target. Still, Blaster caused an estimated $500 million in damages to computer networks worldwide. The most original feature of this worm was its ability to scan other computers on the host’s network for those that would be vulnerable. This made its spread far more efficient, and would become one of the weapons in Conficker’s arsenal.

Three early botnets likewise contributed innovations that Hassen Saidi found in Conficker. The Sinit Trojan of 2003 was not a particularly effective piece of malware, but it did introduce the use of encrypted communications with its command and control center. The use of encryption was telling. It revealed how competitive cybercrime had become and fulfulled Schecter’s and Smith’s prophecy. The designers of Sinit were trying to protect it not just from the white hats— there weren’t that many security experts hunting them down at that point—but from rival criminals. The malware’s code contained an IP address for the infected computer to call for instructions. Any black hat with that IP address could control the botnet. Any white hat could simply shut it down, or hijack it for further study. Counting the number of infected machines on botnets had become increasingly difficult. But if the white hats could take control, they could audit the network and make sure they shut down every infected machine. Sinit’s encryption was the first effort to, in effect, fit the botnet with a lock. As we have seen, encryption was central to Conficker’s strategy.

A Trojan called StartPage in 2005 posed only a minor threat, but introduced the tactic of checking to see what language was employed on the computer’s keyboard.

The last and most significant innovation borrowed (and improved upon) by Conficker was first introduced in 2004 by a botnet called Bobax. It made a tactical advance on Sinit and other botnets. Bobax tried to hide its command center’s location. By the mid-2000s, security experts could readily shut down botnets that communicated on an IRC channel. These had a single command and control center. If you found it, you could cut off the botnet’s head, something the white hats were getting very good at. So the criminals devised a number of new strategies, among them the use of a domain name on the Internet instead of an IRC channel. Web traffic is very hard to shut down. Command centers became moving targets, shifting rapidly from one domain to another, hiding in the vast flood of Internet traffic. Bobax generated a random list of domain names on a fixed schedule. This, as we will see, would turn out to be the most devilish feature of Conficker.

This tactic, hiding the botnet’s controller behind a continually shifting list of Internet domain names, was also employed in June 2007 by a very successful Trojan horse dubbed Srizbi. Thought to have originated in Estonia, it invaded computers by posing as antivirus software. It spread rapidly throughout 2008, until it became one of the largest botnets ever, responsible at its height for threequarters of the spam messages sent every day around the world. Researchers at a security firm called FireEye, working with others who would be central players in the effort to stop Conficker, were able to seize control of the botnet briefly by using its domain name-generating algorithm to spit out lists of all its future contact points, buying them up, and shutting them down. They had the botnet nearly completely contained in 2008 until they missed one of the domain names, which was all it took for Srizbi’s creator to regain control. Srizbi suffered a deep setback later that year, however, shortly before Conficker appeared, when federal authorities raided a notorious California ISP that had been serving as its host.

So when Conficker debuted on November 20, 2008, it stood on the shoulders of two decades of research and development, trial and error. It was as much a product of evolution as anything in nature. Instead of being assembled by genes, the worm was assembled by “memes,” a word coined by British scientist and polemicist Richard Dawkins in his 1976 book,
The Selfish Gene
. Memes are original ideas. Dawkins argued that they play the same role in cultural evolution as genes play in biology, getting passed along from person to person, surviving and adapting as they move.

But there was a parallel evolution going on. Just as there were villains who used their deeper knowledge to make a living from the ignorance of others, there were heroes, too, geeks who stood up for the Internet’s integrity, and who used their skills to do good, not evil.

The white hats in this struggle were locked in the old and eternal battle of good vs. evil, God vs. Satan.

Game on.

5
The X-Men

HE AND OTHERS LIKE HIM, BORN WITH