Worm: The First Digital World War (21 page)

There was another astonishing new wrinkle. Everyone had been impressed by the unique high-level encryption method utilized by Conficker B. The worm’s creators had adopted—really, they had been the first to ever adopt—the Secure Hash Algorithm proposed by MIT professor Ron Rivest in the international contest to establish a new, higher standard for public encryption—SHA-3. This was to ensure that no one could hijack the botnet; only the worm’s author had the keys to that code. In the months since Rivest had originally crafted and submitted this proposal, however, a minor flaw had been discovered in it. So he had quietly withdrawn the proposal, had reworked it to repair the flaw, and had then resubmitted it. Conficker B had employed the flawed proposal. Conficker C used the revised version. It showed once more the rare expertise of this worm’s authors, and also how sedulous they were in tending their creation.

There was one piece of good news in Hassen’s dissection. It was quickly realized that even though the worm generated fifty thousand new domain names every day, each bot attempted to contact only five hundred of those domains. If every one of the millions of infected computers had reached out to fifty thousand new ones every day, the volume of traffic had the potential to crash the Internet’s DNS infrastructure. Initially, members of the Cabal had begun computing, or trying to compute, exactly how much traffic it would take to shut down telecommunications in North America, or to crash Google or Amazon. But much of the immediate alarm eased with this information.

Rick wrote:

So far it’s not as bad as you might assume. It randomly generates a list of 50K domains but then it only tries 500 every 30 to 90 minutes. The authors realize that 50K queries would have caused issues with internal DDoS of DNS infrastructure. I suspect DNS loads will increase worldwide but the local effect should not be as bad as the worst case appears. As we get more information on how the bot works I’m sure we can estimate load more accurately.

Of course, the botnet still had the potential to overload the Internet’s critical nodes at any time, but the Cabal had begun to sense something about their adversary. Conficker’s botmaster had no interest in crashing the Internet, any more than the worm wanted to interfere with the normal functioning of the computers it infected. It was building something to last. It needed the Internet.

But if there ever was a time to haul out the big guns, it had arrived. Among the long list of targeted TLDs was .us, the country code used by many U.S. government agencies. That ought to warrant federal attention. Rodney was head of security for Neustar, which, among other things, managed .us, so the feds were among its major clients. Apart from the broader public interest, Neustar had a professional obligation to inform official Washington. So on the same weekend when Phil and his Menlo Park staff were engrossed in dissecting Conficker C, Rodney flew to Washington.

He was the eldest and arguably the most heavily credentialed member of the Cabal, the one the feds might actually listen to. He was a charming man, full of rowdy energy and puckish humor, with a very understated intellect. If you ran into him in a bar you might think he worked as a trucker—and, indeed, in addition to his other skills, he was a trucker, owner of a Class A heavy duty commercial driver’s license. Just as he was a smart man who did not behave like one, he was a rich man who didn’t behave like one—although he did have one rich man’s hobby: he collected and raced classic sports cars. Rodney had built himself into a major figure in the Internet world, from nothing. In South Africa as a young man he had served his mandatory tour in the army, and had then lasted only three months in college. He took a job with an insurance company, and enrolled in a course to become an actuary. The second six-month phase of the course introduced him to computers, and he had fallen in love. He took a job with Radio Shack because it offered an avenue out of South Africa, which was then ruled by an apartheid regime that Rodney found unconscionable. He began volunteering as a teacher of math and English to black adults on weekends, in a program that was not government authorized. When the regime began cracking down and arresting the students, Rodney at age twenty-two had had enough. At that point he was married and a father, and the mandatory annual tours in the army were increasingly burdensome. The brewing race war seemed to draw closer and more inevitable with each passing year, and here he was, trained and conscripted to fight on the wrong side. So he moved his family to London, and from there to Los Angeles, learning more and more with each new position about emerging global computer networks.

In addition to his day job, perhaps partly out of the habit of military service he had acquired in his home country, Rodney volunteered to work as a specialist reserve officer for the Los Angeles Police Department. When a police unit responded to a call in his Sherman Oaks neighborhood in 1983, Rodney chatted them up and discovered that among the officers in the unit were reserves who were ham radio operators—he had owned a ham radio license since 1971. They specialized in electronic snooping, which Rodney found fascinating. So he signed up. He worked two or three nights a month, usually on stakeouts in safe locations, work that freed up regular officers to kick down doors. He saw all kinds of opportunities to apply computer networks to fighting crime, and strong-armed the deputy chief for his region into letting him compile a database for local crimes on his Apple 2E, and eventually on his IBM PC. He produced daily printouts of criminal activity, which were handed to patrol officers at the beginning of each shift. This practice was successful enough to be adopted department-wide. He was then selected to be trained as a drug recognition expert, and eventually became an instructor. Later he obtained that heavy-duty commercial driver’s license and drove one of the department’s eighteen-wheel emergency response tractor/trailers. He was behind the wheel of the Mobile Command Post during the 1992 riots over the Rodney King case.

All the while, Rodney was accumulating a high level of skill with computer networks, just as the Internet began to blossom. When he was ready to start his own company, he and his wife shopped for a place to finally plant roots. Was there a city in the world that wasn’t threatened by race war and riots, and that didn’t live under the constant threat of a giant earthquake? They were ready for some peace and quiet. They wanted a place where there were no wildfires, floods, snow, ice, or tornadoes. Rodney found that the only two spots in the country that met all those requirements were Phoenix and Las Vegas. His wife vetoed the gambling capital, so Phoenix it was. One of the companies he started there handled online sales for Robert Redford’s Sundance Catalogue, and another evolved into Genuity, one of the largest ISP data center operators in the world. Rodney had retired from GTE, but in his long and successful climb through the Internet-world, and perhaps harking back to his police work, he had become fascinated by security issues. He supervised security for Neustar now, and knew that a botnet the size of Conficker could, among other things, shut down the company’s networks, effectively dropping telecommunications off the map in North America for a period of time. So his concern about the threat was both broad and immediate.

When he got to Washington, Rodney initially contacted a friend at the Commerce Department who worked on Critical Infrastructure Protection for the National Telecommunications and Information Administration, which advised the president of the United States on Internet issues. Rodney called his friend at home on Sunday evening, March 8, outlined what was happening, and sought his advice on how best to approach the Commerce Department about this new threat.

This was Rodney’s best foot-in-the-door for the massive federal bureaucracy, because he had a legitimate duty to brief the agency. Neustar’s contract for administering .us was with the Commerce Department. So Rodney asked for a chance to present the challenge now faced by the directory, and then, for background, told his friend all about the worm, and the new strain in particular. It was the first time the official had heard about Conficker, which was a little alarming to Rodney—but he apparently grasped its significance immediately. He said he would call right back, and less than an hour later, Rodney’s phone rang.

“Can you be at the Department of Commerce tomorrow morning at eight for a briefing in the chief information officer’s (CIO) office?” his friend asked. He wanted Rodney to brief a variety of officials not just about the threat to .us, but about Conficker as a whole.

Rodney put together a PowerPoint presentation in his hotel room that night. He had packed one white shirt for the trip, for a meeting on Tuesday at which, to his chagrin, he would feel obliged to wear a suit. He broke out the shirt early Monday morning and reported punctually to the monumental, six-story, Doric-columned, gray stone Herbert C. Hoover Office Building, a structure that has stood on the entire 1400 block of Constitution Avenue for more than seventy years as a massive symbol of prosperity, the granite fortress of American commerce.

Shortly after eight o’clock Rodney was standing before a roomful of Commerce officials. Among those in attendance that morning was an attorney with a background in Internet issues who had been working on a sixty-day review of cyber issues for the newly inaugurated President Barack Obama. As Rodney began to launch into his presentation, firing up his PowerPoint display, one of the officials asked, “Didn’t we already have this briefing?”

There was momentary confusion, and alarm. One does not convene the grandly important and extremely busy pooh-bahs of American prosperity for a briefing they have already received. Rodney’s friend had a few bad moments here. It seems that someone from the U.S. Computer Emergency Readiness Team (U.S. CERT), the agency charged with protecting federal computer systems, had met with most of this very Commerce Department crowd in the previous week for “an urgent briefing.” Material from that session was hastily found and presented to Rodney, who saw, to his surprise, that last week’s urgent briefing had concerned Conficker B, which had appeared more than two months earlier. Apparently the alarm sounded by Rick Wesson in early January in his “note from the trenches” was still getting the classic bureaucratic slo-mo treatment, inching its way from department to department. It confirmed Rodney’s already poor opinion of U.S. CERT.

Well, folks, if that briefing last week scared you, and it should have, you might want to tighten your seatbelts . . .

Rodney went ahead with his presentation about Conficker C, pointing out the seemingly insurmountable challenge the Cabal now faced in protecting the Internet. When he had finished, the room was quiet. One of the officials asked Rodney if he was free to give the same presentation at one o’clock that afternoon at FBI headquarters, where U.S. CERT held a meeting about current high-level threats every other Monday. Rodney said he would have to move some things around on his schedule, but that this sounded like the kind of occasion that warranted it. The same official then left the room, and returned moments later to confirm that he had spoken to one of the deputy U.S. CERT directors, and obtained permission for Rodney to attend.

The meeting in question was a classified briefing about cyberthreats, run by U.S. CERT Director Mischel Kwon. Usually the computer security chiefs of various vital government agencies attended. Rodney left the Hoover building and went back to his Neustar offices. He knew Kwon; he had met her on several occasions. He did not want to ambush her, or show her up, given the fact that her agency seemed so far behind on the threat. He had tried to contact her several times in the previous months, but had been ignored. Still, as a courtesy, he tried again. He sent her an email, saying that he would be seeing her at the briefing in a few hours, and quickly summarizing his presentation. He closed by offering to talk to her beforehand if she wished.

Kwon responded six minutes later.

“Rodney, I appreciate your update. I must tell you that the one o’clock meeting is for government only. The only nongovernment allowed are contractors under contract directly supporting the government. Am I to understand that you will be briefing prior to the meeting? Please do know there has been a misunderstanding.”

She copied the email to a number of others, among them the deputy who had authorized Rodney’s attendance.

Rodney wrote back that there had been no misunderstanding, that he had been asked to brief people at the meeting at one o’clock. He was also, in fact, a contractor directly supporting the government, but he did not wish to split hairs.

“Let me know if I should cancel coming over,” he wrote.

Moments later, an email flashed on Rodney’s screen from the deputy who had approved the session, mailed to him and a large number of others, including Kwon. It read, simply: “He can brief at the meeting.”

Rodney was startled. After all, this was supposed to be Kwon’s deputy. He surmised that the Commerce Department official who had spoken to the deputy earlier must have complained about hearing of the new Conficker variant from Rodney, a civilian, a naturalized citizen with a foreign accent to boot, instead of from the agency charged with responsibility for such things. Rodney could imagine how that conversation must have gone: You mean to tell me you jackasses have no bloody idea this is happening? He sensed serious trouble in Kwon’s kingdom—indeed, she would resign five months later.
