Worm: The First Digital World War


I believe that this email is not from you, nor is it in your general character, to send out such an email. But if somebody is sending out this email, with the “From” address spoofed to your name, thought you might like to know. Also, perhaps, you can help me solve the riddle of what the “real” intent or endgame of this email is. Technically speaking . . . it is clear that this is a hoax . . . [I cannot imagine you] sitting at home psycho-obsessively finding/predicting secret lists of likely Conflicker victim domains, researching all their whois records, and writing to every one of these 500 people in need of YOUR rescue, per day . . . hmm.

This was, of course, very nearly what the Cabal was doing, except that relatively few of the domain names generated by the worm actually belonged to anyone. Chris forwarded the note to Rodney, who promptly boomed a warning shot across the contractor’s bow that opened with a weighty recitation of his credentials—senior vice president and senior technologist of Neustar, member of the ICANN Security and Stability Advisory Committee—and then explained that, improbable as it might seem, “The Conflicker binary does, as Dr. Lee noted, generate 500 random domain names each day that it then uses to contact the Conflicker C&C [command and control]. The algorithm has been decoded, and so we know in advance what domain names will be used by the C&C and bots every day from now on, subject to the malware being updated.” Rodney continued:

Dr. Lee, and others in this core group, have compared the domain names that are due to be used by the C&C with domains that are already registered. Obviously the randomness of the malware algorithm results in some collisions with domains that have already been registered. Your client’s domain name is one of those very few. The unregistered domains have been dealt [with] . . . but the concerns are for those few domains like your client’s that will now receive millions of connections from compromised Conflicker systems on their “magical” day—in your client’s case, March 18th. And in order for the Conflicker authors to successfully operate, their best bet is to compromise the machines behind your client’s domain name by March 18th. Hence Dr. Lee’s concern, and his email to you. Please be assured, unfortunately, that the people behind Conflicker are highly sophisticated in their ability to compromise web servers, even those that are especially hardened. So I would urge you to heed Dr. Lee’s offer of help. Despite what you may believe based on looking at his public pages at GT [Georgia Tech], he is an expert in this field, and one of our best.

That got the bastid in line.
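The workflow Rodney describes, predicting the day's domain names from the decoded algorithm, checking them against already-registered names, and handing the rest to the registries to block or sinkhole, can be modelled in a few functions. The following is an added example and is not code from the book or from the Cabal; the domain generation routine is a hypothetical stand-in seeded from the date (it is not Conficker's actual algorithm), the TLD list and the registered-domain set are constructed for the demonstration, and the only figures taken from the text are the 500 names per day and the March 18 date.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Constructed TLD list; the per-day count is the figure the text gives.
TLDS = ("com", "net", "org", "info", "biz")
DOMAINS_PER_DAY = 500


def generate_domains(day, count=DOMAINS_PER_DAY):
    """Stand-in DGA (hypothetical; NOT Conficker's real algorithm).

    Each name is derived deterministically from the date and an index via
    SHA-256, so anyone who knows the function can compute the same list
    for any future day. That predictability is what let the Cabal get
    ahead of the worm once the real algorithm had been decoded.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                      # 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def find_collisions(generated, registered):
    """Generated names that already belong to someone: these owners need
    the kind of warning the contractor in the text received."""
    return sorted(set(generated) & set(registered))


def per_tld_blocklist(generated, registered):
    """Split the still-unregistered names by TLD so each registry gets
    only the part of the list it can act on (block or sinkhole)."""
    by_tld = defaultdict(list)
    for name in sorted(set(generated) - set(registered)):
        by_tld[name.rsplit(".", 1)[1]].append(name)
    return dict(by_tld)


def triage_day(day, registered):
    """Full per-day workflow: predict, detect collisions, prepare block lists."""
    generated = generate_domains(day)
    return {
        "generated": generated,
        "collisions": find_collisions(generated, registered),
        "blocklist": per_tld_blocklist(generated, registered),
    }


def constructed_registry(day):
    """Constructed stand-in for a whois/zone lookup: a few unrelated
    existing names plus two of the day's own names, to simulate the
    'very few' accidental collisions the text describes."""
    todays = generate_domains(day)
    return {"example.com", "example.org", "example.net", todays[7], todays[42]}


if __name__ == "__main__":
    magical_day = date(2009, 3, 18)            # the date the text gives
    result = triage_day(magical_day, constructed_registry(magical_day))
    print(f"{len(result['generated'])} names generated for {magical_day}")
    print("collisions needing owner outreach:", result["collisions"])
    for tld, names in sorted(result["blocklist"].items()):
        print(f"  .{tld}: {len(names)} names to block/sinkhole")
```

Two points of the story fall out of the model directly: the registered-name intersection is tiny compared with the block list, which is why only a handful of owners like the contractor's client needed outreach, and the block list is naturally partitioned by TLD, which is why the effort could only work if every registry on the list agreed to act on its share.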

Stephane Bortzmeyer, who worked for Association Française pour le Nommage Internet en Coopération (AFNIC), a targeted French registry, was irritated by John’s request:

I am a simple employee and have zero authority to decide what AFNIC will or will not do. The letter . . . reads as if the decision has already been taken. It even seems to contain threats to non-compliers. . . . Same thing when you ask people, not to discuss the actions to take, but to simply report what stage they are in, in the implementation of an already-decided plan. I suggest that we first discuss the solution (is blocking thousands of domains a scalable solution, when Conficker can always extend its list?). It does not seem that there is, for Conficker C, a published implementation of the algorithm. Therefore, we have to blindly trust the list of domain names. That’s annoying.

John wrote back to apologize for any confusion, and pointed out that the letter he had sent was, in fact, just a request. Rick Wesson also responded:

Please understand that there is some urgency and the task to even attempt a global response coordination within 18 days is difficult. As far as decision making, each TLD has made their own decision. The effort only works if we all decide it is in the global interest to participate. This is the decision most organizations are taking.

Rick sent him the link and a password to the List, so he could verify the nature of the effort for himself. Stephane came on board, but only after asking for and receiving a cover-your-ass document with a certified signature, which was a little strange, there being no real authority in a position to give an order or make a demand.

The strain of getting this done with the clock ticking relentlessly showed within the Cabal. The List, previously calm and professional in tone for the most part, usually deep into the technical issues of sinkholing and tracking a multimillion-node botnet, but also eloquent on occasion, degenerated in some predictable quarters, and also in some less predictable ones.

The sheer volume of data being accumulated by all the domains Conficker C was programmed to generate required that the sinkholing operation be expanded. This was just one of the complications the botmaster apparently hoped would unravel the Cabal. It did not, but it definitely added stress.

Rick kicked up a row inadvertently when he breezily volunteered his company to do some of the work:

I expect to play a role with sinkholing C just cuz I got a /16 [a very large Internet interface] to play with and it sounds fun.

His tone rubbed Paul Vixie the wrong way.

That’s not a good reason, especially for a key man who is already carrying a large coordination burden for the overall project. . . . I am aggravated by your use of the words “play” and “fun.” This is a deeply serious activity on which we have collectively and individually screwed every possible pooch there was to screw in the A/B effort [Conficker A and B].

Rick wasn’t giving up.

It’s all in how you look at your job. I heard a One Star [General] refer to tanks as toys and Browning M2s as popguns. I guess it comes from scale and your individual reference. I still enjoy my job =) so yes, even really serious stuff to you still seems like fun and a good time to me. I’d rather have an interesting day job than, well, deal with drama like this.

He went on to complain about various technical issues relating to the sharing of sinkholed data, and suggested that Paul was being held to a different, less stringent standard. Paul wrote back to defend himself, telling Rick to stop comparing their operations, and reminding him that while he, Paul, had never accused Rick of sharing data inappropriately, he still wasn’t ruling out the possibility that he had (and had lied about it):

If you’ve been sharing data with people who the rest of us don’t know about, then that’s a problem, and if you haven’t, then it’s not a problem.

Rick responded:

I hated high school for the same reasons this thread exists. If there is anything that makes me never want to do this again, it’s working on projects until they digress into he said/she said. It’s happened more than once with you, Paul. I’ll not be participating in this thread any longer. If you have an issue you need to discuss with me, pick up the phone.

The matter would have ended there, except that Rick’s accusation, that Paul had also allowed unauthorized access to sinkholed Conficker data, inadvertently implicated another key member of the Cabal, Chris Lee, who was now managing the bulk of the sinkhole operation. Ordinarily a very mild, detail-oriented, unemotional technician, Chris finally unloaded on the most feisty and (some felt) fishy member of the group, bringing up his still-simmering indignation over Rick’s rogue approach to China:

When I operate the sinkhole, I wear my GT [Georgia Tech] hat. In this case, there existed a clandestine exfiltration of that data to another country—one that is well-known to leverage cyber-capabilities, which created a direct conflict of interest with my activities and my employer. You knew this and did not tell me or anyone else. I collected data in a very open fashion, . . . and with the impression that the data was only being shared within the Cabal. When I addressed my concern to you, you treated me as if I were trying to undermine the entire effort and gave veiled threats. There were plenty of opportunities for you to clearly state your motives to me and work out a nice compromise, but that’s not the route you chose at the time.

Now I cannot trust you. This undermines our entire effort. You don’t trust me and everything I do or say (or even silence), you view as an attack or “a game.” This will not work. We either work out our differences, or at least one of us will have to leave. I hope that I’m humble enough to continue to listen, understand, and find good solutions, but that window is closing fast as I am starting to feel attacked and am losing my objectivity. Your other activities of talking with various government organizations, NYT [the New York Times], and to the cc TLD without coordination and oversight also expand my suspicion of your activities. You seem to want to avoid any checks on your actions and try to hide what you’re doing. This cannot scale. We are a team. We have the same goals (roughly). We can work this out.

I have been silent recently, in hopes that my objections would not stand in the way of all of us working together and to avoid everything I say from sounding like an attack or being attacked by someone who is suspicious of me. We are at the cusp of doing great things together, let’s stop the games (as Joffe has yelled clearly in email) and work together. I am not attacking you and I do not think you are evil. We do have a difference in approach and opinion—one that could easily be solved. I think you are avoiding oversight because you think some of us will be hostile toward you and attack. This is likely not the case. Hiding what you do will cause animosity.

We were friends once, Rick. I want to be friends again.

The three eventually retreated to hammering out their differences on the telephone, but not until after Rick once more posted a reference to their contretemps as a “high school drama.” Chris complained about the analogy, prompting Dre Ludwig to weigh in and address Rick directly:

It is my humble estimation that you are out of line with not only your response, but multiple actions you have taken over the last month and a half. I agree with all of Chris’s previous points and there are serious trust issues that you have caused yourself. I think every individual [who] is a part of this effort has a legitimate right to ask questions of you based on what you have already told this group. You may not understand it but the circles you are trying to swim in are rather small but very deep. Any ripple that is made has a tendency to reflect off of multiple individuals in this group.

Dre complained that Rick had still never supplied a list of everyone with whom he had shared the sinkhole data.

Let me also restate one thing. Rick, this is not a personal attack. If it was such there would be NO ROOM for misinterpretation on my part. We need cold hard facts not personal attacks, misdirection, or lack of results. I had asked for this on previous phone calls and I have yet to see anything come of it. So please let us avoid the “high school drama” as you put it, and deal with cold hard data.

The dispute then vanished from the List as the three worked it out on the phone, but animosity and suspicion remained. On March 24, just a week before C-Day, Rick posted an angry note to Paul, who had complained that the effort was flagging and that some sinkhole operators might need to be replaced:

I am growing tired of you stating that “it is not working.” It is but you are just unsatisfied in how it is working. Be clear, post some statistics, or shut up. You don’t get to remove any A/B [Conficker A and B] sinkhole operators, but I can remove you. So pipe down.

Paul responded . . . .

Finally, T. J. Campana, up in his office in the Redmond sprocket, had had enough. He wrote:

STOP . . . What hurts the efforts the MOST is the bullshit that is being tossed around here. Either we learn to play nice or we (meaning I) will make arrangements for both of you to go home. We need to do better, but this will not happen overnight. For some of us, this is our first stab at sinkholing a threat and we are having some growing pains.

Rodney wasn’t far behind, once more stepping up as the “adult in the room”:

CUT THE BULLSHIT INFIGHTING OUT!

Don’t you realize that from the outside (and maybe in reality) the cohesive group that has worked so well to get us this far is about to fall apart.

NONE of you will win. The only winner[s] will be the people we’re fighting to defeat. I guarantee that if we don’t get our shit together, the next NYT [New York Times] or WP [Washington Post] headline will be “Conficker Cabal Collapses.” And I don’t want to be part of that.

So please recognize that every time one of you pisses on another’s shoes, hundreds of people are seeing it, one way or the other.

When I organized the group meeting in Atlanta, my objective was to help find a solution to one part of the problem, with the hope that it would help to find a way to survive against the bad guys. That is still my prime objective. Unlike some of you, I don’t have a business model that is part of the Conficker battle. I don’t sell software that deals with Conficker. I don’t sell services that deal with Conficker. I don’t sell hardware that deals with Conficker. I don’t have a consulting business that deals with Conficker. I am just an Internet user, with a little bit of history and a few thousand customers. And I want the Internet to survive.

If there are any of you on this list that feel differently, then say so and let those of us with a different primary objective go somewhere else to continue the fight.

Otherwise, please get together, and make some decisions that work for all of us, and ultimately for the Internet.

I still suggest a group call to work things out and reestablish a united front. I don’t want to get any more calls from people on one of the lists asking me wtf is going on with the “leaders.”

And even if you continue to ignore my “public” requests for answers, please at least acknowledge that you got this email, and have an interest in solving the problem.
