Worm: The First Digital World War

He concluded:

Yo, T.J., nothing personal, man.

T.J. has been busy. In the last two years, he has helped put together a cooperative Microsoft/law enforcement initiative that has taken down, with the help of the U.S. Marshals Service, Waledac and Rustock, two infamous spamming operations, targeting the servers that hosted the criminal enterprise. As a result, he says the company has seen at least a temporary decline in the amount of spam on the Internet.

The Conficker botmaster is still out there. In June of 2011, authorities in Ukraine, in cooperation with the FBI, arrested sixteen hackers in Kiev, who had reportedly used the Conficker botnet to drain $72 million from international banking accounts. The investigation was run out of the Seattle FBI office, the one which has worked closely with T.J., and was assisted by the National Cyber-Forensics Training Alliance. Servers in several countries were raided in a coordinated international police action. Those rounded up were all young men between the ages of twenty-six and thirty-three, who police said had “splendid technical educations.” It remained doubtful, however, that among this group was the Conficker botmaster, the designer. More likely, these hackers were customers of the botnet’s creator, using its stable platform to launch their targeted thievery, in exactly the way Harvard’s Schechter and Smith predicted in their 2003 “Access for Sale” paper. Agents were still questioning the suspects as this book was going to press. There were hopes that this group might lead authorities to the botmaster, the true architect, or architects, of the worm. Rodney is optimistic, even confident on some days, that he, or they, will be caught.

More than a year after the anticlimactic April 1 Waledac stunt, Rodney, John Crain, Phil Porras, and Andre DiMino met with representatives from the White House in Rodney’s Neustar office—it was the first time Phil had ever met Rodney personally. Paul Vixie added his gloomy perspective by phone hookup. Andre had prepared lists of Conficker infections on .gov and .mil networks. The scope of the worm’s inroads clearly startled the Obama team. Rodney was particularly alarmed that here, more than a year after he had sounded the alarm on Capitol Hill, the Commerce Department, the government’s chief computer network guardian, was still not tracking the infection closely itself.

At a follow-up meeting several months later, Andre says, CERT acquitted itself much better, and the infection rates on .gov and .mil had gone down significantly.

So who is the botmaster? Who are the bad guys behind the worm?

Ramses Martinez is in charge of security for VeriSign, the Dulles, Virginia, company that operates two of the root servers for the Internet. He was a member of the Cabal. One of the things he does, patrolling the perimeter at VeriSign looking for threats, is occasionally dip into the obscure digital forums where cybercriminals converse, where those who write sophisticated malware boast and threaten and compare notes. After all, theirs is a rarefied community, and those engaged in this game have certainly encountered the Glaze themselves often enough. The chat rooms are a community of the like-minded, a place where they can show off their chops among those who appreciate their skills, where they can compare notes, learn. White hats like Ramses sometimes venture in to collect intelligence, or just out of curiosity, or for fun. Often they pretend to be malware creators themselves, but not always. Sometimes they enter as themselves, and indulge in a little cyber–trash talk.

“In the past you were just sort of making sure they didn’t steal your database of credit cards,” he says. “Now we go in to engage them. You talk to them and you exchange information. You have a guy in Russia selling malware working with a guy in Mexico doing phishing attacks that’s talking to a kid in Brazil who’s doing credit card fraud, and they’re introducing each other to some guy in China doing something else.”

Martinez said he recently eavesdropped on a dialogue between a security researcher and a man he suspects was at least partly responsible for Conficker. He won’t say how he drew that connection; he says only that he had good reasons for believing it to be true. The suspect in the conversation was Russian. The standard image of a malevolent hacker is the Hollywood one, a brilliant twentysomething with long hair and a bad attitude, and in need of a bath.

This is not how Martinez sees him.

“I see him as a really well-educated, smart businessman,” he says. “He may be fifty years old. These guys are not chumps. They’re not just out to make a buck.”

Ramses joined the conversation with this fellow. He made no effort to disguise himself. And when the Russian realized whom he was talking to, he quickly retreated from the conversation.

He wrote apologetically:

You’re the good guys; we’re the bad guys. Bacillus can’t live with antibodies.

. . . And, oh, one last thing: somebody still owes Rick Wesson $30,000.

Sources

Interviews

All of the principals in this story were generous with me in both sharing their stories and reviewing the manuscript for errors, particularly Phil Porras, Hassen Saidi, Andre DiMino, Rick Wesson, Rodney Joffe, and Dre Ludwig, who went above and beyond. I also interviewed James Bosworth, T. J. Campana, John Crain, Dave Dittrich, Barry Green, Brian Krebs, Chris Lee, Michael Ligh, John Markoff, Ramses Martinez, Richard Perlotto, Mike Reavey, Joe Stewart, Paul Twomey, and Paul Vixie. It would be hard to understate my knowledge of the Internet and of computer operations before I began, so it would be hard to overstate the patience these men demonstrated trying to explain things to me. Rick Wesson and Phil Porras shared their email archives, and the Cabal (the Conficker Working Group) voted me in so that I could access the thousands of emails on their Listserv. I still wish they had official caps and T-shirts so that I could advertise my honorary membership in the X-Men.

The Conficker Working Group archives are referred to below as “CArchives,” and Rick Wesson’s and Phil Porras’s personal email archives as “WArchives” and “PArchives,” respectively. The books and articles cited in the story are itemized in the chapter notes that follow.

Notes

Chapter 1: Zero

New Mutant Activity Registered, “The Amazing X-Men, The Age of Apocalypse,” Marvel Comics, April 1995;
The new worm . . . their own tribe, Porras and Saidi;
They are mutants . . . normal humans, “The Amazing X-Men,” March 1995;
The quote from Computer Power and Human Reason is from page 116 of the 1976 paperback W.H. Freeman edition;
Phil himself . . . rested on their work, Wesson, Porras, and the CWG archives;
The world they inhabit . . . how it transmitted data, drawn from Where Wizards Stay Up Late, by Katie Hafner and Matthew Lyon, Simon & Schuster Paperbacks, 1996, an excellent, highly readable early history of the Internet;
more than two billion users, according to the U.N. Telecommunications Union, January 26, 2011;
Its growth has been . . . nanosecond to nanosecond, Porras, Crain;
. . . visual illustration . . . Bar-Ilan University, as reported in Technology Review, June 19, 2007;
Behind his array . . . worm’s purpose, Porras;
Phil had no way to stop . . . us to do, Porras.

Chapter 2: MS08-067

The world is no longer yours, “The X-Men Chronicles,” Marvel Comics, 1995;
The first reports . . . this one, Campana;
Gates and Paul Allen . . . and the European Commission, most of the summary history of Microsoft is drawn from Hard Drive: Bill Gates and the Making of the Microsoft Empire, a good early history of Gates and the organization by James Wallace and Jim Erickson;
unfair and monopolistic, in the April 3, 2000 judgment in Microsoft v. the U.S., an antitrust case brought by the U.S. Department of Justice, the corporation was called “an abusive monopoly.” Microsoft settled the case with the U.S. Department of Justice in 2004. In March of the same year the European Union brought an antitrust case against Microsoft that resulted in a $613 million judgment against Gates’s corporation;
Many geeks . . . share of the market, Vixie, Wesson, DiMino, Ludwig, Porras; there is evidence for Microsoft’s claim that it is most targeted because it is large. As Apple’s share of the market has grown in recent years, so has its share of problems with malware; see http://www.betanews.com/article/Apples-Mac-Defender-patch-is-already-worthless/1306953026;
. . . the size of the Redmond campus . . . of the interface, Microsoft. I visited the Redmond campus in 2010 to meet with Campana, and my descriptions of the place here and earlier are drawn from that visit;
He does not look like . . . less sophisticated crooks, Campana, Porras, DiMino, Porras;
In September 2008 . . . the lock had been picked, Campana, Porras, Saidi, Reavey;
T.J. and his team . . . it just made things worse, Campana, DiMino, Stewart, Porras;
“If the bad people . . . wreak havoc,” Sites quoted in USA Today’s “Technology Live,” October 23, 2008, “Microsoft Issues Security Patch for Giant Hole,” by Michelle Kessler;
Twenty-eight days . . . Campana; Campana.

Chapter 3: Remote Thread Injection

“If he came here . . . imagine, sir,” “The Amazing X-Men,” Marvel Comics, March 1995;
Hassen Saidi . . . burn it down, Saidi;
At the down . . . more ambitious, Stewart, Joffe;
Cyberattacks were launched, for more on cyberattacks in Estonia see the BBC report from May 17, 2007, “Cyber Raiders Hitting Estonia,” http://news.bbc.co.uk/2/hi/europe/6665195.stm; for Georgia attacks see the Washington Post’s Brian Krebs, October 16, 2008, “Russian Hacker Forums Fueled Georgia Cyber Attacks,” http://voices.washingtonpost.com/securityfix/2008/10/report_russian_hacker_forums_f.html; for more on Stuxnet see the New York Times report by William J. Broad, John Markoff, and David Sanger, January 15, 2011, “Israeli Test on Worm Called Crucial in Iran Nuclear Delay,” http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&ref=siemensag; for more on the Zeus Trojan see the New York Times story by John Markoff, February 18, 2010, “Malicious Software Infects Computers,” http://www.nytimes.com/2010/02/19/technology/19cyber.html?scp=8&sq=Zeus%20Trojan&st=Search;
The stakes are high . . . maddeningly literal, Porras, Saidi;
Bill Gates . . . precise statements, the “Programmers at Work” interview can be found at http://programmersatwork.wordpress.com/bill-gates-1976;
Say, for instance . . . protect its communications, Porras, Saidi;
Breaking codes . . . not be able to decode it, The Code Book, by Simon Singh, Anchor Books, 1999, pages 268–79;
This meant . . . botnet to last, Saidi;
Huge amounts of money, the report by Brian Krebs, “Massive Profits Fueling Rogue Antivirus Market,” was published March 16, 2009, http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html;
At first glance . . . getting started, Porras, Saidi. There remain alternative accounts of how Conficker got its name, but this one sounded the most plausible to me. I have also heard that the name was coined by researchers at F-Secure, but it seems clear that its origin is rooted in TrafficConverter.biz, the first malware contact made by the worm when it initiated.

Chapter 4: An Ocean of Suckers

Having mutant powers . . . others, “The X-Men Chronicles,” March 1995;
The idea . . . it’s a neat bit of work, The Shockwave Rider, John Brunner, Harper & Row, 1975, page 222; reference to Future Shock as a source is on the Acknowledgments page of Shockwave Rider; The Cuckoo’s Egg, by Cliff Stoll, Pocket Books, 2005;
The idea was called . . . surviving nodes, Where Wizards Stay Up Late, pages 54–66; my account of the evolution of Conficker comes primarily from interviews with Stewart, DiMino, and Porras, with specifics of the individual viruses and worms from Wikipedia entries for each. Wikipedia, while an unreliable source for many things, is, perhaps unsurprisingly, a comprehensive and reliable source for information about computers, computer history, and malware;
The next step . . . such an intrusion, “Access for Sale,” Schechter and Smith, 2003.
