Worm: The First Digital World War
Author: Mark Bowden
Making computers easy for everyone to use was the germ of the idea that made Bill Gates and Paul Allen into two of the richest men in the world, but by inviting everybody to the computer revolution, they threw open the doors to the technologically ignorant, which is to say, most of us. This would prove to be enormously frustrating in later years to those who understood most and cared most about the Internet. If everyone would only take simple precautions . . . but that was *never going to happen*. It had been tough enough to get users to pay attention when malware was primitive, when it stomped in with muddy boots and ground its heels into their hard drives. How were you going to get them to pay attention when the malware was so stealthy that only the most alert and well-trained technician could detect it? When the thing to be protected was not so much the individual PC as the Internet itself? People simply would never understand, and even if they did, they lacked discipline. In a free society, you could not reach in and update their software for them—just imagine the howls of indignation, the bad PR, the class-action lawsuits! Big Brother tickling the innards of your very own machine? It was about as clear a violation of the techno-utopian ideal as could be imagined. The implication was that this billion-headed, globally connected marvel would always be vulnerable, and not just to predation. It could be weaponized. It could be crippled or even crashed at the whim of some technically proficient cybergang or perhaps even by some borderline Asperger’s teenager who woke up on the wrong side of the bed. And even when you did everything right, even when you anticipated the exploit and turned out the patch in record time, *it just made things worse!*
Sure enough, as soon as MS08-067 appeared, demand for the Chinese exploit kit grew so fast that its creators began giving it away. There was a new outbreak of Gimmiv in Asia. Security experts were not too worried about Gimmiv, which was amateurish, but they could see the potential.
“If the bad people find out how to use this, we’re in big trouble,” wrote Eric Sites, a researcher for Sunbelt, a security software firm. He warned that a better-designed piece of malware, like a worm, “could be created very easily and wreak havoc.”
Twenty-eight days after MS08-067 appeared, the very thing popped up on Phil Porras’s Infections Log at SRI, and started burrowing its way into unprotected computers everywhere.
And nobody, nobody, was less surprised than T. J. Campana.
3
Remote Thread Injection
“IF HE CAME HERE IT WAS FOR A *REASON*.”
“A *DARKER* REASON THAN YOU CAN IMAGINE, SIR.”
—The Amazing X-Men
Hassen Saidi took it personally when the worm shrugged off SRI’s unpacking software.
The tool to pry open malware, to slice right through the layers of protective and deceptive coding, had been created by Hassen, along with Monirul Sharif, a graduate assistant. They called it Eureka. Any malware that resisted it was a personal challenge, and an opportunity to improve Eureka.
Hassen is the data flow analyst on Phil Porras’s staff. He is a native of Algeria who migrated to Menlo Park after earning his doctorate in computer science in France. He’s firmly in the Internet idealist camp. He sees the web as one of the most revolutionary developments in human history, and regards the efforts of criminals, nihilists, and terrorists to prey on it as reprehensible. More and more, the world as we know it depends on the smooth interaction of computers. The Internet has become the collective mind of humanity, its eyes and ears and memory. As old paper repositories convert to digital storage, and as the new trail of modern civilization increasingly inhabits the digital realm, it has become, in a sense, the new Library of Alexandria. Better than most, security pros like Hassen recognize how easy it would be to burn it down.
At the dawn of the computer age, hackers were mostly a nuisance, motivated by a desire to show off. Today the most serious computer predators are funded by rich criminal syndicates and even nation-states, and their goals are far more ambitious. Cyberattacks were launched at digital networks in Estonia by ethnic Russian protesters in 2007 and in Georgia before Russia attacked that country in 2008; and someone, probably Israel or the United States (or both), successfully loosed a worm called Stuxnet in 2010 to sabotage computer-controlled uranium centrifuges inside Iran’s secretive nuclear program. Botnets have been employed in lucrative global scams and syndicates. As of October 2010, the Zeus Trojan, a kit that can be used to create a botnet, was responsible for infecting nearly four million computers in the United States alone. One Zeus-based scam was discovered to have plundered more than $70 million from the bank accounts of tens of thousands of unwitting victims. Those behind such efforts are often every bit as skilled as those charged with stopping them. The two sides in this war are fellow members of the Geek Tribe engaged in a highly cerebral and esoteric contest at the cutting edge of computer programming.
The stakes are high. Staying one step ahead of the botmaster, the “miscreants,” or “bad guys,” or “black hats,” as the security community dubs them, is a constant challenge. The obscure work these experts do, the work that is so hard for most people to understand, may not be as romantic or physically daring as the work of the pilots who flew those fighters on Phil Porras’s office wall, or the assault force in 2011 that killed Osama Bin Laden in Pakistan, but it is every bit as vital and compelling. The threat may be virtual, but the consequences would be all too real. A successful computer attack could compromise nuclear reactors, electrical grids, transportation networks, pipelines—you name it. Earlier this year, the Pentagon formulated its first-ever formal cyberstrategy, which found that a cyberattack on the United States originating in another country would be considered as much an act of war as dropping bombs on Buffalo, one that would justify a traditional military response. It is, of course, always easier to tear something down than to build it up, easier to break into a computer than to protect it, so the good guys work at a constant disadvantage. The tide of malware is relentless. Battling it without losing heart requires both steadfast resolve and, at some level, faith in man’s essential goodness.
With dark semicircles under his big brown eyes, Hassen has the look of the creature Weizenbaum sketched back in 1976, a man who spends too many hours bathed in the light of a computer screen. He is forty, with thick brown curls that have begun to gray at the temples. His aptitude and learning have been seasoned with decades of experience. He has honed one very specific skill to a fine art. If he is not the best at what he does, he would like to know who is.
Hassen pursued computer studies in part to avoid direct competition within his accomplished family. His father is a professor of literature and his mother an elementary school teacher. Five of his siblings have earned PhDs in various disciplines. Two of his older brothers were mathematicians, so when he graduated from high school he decided to go a different way. The math brothers advised computer science, a growing field with plenty of opportunities for both study and employment, and Hassen heeded them, even though he had no particular love for computers, a circumstance that makes him different from most of those working at his level. After SRI recruited him from the French lab, he spent several years in Menlo Park focusing on programming languages and computer reliability, but realized gradually that the real action was in the malware wars. He talked his way into the job, convincing Phil that his cutting-edge programming skills were ideally suited to dissecting the newest strains of malware. Nowadays when people ask him what he does for a living, he says, “I track criminals.”
If they press for more detail, he’ll confess that his crime fighting is relegated to the virtual space inside SRI’s computer network, “tracking viruses.” Further explanation produces the Glaze.
“At that point,” he says, “they’re not interested.”
But how could anything be more interesting? A malicious program that appears impervious to dissection is the handiwork of someone, or some group, trying to prey on honest citizens in the global community, which is to say that the predator is trying, ultimately, to outsmart *him*. Hassen is that rare program analyst who is comfortable working not just with source code, any of the many programming languages, but with “object code,” the long strings of ones and zeros at the core of machine instruction. At that primary layer, a program’s intent cannot be disguised or obfuscated. Once Hassen sinks his teeth into a piece of malware, the question is not *if* he can unpack and dissect it, but how long it will take him to do so.
What makes it hard, and what makes Hassen’s world so devilishly difficult to understand, is not just the complexity of modern computer operating systems, but the fact that much of what takes place inside them can be grasped and described only conceptually. Software is abstract. It’s also very real, of course, but not real the way an internal combustion engine is real. Inside an operating system there are no visible moving parts. It is a world of electromagnetic charges orchestrated to move along pathways that make decisions and create “memory.” There are many levels of memory, from the kind that sticks around on a hard drive forever to the kind that is so evanescent it exists for only microseconds, for as long as it takes a computer to step through some lightning-fast computation.
Every program is ultimately a list of instructions written in the ones and zeros of object code, which represent slightly different electrical charges. It breaks down complex tasks into a series of steps so basic that they can be expressed in a long series of binary decisions, or logic gates, which are executed by the computer’s central processing unit (CPU). The art of programming is breaking complex tasks into these fundamental steps. It is maddeningly precise work, because computers are maddeningly literal. Bill Gates once said, “Most great programmers have some mathematical background, because it helps to have studied the purity of proving theorems, where you don’t make soft statements, you only make precise statements.” Say, for instance, your body was a machine with a CPU, which, in a sense, it is, and you wished to stand up from a chair, walk across the room, and fix a cup of coffee. You would begin by telling each of the dozens of muscles involved in rising from a seated position to perform their functions, flex or relax, while monitoring balance readings from your inner ear and rerouting orders for muscular adjustments to make sure you don’t fall over sideways. By the time you have walked across the room, reached up to remove a cup from the cupboard, picked up the coffeepot, etc., you have executed a blizzard of binary decisions. The various source codes, or computer languages, are shorthand versions of object code, designed to make a program accessible to human programmers. If standing up and crossing the room and pouring a cup of coffee constitute a routine task, it might be rendered in source code simply as “get coffee,” which automatically refers the CPU to a standard predetermined sequence (we have all experienced the sensation of performing quotidian tasks on autopilot).
But in order to perform even the simplest of tasks, the computer, just like the mind of a man crossing the room to pour a cup of coffee, must remember things, sometimes for split seconds, sometimes for longer. To make the cup of coffee we must access core memories, like which ingredients to mix and in what amounts, or how to operate the coffeemaker; and to stand and cross the room, to lift and to pour, we must create transient memories, like those continual readings from the inner ear to maintain balance. Inside the operating system of a modern computer there are similar multilayered memory functions operating simultaneously, along pathways meticulously prescribed by the program.
To understand this new worm, either Hassen had to set it running and carefully observe it step by step, a dynamic analysis; or he had to, in effect, unspool its programming language so that he could read it, step by painstaking step, a static analysis. But first he had to find it. The worm may have been cunningly packed, but if it was to do its thing inside its host, the infected computer itself had to recognize how to open it. If you could watch that happen, step by step, you would learn how to unpack it yourself. But where inside the operating system of a newly infected computer did the worm hatch?
Malware is packed for two reasons. First, for compression, because to disseminate widely around the Internet the data packet needs to be small. Second, for self-protection, to make it harder for antivirus software to recognize it and for someone like Hassen to take it apart and study it. The worm itself consisted of only a few hundred lines of code, no more than thirty-five kilobytes, slightly smaller than a two-thousand-word document. The average home computer today has about two gigabytes of memory, well over 1.5 million times greater. If you were not looking for it, and unless you knew *how* to look for it, you would never see it. The worm drifts in like a mote. In order to prevent the kind of analysis Hassen wished to perform, its designers had made it particularly hard to follow once it entered a new machine. They had, in effect, covered the worm’s tracks, and they had provided a false trail to throw pursuers off the scent. They also applied a dual-layer encryption method, like Russian nesting dolls, capable of defeating most unpacking software and security ninjas.
Most.
Hassen is not easily fooled. He minutely traced the code’s tricky pathway into his virtual computer. The worm used the Chinese Exploit to enter Port 445, taking advantage of the buffer overflow to write itself in as a Dynamic-Link Library (DLL)—the device Microsoft programmers crafted to enable computers to exchange data. Regular users know nothing about program languages or varying exchange protocols. They just want the thing to run. So Microsoft invented a way to bundle executable programs and data, the DLL, that allows them to be smoothly exchanged by computers on different networks. Once inside, the worm (now a DLL) proceeded along a standard path. It was directed to `svchost.exe` (short for “Service Host”), which is a check-in point for incoming files of this type. Svchost then ran its “LoadLibrary” function, which does what it says it does: it loads the new file.