The last word: The ultimate computer worm?
THE FIRST SURPRISING thing about the worm that landed in Philip Porras’ digital petri dish 18 months ago was how fast it grew.
He first spotted it on Thursday, Nov. 20, 2008. Computer-security experts around the world who didn’t take notice of it that first day soon did. Porras is part of a loose community of high-level geeks who guard computer systems and monitor the health of the Internet by maintaining “honeypots,” unprotected computers irresistible to “malware,” or malicious software. There are also “honeynets,” which are networks of honeypots.
Most of what honeypots snare is routine, the viral annoyances that have bedeviled computer users everywhere for the past 15 years or so—things such as the spamming of your inbox with penis-enlargement come-ons. Some malware is designed to damage or destroy your computer, so once you get the infection, you quickly know it. A worm is more sophisticated: It is a cunningly efficient little packet of data that is designed to slip inside a computer and set up shop without attracting attention, and to do what this new one was so good at—replicate itself.
Porras, who operates a large honeynet for SRI International in Menlo Park, Calif., noted the initial infection, and then an immediate reinfection. Then another and another. The worm, once nestled inside a computer, began automatically scanning for new computers to invade, so it spread exponentially. It exploited a flaw in Microsoft Windows, particularly Windows 2000, Windows XP, and Windows Server 2003—some of the most common operating systems in the world—so it readily found new hosts. If the typical inflow of malware is like a stream from a faucet, this new strain seemed shot out of a fire hose. Soon Porras began to hear from others in his field who were seeing the same thing. Overnight, the worm was everywhere. And on closer inspection, it became clear that voracity was just the first of its remarkable traits.
Various labs assigned names to the worm. It was dubbed “Downadup” and “Kido,” but the name that stuck was “Conficker,” which it was given after it tried to contact a fake security website, TrafficConverter.biz. The name stuck in part because ficker is German slang for “motherf---er,” and the worm was certainly that. At the same time that Conficker was spewing into honeypots, it was quietly slipping into personal computers worldwide—an estimated 500,000 in the first month.
Why? What was its purpose? What was it telling all those computers to do?
IMAGINE YOUR COMPUTER to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex that even an experienced commander like Capt. James T. Kirk has only a general sense of how every facet works. From his wide swivel chair on the bridge, he can order it to fly, maneuver, and fight, but he cannot fully comprehend all its inner workings. The ship contains many complex systems, each with its own function and history—systems for, say, guidance, maneuvers, and communications. Each system has its own operator, performing routine maintenance, exchanging information, making fine adjustments. When idling or cruising, the ship essentially runs itself without a word from Kirk.
Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses, then silently sets himself up as the ship’s alternate commander. Meanwhile, he begins surreptitiously communicating with his own distant commander, letting him know that he is in position and ready, waiting for instructions.
And now imagine a vast fleet, in which the Enterprise is only one ship among millions, each ship with its hidden pilot, ever alert to an outside command. In the real world, this infiltrated fleet is called a “botnet,” a network of infected, “robot” computers. The first job of a worm like Conficker is to infect and link together as many computers as possible—the phenomenon witnessed by Porras in his honeypots. Thousands of botnets exist. By some estimates, a quarter of the more than 1 billion active computers in the world have been surreptitiously linked to a botnet. But few botnets approach the size and menace of the one created by Conficker, which has stealthily linked between 6 million and 7 million computers.
Once created, botnets are valuable tools for criminal enterprise. Among other things, they can be used to efficiently distribute malware, to steal private information, or to launch denial-of-service attacks—overwhelming a target computer with a flood of requests for response. The creator of a botnet can use it himself for one of the above scams, or he can sell or lease it to people who specialize in exploiting botnets.
Beyond criminal enterprise, botnets are also potentially dangerous weapons. If the right order were given, and all these computers worked together, a botnet with that much computing power could potentially hobble or even destroy almost any computer network, including those that make up a country’s vital modern infrastructure: systems that control banking, telephones, energy flow, air traffic, health-care information—even the Internet itself.
The key word there is could, because so far Conficker has done none of those things. It has been activated only once, to perform a relatively mundane spamming operation—enough to demonstrate that it is not benign. No one knows who created it. No one knows how to stop it or kill it. And no one even knows for sure why it exists.
The struggle against this remarkable worm is a sort of chess match pitting the cleverest attackers in the world against the cleverest defenders in the world, many of whom are volunteers. The good guys—who have been dubbed the “Conficker Cabal”—have gone to unprecedented lengths in this battle, and have had successes beyond anything they would have thought possible when they started.
But a year and a half into the battle, here’s the bottom line: The worm is winning.
HERE ARE A few of the things that the geeky good guys discovered about the worm in the first weeks after it appeared: 1) It exploited a specific hole, Port 445, in the Microsoft operating systems. 2) It patched the hole it came through, making sure it would not have to compete with other worms. 3) It tried to prevent its host computers from receiving updated antivirus software.
These features, and others, were clever. They indicated that Conficker’s creator was up on all the latest tricks. But the main feature that intrigued the cabal was the way the worm “called home” to its command center. Botnet hunters regularly wipe out malicious networks by deciphering the domain name of the command center and then getting it blocked. But Conficker did not call home to any fixed address.
Instead, the worm generated a list, seemingly at random, of 250 domain names a day. The worm would then go down the list until it hit upon the one connected to its remote controller’s server. To communicate with the worm, all Conficker’s controller had to do was register one of those 250 addresses—which can be done for a fee of about $10—and await the worm’s calls. It was as if the boss of a crime family told his henchmen to check in daily by turning to the bottom of a certain page in each day’s Racing Form, where there would be a long list of potential numbers. They would then call each number until the boss picked up.
If you were a cop tipped off to the Racing Form trick, you might try to get a step ahead of the bad guys by arranging with the paper’s publisher to see the page before it was printed. Similarly, to defeat Conficker, the geeks had to figure out in advance what the domain names would be, and then hustle to either buy up or contact every one, block it, or cajole whoever owned it to cooperate before the worm “made the call.”
Conficker’s creators apparently believed that they had made the good guys’ task so onerous and expensive that no one would go to the trouble of blocking all possible command centers. But they underestimated their counterparts. By the end of 2008, Conficker had infected an estimated 1.5 million machines worldwide, but it was on its way to full containment.
Then the worm turned.
ONE OF THE early theories about the worm was that it had slipped out of a computer science lab, the product of some fooling around by a sophisticated graduate student or group of students. But new versions of Conficker that appeared in December 2008 and March 2009 exploded the benevolent-accident theory. The upgrades showed that the worm’s creator or creators had been watching every move the good guys made, and were adjusting accordingly.
Conficker C, which appeared in March 2009, was programmed to up the number of domain names it generated every day to 50,000. Preregistering 250 domain names a day at $10 a pop had been doable for the good guys. But 50,000? “The bar had been raised to a level that was almost insurmountable,” says Rodney Joffe, who heads the cabal’s formal Conficker Working Group.
The cabal quickly learned that the enhanced domain name–generating algorithm would click in on April 1. Apparently, and at long last, Conficker was going to be put to use on that date. But for what? The potential was scary. In advance of the doomsday date, the cabal mounted a heroic effort to shut down the worm’s potential command centers. “It was our finest hour,” Joffe says. When April 1 arrived, Conficker was able to find just one or two domain names that Joffe’s group had missed. It used that gap to do something unspectacular: It distributed a very conventional e-mail spam selling a fake anti-spyware program.
But something much more important happened, too. The updated worm didn’t just up the ante by generating 50,000 domain names daily; it effectively moved the game out of the good guys’ reach. The new version of Conficker introduced peer-to-peer communications, which meant the worm no longer relied on sneaking through unpatched holes in Windows; an infected computer spread the worm directly to every machine it interacted with. It also meant that Conficker no longer needed to call out to a command center for instructions; the instructions could be distributed directly, computer to computer. And since the worm no longer needed to call home, there was no longer any way to tell how many computers were infected.
In the great chess match, the worm had just pronounced “Checkmate.”
SO WHO IS behind Conficker? Ramses Martinez, director of information security for VeriSign, a major provider of Internet infrastructure, believes, as does Joffe, that Conficker could not have been written by an individual because its design required expertise in so many different disciplines. Martinez suspects that a group of skilled programmers either were hired by a criminal gang, or created the worm as their own illicit business venture. If that’s true, then the April 1 spam maneuver was like flexing Conficker’s pinkie—just a way of showing that the worm was fully operational and under their control.
As for its provenance, one early clue was a peculiarity in the worm’s code that made computers with active Ukrainian keyboards immune. Much of the world’s aggressive malware comes from Eastern Europe, where there are high levels of technical expertise, and also thriving organized criminal gangs.
Will the bad guys ever be caught? Martinez doesn’t think so. “Arrest them for what?” he says. “Is breaking into people’s computers even illegal where they’re from? Because in a lot of countries, it isn’t. So who’s going to arrest them, even if we know who they are?”
From a longer story that appears in June’s Atlantic Monthly. Used with permission. All rights reserved.