The first surprising thing about the worm that landed in Philip Porras’s digital petri dish 18 months ago was how fast it grew.
He first spotted it on Thursday, November 20, 2008. Computer-security experts around the world who didn’t take notice of it that first day soon did. Porras is part of a loose community of high-level geeks who guard computer systems and monitor the health of the Internet by maintaining “honeypots,” unprotected computers irresistible to “malware,” or malicious software. A honeypot is either a real computer or a virtual one within a larger computer designed to snare malware. There are also “honeynets,” which are networks of honeypots. A worm is a cunningly efficient little packet of data in computer code, designed to slip inside a computer and set up shop without attracting attention, and to do what this one was so good at: replicate itself.
Most of what honeypots snare is routine, the viral annoyances that have bedeviled computer-users everywhere for the past 15 years or so, illustrating the principle that any new tool, no matter how useful to humankind, will eventually be used for harm. Viruses are responsible for such things as the spamming of your inbox with penis-enlargement come-ons or million-dollar investment opportunities in Nigeria. Some malware is designed to damage or destroy your computer, so once you get the infection, you quickly know it. More-sophisticated computer viruses, like the most successful biological viruses, and like this new worm, are designed for stealth. Only the most technically capable and vigilant computer-operators would ever notice that one had checked in.
Porras, who operates a large honeynet for SRI International in Menlo Park, California, noted the initial infection, and then an immediate reinfection. Then another and another and another. The worm, once nestled inside a computer, began automatically scanning for new computers to invade, so it spread exponentially. It exploited a flaw in Microsoft Windows, particularly Windows 2000, Windows XP, and Windows Server 2003—some of the most common operating systems in the world—so it readily found new hosts. As the volume increased, the rate of repeat infections in Porras’s honeynet accelerated. Within hours, duplicates of the worm were crowding in so rapidly that they began to push all the other malware, the ordinary daily fare, out of the way. If the typical inflow is like a stream from a faucet, this new strain seemed shot out of a fire hose. It came from computer addresses all over the world. Soon Porras began to hear from others in his field who were seeing the same thing. Given the instant and omnidirectional nature of the Internet, no one could tell where the worm had originated. Overnight, it was everywhere. And on closer inspection, it became clear that voracity was just the first of its remarkable traits.
Various labs assigned names to the worm. It was dubbed “Downadup” and “Kido,” but the name that stuck was “Conficker,” which it was given after it tried to contact a fake security Web site, trafficconverter.biz. Microsoft security programmers shuffled the letters and came up with Conficker, which stuck partly because ficker is German slang for “motherfucker,” and the worm was certainly that. At the same time that Conficker was spewing into honeypots, it was quietly slipping into personal computers worldwide—an estimated 500,000 in the first month.
Why? What was its purpose? What was it telling all those computers to do?
Imagine your computer to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it works. From his wide swivel chair on the bridge, he can order it to fly, maneuver, and fight, but he cannot fully comprehend all its inner workings. The ship contains many complex, interrelated systems, each with its own function and history—systems for, say, guidance, maneuvers, power, air and water, communications, temperature control, weapons, defensive measures, etc. Each system has its own operator, performing routine maintenance, exchanging information, making fine adjustments, keeping it running or ready. When idling or cruising, the ship essentially runs itself without a word from Captain Kirk. It obeys when he issues a command, and then returns to its latent mode, busily doing its own thing until the next time it is needed.
Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses. Ensconced securely inside, he silently sets himself up as the ship’s alternate commander. He enlists the various operating functions of the ship to do his bidding, careful to avoid tripping any alarms. Captain Kirk is still up on the bridge in his swivel chair with the magnificent instrument arrays, unaware that he now has a rival in the depths of his ship. The Enterprise continues to perform as it always has. Meanwhile, the invader begins surreptitiously communicating with his own distant commander, letting him know that he is in position and ready, waiting for instructions.
And now imagine a vast fleet, in which the Enterprise is only one ship among millions, all of them infiltrated in exactly the same way, each ship with its hidden pilot, ever alert to an outside command. In the real world, this infiltrated fleet is called a “botnet,” a network of infected, “robot” computers. The first job of a worm like Conficker is to infect and link together as many computers as possible—the phenomenon witnessed by Porras and other security geeks in their honeypots. Thousands of botnets exist, most of them relatively small—a few thousand or a few tens of thousands of infected computers. More than a billion computers are in use around the world, and by some estimates, a fourth of them have been surreptitiously linked to a botnet. But few botnets approach the size and menace of the one created by Conficker, which has stealthily linked between 6 million and 7 million computers.
Once created, botnets are valuable tools for criminal enterprise. Among other things, they can be used to efficiently distribute malware, to steal private information from otherwise secure Web sites or computers, to assist in fraudulent schemes, or to launch denial-of-service attacks—overwhelming a target computer with a flood of requests for response. The creator of an effective botnet, one with a wide range and the staying power to defeat security measures, can use it himself for one of the above scams, or he can sell or lease it to people who specialize in exploiting botnets. (Botnets can be bought or leased in underground markets online.)
Beyond criminal enterprise, botnets are also potentially dangerous weapons. If the right order were given, and all these computers worked together in one concerted effort, a botnet with that much computing power could crack many codes, break into and plunder just about any protected database in the world, and potentially hobble or even destroy almost any computer network, including those that make up a country’s vital modern infrastructure: systems that control banking, telephones, energy flow, air traffic, health-care information—even the Internet itself.
The key word there is could, because so far Conficker has done none of those things. It has been activated only once, to perform a relatively mundane spamming operation—enough to demonstrate that it is not benign. No one knows who created it. No one yet fully understands how it works. No one knows how to stop it or kill it. And no one even knows for sure why it exists.
If yours is one of the infected machines, you are like Captain Kirk, seemingly in full command of your ship, unaware that you have a hidden rival, or that you are part of this vast robot fleet. The worm inside your machine is not idle. It is stealthily running, issuing small maintenance commands, working to protect itself from being discovered and removed, biding its time, and periodically checking in with its command-and-control center. Conficker has taken over a large part of our digital world, and so far most people haven’t even noticed.
The struggle against this remarkable worm is a sort of chess match unfolding in the esoteric world of computer security. It pits the cleverest attackers in the world, the bad guys, against the cleverest defenders in the world, the good guys (who have been dubbed the “Conficker Cabal”). It has prompted the first truly concerted global effort to kill a computer virus, extraordinary feats of international cooperation, and the deployment of state-of-the-art decryption techniques—moves and countermoves at the highest level of programming. The good guys have gone to unprecedented lengths, and have had successes beyond anything they would have thought possible when they started. But a year and a half into the battle, here’s the bottom line:
The worm is winning.