Conficker’s rate of replication got everyone’s attention, so a loose-knit gaggle of geeky “good guys,” including Porras, Joffe, and DiMino, began picking the worm apart. The online-security community consists of software manufacturers like Microsoft, companies like Symantec that sell security packages to computer owners, large telecommunication registries like Neustar and VeriSign, nonprofit research centers like SRI International, and botnet hunters like Shadowserver. In addition to maintaining honeypots, these security experts operate “sandboxes”—isolated computers (or, again, virtual computers inside larger ones) where they can place a piece of malware, turn it on, and watch it run. In other words, where they can play with it.
They all started playing with Conficker, comparing notes on what they found, and brainstorming ways to defeat it. That’s when someone dubbed the group the “Conficker Cabal,” and the name stuck, despite discomfort with the darker implications of the word. Here are some of the things the cabal discovered about the worm in those first few weeks:
• It patched the hole it came through, the MS08-067 vulnerability in the Windows Server service reached over port 445, making sure it would not have to compete with other worms. This was smart, because surely other hackers had seen security bulletin MS08-067.
• It tried to prevent communication with security providers (many computer users subscribe to commercial services that regularly update antivirus software).
• When it started, if the IP address of the infected computer was Ukrainian, the worm self-destructed. When in attack mode, searching for other computers to infect, it skipped any with a Ukrainian IP address.
• It disabled the Windows “system restore” points, a useful tool that lets users with little expertise simply reset an infected machine to a date prior to its infection. (System restore is one of the easiest ways to clean up a machine.)
All of these things were clever. They indicated that Conficker’s creator was up on all the latest tricks. But the main feature that intrigued the cabal was the way the worm called home. This is, of course, what worms designed to create botnets do. They settle in and periodically contact a command center to receive instructions. Botnet hunters like DiMino regularly wipe out whole malicious networks by deciphering the domain name of the command center and then getting it blocked. In the old days, this was easier because malware pointed to only a few IP addresses, which could be blocked by hosting providers and Internet service providers. The newer worms like Conficker bumped the game up to a higher level, generating domain names that involve many providers and a wide range of IP addresses, and that security experts can block only by contacting Internet registries—organizations that manage the domain registrations for their realm. But Conficker did not call home to a fixed address.
Shortly after it was discovered, the worm began performing a new operation: generating a list of domain names seemingly at random, 250 a day across five top-level domains (top-level domains are defined by the final letters in a Web address, such as .com or .edu or .uk). The worm would then go down the list until it hit upon the one connected to its remote controller’s server. All Conficker’s controller had to do was register one of the addresses, which can be done for a fee of about $10, and await the worm’s regular calls. If he wished, he could issue instructions. It was as if the boss of a crime family told his henchmen to check in daily by turning to the bottom of a certain page in each day’s Racing Form, where there would be a list of potential numbers. They would then call each number until the boss picked up. So it was not apparent from day to day where the worm would call home.
With the Racing Form trick, if you were a cop and were tipped off where to look, you might arrange with the paper’s publisher to see the page before it was printed, and thus be one step ahead of the henchmen and their boss. To defeat Conficker, the geeks would have to figure out in advance what the numbers (or, in this case, domain names) would be, and then hustle to either buy up or contact every one, block it, or cajole whoever owned it to cooperate before the worm “made the call.”
Michael Ligh, a young Brooklyn researcher employed by the computer-security company iDefense, is one of several people who went to work unraveling Conficker’s methods. Ligh and others had seen algorithms for random-domain-name generation before, and most were keyed to the infected computer’s clock. If new places to call home must be generated every day, or every few hours, then the worm needs to know when to perform the procedure. So the malware simply checks the time on its host computer. This provided the good guys with a tool to defeat it. They turned the clock forward on their sandbox computer, forcing their captured strain of the worm to spit out all the domain names it would generate for as long into the future as they cared to look. It was like stealing the teacher’s edition of a classroom textbook, the one with all the answers to the quizzes and tests printed in the back. Once you knew all the places the malware would be calling, you could cordon off those sites in advance, effectively stranding the worm.
Conficker had an answer for that. Instead of trusting the infected computer’s clock, the worm took the date from the replies of popular corporate home pages, like Yahoo, Google, or Microsoft’s own msn.com (every Web server stamps its responses with the current date and time).
“That was interesting,” Ligh said. “There was no way we could turn the clock forward on Google’s home page.”
So there was no easy way to predict the list of domain names in advance. But there was a way. The first step was to set up a proxy server to, in effect, intercept the time update from the big corporate Web site before it got back to the worm, alter the information, and then send it on. You could then tell the worm it was a date sometime in the future, and the worm would spit out the domain names for that date. This was a tedious way to proceed, since you could generate only one set of new domain names at a time. So Ligh and other researchers reverse-engineered the worm’s algorithm, extracted the time-update function, and wedded it to a piece of code they could control. They instructed their copy to generate the future lists in advance. They could then buy up or block all the sites, and direct all the worm’s communications into a “sinkhole,” a dead-end location where calls go unanswered. Conficker’s creators had deliberately made the task so onerous and expensive that no one would go to the trouble of blocking all possible command centers.
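As an added example, not from the article and not Conficker’s own code, here is a toy date-keyed domain generation algorithm in Python, together with the two defender moves the preceding paragraphs describe: rewriting the date a bot fetches from a trusted Web site, and running the extracted generator over a window of future dates. The generator (SHA-256 in counter mode), the embedded key, the name lengths, the TLD list and the 250-per-day count are constructed assumptions chosen for illustration; Conficker’s real algorithm differs.

```python
import hashlib
from datetime import date, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Iterator, List

TLDS = ["com", "net", "org", "info", "biz"]  # five TLDs, as the article describes for the first version
NAMES_PER_DAY = 250
KEY = b"toy-dga-key"                        # constructed; a real worm embeds its own constant


def _byte_stream(seed: bytes) -> Iterator[int]:
    """Deterministic byte stream: SHA-256 of seed||counter, in counter mode."""
    counter = 0
    while True:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
        yield from block


def domains_for(day: date) -> List[str]:
    """Every rendezvous name a bot will try on `day`. The only inputs are the date
    and the embedded key, which is why the list can be computed in advance."""
    stream = _byte_stream(KEY + day.isoformat().encode())
    names = []
    for _ in range(NAMES_PER_DAY):
        length = 8 + next(stream) % 4                     # 8..11 letters
        label = "".join(chr(ord("a") + next(stream) % 26) for _ in range(length))
        names.append(f"{label}.{TLDS[next(stream) % len(TLDS)]}")
    return names


def bot_today(http_date_header: str) -> date:
    """Bot side: trust the Date header of a big site's reply, not the local clock."""
    return parsedate_to_datetime(http_date_header).date()


def proxy_rewrite(http_date_header: str, new_day: date) -> str:
    """Defender side, trick one: the intercepting proxy keeps the time of day but
    substitutes the date, so the captured worm emits a future day's list."""
    dt = parsedate_to_datetime(http_date_header).replace(
        year=new_day.year, month=new_day.month, day=new_day.day, tzinfo=timezone.utc)
    return format_datetime(dt, usegmt=True)


def precompute(start: date, days: int) -> Dict[date, List[str]]:
    """Defender side, trick two: with the generator extracted, run it over a whole
    window of dates and hand the lists to registries and sinkhole operators."""
    return {start + timedelta(d): domains_for(start + timedelta(d)) for d in range(days)}


if __name__ == "__main__":
    header = "Mon, 01 Dec 2008 12:00:00 GMT"          # constructed sample reply header
    print("bot thinks today is", bot_today(header))
    print("after proxy rewrite:", bot_today(proxy_rewrite(header, date(2009, 4, 1))))
    for day, names in precompute(date(2009, 4, 1), 2).items():
        print(day, names[:3], "...")
```

Once the generator has been lifted out of the binary, precompute is all a defender needs; the proxy rewrite only matters while the generator still lives inside the captured worm and must be coaxed one day at a time.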
Or so they thought. The cabal, through a determined and unprecedented effort, did manage to cordon off the worm. By the end of 2008, Conficker had infected an estimated 1.5 million machines worldwide, but it was on its way to full containment. In the great chess match, the good guys had called “Check!”
Then the worm turned.
On December 29, 2008, a new version of Conficker showed up, and if the geeks had been intrigued with the original version, they now experienced something more akin to respect … mingled with fear.
One of the early theories about the worm was that it had slipped out of a computer-science lab, the product of some fooling-around by a sophisticated graduate student or group of students. They had loosed it on the world inadvertently, or maybe on purpose as a prank or experiment without realizing how effective it would be. This hypothesis appealed to optimists.
The new version of the worm, Conficker B, exploded the benevolent-accident theory. It was clear that the worm’s creator had been watching every move the good guys made, and was adjusting accordingly. He didn’t care that the good guys could predict its upcoming lists of domain names. He just rejiggered the worm to spread the new lists out over eight top-level domains instead of five, making the job of blocking them far more difficult. The worm had no trouble contacting all of these locations. If it received no command from one, it simply tried the next one on its list. Conficker B could go on like this for months, even years. It had to find its controller only once to receive instructions.
“That’s a high number,” Rodney Joffe, of Neustar, told me. “The cops will get sick and tired of knocking on 250 doors a day and finding there’s no one there. And if I’m the chief bad guy, all I have to do is be behind one of those doors on one of those days.”
There were other improvements to Conficker. Among them: besides shutting down whatever security software was installed on the computer it invaded and blocking its connections to computer-security Web sites, it stopped the computer from reaching Microsoft to perform Windows updates. So even though Microsoft was providing patches, the infected machines could not get to them. It also removed a Windows limit on the number of simultaneous outbound connection attempts, so that it could scan for new victims faster, and it began to spread in additional ways, including via USB drives. This last innovation meant that even “closed” computer networks, those with no connection to the Internet, were vulnerable, since users who cannot readily move files from point to point over the Web often store and carry them on small USB drives. A USB drive that had been plugged into an infected computer could carry the worm into an entire closed network.
All of this was impressive—but something else stopped researchers cold. Analysts with Conficker B isolated in their sandboxes could watch it regularly call home and receive a return message. The exchange was in code, and not just any code.
Breaking codes used to be the province of clever puzzle masters, who during World War II devised encryption and code-breaking methods so elaborate that operators needed machines to do the work. Computers today can perform so many calculations so fast that, in principle, any cipher can be broken by what computer scientists call “brute force”: trying every possible key systematically until the right one turns up. The game is to make the space of possible keys so large that the computing power needed to search it renders the effort pointless; the “thief” would have to spend more to obtain the prize than the prize is worth. In his 1999 history of code-making and -breaking, The Code Book, Simon Singh wrote: “It is now routine to encrypt a message [so securely] that all the computers on the planet would need longer than the age of the universe to break the cipher.”
The basis for much of modern public-key cryptography is the RSA method, published in 1977 by three researchers at MIT: Ron Rivest (the primary author), Adi Shamir, and Leonard Adleman. Rivest also designed a widely used family of cryptographic hash functions, the “message digest” algorithms MD4 and MD5, which compress a message of any length into a short fingerprint that changes unpredictably if even one bit of the message changes; a hash does not hide a message, but it lets a recipient detect tampering and, combined with a signature, verify who sent it. The National Institute of Standards and Technology publishes the Federal Information Processing Standards, which define the cryptographic algorithms that government agencies must use to protect information, and for its most important choices it has run open international competitions among the world’s top cryptologists; because of the scrutiny that goes into them, the winning entries become de facto worldwide standards. The current federal hash standard, SHA-2 (Secure Hash Algorithm–2), and its predecessor SHA-1 were designed at the National Security Agency rather than chosen by competition, though both descend from the structure of Rivest’s MD4. The international competition to choose a successor, to be called SHA-3, had been under way for several years and was tentatively scheduled to conclude in 2013.
Rivest’s proposal for the new standard, MD-6 (Message Digest–6), was submitted in the fall of 2008, about a month before Conficker first appeared, and began undergoing rigorous peer review—the very small community of high-level cryptographers worldwide began testing it for flaws.
Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”
So when the new version of Conficker appeared and the scheme protecting its communication employed MD-6, Rivest’s proposal for SHA-3 (as a hash function, MD-6 does not scramble a message; it fingerprints it, and the fingerprint can then be signed so that a bot can verify an update truly came from its controller), the cabal’s collective mind was blown.
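As an added example, not the article’s material and not Conficker’s code, here is the hash-then-sign pattern that is the standard role for a hash function like MD-6 in an update channel: the controller signs a fingerprint of each payload, and a bot acts on the payload only if the signature verifies. The example is Python with SHA-256 standing in for MD-6 (the standard library has no MD-6) and a deliberately tiny, fixed RSA key so that it runs offline; the key size, the padding-free signature and the assumption that the payload travels in the clear are all toy choices, and the article does not describe the exact scheme the worm used.

```python
import hashlib
from typing import Optional

# Constructed toy RSA key. P and Q are known primes; the ~60-bit modulus is
# trivially factorable and exists only to make the arithmetic visible.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537                     # public exponent, shipped inside every bot
_PHI = (P - 1) * (Q - 1)
D = pow(E, -1, _PHI)          # private exponent; only the controller holds this


def digest(payload: bytes, hash_name: str = "sha256") -> int:
    """Fingerprint of the payload, reduced mod N (toy; real schemes pad instead)."""
    h = hashlib.new(hash_name, payload).digest()
    return int.from_bytes(h, "big") % N


def sign(payload: bytes) -> int:
    """Controller side: sign the digest with the private exponent."""
    return pow(digest(payload), D, N)


def verify(payload: bytes, signature: int) -> bool:
    """Bot side: anyone holding the public key (E, N) can check the signature."""
    return pow(signature, E, N) == digest(payload)


def bot_receive(payload: bytes, signature: int) -> Optional[bytes]:
    """What an infected machine does with a fetched update: act on it only if the
    signature checks out, otherwise discard it and move on to the next domain."""
    return payload if verify(payload, signature) else None


def researcher_attempt(captured_signature: int, forged_payload: bytes) -> bool:
    """A researcher in the sandbox sees the same bytes the bot does and can read
    them, but without D can only replay a captured signature on a substituted
    payload. Returns whether the bot would accept the forgery."""
    return verify(forged_payload, captured_signature)


if __name__ == "__main__":
    cmd = b"update: fetch and run binary v2"        # constructed sample payload
    sig = sign(cmd)
    print("bot accepts genuine update:", bot_receive(cmd, sig) is not None)
    print("bot accepts forged update: ", researcher_attempt(sig, b"update: run sinkhole binary"))
```

The asymmetry is the point the cabal ran into: a researcher who captures the traffic can verify and read what the bot reads, but without the private exponent cannot make a bot accept a substitute command, so the only way to strand the worm is to keep it from ever reaching a real controller.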
“It was clear that these guys were not your average high-school kids or hackers or predominantly lazy,” Joffe told me. “They were making use of some very, very sophisticated techniques.
“Not only are we not dealing with amateurs, we are possibly dealing with people who are superior to all of our skills in crypto,” he said. “If there’s a surgeon out there who’s the world’s foremost expert on treating retinitis pigmentosa, he doesn’t do bunions. The guy who is the world expert on bunions—and, let’s say, bunions on the third digit of Anglo-American males between the ages of 35 and 40, that are different than anything else—he doesn’t do surgery for retinitis pigmentosa. The knowledge it took to employ Rivest’s proposal for SHA-3 demonstrated a similarly high level of specialization. We found an equivalent of three or four of those in the code—different parts of it.
“Take Windows,” he explained. “The understanding of Windows’ operating system, and how it worked in the kernel, needed that kind of a domain expert, and they had that kind of ability there. And we realized as a community that we were not dealing with something normal. We’re dealing with one of two things: either we’re dealing with incredibly sophisticated cyber criminals, or we’re dealing with a group that was funded by a nation-state. Because this wasn’t the kind of team that you could just assemble by getting your five buddies who play Xbox 360 and saying, ‘Let’s all work together and see what we can do.’”
The plot thickened: it turned out that Rivest’s proposal, MD-6, had a flaw. Reviewers in the competition had duly gone to work on it, and one found a bug in the published reference implementation, a buffer overflow in the very code that anyone adopting MD-6, apparently including Conficker’s author, would have copied. In early 2009, Rivest’s team quietly published a corrected version. This gave the cabal an opening. If the original MD-6 code was flawed, then so was the copy embedded in Conficker B. If they could use that flaw to eavesdrop on, or interfere with, the communications between Conficker and its mysterious controller, they might be able to figure out who he was, or who they were. How likely was it that the creator of Conficker would know about the flaw discovered in MD-6?
Once again, the good guys had the bad guys in check.
About six weeks later, another new version of the worm appeared.
It employed Rivest’s revised MD-6 proposal.