By early 2009, Conficker B had infected millions of machines. It had invaded the United Kingdom’s Defense Ministry. As CBS prepared a 60 Minutes segment on the worm, its computers were struck. In both instances, security experts scrambled to uproot the invader, badly disrupting normal functioning of the system. Conficker now had the world’s attention. In February 2009, the cabal became more formal. Headed initially by a Microsoft program manager, and eventually by Joffe, it became the Conficker Working Group. Microsoft offered a $250,000 bounty for the arrest and conviction of the worm’s creators.
The newly named team went to work trying to corral Conficker B. Getting rid of it was out of the question. Even though they could scrub it from an infected computer, there was no way they could scrub it from all infected computers. The millions of machines in the botnet were spread all over the world, and most users of infected ones didn’t even know it. It was theoretically feasible to unleash a counter-worm, something to surreptitiously enter computers and take out Conficker, but in free countries, privacy laws frown on invading people’s home computers. Even if all the governments got together to allow a massive attack on Conficker—an unlikely event—the new version of the worm had new ways of evading the threat.
Conficker C appeared in March 2009, and in addition to being impressed by its very snazzy crypto, the Conficker Working Group noticed that the new worm’s code threatened to up the number of domain names generated every day to 50,000. The new version would begin generating that many domain names daily on April 1. At the same time, all computers infected with the old variants of Conficker that could be reached would be updated with this new strain. The move suggested that the bad guys behind Conficker understood not just cryptology, but also the mostly volunteer nature of the cabal.
“You know you’re dealing with someone who not only knows how botnets work, but who understands how the security community works,” Andre’ DiMino told me. “This is not just a bunch of organized criminals that, say, commission someone to write a botnet for them. They know the challenges that the security community faces internally, politically, and economically, and are exploiting them as well.”
The bad guys knew, for instance, that preregistering even 250 domain names a day at $10 a pop was doable for the good guys. As long as the number remained relatively small, the cabal could stay ahead of them. But how could the good guys cope with a daily flood of 50,000? It would require an unprecedented degree of cooperation among competing security firms, software manufacturers, nonprofit organizations like Shadowserver, academics, and law enforcement.
“You can’t just register all 50,000—you’ve got to go one by one and make sure the domain name doesn’t already exist,” Joffe says. “And if it exists, you’ve got to make sure that it belongs to a good guy, not a bad guy. You’ve got to make a damn phone call for any of the new ones, and have to send someone out there to do it—and these are spread all over the world, including some very remote places, Third World countries. Now the bar had been raised to a level that was almost insurmountable.”
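The preregistration workflow Joffe describes, as an added example that is not from the article: a defender-side triage over a constructed day's worth of predicted rendezvous names (the domains, registrant names and trusted-holder list are all invented stand-ins), sorting them into names to buy, names already sinkholed by a partner, and names that need the phone call, with the $10-a-name cost projected for 250 versus 50,000 names a day.

```python
from collections import defaultdict

# Constructed sample input: a day's predicted rendezvous names (hypothetical,
# under the reserved .example TLD, not real Conficker output) and a WHOIS-style
# snapshot of who currently holds each one.
PREDICTED_DOMAINS = [
    "qzrtk.example", "mvhbo.example", "xlpwa.example",
    "dfnqe.example", "rsjyu.example", "ckgat.example",
]
REGISTRY_SNAPSHOT = {
    "mvhbo.example": "Shadowserver",            # already sinkholed by a partner
    "dfnqe.example": "unknown-registrant-77",   # held by someone unverified
    "ckgat.example": "Working Group sinkhole",
}
# Registrants the working group already trusts (constructed names).
TRUSTED_HOLDERS = {"Shadowserver", "Working Group sinkhole"}
PRICE_PER_DOMAIN = 10.0  # the $10-a-name figure quoted in the article


def triage(predicted, registry, trusted):
    """Sort a day's predicted names into the three actions Joffe describes.

    register: unowned, can be preregistered straight away
    held:     already in a trusted partner's hands, nothing to do
    verify:   registered by an unverified party, needs the phone call
    """
    buckets = defaultdict(list)
    for name in predicted:
        holder = registry.get(name)
        if holder is None:
            buckets["register"].append(name)
        elif holder in trusted:
            buckets["held"].append(name)
        else:
            buckets["verify"].append((name, holder))
    return dict(buckets)


def daily_cost(buckets, price=PRICE_PER_DOMAIN):
    """Registration spend for the day, ignoring manual verification labour."""
    return len(buckets.get("register", [])) * price


def projected_cost(domains_per_day, price=PRICE_PER_DOMAIN, days=30):
    """Worst-case monthly spend if every generated name had to be bought."""
    return domains_per_day * price * days


if __name__ == "__main__":
    result = triage(PREDICTED_DOMAINS, REGISTRY_SNAPSHOT, TRUSTED_HOLDERS)
    for action, names in result.items():
        print(f"{action}: {names}")
    print("today's registration cost:", daily_cost(result))
    print("250/day for a month:", projected_cost(250))
    print("50,000/day for a month:", projected_cost(50_000))
```

The verify bucket is the part that does not scale: each entry is a manual ownership check, which is the step Joffe says made 50,000 names a day almost insurmountable.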
The worm was already running rings around the good guys, and then, just for good measure, it planted a pie in their faces on, of all days, April 1. By playing with the new variant in their sandboxes, the cabal knew that the enhanced domain-name-generating algorithm would click in on that day. If the update succeeded, it would be a game-changer. It was the most dramatic moment since Conficker had surfaced the previous November. Apparently, at long last, this extraordinary tool was going to be put to use. But for what? The potential was scary. Few people outside the upper echelon of computer security even understood what Conficker was, much less what was at stake on April 1, but word of a vague impending digital doomsday spread. The popular press got hold of it. There were headlines and the usual spate of ill-informed reports on cable TV and the Internet. When the day arrived, those who had been warning about the dangers of this new worm were sure to see their fears vindicated.
The cabal mounted a heroic effort to shut down the worm’s potential command centers in advance of the update, coordinating directly with the Internet Corporation for Assigned Names and Numbers, the organization that supervises registries worldwide. “It was our finest hour,” Joffe says.
“I don’t think that the bad guys could have expected the research community to come together as it did, because it was pretty unprecedented,” Ramses Martinez, director of information security for VeriSign, told me. “That was a new thing that happened. I mean, if you would have told me everybody’s going to come together—by everybody, I mean all these guys in this computer-security world that know each other—and they’re going to do this thing, I would have said, ‘You’re crazy.’ I don’t think the bad guys could have expected that.”
Much of the computer world was watching, in considerable suspense, to see what would happen on April 1. It was like the moment in a movie when the bad guy at last has cornered the hero. He pulls out an enormous gun and aims it at the hero’s head, pulls the trigger … and out pops a little flag with the word BANG!
Conficker found one or two domain names that Joffe’s group had missed, which was all it needed. The cabal’s efforts had succeeded in vastly reducing the number of machines that got the update, but the ones that did went to work distributing a very conventional, well-known malware called Waledac, which sends out e-mail spam selling a fake anti-spyware program. The worm was used to distribute Waledac for two weeks, and then stopped.
But something much more important had happened. The updated worm didn’t just up the ante by generating 50,000 domain names daily; it effectively moved the game out of the cabal’s reach.
“April 1 came and went, and in the middle of that night the systems switched over to the new algorithm,” Joffe told me, referring to Conficker C. “That’s all that was supposed to happen, and it happened. But the Internet didn’t get infected; it was just an algorithm change in the software. So of course the press said, ‘Conficker is a bust.’”
Public concern over the worm fizzled, just as the problem grew worse: the new version of Conficker introduced peer-to-peer communications, which was disheartening to the good guys, to say the least. Peer-to-peer operations meant the worm no longer had to sneak in through Windows Port 445 or a USB drive; an infected computer spread the worm directly to every machine it interacted with. It also meant that Conficker no longer needed to call out to a command center for instructions; they could be distributed directly, computer to computer. And since the worm no longer needed to call home, there was no longer any way to tell how many computers were infected.
In the great chess match, the worm had just pronounced “Checkmate.”
As of this writing, 17 months after it appeared and about a year after the April 1 update, Conficker has created a stable botnet. It consists of anywhere from hundreds of thousands of computers to 12 million. No one knows for sure anymore, because with peer-to-peer communications, the worm no longer needs to check in with an outside command center, which is how the good guys kept count. Joffe estimates that with the four distinct strains (yet another one appeared on April 8, 2009), 6.5 million computers are probably infected.
The investigators see no immediate chance or even any effective way to kill it.
“There are a bunch of infected machines that are out there, and they can be taken over, given the right circumstances, by the bad guys,” VeriSign’s Martinez says. “Will they do that? I don’t know. So it’s a potential threat. It’s something that’s out there, sitting there, and it needs to be addressed, but I don’t think, honestly, that we know how. How do we address this? If it was sitting in the U.S., it would be a fairly easy thing to do. The fact is that it’s spread out all around the world.”
Ever since the paltry Waledac scam, the worm has been biding its time.
“They are watching us watch them,” says Andre’ DiMino, the botnet hunter. “I think it’s really either that or somebody let this thing get bigger, and it’s advanced bigger and further than they ever dreamed possible. A lot of people think that. But in looking at the sophistication of this thing and looking at the evolution of this thing, I think they knew exactly what they were doing. I think they were trying something, and I think that they’re too smart to do what everybody figured they were going to do. You have to remember, the world was watching this thing and waiting for the world to end from Conficker on April 1, 2009. The last thing you’d want to do if you’re the bad guy is make something happen on April 1. You’re never going to do that, because everybody’s watching it. You’re going to do something when you’re least suspected. So these guys are sophisticated. They have good code. And just even seeing the evolution from Conficker A to B to C, where there’s the peer-to-peer component, which … strikes fear into the heart of botnet hunters because it’s just so damn difficult to track—these guys know exactly what they’re doing.”
So who are they?
One of the things Martinez’s team does, patrolling the perimeter at VeriSign looking for threats, is dip into the obscure digital forums where cyber criminals converse. Those who are engaged in writing sophisticated malware boast and threaten and compare notes. The good guys venture in to collect intelligence, or just out of curiosity, or for fun. They sometimes pretend to be malware creators themselves, sometimes not. Sometimes they engage in a little cyber trash talk.
“In the past you were just sort of making sure they didn’t steal your proprietary information,” Martinez says. “Now we go in to engage them. You talk to them and you exchange information. You have a guy in Russia selling malware, working with a guy in Mexico doing phishing attacks, who’s talking to a kid in Brazil, who’s doing credit-card fraud, and they’re introducing each other to some guy in China doing something else.”
Martinez said he recently eavesdropped on a dialogue between a security researcher and a man he suspects was at least partly responsible for Conficker. He wouldn’t say how he drew that connection, only that he had good reasons for believing it to be true. The suspect in the conversation was eastern European. The standard image of a malware creator is the Hollywood one: a brilliant 20-something with long hair and a bad attitude, in need of a bath. This is not how Martinez sees his nemesis—or nemeses.
“I see him, or them, as a really well-educated, smart businessman,” he said. “He may be 50 years old. These guys are not chumps. They’re not just out to make a buck.”
The eastern European, backpedaling from further dialogue with the security geek, wrote, “You’re the good guys; we’re the bad guys. Bacillus can’t live with antibodies.”
“Now, I didn’t grow up in a bad neighborhood or anything,” said Martinez, “but the few thugs that I saw would never use a word like bacillus or make an analogy like that.”
One of the early clues in the hunt was the peculiarity in the Conficker code that made computers with active Ukrainian keyboards immune. Much of the world’s aggressive malware comes from eastern Europe, where there are high levels of education and technical expertise, and also thriving organized criminal gangs. Martinez believes Conficker was written by a group of highly skilled programmers. Like Joffe, he sees it as a group of creators, because designing the worm required expertise in so many different disciplines. He suspects that these skilled programmers and technicians either were hired by a criminal gang, or created the worm as their own illicit business venture. If that’s true, then the Waledac maneuver was like flexing Conficker’s pinkie—just a demonstration, a way of showing that despite the best and most concerted effort of the world’s computer-security establishment, the worm was fully operational and under their control.
Will they be caught?
“I have no idea,” Martinez says. “I would say probably not. I’ll be shocked if they’re ever arrested. And arrest them for what? Is breaking into people’s computers even illegal where they’re from? Because in a lot of countries, it isn’t. As a matter of fact, in some countries, unless you’re touching a computer in their jurisdiction, their country, that’s not illegal. So who’s going to arrest them, even if we know who they are?”
Ridding computers of the worm poses another kind of overwhelming problem.
“There are controls, or checks and balances, in place to limit what police can do, because we have civil liberties to protect,” he says. “If you do away with these checks and balances, where the government can come in and reimage your computer overnight, now you’re infringing on people’s civil liberties. So, I mean, we can talk about this all day, but I’ll tell you, it’s going to be a long time, in my opinion, before we really see the government being able to effectively deal with cyber crime, because I think we’re still learning as a culture, as a nation, and as a world how to deal with this stuff. It’s too new.”
Imagining Conficker’s creators as a skilled group of illicit cyber entrepreneurs remains the prevailing theory. Some of the good guys feel that the worm will never be used again. They argue that it has become too notorious, too visible, to be useful. Its creators have learned how to whip computer-security systems worldwide, and will now use that knowledge to craft an even stealthier worm, and perhaps sell it to the highest bidder. Few believe Conficker itself is the work of any one nation, because other than the initial quirk of the Ukrainian-keyboard exemption, it spreads indiscriminately. China is the nation most often suspected in cyber attacks, but there may be more Conficker-infected computers in China than anywhere else. Besides, a nation seeking to create a botnet weapon is unlikely to create one as brazen as Conficker, which from the start has exhibited a thumb-in-your-eye, catch-me-if-you-can personality. It is hard to imagine Conficker’s creators not enjoying the high level of cyber gamesmanship. The good guys certainly have.
“It’s cops and robbers, so to speak, and that was a really interesting aspect of the work for me,” says Martinez. “It’s guys trying to outwit each other and exploit vulnerabilities in this vast network.”
In chess, when your opponent checkmates you, you have no recourse. You concede and shake the victor’s hand. In the real-world chess match over Conficker, the good guys have another recourse. They can, in effect, upend the board and go after the bad guys physically. Which is where things stand. The hunt for the mastermind (or masterminds) behind the worm is ongoing.
“It’s an active investigation,” Joffe says. “That’s all I can say. Law enforcement is fully engaged. We have some leads. This story is not over.”