Book Worm

2011-12-01

Paul Baccas

Sophos, UK
Editor: Helen Martin

Abstract

In 'Worm: The First Digital World War', Mark Bowden writes about the team who worked together to combat the Conficker worm, focusing on some of the principal players in the Conficker Working Group and on their stories over the nine months of Conficker’s activity. Paul Baccas reviews the book.


Title: Worm: The First Digital World War

Author: Mark Bowden

Publisher: Atlantic Monthly Press

ISBN: 978-0-8021-1983-4

‘The bad guys are on the Conficker Working Group email lists.’ Gunter Ollmann (paraphrased).

I read this book on the flight from London to Barcelona for VB2011, and when I heard the above quote in the final panel discussion at the end of the conference I was left reeling. The book is about the team who worked together to combat the Conficker worm and focuses on some of the main players in the Conficker Working Group.

The author – who has a journalistic background and has written several other works of journalistic history, most notably Black Hawk Down – treads lightly over the technical aspects of the worm and concentrates on the history and group dynamics of the multidisciplinary group, or cabal, that countered Conficker.

According to the author the principal members of the Conficker cabal were: TJ Campana, John Crain, Andre DiMino, Rodney Joffe, Chris Lee, Andre Ludwig, Ramses Martinez, Phil Porras, Hassen Saidi, Paul Twomey, Paul Vixie and Rick Wesson. The book uncovers their stories over the nine months of Conficker’s activity.

The chapters

The 11 chapters are self-contained and can be read separately, but really ought to be read in order. The first chapter, ‘Zero’, begins in November 2008, when Conficker first popped up on the radar of malware researchers and no anti-malware product was yet able to detect it. This chapter introduces one of the main protagonists, Phil Porras, and it is here that the book is at its most technical, explaining in general terms what bots and IP addresses are, along with some malware history.

Then we segue into the second chapter, ‘MS08-067’, in which we are introduced to TJ Campana, the program manager for security at the Microsoft Digital Crimes Unit. Here, the book details how Microsoft had to release an out-of-band patch for the Windows Server service RPC vulnerability a month before Conficker appeared.

Next, in ‘Remote Thread Injection’, we encounter Hassen Saidi and the packing and encryption of the Conficker worm. This chapter includes a description of the domain generation algorithm (DGA) the worm used to produce 250 pseudorandom domain names a day, which it then tried to contact for instructions. It also analyses the name ‘Conficker’ – a mixture of letters from ‘trafficconverter.biz’ (a website Conficker.A tried to contact) and a German expletive.

In ‘An Ocean of Suckers’, we are treated to a potted history of computer worms: from Brunner’s The Shockwave Rider through the Morris or RTM worm to Code Red and Blaster. The author looks at how Conficker combined the techniques used by these worms with some botnet technology.

In ‘The X-Men’ we see the more formal beginnings of the Conficker Working Group, aka the Conficker cabal: the group starts to coalesce in December 2008 as the rest of the world wakes up to the fact that something is lurking on the Internet. The book is riddled with references to the Marvel Comics creation from which this chapter takes its title, casting the cabal as the superheroes and the malware authors as the agents of evil.

The book follows the threads of the story and the chapters overlap chronologically. In ‘Digital Detectives’ we are introduced to more of the ‘X-Men’ with some history of the evolution of Conficker from Gimmiv, one of its precursors. This chapter also explains how researchers in different locations and from different companies were already sinkholing Conficker domains.

In ‘A Note from the Trenches’ the arrival of the B variant is detailed, with a list of some of the differences between the two versions. The cabal had been sinkholing the A variant’s domains, largely using Amazon S3 and personal credit cards, but the B variant was a game changer, spreading its domains across more TLDs. The cost of pre-registering the domain names for both variants is estimated at $100,000 per month. The cabal began to contact registrars. All this happened against a backdrop of growing press awareness and the faltering interest of government agencies.

At the beginning of 2009, most of the members of the cabal met at a conference in Atlanta, Georgia. In ‘Another Huge Win’, the conference is discussed with the ‘win’ referring to the fact that ICANN agreed to help sinkhole the Conficker domains. It was in this meeting that contacting China, where a large proportion of the infection existed, was discussed. This rather formal reaching out was trumped by the fact that one of the cabal members was already sharing the data from the mailing lists with the Chinese. This seeming betrayal of the group caused a split that permeates the rest of the book.

The split, which came when the group was on a high and thought the worm had been beaten, was compounded by the arrival of the next variant. Whether by chance or design, the Conficker authors knew when to ‘put the boot in’. The big difference was that instead of 250 domain names a day this variant could generate 50,000 – 200 times as many names to register or sinkhole. Rumours abounded that the Conficker author was actually a member of the cabal:

‘This is starting to stink of an inside job.’

‘The people behind this are us.’
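The DGA described in ‘Remote Thread Injection’, the pre-registration effort in ‘A Note from the Trenches’ and the jump from 250 to 50,000 names a day all turn on one asymmetry: the controller only needs one of the day’s names to resolve, while the defender has to take all of them. The following Python illustration is added here to make that concrete; it is my own code, not from the book, and not Conficker’s real algorithm. The hashing scheme, the hard-coded secret, the label lengths and the TLD list are all assumptions chosen to show the mechanism.

```python
import hashlib
import datetime

# Hypothetical date-seeded domain generation algorithm (DGA). This is an
# illustration, NOT Conficker's algorithm: the SHA-256 scheme, the secret,
# the 8-12 letter labels and the TLD set are assumptions.

DEFAULT_TLDS = ("com", "net", "org", "info", "biz")  # assumed TLD list
SECRET = b"hypothetical-dga-seed"                    # assumed, baked into the 'worm'


def generate_domains(day, count, tlds=DEFAULT_TLDS, secret=SECRET):
    """Return `count` pseudorandom domains for the ISO date string `day`.

    Every infected host that knows `secret` and the date computes the same
    list, so the controller need only register one name from it.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(secret + day.encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 5                      # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{tlds[digest[-1] % len(tlds)]}")
    return domains


def matches_dga(domain, day, count, tlds=DEFAULT_TLDS):
    """Defender-side check: is `domain` one of that day's generated names?

    A DNS resolver or proxy log can be screened against the pre-computed
    list for the day the query was seen.
    """
    return domain.lower() in set(generate_domains(day, count, tlds))


def sinkhole_schedule(start_day, days, count, tlds=DEFAULT_TLDS):
    """Pre-compute every name a defender must register or sinkhole for
    `days` consecutive days starting at ISO date `start_day`."""
    start = datetime.date.fromisoformat(start_day)
    schedule = {}
    for offset in range(days):
        day = (start + datetime.timedelta(days=offset)).isoformat()
        schedule[day] = generate_domains(day, count, tlds)
    return schedule


def first_reachable(domains, registered):
    """Simulate a bot walking its daily list in order: return the first
    name that resolves (is in `registered`), or None if none does."""
    for domain in domains:
        if domain in registered:
            return domain
    return None


if __name__ == "__main__":
    day = "2009-04-01"
    for per_day in (250, 50000):
        names = generate_domains(day, per_day)
        print(f"{per_day} names/day -> {len(names) * 30} names to cover a month")
    # The controller wins by holding any one name; the defender needs them all.
    names = generate_domains(day, 250)
    print("bot reaches:", first_reachable(names, {names[42]}))
```

Run with more `tlds` to see how spreading names across registries (the B variant’s change) multiplies the number of registrars a defender has to deal with, while the bot’s work stays the same.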

Suggestions were made that tackling this piece of malware was too much for a group of loosely affiliated researchers, and that they should get the government involved. In ‘Mr. Joffe goes to Washington’, the author describes how Rodney Joffe attempted to do just that (and in doing so trod on a few toes within US-CERT), but despite presenting the problem to many government agencies he left disillusioned after a week.

The last two chapters, ‘Cybarmageddon’ and ‘April Fools’, work up to and beyond the malware’s 1 April trigger date. This date turned out to be a damp squib thanks to the efforts of the cabal and other parts of the anti-malware industry in successfully combating it.

While we will never know why Conficker was created or what it was originally meant to do, the sophistication of the code and the complexity of the effort needed to combat it were staggering. Was this a criminal gang? Or a governmental or quasi-governmental weapons test? Whatever it was, it highlighted the importance of working together and trusting one another.

Verdict

The book is not a technical analysis of Conficker, though it may add to your knowledge. It is an analysis of the personalities and social interactions of some of the movers and shakers behind the Conficker Working Group.

The book is very readable; I was annoyed when my flight arrived 15 minutes earlier than scheduled because I was left with 10 pages to read! The individual chapters are each self-contained stories, which means that you do not have to read the book all in one go. The style is journalistic and the high quality writing is what one would expect from an author with Bowden’s credentials. I would be more than happy to find this book under the Christmas tree this holiday season.
