TABLE OF CONTENTS

  • Filtering: Scientists and Hackers [Excerpt Part 1]
  • Part 1 of the Spam book excerpt series
  • Poisoning: The Reinvention of Spam [Excerpt Part 2]
  • Part 2 of the Spam book excerpt series
  • “New Twist in Affect”: Content Farms and Social Spam [Excerpt Part 3]
  • Part 3 of the Spam book excerpt series
  • Inside the Library of Babel: The Storm Worm
  • Storm becomes the quintessential example of software that commandeers other computers for spam distribution
  • Surveying Storm: Making Spam Scientific, Part II
  • Security specialists and hackers study Storm closely to learn its workings
  • The Overload: Militarizing Spam
  • Botnets and spam overwhelm an entire country

Reprinted from Spam: A Shadow History of the Internet, by Finn Brunton. Copyright © 2013, by Massachusetts Institute of Technology. Used with permission of the publisher, the MIT Press.

INSIDE THE LIBRARY OF BABEL: THE STORM WORM

Paul Graham [a well-known programmer] had speculated that “the spam of the future,” designed to better beat filters, would take the form of squibs of text and a single link: “Hey there. Thought you should check out the following: http://www.27meg.com/foo.” It looks innocuous enough, but there was an unforeseen element that could be added to this mix, particularly after September 11, 2001, and similar shocks: news, or the promise of news. Messages in a new spam vernacular began to arrive, promising dreadful events and scandal, from celebrity gossip (“Justin Timberlake Says ‘Britney Shaved Her Head Bald For Me,’” “Will Smith found dead in bathtub”) to the amusingly bizarre (“Bigfoot found, shot down in cold blood”) or the politically startling (“Chinese missile shot down USA aircraft”). The subject line promised much, with brief body text (“A hunter claims he saw the legendary beast known as Bigfoot”) and a link to the story. The link directed to a web page or a download, the point of malware infection, just as the purported file sent by the coworker did in the Mydoom instance. Such a message is classified as a self-propagation spam campaign in the language of the antispam community—spam to add more machines to a network. In early 2007, the self-propagation message that dominated the field was “230 dead as storm batters Europe”: the vehicle for the eponymous Storm Worm.

Storm spread swiftly, but more worrisome and fascinating than its speed was the technical muscle behind the scenes, visible to those antispam groups and security companies that watched the bot world. It began simply, albeit at a higher level than the primitive second-person botmaster discussed previously. That storm-warning spam message linked to a worm that installed both a downloader and a peer-to-peer client on each infected computer. The conventional, contemporary network for distributing information online is made of client and server machines—for the basic botmaster example, the infected computers in your botnet are all client machines that download the material you specify from a server, a central machine somewhere. A peer-to-peer system, by contrast, treats all of the computers on the network as peers, which are capable of being clients and servers simultaneously, both requesting and providing information from and to other peers. Any one of the infected computers with a complete message could route it to the others, passing data along one to the next over their diverse connections. Bots communicating among themselves as peers meant that any changes the botmaster sent out—new C&C [command and control] instructions, packages of code for new functionality, spam text and address databases—could propagate out through the network with less work and traceable exposure on the part of the botmasters. The machines circulate it, one to another, on their own. The botmasters could drop new material in a few select places, like ink in a pool or a rumor in a crowd, and watch it diffuse.

Within months, this already fairly sophisticated system was broken into two networks: one managing package distribution and the other C&C, with bots passing along regularly updated directions to keep the programmers in control and the lines of communication open. Storm’s authors had built a dream of decentralized and outsourced production, turning spam into the financial backer and infection vector for a global workhorse made of other people’s capacity. Researchers found that Storm acted as a vast spam factory drawing on the botnet’s resources. It had “a work queue model for distributing load across the botnet, a modular campaign framework, a template language for introducing per-message polymorphism, delivery feedback for target list pruning, per-bot address harvesting for acquiring new targets, and special test campaigns and email accounts used to validate that new spam templates can bypass filters.”

In other words, the work queue kept the workload of sending spam, among other projects, evenly spread across the many thousands of infected computers, ensuring that few were underutilized. Different spam campaigns could be paced in their distribution by the botnet. In the primitive example in the previous section, the botmaster could distribute only one campaign at a time to all of his bots and would have to cancel it to start another one, whereas the Storm system could simultaneously run several different profitable campaigns alongside the all-important malware self-propagation spamming.

Individual bots could produce one unique message after another—that’s the “polymorphism”—to beat filters with a tide of minor combinatorial variations, litspam text, and alternate names and subject headings. The bots could report the failed messages and take the addresses, invalid or dead, off the target list of addresses to be used and add new addresses, fresh from infected machines. Evidence was found of testing systems using common third-party email services such as Hotmail and Yahoo! to fine-tune new spam campaigns and get past the basic filters. The bots on this system, given their instructions and material, each sent an average of 152 messages a minute while the notional owners of the infected computers worked on spreadsheets, answered email, played games, or left them on while out of the office. “One such [spam] campaign—focused on perpetuating the botnet itself—spewed email to around 400 million email addresses during a three-week period.” One campaign, it should be remembered, among many: the Storm botnet’s segmentation into different subgroups of computers, with the control of each accessible by a different security key, strongly suggests that part of the business model lies in renting out capacity, piece by piece, for others to use.

Of those 152 messages a minute, only about one in six is successfully delivered, and that delivery is prior to several stages of potential filtering. The work is so inexpensive that rates of success can be far lower than even those of earlier spam systems. For instance, the address harvesting functionality of the segment of the Storm system under research analysis returned almost a million email addresses. About half of these were duplicates, and a tenth were not valid email addresses at all, with endings like .gbl, .jpg, .msn, .hitbox, and so on—a sign that the pattern-matching software looking for the characteristic email address shape (foo@bar.bat) was not very good, and many of the harvested computers contained slightly mangled addresses or things resembling addresses. So many mistakes, and so much duplication of effort, with only one in six messages even making it to the jaws of the mail filtering systems through which only some small percentage will pass: this completely unacceptable level of failures simply does not matter if the means of production and distribution are so powerful and so cheap. At 152 messages a minute from every one of many thousands of computers at no cost to you, the failure of the vast majority of messages at every stage means nothing. This is a post-scarcity manufacturing model of fantastic profligacy, recalling “The Library of Babel” as a study in Borgesian publishing economics. Somewhere in those endless hexagonal rooms of books filled with random letters is “the minutely detailed history of the future, the archangels’ autobiographies . . . the true story of your death,” all generated affordably if the cost of production is zero, or close enough.

A new worm, taking over a new machine, will include an antimalware kit to clean its competitors off, stopping the operation of suspect files and then going through their code for likely passwords and other information to take over other computers on the competitor’s botnet. The suspect programs are usually just lists of known malware files, which create a kind of found poetry of filenames with a functional banality meant to evade the interest of the user looking for malware, or to thumb its nose at them:

W32.Blaster.Worm “msblast.exe,” “tftpd.exe,” W32.Blaster.B.Worm “penis32.exe,” W32.Blaster.C.Worm “index.exe,” “root32.exe,” “teekids.exe,” W32.Blaster.D.Worm “mspatch.exe,” W32.Blaster.E.Worm “mslaugh.exe,” W32.Blaster.F.Worm “enbiei.exe,” Backdoor.IRC.Cirebot “worm.exe,” “lolx.exe,” “dcomx.exe,” “rpc.exe,” “rpctest.exe”

From the struggles on individual computers to the control of global spam production, Storm did not want for rivals. It shared the upper reaches of the food chain with systems like Kraken (alias Bobax, Bobic, Cotmonger), Cutwail (which may have been responsible—again, certainty in measurement is difficult here—for about 29 percent of all spam between April and November of 2009), Nugache, Ozdok (alias Mega-D), Grum, Lethic, Festi, Bagle, Srizbi (alias Exchanger, Cbeplay), Conficker (alias Kido), Rustock, and Wopla. This strange, small population of hundred-handed titans with evocative names is collectively responsible for the vast majority of email spam, all quickly learning from each other and fighting for market share. Their history is defined by rapidity: rapid innovation, just as rapidly copied by the others, as well as rapid increases and declines in capacity as security patches are released and the botnets steal captured machines from each other.

SURVEYING STORM: MAKING SPAM SCIENTIFIC, PART II

Among these competitors, Storm remains the best researched. As a vein of quartz suggests the possibility of gold nearby, so does spam often imply new areas of exploitation and innovation online, drawing in scientists as well as security professionals and curious hackers of all stripes. As with the problem of email corpora for scientific spam filtering, simply fashioning an epistemic object on which experiments can be performed is the difficult first step for scientists encountering the botnet. With the email corpus, the problem was one of privacy. With the botnet, it is that of the gold rush: too many teams and individuals following the same thread of quartz. The tents and campfires multiply, and every stream fills with silt. Storm is notorious in the computer security community and has some major flaws in its architecture: because every compromised computer on the network is a peer when it comes to circulating information, it can tell a lot of others where to listen for instructions, leading them astray, that is, into the labs of interested parties. These factors make it attractive to researchers who want to measure or manipulate it and to saboteurs who want to harm it.

As a botnet, Storm turned compromised computers into a platform for self-propagation, spam campaigns, and ambitious exploits, and it has in turn become a platform on which scientists, security specialists, hackers, and other interested parties launch project after project. (“It is difficult to strike a balance between being a good citizen in the [Storm] network and potentially damaging it through novel research techniques,” as one group put it.) Filtering out the effects of attacks and research projects being performed on the botnet is one of the hardest parts of doing research on Storm. Like the wonderful scene in G. K. Chesterton’s metaphysical detective novel The Man Who Was Thursday when the anarchist conspirators realize that they are all secret police agents attempting to infiltrate the anarchist conspiracy, Storm researchers keep encountering other researchers and the results of their work in the botnet itself.

A surprising flaw in the Storm system—a bad pseudorandom number generator that produced a recognizable pattern of IDs that were internal to the Storm network itself, rather than the outsiders exploring and traversing it—made it possible for scientists to gradually separate out and define a population of other users. This cohort is a population of buggy and broken bots, “vigilante researchers, rival spam gangs,” and other players, all seeking to slow the system down, test it out, and make it impossible for the Storm bots to communicate with the Storm botmasters or interfere with the other onlookers. Rather than the kind of monolithic artificial intelligence dominating the network as imagined by science fiction, such as Wintermute in William Gibson’s Neuromancer, as a total and enclosed apparatus—“Case laughed. ‘Where’s that get you?’ ‘Nowhere,’” the AI replies, “‘Everywhere. I’m the sum total of the works, the whole show’”— we find instead something more like a gold rush boomtown or an Arctic research base, criss-crossed by natives and scientists, crooks and surveyors looking for a cut, sociologists, cops, and broken machines: a gathering place for interested parties. Sometimes the gold is gone but the town remains: “There was a joke at a recent security conference that eventually the Storm network would shrink to a handful of real bots and there would still be an army of rabid researchers fighting with each other to measure whatever was left!”
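The flaw described above, illustrated with an added example that is not from the book or from any published study of Storm: the bot ID generator, its 16-bit seed space and the crawl sample are hypothetical constructions, chosen to show the general point that a generator with few possible outputs lets a researcher enumerate every ID a real bot could carry and treat everything else as an outsider.

```python
"""Separating 'native' bot IDs from outsider IDs when the bot's ID
generator is weak. The generator below is hypothetical, not Storm's."""
import hashlib
import os

SEED_BITS = 16   # assumption: the weak generator has only 2**16 seeds
ID_LEN = 16      # 128-bit node IDs, as in Overnet-style peer networks


def weak_bot_id(seed: int) -> bytes:
    """Hypothetical bot-side ID generator: the entire 128-bit ID is derived
    from a 16-bit seed, so at most 65536 distinct IDs can ever be produced."""
    if not 0 <= seed < 2 ** SEED_BITS:
        raise ValueError("seed outside the generator's range")
    return hashlib.sha256(seed.to_bytes(2, "big")).digest()[:ID_LEN]


def enumerate_native_ids() -> frozenset:
    """Researcher side: once the generator has been reverse engineered,
    precompute every ID it can emit. An ID outside this set cannot have
    come from a real bot."""
    return frozenset(weak_bot_id(s) for s in range(2 ** SEED_BITS))


def partition(observed_ids, native_ids):
    """Split crawl observations into native bots and outsiders (research
    crawlers, rival crawlers, bots with corrupted IDs)."""
    native = [i for i in observed_ids if i in native_ids]
    outsiders = [i for i in observed_ids if i not in native_ids]
    return native, outsiders


def build_sample_crawl():
    """Constructed sample crawl: 40 IDs from the weak generator plus 5
    outsider IDs drawn from the OS CSPRNG (collision chance ~2**-112)."""
    bots = [weak_bot_id(s) for s in range(1000, 1040)]
    outsiders = [os.urandom(ID_LEN) for _ in range(5)]
    return bots + outsiders


if __name__ == "__main__":
    native_ids = enumerate_native_ids()
    native, outsiders = partition(build_sample_crawl(), native_ids)
    print(f"native bots: {len(native)}, outsiders: {len(outsiders)}")
```

The same enumerate-then-filter approach applies to any identifier space small enough to precompute; a generator drawing on a full 128 bits of entropy would leave no such fingerprint.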

Of the population of visitors and immigrants to this outpost, built on flows of spam as other communities were made on flows of railroad tracks or grant money, security groups and the agents of the government and the military have become some of the most prominent. “The more worrying thing is bandwidth,” said a security analyst of Storm at its likely peak (its peak and its total size being objects of considerable debate). “Just calculate four million times a standard [high-speed Internet connection]. That’s a lot of bandwidth. It’s quite worrying. Having resources like that at their disposal—distributed around the world with a high presence and in a lot of countries—means they can deliver very effective distributed attacks against hosts.” Storm, or its owners, seemed to periodically identify attempts on the part of serious security firms to investigate it and would retaliate with DDoS attacks, like Mydoom’s swamping of SCO, Inc., with requests from its bot computers. Sometimes they could take an investigator’s servers down for days. “As you try to investigate [Storm],” said Josh Corman, the host-protection architect for IBM’s Internet Security Services, “it knows, and it punishes. It fights back.”

The question of jurisdiction raised by these attacks is a very real one: at their largest scale, at the size of Storm and Wopla and Srizbi and Cutwail, botnets have strange relationships with national boundaries and human populations. Bot computers make the botnet grow by sending out self-propagation spam (as well as using more esoteric means like those files Mydoom seeded in file-sharing applications for others to discover). To spread the botnet infections, by spam or other means, the compromised computers need to be on, and online—an obvious fact with a strange implication: spam can be seen to rise and fall, and botnet propagation spike and diminish, as the earth rotates. The terminator, the line that separates day from night, is part of the circadian clock of large botnets, a diurnal rise and fall in total capacity and rates of potential infection. The infrastructure of the botnet apparatus also changes, more slowly, with shifts in global Internet access. The next great botnet resource, many agree, is the African continent, home to about 100 million PCs, of which an estimated 80 percent are compromised or infected with some kind of malware. Most of the boxes are running pirated operating systems (and therefore may not receive security updates and patches) and their owners can’t afford antivirus software (a standard Windows installation license can be laughably expensive relative to local salaries), both of which make them significantly more vulnerable. Most of the Internet access has been telephonic dialup—which is to say, fairly useless for a botmaster—but a great push to connect the continent to the big cables that form the global backbone will bring in a huge population of additional, accidental victims for the cloud.

Finally, the success of spam and self-propagation messages, as well as many particular aspects of the exploits that worms perform, depend on languages. That malware download pitch promising a news story would not get much traction with a user who reads only Mandarin Chinese, Russian, or Hindi, and the installation process by which the worm takes control might rely on code in the language-specific version of an operating system. Different botnets therefore have different demographic dynamics: the perspective of the botnet sees national boundaries as relevant only insofar as different economies and infrastructures affect the number of computers online. Botnets operate in vast regions whose edges are language, software, and time zone rather than borders. The jurisdictional issues are beyond complicated. A botnet apparatus, setting aside the global population of infected computers, might be using many hosting services under many identities in many different countries, all hooked up into an interdependent system. It is here, at the farthest perspective and the broadest spatial scale, where the borderlines have almost evaporated and Pitcairn Island is one minute node among many in the botnet’s architecture, that the transition from tool to weapon appears: the boundaries are violently reasserted, and nations and their armies get into the business of spam and its consequences.