Monday, November 21, 2011

The Worm and the Thing

- or - Why Buy the Cow When You Can Get the Milk For Free?

I'll just call them Victor (as in Frankenstein). Pardon the nationality mashup, since we don't know who they are, but have a pretty good idea that they are a they and that they are either Russian or Ukrainian (I'm betting Russian).

I call them Victor because they created a monster. It's theirs and they pwn it. They created more than just a monster, though. They created a whole new business model, and it is the wave of the future. And it is brilliant, because they borrowed from the best, the strategy of evolution itself.

In 1938 John Campbell wrote a science fiction novella called "Who Goes There?" Later it was adapted into two movies. The first movie by Howard Hawks, "The Thing From Another World", was considered a science fiction horror movie classic. The second movie, John Carpenter's "The Thing", conforms more to the original story. In Hawks' version, the monster is your standard humanoid monster, à la Frankenstein's monster. In Carpenter's version, it is much more alien, more like the Blob - all consuming, but with that imposter twist - and the accompanying paranoia as to whom to trust.

I've read Campbell's novella, and it scared the hell out of me. I'll tell you why. One of the more delicious fears one can have is not fear of death, but fear of lack of control. The alien creature doesn't just consume you. It imitates you. It enslaves you. It mutilates your mind and will, and binds you to service it. The other factor is just the right amount of information. In a horror flick, or in a story, you need just enough information to know that something is a threat, perhaps even an existential threat, but not so much information that you are familiar with the threat. This has always been a problem in movies. How much of the monster do you show? Not enough, and it is all just boring. Too much, and the monster is just another character.

There is a defining scene in Campbell's story when the humans realize that even the tiniest piece of monster can take over an organism. And when one character realizes that their cows have not been monitored against "infection", and that they have all been drinking the milk.
"Mac, how long have the... cows been... not cows?"
It's a great creepy moment, when he realizes, in a fit of revulsion, hysteria, and self-loathing, that he may be a Thing and not even know it.

So it is with Victor's monster. What is Victor's monster? Well, you may have heard of it. It's called the Conficker Worm. It's a computer worm that was unleashed (as far as we know) back in 2008 or so.

Well, hold on. What's a worm? The term can be traced back to John Brunner's amazingly prescient 1975 science fiction novel "The Shockwave Rider". Brunner envisioned a future world connected by a global "data-net". The data-net, in turn, is controlled by a malevolent corporate-state entity. The protagonist of the story, a hacker named Nick Haflinger, creates a computer program he calls a "tapeworm", which infiltrates the net, takes control over computers, issues orders to replicate itself in still more computers, and ultimately subverts the data-net and releases all the nasty crony-capitalist secret files to the public.

Brunner chose to call the program a tapeworm because the viral code consisted of a string of segments that could each reproduce itself onto another computer - another "node" in the net.

The Conficker worm does pretty much that, but without the good intentions. Once this worm infiltrated a computer (yours, perhaps) it would look for others, and continue replicating as far as it could. All of these computers would then link themselves into a "botnet". A botnet is capable of good and bad things. The good witch versions of botnets could also be called "clouds", and they are capable of tremendous data-processing feats that allow complex problems to be solved, or vast amounts of data to be shared and stored. The bad witch version of botnets can be used to launch Denial of Service attacks against websites, or unleash a storm of spam, phish for identity theft, rattle cyberlocks for open doors to steal funds, or flood networks with all sorts of scareware and fraudulent bullshit. If you had enough computers and had infiltrated the right systems, you could even, conceivably, disrupt a nation's electronic grid, or banks, or telephones, air traffic, financial markets, health-care systems, or even take down the entire Internet itself.

You could do all those awful things, that is, if you are thinking like a small-time hoodlum, a small-minded one-time blackmailer, a hooligan, a vandal, a stupid barbarian. But then again, for someone smart enough to code something that stymies even the hackers that created the Internet, why would you do that? There is so much more money to be had, power to be accrued, if your botnet is big and stable and lasts for a long, long time.

And there's the brilliant business model. Rather than raise havoc, or rent out access to the botnet to two-bit spammers and scammers, crooks, thieves, and blackmailing fraudsters, you could do a number of other neat things with it. Think of Victor as "ковбой", cowboy, or better still, a cattle baron, his botnet his dairy herd, and the Internet as the Great Plains filled with grass, free for the browsing.

Well, wait, wait, wait a minute, how big of a botnet are we talking about? Well, at one point, it's estimated that Conficker enslaved around 9 million computers, creating quite possibly something approaching the biggest platform on the planet. Oh, companies came up with anti-viral software to purge it, and institutions and businesses have wiped it off of their systems, but actually, it's still around. It's estimated by this guy to average at six and a half million PCs, marshaling a formidable eighteen million CPUs, and capable of generating 28 trillion bytes per second of bandwidth.

That's quite a cloud. The next biggest cloud is Google, with a measly 8% of capacity and processing power. Conficker is not a worm. Not anymore. Conficker is a Thing. A very, very big Thing, and this Thing is never, ever going to go away.

If you wanted to get rid of this Thing, what could you do? Well, create a bigger Thing to smush it, I guess. That's about it. And some people would like to do that, because they feel that this Thing out there represents a threat to freedom of information, and free access, and all that other technocrat-utopian crystal rainbows and marshmallow unicorns stuff that we all wish would happen.

But it won't happen. That Thing out there? It's not going away. And it's doing stuff. It's processing stuff. It's active. We don't know what it's doing, but it's doing something.

Should you be scared? Nah.

If you spent all your time worrying about every existential threat that could befall you, why, you'd be paralyzed into inaction. This is just another annoyance. Or maybe not. Maybe it's just the way the future is. All I know is, unlike the movie "The Thing", this monster chose the respectable route. It lives net door, and, like the Munsters, might not be a good neighbor, but really hasn't done anything to call the cops out.

Victor may let us all know one of these days what kind of Thing he pwns. But I don't think he wants to wreck anything, not while he's making a good living off of it.


  1. Conficker is a very elegant, but also a very specific and bottom-feeding thing with regard to its ecological dependencies and parasitic exploitation mechanics.

    First, it depends on unpatched and misconfigured instances of Windows on a network. The missing patch is over 2 years old and should have been applied as a matter of course a very long time ago, and the misconfiguration is group policy allowing for default shares on PCs belonging to a domain (a huge security 101 no-no and Windows network security vulnerability numero uno).

    So the network ecologies that conficker exploits are by default incompetently and inattentively managed, and thus, richly deserving of ruthless exploitation. Truly, the only way an end-user knows or experiences a conficker infection is through the seemingly arbitrary blocking of selected websites, which conficker does as part of its self-defense mechanism.

    To me, one of the most interesting traits of conficker is its acquisition of the network access privileges of the user of the machine that it infects, IOW, if a network admin's machine gets infected, it's fit'na be hell up in Harlem, because the worm will begin scanning and attacking the network with the privileges of a network admin.

    Finally, and I think this is a nifty little trick, aside from scanning and attacking via default shares, the other kind of last-ditch vector for conficker is thumb drives, in essence meaning that it has a "spore" like incarnation allowing it to proliferate from one network to another without directly doing the worm thing and spanning networks.

    I have learned a tremendous amount about Windows network administrative minutiae through the process of wrestling with and defeating conficker.

    Oh, as far as being scared, Conficker has evolved considerably since its initial detection a couple of years ago, and there are conficker forks, meaning that not all instances of the conficker "platform" are being controlled by the same people to do the same things. There are some very malicious conficker forks that do some very nasty larcenous things.

  2. Ah, the forks. What you call forks, I'd call sellin' off part of the herd. Ol' cowboy Victor must have needed some walkin' around money - or - mebbe he just want to say "boo" every now and agin' jes to let folks know he could make those cows grow all sorts of scary appendages stolen from any of a thousand distant worlds.

  3. John, you should call your metal, multi-appendaged virus art-thingy "conficker."

    Hipsters and technocrats have money and like art.

    Shit, name the whole series after malicious internet worms.

  4. Double D,
    Pretty good idea.

    I think, though, that these bronze objects are a bit too cute to represent worms and viruses. But I'll keep it in the bin.

  5. They were cute when they were red and black and evoked Fergir channeling Irving Klaw. Once they were cast into Mesopotamian cudgels, however...,

  6. Cudgels can be cute. Uh, in the right hands.