Pyramids, Networks, And The Emergent Weapons Of Cyber War


“Cyber war is like Carl Sandburg’s fog; it comes on little cat feet, and it’s hardly noticed. That’s its greatest potential.” – John Arquilla

The 21st Century’s most important paradigm shift (See: Pyramids & Emergent Networks) is already underway. Though the full impact may not be felt for decades, some industries have already been forced to adapt.

How does one anticipate the impact of a Game Changer in progress?

Start at the tip of the spear

Fighting A Digital War Across The Globe

In late 2008, the Internet’s regulatory agencies and network security communities encountered an enemy they were not prepared to fight. Though disaster was averted, their trial by fire resulted in a host of valuable insights.

On November 20th, Conficker erupted onto the internet from an address in Buenos Aires. It spread at an alarming rate, forming a malicious botnet of millions of machines. Even today, it remains one of the worst Zero-Day Attacks in the Internet’s history.

Who’s In Charge? I Guess We Are…

The worm’s progress was detected, analyzed, and countered independently by researchers and industry professionals. Most did not know each other, and nobody put them in charge. They saw what needed to be done, and acted. As their efforts encountered one another, a coalition of like-minded experts emerged.

This group came to be known informally as The X-Men or The Cabal. Later, they would be formally renamed as The Conficker Working Group.

Let The Games Begin

Cabal members were the first to break down the virus and learn its capabilities.

Conficker A – Characteristics:
•The worm spread itself through use of a buffer overflow vulnerability in the Windows Remote Procedure Call (Port 445). Once inside, it took control of the operating system, and placed the machine under the botnet’s control.
•Each machine downloaded Geocache data to report its location to the controller.
•Each day, an algorithm generated a random list of 250 domain names, and reserved them in one of five Top-Level Domains: .com, .org, .net, .info, and .biz.
•Commands could be issued to the botnet from any of these addresses.
•Its messages were passed using 1024-bit RSA encryption on both ends. This is a form of asymmetric cryptography, which allows dynamic endpoints to use strong security.
•The infection rate was maximized by the targeting of Supernodes (those with the most connections).

Six days from initial infection, the the botnet instructed its victims to download a piece of ransomware from The website, however, had already been shut down by The Cabal. Though the delivery of this payload was a failure, the spread continued.

December 1st, infection count: 500,000 machines

Microsoft was concerned enough by this point to publish a rare out-of-band release, to close the worm’s infection path.

Meanwhile, The Cabal formed a counter-strategy: By cracking the domain registry algorithm, they could pre-emptively register the targeted domains, cutting off its ability to communicate. On this short notice, it required the use of a credit card to reserve them.

December 31st, infection count: 1.5 million machines

The Worm Adapts

The Cabal continued to grow, forming new teams, improving efficiency, and cutting out duplicate efforts.

The worm’s creators had been studying their moves and strategy. On December 28th, it updated to a new version.

Conficker B – New Features:
•The domain registry algorithm had been updated to include 3 additional Top-Level Domains: .ws, .cn (the country code for China), and .cc.
•Machines on the local network were now targeted and attacked through file shares.
•Infection could now spread offline through USB thumb drives. If the drive was later returned to the original machine, it would bring with it all of the data about the offline victims it had infected.
•Connections to computer security websites were now blocked, preventing tool and anti-virus downloads.
•Windows AutoUpdate was disabled, to prevent infected machines from being patched.
•The Crypto Protocols had been updated. It now used an experimental 4096-bit SHA-3 prototype algorithm taken from Ron Rivest’s own website (He was a Cabal member).

January 16th, infection count: 8.9 million machines

We’re From the Government, And We’re Here To Help

The responding government agencies received the first reports in mid-to-late December, but didn’t become actively involved until late January. Most were all but oblivious to the size, scope and impact of the threat.

Cabal members initially met with representatives from:
Office of the Secretary of Defense
NCRCG (National Cyper Response Coordination Group)
US-CERT (U.S. Computer Emergency Readiness Team).

These teams were working off of reports from December, and were shocked to see that civilians were ahead of their own efforts.

Throughout the course of their involvement, many withheld key information from their own management to avoid appearing incompetent (See Celine’s 2nd Law). They would often criticize the Cabal’s briefings, only to be caught later presenting it as their own work (as was the case with Rodney Joffe’s presentation, used to brief the White House).

The government teams were generally prone to dismiss anything that called their own credibility and expertise into question. Their reports back to their supervisors often contained omitted information and half truths, emphasizing their own contributions.

Cabal members began locking down the new Top-Level Domains, which required cooperation from China.

Backtracking on the domain generation algorithm, it was discovered that Conficker B had been tested in Buenos Aires and Ukraine, prior to its deployment. The FBI’s Computer Crimes Unit was informed of this, but did nothing.

January 31st, infection count: estimated 9-25 million

To Defeat The Bug, We Must Understand The Bug

Conficker was a highly decentralized, adaptive threat. The effective strategies against it required a loose coalition of expert interests to converge on the problem and act with a common goal.

It’s all but impossible to fight an Emergent Network unless you can think and act like one.

Though The Cabal had plenty of early problems and stumbling blocks, they were quickly overcoming them to work as an effective team, correcting their own mistakes, and adapting to the situation on the ground in real-time as it unfolded.

The government agencies, on the other hand, were failing to communicate key information within their own organizations. Apparently, it was a larger priority to appear competent, than be competent.

The Dysfunction of Hierarchies

In my own experience, I haven’t found government employees to be inherently any less intelligent or honest than anyone else. The problem lies in the nature of Pyramid Hierarchies, where privileges and promotions are largely based on seniority and playing the game, not on one’s talent or contributions.

Success requires one to be in constant competition with one’s peers, and it’s a long race to the top. Unfortunately, honesty won’t get you far. To be successful, you have to learn to cover up your mistakes, protect your reputation, and absorb credit as much as possible. Believe me, I take no pride in saying that. I wish I could tell you a different story.

Most find the career game strange, irritating and discomforting at first, but soon it just becomes normal to them. Eventually, many forget there was ever a time they didn’t act this way.

Every joke you’ve ever heard about “Your tax dollars hard at work!” has the same punchline: this kind of behavior.

…And It Just Keeps Getting Worse

In the midst of the chaos, on March 6th, a third variant was detected (This was actually the 4th variant, the 3rd having been quietly deployed on Feb 20th.). Like last time, the adaptions were tailored to counter The Cabal’s moves.

Conficker D – New Features:
•The domain registry algorithm now used 50,000 domains per day, instead of 250.
•These were selected from all 116 (at the time) Top-Level Domains in the world.
•An original Peer-To-Peer protocol. Infectees now searched the local subnet, gateway address, and outbound networks until they found another infected machine.
•The botnet could now form an uninterruptible, wide-scale P2P mesh. In reality, this made the domain registry upgrade unnecessary. In fact, it was probably intended as a distraction.
•A flaw in the SHA-3 prototype encryption algorithm had been corrected.

In March, the US-CERT and FBI were now getting up to speed on the events of the past 3 months. For the first time, they began describing the situation in their briefings as “urgent.”

Closing In On Doomsday…

Conficker D was scheduled to go active on April 1st.

John Crain of ICANN, a cabal member since February, had been enlisted to reach out to China as an ambassador to their domain registry. He had secured their cooperation in suspending .cn registrations.

He now found himself tasked with securing cooperation from all 116 Top-Level Domain Registrars to suspend the targeted addresses. This was a daunting task, to say the least. ICANN lacked regulatory powers over private businesses (especially foreign ones), and had no enforcement capabilities whatsoever.

Amazingly, John secured agreements from 100 of the registries, Rick Wesson managed to get the other 16 on board.

By this point, the Cabal was operating at peak efficiency, and a lengthy list of agencies were actively monitoring the situation. Even the media had taken notice, and was reporting the situation as it unfolded.

As the April 1st activation date approached, tensions ran high, and the countdown had become something of a media sensation.

It came and went without incident. Many believed it had been defeated, and some even made a joke out of it.

The One That Got Away

A week later, the botnet woke up and updated itself using the P2P Protocol, even though all the target domains had been blocked.

Conficker E was deployed, and spent the next several weeks spreading Waledac, an infamous spam email trojan. This trojan spawned a botnet of its own which was taken down by Microsoft the following year.

In June 2011, 16 hackers in Ukraine used a section of the botnet to drain $72 million from international bank accounts. As it turns out, they were not the designers. They had merely purchased a section of it on the black market.

The creators of Conficker are still at large, and the botnet still exists. On an average day about half a million machines are cleaned of it and half a million new ones are infected. It lies mainly dormant. To this day, it has never demonstrated its full capabilities.

Why Not?

This question has been debated over the years. Perhaps the creators backed off, deciding that whatever they were after wasn’t worth the attention they were drawing upon themselves.

They may wish to lie in wait for the right opportunity to use it. Sometimes, the real power of a weapon is not in its use but in the threat of its use.

Aftermath And Lessons

Many of the media outlets and government officials took the opportunity to claim victory from the lack of a doomsday moment, but this is short-sighted. This threat is still out there, and better ones continue to arrive. It’s a never ending arms race.

The Cabal released an official Lessons Learned document. It’s a valuable and insightful read.

•The group’s collaboration model was an amazing technical and logistical achievement.
•Some powerful global political strides were made; Technology often unifies people better than governments can.
•Many of the group’s tools, processes, and data have been and will continue to be used on other projects.

•Government collaboration was terrible. It was summed up as “Zero involvement, Zero activity, Zero knowledge.”
•Government communication was mostly one-way. Many government officials did not feel the need to reciprocate shared data and processes.

For an outstanding, detailed narrative of these events, I recommend reading Worm. Mark Bowden does an amazing job telling the story.

Those who stepped up and volunteered their skills to fight this battle are, in many ways, heroes. Across the social landscape, you’ll find the same story: a few talented individuals who carry the mission of an entire organization, and receive far less credit than they deserve.

Perhaps that is the greatest weakness of Pyramid thinking. When you fail to assign credit where it is due, you end up with management that chases accolades, instead of solutions. Today, the world needs one of those far more than the other.

A Continuing Legacy

It could be said that Conficker introduced the template from which future Cyber Weapons would be built. Four simple characteristics provided it with an extremely high amount of potency and resilience.

•Communication with a P2P Protocol.
•Formation of a dynamic mesh between nodes.
•Communication with Asymmetric Cryptography.
•Commands to the Network can be issued from any node, and spread throughout.

Others that have included this feature-set have included:

Stuxnet – which targeted the Iranian Nuclear Centrifuges
•The Flame Virus
Duqu Malware
•Perhaps most notably, Bitcoin, both currency and protocol.

  1. Rodomonte 03/19/2014, 8:50 PM Reply

    very interesting article, thanks a lot!! 😀

  2. blah 11/17/2015, 12:03 AM Reply

    Good post. I’m dealing with many of these issues as well..