January 29, 2003

The worm that turned: A new approach to hacker hunting

By Shane Harris
sharris@govexec.com

Wednesday, June 20, 2001
6:30 a.m.
FBI Headquarters,
Washington

After 23 years as a CIA analyst, having briefed the president and his team on every conceivable threat to national security, Bob Gerber was scared. More scared than he’d been in a long time.

Holed up in his cramped, 11th floor office on a stark, colorless hallway at FBI headquarters in Washington, Gerber’s stomach turned as he took his first look at a new enemy.

Gerber was a hunter, one of the government’s best. These days, he was hunting worms, malicious computer programs let loose into the wild of the Internet by some of computerdom’s most brilliant hackers. Two months earlier Gerber, 56, had left his job at the CIA, where he helped write the president’s daily intelligence briefing, to head the analysis and warning division at the FBI’s National Infrastructure Protection Center. There, he and his crew of more than 60 tracked worms, viruses and other computer evils, as well as the hackers who create them. Both threatened daily to shut down the engines of modern life—electrical power grids, the banking system, water treatment facilities, the World Wide Web.

Worms were the most vicious new beasts to stalk the Internet. But Gerber had never seen a worm quite like the one he confronted that sweltering Wednesday morning in June.

It was named Leaves after “w32.leave. worm,” the poisonous file it implanted in unsuspecting computers. Like all worms, Leaves bored through cyberspace, probing Internet connections for holes in personal computers or Web servers. It slithered inside the machines and spewed venomous strings of data that threw its victims into electronic shock.

Leaves was hardly the first worm to infest the Internet. In fact, the pests became so common in 2001, that security cognoscenti dubbed it the “Year of the Worm.” Worms wrought all sorts of damage. They forced computers to delete critical files or erase entire programs. They also allowed hackers to steal personal information from computers’ memories. Once they infested their victims, worms made clones, then used their hosts as launching pads for more worms, whose numbers grew exponentially.

In 2000, Gerber and his team began battling a new species of even more virulent super worms. Rather than devour computers’ innards, these worms hijacked their victims’ controls, rendering them powerless zombies. With a gang of zombies at his command, the creator of a superworm could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.

In the spring of 2000, Gerber’s colleagues took on a 15-year-old hacker who called himself Mafiaboy. The teen-ager turned his zombies loose on World Wide Web giants Amazon.com, eBay and Yahoo!, launching what is called a distributed denial of service attack that shut down business at the sites for five hours. It cost shareholders and the companies billions and shocked the Web world.

But compared with the Leaves worm, Mafiaboy’s creation was a larva. Gerber’s best analysts had worked late into the night trying to make sense of a sample of Leaves captured by worm watchers at the SANS Institute, a computer research center in Bethesda, Md. They let Leaves infect a computer, and then they watched how it behaved. What Gerber saw fascinated and appalled him.

Leaves was a zombie maker on steroids. It searched out computers already wounded by another Internet scourge called a Trojan, which installs back doors in the machines. Leaves used a Trojan called SubSeven as its entrance. Once transformed, the zombies awaited orders. To communicate with them, Leaves’ creator ordered his zombies to rendezvous online through Internet Relay Chat channels. He also told them to visit certain Web sites and download encrypted information to receive instructions on what to do next. No one knew who was controlling the zombies, from where or why.

Reading the guest registries of chat rooms, Gerber discovered that an army of 1,000 Leaves zombies already was on the march. Mafiaboy, by contrast, had a few hundred conscripts and sometimes used only a dozen to attack a Web site.

What’s more, Leaves contained an electronic gene enabling its creator to control every zombie at once from any Internet connection in the world.

Gerber never had seen a worm so sophisticated or terrifying.

But to exterminate it, Gerber needed more samples to dissect and more time. Pulling out the lines of computer code that told the worm how to behave might help him shut it down. Or, if he could identify the worm maker’s ultimate goal, Gerber might be able to head him off.

The FBI group usually worked alone or with a few select federal officials and private sector consultants. But even Gerber’s top-flight team was daunted by Leaves. It was time to call in help. Only a public-private posse of America’s best hacker trackers could gut this worm.

By pulling such a group together for the first time and then letting it operate largely unsupervised, Gerber created a new model for federal computer crime fighting.

June 29
FBI Strategic Information
and Operations Center,
Washington

Gerber called the most seasoned and cunning code crackers, worm gurus and cyber soldiers from government and industry to meet at FBI headquarters. On a Friday afternoon, 10 days after Leaves was discovered, the posse gathered in the FBI’s crisis headquarters, the Strategic Information Operations Center.

It was the most concentrated arsenal of computer crime-fighting talent the government ever had gathered. They came from leading security companies Symantec and Network Associates, the FBI, the White House and the Defense Department.

But there was a hitch. The private experts were uneasy. Could they trust the G-men? Uncle Sam was a bumbling bureaucrat. His security was notoriously lax. Hackers had been penetrating military and intelligence agency computers for years. What could federal officials possibly know about fighting an enemy as elegant as Leaves?

The two sides eyed each other warily as Gerber laid out what he knew. The evidence seemed to show that Leaves’ creator was preparing a massive denial of service attack. Everyone would have to work together to stop it. Mistrust would keep them apart. It took Marcus Sachs, a cyber soldier from a Pentagon unit trained to attack foreign networks, to bridge the suspicion gap.

Sachs dazzled the room with his observations and theories about Leaves. With casual command of hacker lingo and the history of worms and their attacks, he demonstrated both the expertise of the government corps and the urgency of defeating this unique and dangerous foe.

The ice melted. Slowly, a simple sheet of paper passed around the room. First one, and then the next, wrote down his name, e-mail address and phone number. The Leaves posse came to life and it readied for a fight.

Days later
Los Angeles

Jimmy Kuo left the meeting to conduct an electronic autopsy.

Kuo, a research fellow at the security firm Network Associates, took samples of the worm home to Los Angeles. Many in the Leaves posse returned home to operate on their own turf, not from a single base in Washington. “In this line of work, it doesn’t matter where you are, as long as you have a laptop computer and a phone,” Kuo says.

The Leaves code was a jumbled mess. It was encrypted and compressed—data had been squeezed together to save space. Mr. Leaves, as some in the posse had begun calling the worm’s creator, knew his creation would be captured. He ensured the worm wouldn’t easily give up its secrets. Kuo ripped apart layers of code with powerful programs to reveal the deeper truths Leaves was hiding.

Other members of the posse were ripping Leaves, too, untying its knotted innards. One wrote a program to mimic the Trojan that Leaves used as a back door. The posse laid the trap across the Internet.

Sharing their discoveries by phone and e-mail, the code crackers found eight variants, or mutations, of the worm. Mr. Leaves was tweaking his weapon, finding new ways to deliver it. And he was moving faster than the posse.

While Kuo ripped in Los Angeles, a posse member watched for abnormal Internet traffic from SANS in Bethesda. Still others huddled at the FBI. The group worked smoothly because nobody was in charge, Sachs says. “Egos didn’t get in the way of progress.” They worked fast, but as days passed, their analysis yielded fewer new results. They learned much about the worm’s attributes, but little about its purpose.

Mr. Leaves had directed the zombies to synchronize their clocks with the Naval Observatory clock on the Web. The army was prepared to attack in unison. No doubt, Mr. Leaves soon would begin his onslaught.

Unless someone could find him first.

Early July
FBI headquarters,
National Infrastructure Protection Center
computer investigation unit

FBI Special Agent Michelle Jupina wanted two things: to find Mr. Leaves and to lock him up. The bureau sought Leaves’ creator on criminal charges of unlawfully entering a computer. Jupina was at the first posse meeting in June, but she kept a low profile. Assigned to the infrastructure protection center, Jupina, 36, was well-versed in cyber jargon. She understood how hackers thought and maneuvered.

The posse saw Leaves as a marvel of engineering. But to Jupina, the worm and its maker were just garbage to clean up. Short, quiet and hidden under a mane of frosty blonde hair, Jupina didn’t seem capable of bursting through a hacker’s door and yanking him off his keyboard. She was so unobtrusive that a posse member recalls he didn’t even know she was a cop until she got up from her seat one day and “I saw a cannon strapped to her side.”

But as the posse ripped Leaves apart, Jupina was a constant eavesdropper, digging for evidence in the pile of Leaves’ secrets the posse unearthed. Even as new revelations slowed, Jupina and the agents under her command feverishly followed leads. Steadily, they shut down the Web sites Leaves’ zombies used to receive instructions. They planted tracking devices to pick up the hacker’s footprints.

Second week of July
FBI Strategic
Information
Operations Center

Weeks passed. The zombies remained quiet.

Gerber had issued a public warning about Leaves on June 23. The private sector posse members had warned their customers. News that Leaves was on the loose circulated through the computer security trade press. But still no attack.

Ripping continued. The zombie army grew. By July, at least 20,000 computers were encamped in chat rooms or patiently waiting for their orders. “That scared the hell out of us,” Gerber says.

Mr. Leaves was getting wily. Whenever the team shut down one Leaves chat room the worm automatically created a new one. Mr. Leaves tried new methods, too. On July 9, one of the companies in the posse found an e-mail claiming to be a security bulletin from Microsoft Corp. The bulletin warned of a new virus, and told users to download a file to protect their computers. In the file was Leaves.

The bogus warning was badly written and eerily self-congratulatory:

“Yesterday the Internet has seen one of the first of it’s downfalls. A virus has been released. One with the complexity to destroy data like none seen before.”

Today, hackers often mask their worms as official security warnings, but this was the first use of the tactic. Like many outlaws, Mr. Leaves inspired a certain grudging admiration within the posse chasing him. “I had a feeling I was dealing with an artisan,” Gerber says.

Or possibly a common crook.

Perplexed by the lack of attack, someone in the posse posed a new theory: Perhaps instead of damage, Mr. Leaves sought money.

The posse knew that some companies paid Web surfers to click on advertisements on their sites in order to inflate estimates of the success of the ads. With 20,000 zombies to click for him, Mr. Leaves could make a killing. Some of the sites the zombies visited contained these ads. If the FBI could find an account where Mr. Leaves put the funds, trace it to a physical address and tie it to him, the case might be solved.

Convinced Leaves had to have been created for a denial of service attack, the posse scorned this theory. Pulling off one of the biggest attacks ever was the only glory befitting such a brilliant worm.

But something didn’t make sense. Mr. Leaves was taking an awful risk by not attacking. Every time he logged on to communicate with his zombies, the FBI had another chance to trace him. Why expose himself? Why not just preprogram the zombies to act on their own? The scam began to seem more believable.

But before the posse could prove its theory, an attack began. It wasn’t the work of Leaves.

On July 17, a new worm appeared—Code Red. It was named after Mountain Dew Code Red soda, the only thing that kept two private sector analysts awake as they tracked it day and night.

Leaves propagated like a rare illness, targeting only victims with weakened immunity. But Code Red spread like smallpox. The worm exploited a ubiquitous hole in one of the most popular brands of Microsoft Web servers. In a few hours, Code Red had eaten into more than 100,000 servers worldwide. The swarm of worms leaping from machine to machine caused an electronic traffic jam, slowing all Internet traffic. In the aftermath of the attack, companies would spend billions of dollars plugging the holes that let Code Red enter.

Able as it was, the posse didn’t have the strength to fight both Code Red and Leaves at once. The choice was clear: Code Red took precedence.

The Leaves posse had built a new model for chasing Internet outlaws. They honed it battling Code Red. But fighting the new menace left Leaves on the back burner. All they could do was hope that Leaves was no more than an Internet heist or pray that Jupina and her crew could track down and nab Mr. Leaves before he, too, unleashed his zombie brigades.

For weeks, Jupina and her technicians had laid traps and tracers across the Internet. She wanted the hacker’s Internet protocol address, the digits that identify anyone who sends information online. Hackers cover their tracks by erasing those addresses from the servers they use. But Mr. Leaves had slipped.

In a cache of addresses Jupina had pulled off a server in Oklahoma at the end of June, she found one used by Mr. Leaves. It was a hot lead.

But chasing the address could take Jupina around the world. And she could nab Mr. Leaves only if he lived in a country that considered hacking a crime. If he did, the company that provided his Internet service would have to cough up his home address and Jupina would have her man. Luckily, after some tracking, Jupina hit gold: Mr. Leaves’ address originated in the United Kingdom, home to some of the toughest computer crime statutes in the world.

Jupina rang the Scotland Yard computer crime unit. Within days they traced the Internet address and attached it to a name and a place. The hacker was a 24-year-old man living in one of the seedier sections of London. Scotland Yard set up a stakeout at his digs.

July 23
FBI headquarters and
South London, England

Back at FBI headquarters, Jupina kept watch on a computer monitoring the Oklahoma Web server. When Mr. Leaves logged on again, Jupina would know. Jupina waited with Scotland Yard’s phone number at the ready. Officers in South London sat tight outside the hacker’s residence.

Nothing.

And then, there he was.

Jupina watched as the hacker connected to the Oklahoma server. She gave the word to Scotland Yard: Go. The officers arrested the creator of one of the most ingenious worms ever known.

Epilogue

The Leaves posse proved itself during the Code Red attack. Code Red made headline news. The FBI, the White House and security companies launched a coordinated campaign to track it, warn the public and take steps to protect vulnerable systems. Crippling of the White House Web site was narrowly avoided; Pentagon Internet connections were temporarily shut off. Damage was significant—estimates are in the billions of dollars—but it would have been worse had the response not been as fast and well organized. No perpetrator has been identified.

Mr. Leaves caused no major damage before the posse rounded him up. And the same team remains on guard against new worms or other cyber threats. When one appears, the posse comes alive. E-mails fly, home telephones ring as the members swing into action, sharing what they know, tracking, dissecting, devising traps and passing evidence to the FBI.

In November 2002, shortly before leaving the FBI and returning to the CIA, Bob Gerber sat in a new office at FBI headquarters. Next to a bookcase full of hacker treatises, with a can of Mountain Dew Code Red displayed prominently on a shelf, Gerber pondered Mr. Leaves’ motive. The FBI never found evidence the hacker had stolen money using the worm. Gerber and Jupina had brought the case all the way to a collar, yet they might never know Mr. Leaves’ ultimate goal. “As far as I know, no one ever asked Mr. Leaves why he did what he did,” Gerber says.

And no one ever may get the chance. In November 2001, the man who confessed to British authorities that he’d created the Leaves worm received a “formal caution,” a legal warning usually reserved for juvenile crimes and minor drug offenses.

The lead officer on the case insists the agency has information about the hacker’s motives that the FBI hasn’t heard. But Scotland Yard refuses to divulge what it knows. Citing British law, officials refuse even to reveal the hacker’s name.

Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting.


Brought to you by GovExec.com