Written by the author of Black Hawk Down: A Story of Modern Warfare, Mark Bowden, Worm: The First Digital World War is the story of how the cyber security community came together to do battle with what seemed at the time to be the largest and most significant cyber threat to date: the Conficker worm. It was the time of the Estonian and Georgian distributed denial of service (DDoS) attacks, and the Conficker botnet was growing to be the largest DDoS delivery system ever created. A white hat group of cyber übergeeks formed the Conficker Cabal to stop the worm because most of the world could not even understand it, let alone do something about it. Bowden accurately captures the essence of our cyber security community in times of crisis. He compares us all to cyber security superheroes, like the X-Men of Marvel Comics fame, because of what he sees as our superhuman or mutant ability to work with computers and our desire to help each other. Seasoned security professionals will learn nothing new here in terms of technology and craft, but they will remember that time and how we were all very worried about 1 April 2009: the day that the world thought that Conficker would come to life. Freshmen security practitioners will get a lot out of this book, though. Bowden does a great job of simply and clearly explaining many of the key technical pieces that make the Internet run. If you are new to the community, this book would be a great introduction. It is canon-worthy material, and you should have read it by now. But most importantly, how can you not like a book where the author favorably compares the cyber security community to the X-Men? As Stan Lee likes to say, “'Nuff said.”
Mark Bowden is probably best known for his book Black Hawk Down. In Worm, he chronicles the rise of the Conficker worm and the cooperation of a collection of civilian super geeks that formed to combat this relatively new and unique Internet threat. When Bowden published Black Hawk Down, I was blown away. Bowden puts you right in the streets of Mogadishu, Somalia, with the soldiers, rangers, and bad guys who made up that fight. And then, when the movie came out and was equally intense, I felt like I had some smidgen of understanding regarding what the U.S. armed forces had to deal with during this specific fight but, more generally, what they have to endure every day when they are deployed to the Middle East. When I heard that Bowden was taking a stab at the story behind the Conficker worm, I was excited. He is a high-caliber author attempting to describe the geeky details of the cyber security community at a key point in our history. I was hoping that he would make what we do in the security community sound as interesting and astonishing as he made the soldiers sound in Black Hawk Down. I think that he accomplishes this task but not in the way that you might think. He succeeds in giving a bird’s-eye view of our community’s collective thinking process. He captures our almost universal and delightful, if a bit naive, belief that we should all help each other out and contrasts that to the relative size of our egos and how self-destructive that can be to a group effort.
As you may recall, Conficker is a worm that started targeting victims running the Windows operating system in 2008. For the nontechies in the crowd, a worm is a piece of malicious code designed to compromise a computer and then replicate itself automatically through the network to as many computers as it can. Every compromised host belongs to the worm’s collective called, in generic terms, a botnet or a robot network. It is a robot network because the owner of it can direct every machine within the collective to do his or her bidding: deliver spam, decipher encryption, dispatch denial of service attacks, etc.
John Brunner, the author of The Shockwave Rider, first wrote about the idea of a worm in his prescient 1975 novel 10 years before the Internet really existed. Around the same time, Robert Thomas built the first proof-of-concept worm called Creeper, which was designed to be an experimental mobile program in which the program itself would look around the network to find the best computer to use for its task. It was not until 1988 when the Morris worm brought the Internet to its knees that we all began to understand what a malicious application of a worm might accomplish.
Today, botnets are reusable. Authors send new instructions to their botnets when they want to repurpose them through some sort of command-and-control mechanism. The difference between a virus and a worm is that a virus does not try to spread on its own. Good worms spread very fast. Famous worms in our short Internet history include the Morris worm, Code Red, and Slammer. In the Slammer case, the worm infected 90 percent of the vulnerable computers connected to the Internet within ten minutes of the first infection. Let me restate that again so that you understand the magnitude of that incredible statistic: of the 75,000 machines connected to the Internet that were vulnerable to the attack, the worm compromised 90 percent of them in the first ten minutes after it compromised victim zero. The mind boggles.
Security researchers first noticed the Conficker worm at the end of 2008. Microsoft immediately patched the vulnerability in its operating system, but because many of the computer owners who run the Windows operating system do not patch their systems regularly, they were vulnerable to the attack. By the end of 2010, infection rates had grown large enough to pass the Slammer worm infection rates of 2003. Strangely, the botnet owners had not done anything with the system yet. Between 2008 and 2010, the botnet sat idle, growing exponentially but never being used, growing around the same time as other real-world cyber events took place:
- 2007: DDoS attack against Estonia
- 2008: DDoS attack against Georgia
The community had DDoS attacks on the mind. Prominent individuals in the security community became alarmed that this new threat, this new weapon, this largest denial of service machine ever created, was continuing to grow unabated. Some decided to do something about it. The “cabal,” as it was affectionately referred to by its members and later changed to the Conficker Working Group, had many security luminaries. According to Bowden, though, the core consisted of the following members:
- TJ Campana: the organizer; program manager for security at Microsoft’s Digital Crimes Unit
- Phil Porras: program director of SRI International’s Computer Science Laboratory
- Rick Wesson: CEO of his own Internet security firm, coauthor of some central Internet protocols, and owner of his own small Internet registrar
- Rodney Joffe: security chief of Neustar, a telecommunications company that operated the .biz top-level domain and several Internet registries
- Andre DiMino: one of the founders of a unique nonprofit botnet-killing service called Shadowserver
- Paul Vixie: Internet architect and member of the board of trustees of the American Registry for Internet Numbers
- Andre “Dre” Ludwig: a self-taught computer security consultant in Alexandria, VA
- John Crain: Internet Corporation for Assigned Names and Numbers (ICANN) negotiator
- Chris Lee: a meticulous graduate student at Georgia Tech who would end up running the bulk of the sinkholing operation
Bowden spools the story out on two threads. The first thread is the description of the punch-counterpunch between the cabal and its adversaries. The Conficker authors released the first version of the worm, called Conficker A, in late 2008.
In order for the newly infected host to receive instructions from the botnet’s command-and-control center in the future, the Conficker malcode generated 250 strings of random-letter domain names each day computed through an algorithm of the author’s design. Each day, the infected host would try to communicate with each domain name in the list. If the authors wanted the Conficker botnet to accomplish a task, they would install the command-and-control center at one of the 250 domains for the scheduled day and deliver the instructions when the infected host tried to communicate with it. When the cabal members reverse engineered the malcode, they learned about the daily domain-name-generation routine. Their first counterpunch was to compute the 250 randomly generated domain names every day before the attackers could use them, purchase those domains, and route all traffic to a sinkhole computer residing on Amazon’s Simple Storage Space (S3). To use a chess analogy, the cabal put the Conficker authors in check.
The authors responded by releasing a serious upgrade to the worm, called Conficker B, that used better encryption and more-efficient infection techniques, which resulted in 1.5 million compromises a day. It took the cabal longer to figure out what the worm was doing, but the group’s strategy of sinkholing the domain names was still intact. Check again. Finally, the Conficker authors released a third upgrade, Conficker C, which they designed with the intent to make it practically impossible for the cabal to orchestrate any kind of defense against it. Instead of generating 250 domain names a day, the new algorithm generated 50,000 domain names a day across multiple top-level domains, requiring the cabal to coordinate across international boundaries with governments and non-governmental organizations that do not traditionally play nicely together. This change significantly upped the work level required to put the worm in check again. The goal was to be ready for a 1 April 2009 deadline where all of the hosts within the Conficker C botnet would reach back to their command-and-control centers to receive new instructions. Nobody knew what those instructions might be, but because the Conficker authors had not used the botnet for anything up to this point, the cabal was worried that 1 April might be the day the Conficker authors unleashed the botnet against the world.
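The defender's side of the two paragraphs above, as an added example that is not from the book or from the Conficker Working Group: once a date-seeded generator is known, the day's list can be precomputed and matched against resolver logs, and the same code shows how the workload changes when the list grows from 250 names on one top-level domain to 50,000 across several. The generator is a constructed stand-in, not Conficker's algorithm, and the seed, TLD list, log layout and function names are all assumptions.

```python
"""Added example: precompute a date-seeded rendezvous list and match DNS logs.

The generator is a constructed stand-in, NOT Conficker's algorithm; the seed,
label format, TLDs and log layout are all assumptions for illustration.
"""
import hashlib
from collections import Counter, defaultdict
from datetime import date


def daily_domains(day, count=250, tlds=("com",), seed=b"constructed-seed"):
    """Deterministic per-day list: same date and parameters, same domains."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4  # label of 8 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{tlds[digest[31] % len(tlds)]}")
    return domains


def registrations_per_tld(day, **gen):
    """How many names each registry would have to block or sinkhole that day."""
    return Counter(d.rsplit(".", 1)[1] for d in daily_domains(day, **gen))


def find_infected(log_lines, threshold=3, **gen):
    """Return {client: matched domains} for clients querying >= threshold
    distinct names from the list precomputed for the day of each query."""
    watch, hits = {}, defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        ts, client, qname = parts
        try:
            day = date.fromisoformat(ts[:10])
        except ValueError:
            continue
        if day not in watch:
            watch[day] = set(daily_domains(day, **gen))
        name = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if name in watch[day]:
            hits[client].add(name)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= threshold}


# Constructed resolver log: "<ISO timestamp> <client IP> <query name>".
DAY = date(2009, 4, 1)
_names = daily_domains(DAY)
SAMPLE_LOG = [f"2009-04-01T08:00:0{i}Z 10.0.0.23 {n}." for i, n in enumerate(_names[:4])]
SAMPLE_LOG += [
    "2009-04-01T08:01:00Z 10.0.0.40 www.example.com.",
    f"2009-04-01T08:02:00Z 10.0.0.40 {_names[7].upper()}",  # one stray hit
    "malformed line",
]

if __name__ == "__main__":
    print(find_infected(SAMPLE_LOG))
    tlds = ("com", "net", "org", "info", "biz")
    print(registrations_per_tld(DAY, count=50000, tlds=tlds))
```

The threshold keeps a single coincidental lookup from flagging a host; a client that walks several names from the same day's list is the pattern worth investigating.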
This first thread of punch-counterpunch is fascinating and shows how two groups of übergeeks—the cabal and the Conficker authors—who understand the Internet and its systems in a way that mere mortals could not comprehend did battle over a two-year stretch in a classic white-hat-versus-black-hat confrontation. Rarely does the public get to see this interchange in the public arena. Other books that cover similar battles are Clifford Stoll’s The Cuckoo’s Egg and David E. Sanger’s Confront and Conceal.
The second thread of the story is about the people working in the cabal. This is where Bowden hits the ball out of the park. He compares the group members to the X-Men, Marvel Comics’ super hero team with mutant abilities.
“What were superheroes, after all, but those with special powers? Marvel’s creations were also invariably outsiders, not just special but mutant, a little bit off, defiantly antisocial, prone to sarcasm and cracking wise, suspicious of authority, both governmental and corporate.”
Bowden describes how most of the cabal members had realized at one time or another that compromising computer systems was pretty easy. That ability was their mutant superpower. Most normal people -- like my wife, for example, who is the smartest person on the planet on every other subject -- have a hard time simply understanding the computer’s on-off switch. These übergeeks did not. And when they were doing their normal day jobs, they assumed the role of the mild-mannered Clark Kent: not intimidating and practically invisible to the rest of the world.
“They went about their day jobs as unassuming techies, men whose conversation was guaranteed to produce the Glaze, but out here in the cyberworld they were nothing less than the Anointed, the Guardians, the Special Ones: not just the ones capable of seeing the threat that no one else could see, but the only ones who could conceivably stop it.”
“The Glaze.” I love that phrase. I have seen it many times on the faces of my friends and family members when they politely ask me a question about what I do for a living. Sometimes I forget and actually attempt to explain it until I get
“the unmistakable look of profound confusion and uninterest that descends whenever a conversation turns to the inner workings of a computer.”
I think my record for achieving “The Glaze” is less than 10 seconds.
If you are a security geek of any sort, you most likely had your comic book time sometime in your life. For some of us, it was very short. For others, we have never let it go. (Yes, I have been to two—count them, two—different Comic-Con conventions and had a great time at both.) With his superhero analogy, Bowden captures the essence of the cabal but, most importantly, the essence of us all in the security community, and I thank him for it.
“The obscure work these experts do, the work that is so hard for most people to understand, may not be as romantic or physically daring as the work of [Fighter Pilots], or the assault force that killed Osama Bin Laden in Pakistan, but it is every bit as vital and compelling. The threat may be virtual, but the consequences would be all too real.”
To describe the punch-counterpunch of the übergeeks, Bowden has to explain a lot of the technical pieces involved in order to make the story compelling, and he has to describe a bit of Internet history so that the reader can understand why the conditions for the Conficker worm were perfect for when they occurred.
He chronicles the day when technicians deployed the first two Internet routers, called Interface message processors (IMPs), in 1967 between Menlo Park and UCLA. He describes that eureka moment in 1974 when Vint Cerf (Stanford) and Bob Kahn (DARPA) presented their paper detailing the revolutionary way to transmit data across IMPs called Transmission Control Protocol (TCP). He explains the 1998 hand-off from SRI to the ICANN of the responsibility of coupling IP addresses with domain names. He provides a short history of Microsoft’s rise to power, an abbreviated history of the evolution of hacktivism, and a timeline of DDoS attacks, including the sobering attack against the 13 DNS root servers in 2002.
He establishes the early evolution of worm technology:
- Creeper: first proof-of-concept worm
- Morris: first malicious worm to bring the Internet to its knees
- Bagle: first money-making worm
- Storm: first stable spam-worm, an upgrade from Bagle
- Torpig: first credit-card-stealing worm
He also discusses how Conficker was an amalgamation of previous worm technology:
- Sircam: took control of the machine’s file-sharing applications to spread
- Blaster: scans other computers on the local network to look for vulnerabilities
- Sinit Trojan: was the first to use encrypted communications
- StartPage: checked the keyboard language on the computer to determine if it should compromise the machine
- Bobax: generated a random list of domain names on a fixed schedule
Bowden has a knack for taking complex Internet technology and explaining it in a way that even a nontechie can understand. He uses a wonderful analogy comparing a botnet to the Starship Enterprise, explains the Internet by comparing it to human brain function, and describes buffer overflows by demonstrating how a chef reads recipes and cooks food in a kitchen. He does a decent job explaining the function of communications ports, why malcode is packed (compression and stealth), the difference between dynamic and static malcode analysis, why bad guys obfuscate their code, and how public key encryption and the Domain Name System (DNS) work.
Bowden covers the period from the inception of the cabal in late 2009 until June 2010. He describes the cabal’s efforts to thwart the Conficker operators from making the botnet operational so that it didn’t become the largest cyber weapon in the Internet’s short history to date.
Bowden’s critics deflate the importance of this book because the Conficker authors never used the system to any significance. Actually, two weeks after the 1 April 2009 update, the Conficker authors rented the botnet to a well-known spammer named Waledac, and in June 2011, US and Ukraine law enforcement officials arrested 16 Kiev hackers who used Conficker to steal $73 million from international banking accounts. However, nobody used the botnet to take down the Internet like the Morris worm did. After the cabal finally succeeded in getting the security community worried about the potential threat, the 1 April deadline came and went with a whimper. The press compared it to the other great nonevent of our Internet history: Y2K. The cabal did not succeed in eradicating the worm from the Internet either. The group stopped it from receiving instructions—check—but they were unable to kill it—no checkmate. At last count, Conficker continues to infect some twenty-four million computers connected to the Internet. But all of that criticism is short-sighted.
Back then, during the time of the Estonia and Georgia DDoS attacks, we were all still thinking that somebody might try to kill the Internet for some diabolical purpose. That thinking has largely changed since then. Why would bad guys kill the Internet when they need it to accomplish their goals? Back then, we were all concerned about it. Bowden captures the security community coming together to combat a potential worldwide threat, a threat that nobody else on the planet could understand, let alone do something about. He precisely and, I think, accurately captures the essence of our community, these cyber X-Men with the übergeek superpowers who volunteer to combat this threat simply because they can. For that reason alone, the book belongs in the cyber security canon. Seasoned security professionals will learn nothing new here in terms of technology and craft, but they will remember that time and how we were all very worried about 1 April 2009. Freshmen security practitioners will get a lot out of this book though. For a nontechie, Bowden does a great job of explaining many of the key technical pieces that make the Internet run and how evil actors leverage the weaknesses in some of those systems. Especially if you are trying to explain some of this stuff to a nongeek boss, this book might come in very handy. I believe it is canon-worthy material, and you should have read it by now. Most importantly, how can you not like a book in which the author favorably compares the cyber security community to the X-Men? As Stan Lee likes to say, “'Nuff said.”
I worked for iDefense (a VeriSign Inc. business unit) the first time that I wrote about Worm. Actually, iDefense and Verisign both had a small part to play in Bowden’s tale. Jason Greenwood, the current iDefense general manager and an old friend of mine, has graciously allowed me to reuse some of the original content from that essay for this updated blog post. iDefense is still one of the best commercial cyber security intelligence outfits out there. If you have cyber intelligence needs, you should consider calling those guys.
Worm: The First Digital World War is a Cybersecurity Canon Candidate. Please visit the official page sponsored by Palo Alto Networks to read all the books from the Canon project.