4 HORSEMEN OF CYBER APOCALYPSE

Bloodthirsty adversaries are constantly looming over the horizon. One day, cyber reality as we know it will fall apart.

The unthinkable disaster will first take the shape of a messenger. Then the messenger will set a Doomsday. Finally, we will grasp the potential consequences. And we will panic.

Actually, this scenario has played out before. Several times. Would you like to take a closer look?

THE FIRST HORSEMAN, A CONQUEROR…

… with a bow and a crown appeared out of nowhere in April 1991, bearing the name of Michelangelo. This boot sector virus most often arrived on infected floppy disks bundled with software. Its payload overwrote the first sectors of the hard disk, including the partition table, boot sector and file allocation table, which made recovery all but impossible for an ordinary user. Without back-ups this was pretty disturbing. But it was not going to happen immediately. A particular day had to arrive.

The date of the cataclysm was no coincidence. Set for 6th of March 1992, it was to bring utter destruction to mark the great Michelangelo's birthday.

Mass panic started to gain ground in January 1992. One computer manufacturer accidentally shipped around 500 computers infected with the virus. Then another one started shipping computers with antivirus software preinstalled. Finally, John McAfee told the press that hundreds of thousands of computers might be destroyed by the virus. Another prediction went into the millions. Brace yourself!

6th of March arrived peacefully. Although much anticipated, the catastrophe did not materialize. There was a spike in detections, but mostly of malware other than Michelangelo. The virus fell far short of destroying hundreds of thousands of machines. Cyber reality survived, all in all, untouched.

Apparently, it was not yet time for Doomsday.

THE SECOND HORSEMAN WAS GIVEN A GREAT SWORD…

… and rode a red horse of inflated ego. Known by the name of CIH, it surfaced in June 1998. It came as a punishment. And as a warning. A warning to antivirus software developers: do not claim you are so damn efficient, or I will prove you wrong.

CIH started its journey at Tatung University in Taiwan. Then it went into the wild. Spreading joyfully, it was to bring calamity on 26th of April 1999. Just enough time to expand satisfyingly.

The virus spread mostly through pirated software. However, a couple of legitimate players got caught as well. To name only a few: three European PC gaming magazines shipped infected CD-ROMs, Yamaha delivered an infected version of a firmware update utility, and IBM released a batch of its new Aptiva personal computers with the virus preinstalled.

CIH went after executable files. Once executed, the virus stayed resident in memory and infected other programs as they were accessed. When the day came, CIH overwrote the beginning of the hard disk, including the partition table, with zeros, leaving the data on it unreachable. Moreover, it attempted to overwrite the machine's Flash BIOS chip. If that succeeded, the machine was unable to boot at all.

Oh, there was publicity. From conspiracy theories to we-are-doomed statements. On top of that, the date itself: 26th of April, the anniversary of the Chernobyl disaster. There could not have been a better date for a cyber apocalypse.

Well… although the impact of the virus should not be underestimated, its epicenter wound up in Asia. Millions of infections? Sure. Disruptions to productivity? Correct. Pissed off office workers? No doubt.

Unfortunately, with all due respect my friends, this is not enough to qualify as the pledged Armageddon.

Apparently, again not yet the time.

THE THIRD HORSEMAN CARRIED A BALANCE SCALE…

… and rode a black horse. It emerged in January 2003, and its .F variant was to bring absolute catastrophe on 22nd of August the same year. It will be remembered by the name of Sobig. Already feeling chills.

Sobig spread through email and network shares. Using its own SMTP engine, it not only spammed itself out ferociously, but also downloaded a Lala trojan, which turned infected machines into spamming zombies. Never before had computers been turned into relays so easily.

The third horseman had partially learned his lesson. Although the payload scheduled for download on 22nd of August never made a grand entrance, the Sobig worm left an everlasting mark on cyber reality.

Our black character became the fastest-spreading worm of its time. Even today it still holds the second position, behind Mydoom only. At its peak it was responsible for two-thirds of the world's spam! (See also: BRIEF STORY ON HOW TO FINALLY GET PEOPLE NERVOUS ABOUT THIS WHOLE CYBER SECURITY and BATTLE OF WORMS IN 5 ACTS.)

More significantly, Sobig is credited as the first worm built to create a spam botnet. Once the concept had been tried and tested, it opened immense opportunities for the future.

The worm was hugely successful. Even though the trigger date did not bring the worst (cyber space survived in pretty good shape), it opened a whole new chapter. Obviously, the intent was to take advantage, not to kill the cash cow.

Not yet the time.

THE FOURTH HORSEMAN RODE A PALE HORSE…

…and was supposed to force unconditional cyber surrender on 1st of April 2009. The death rider bore the name of Conficker.

Rumors around the globe announced an inevitable Doomsday and a hostile takeover of millions of machines. The New York Times spoke of an unthinkable disaster. The Guardian called it a deadly threat. Furthermore, this deadly threat was one great enigma. From the very beginning no one knew where it came from or where it was heading.

Since its appearance in November 2008 it had been an unsolvable mystery. This extremely prolific network worm made great use of the MS08-067 vulnerability, a stack buffer overflow in the Windows Server service triggered by a specially crafted RPC request. Several infection methods and a range of stealth techniques kept Conficker a couple of steps ahead of the good guys (see also: THE GREATEST MYSTERY IN THE HISTORY OF CYBER SECURITY?).

Although the greatest minds of the cyber security industry worked for months in a task force called the Conficker Working Group, intending to track, annihilate and indict the worm's authors, no one came to any practical conclusion about either the adversary or the intentions. The world was pretty much kept in the dark.

One thing was known for certain though. Conficker.C, one of the first major rewrites, was spotted in February 2009. Doomsday was to arrive two months later.

On April Fools' Day 2009 the worm was to contact its headquarters and download a deadly payload. By then the worm was practically everywhere. F-Secure estimated the number of infections at around 2.9 million. And rising! The global botnet was to be activated, and allegedly there was no one on Earth who could fully fend off the threat.

The publicity was massive. Wall-to-wall coverage: newspapers, TV news stations, internet portals, blogs and cyber industry announcements. You could follow the upcoming cyber Armageddon from a front-row seat. The world held its breath. Are we doomed? Is it finally the time?

Well, we are still here, right? 1st of April arrived and nothing spectacular happened. To be more specific: not only did nothing spectacular happen, nothing happened at all. Sure, the Conficker Working Group did its job and significantly crippled the botnet, but millions of infections were still there. The hype did not live up to reality. Again.

NO MORE HORSEMEN OF CYBER APOCALYPSE?

Surely no one can give a definitive answer. However, both the cyber security industry and malicious tools and techniques have evolved significantly in recent years. One could assume that such evolution would impede any massive cyber Armageddon in the future. No doubt there is logic in such a statement.

Firstly, if you wish to cash out on your infections, you cannot attract so much attention. People are to be kept in the dark. For as long as possible.

Secondly, if you wish to bring absolute havoc and utter destruction, then again, silence is the key. You should not give anyone time to raise defenses. People should be caught off guard.

Finally… is it not already a thing of the past? Massive, indiscriminate destruction of a big chunk of cyber reality? Haven't the former Horsemen of Cyber Apocalypse taught us enough to make it impossible?

We shall see.

Maciej Szulejewski

When creating this article I used threat descriptions from the F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used blog posts available at archive.f-secure.com/. Furthermore, I used my own research materials.

THE GREATEST MYSTERY IN THE HISTORY OF CYBER SECURITY?

A cyber Armageddon was supposed to emerge on 1st of April 2009. Rumors around the globe announced an inevitable Doomsday and a hostile takeover of millions of machines. The New York Times spoke of an unthinkable disaster. The Guardian called it a deadly threat. The CBS network predicted disruption of the internet as a whole. The finest security experts from around the globe joined forces and went into a months-long battle to seize control.

The situation looked extraordinary.

Especially since no one had a clue who the enemy was.

DOES ANYONE KNOW ANYTHING?

Well… at least the basics. The threat was quickly classified as a net-worm, one which exploits the MS08-067 vulnerability, allowing remote code execution through a specially crafted Remote Procedure Call (RPC) request. A security hole inviting adversaries in through the good old stack overflow technique. The worm spreads via the internet, local area networks and removable media. When multiplying over a network it uses three different methods: exploitation of the vulnerability, file sharing (including brute-forcing weak passwords on network shares) or abuse of Windows Autorun.

Moreover, it makes a number of changes to the Windows Registry and hides its actions behind numerous stealth techniques. It opens an HTTP server on a random port, from which freshly exploited machines fetch a copy of the worm, and then quietly waits for instructions. It goes by the name of Conficker. Or Downadup. Or Kido. And it started spreading on 20th of November 2008.

That was the easy part. Beyond the technicalities, no one has the slightest idea who is behind the creation of Conficker (the most popular of the names). Months of investigation brought nothing reliable. No one can say what the goal of Conficker was. Was it meant to build a massive botnet of zombie computers? Or to infect users with scareware and extort money? Or was it a state-funded field test before the famous Stuxnet?

The $250,000 reward Microsoft offered for useful information has never been collected. Estimates of the number of infections range from 9 to 15 million machines worldwide. All the notable infections, such as the French Navy, the UK Ministry of Defense or the Bundeswehr, faded away without consequences. Instructions were never sent. All the infections went for nothing. What the hell?

DID WHITE HATS STEAL THE SHOW?

Extraordinary situation requires extraordinary activities.

Never before had there been such an endeavor. Non-profit, public sector and business parties joined forces to fend off Conficker. Basically every significant party was there. Just name it: Microsoft, Facebook, Cisco, Trend Micro, IBM, F-Secure, AOL. Everyone was there.

The Conficker Working Group operated through three streams. The first focused on analysis and research: delivering samples, coordinating the flow of information, exploring emerging variants. The second stream was about communication. Remember, the whole world was watching, right? Press releases, joint messaging.

Finally, the third stream set up the biggest domain blocking project in history. The challenge was quite compelling: to shut down over 1 million domains across 110 countries.

Why block such an insane number of domains? To thwart Conficker's mode of operation.

The Conficker worm tried to call its headquarters once a day to get instructions. It did so by trying to connect to a series of web addresses. If the worm found an active web server at one of them, it would download and execute a payload (later variants also verified a digital signature on it, so only the operators could feed the bots anything). This basically meant the bad guys could do whatever they wanted with infected machines.

The web addresses were generated by a complicated algorithm. At first it produced 250 pseudorandom domains a day. Later variants tried to download orders from 500 domains picked out of 50,000 pseudorandom candidates a day, and since every bot picks its own 500, defenders had to cover the whole pool. Predicting, registering and shutting down all those domains would do the trick: it would prevent infected machines from getting any commands. And this was the challenge.
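To make the mechanism concrete, here is an added example (not the page's own code, and not Conficker's real algorithm): a toy date-seeded domain generation algorithm, the per-bot pick of a few rendezvous names out of a much larger daily pool, the pre-registration list a defender who has reverse-engineered the algorithm must cover, and a check of constructed DNS log lines against the day's pool. The hashing scheme, pool sizes, TLD set, bot identifier and log format are all assumptions made for the illustration.

```python
"""Toy date-seeded DGA with the defender's and the detection side of it.
Illustration only: hashing scheme, pool sizes, TLDs and log format are assumed,
not taken from Conficker."""
import hashlib
import random
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")  # assumed TLD set


def generate_pool(day: date, pool_size: int, seed: bytes = b"toy-dga") -> list[str]:
    """All candidate domains a bot could try on `day`.
    Deterministic in (seed, day, index), so anyone holding the algorithm can
    reproduce the list for any future date."""
    pool = []
    for i in range(pool_size):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 4                               # 8..11 character label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        pool.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return pool


def select_rendezvous(day: date, pool_size: int, picks: int, bot_id: int) -> list[str]:
    """The subset one particular bot actually queries on `day`.
    Each bot draws a different subset, so the defender cannot know in advance
    which `picks` names matter and has to cover the whole pool."""
    pool = generate_pool(day, pool_size)
    rng = random.Random(f"{bot_id}:{day.isoformat()}")  # per-bot, per-day draw (assumed)
    return rng.sample(pool, picks)


def preregistration_list(start: date, days_ahead: int, pool_size: int) -> set[str]:
    """Every name a defender must register or sinkhole for the coming days
    to keep bots from ever reaching an operator-controlled server."""
    names = set()
    for offset in range(days_ahead):
        names.update(generate_pool(start + timedelta(days=offset), pool_size))
    return names


def suspicious_hosts(log_lines, day: date, pool_size: int, threshold: int = 3) -> dict[str, int]:
    """Count, per client, DNS queries that land in the day's DGA pool and
    return the clients at or above `threshold`.
    Assumed log format: '<iso-timestamp> <client-ip> <queried-name>'."""
    pool = set(generate_pool(day, pool_size))
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:          # skip malformed lines instead of crashing
            continue
        _, client, name = parts
        if name.lower().rstrip(".") in pool:
            hits[client] = hits.get(client, 0) + 1
    return {host: n for host, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    DAY = date(2009, 4, 1)
    POOL = 2000
    bot_queries = select_rendezvous(DAY, POOL, picks=10, bot_id=7)
    # Constructed log: 10.0.0.7 behaves like a bot, 10.0.0.8 makes an ordinary lookup.
    log = [f"{DAY.isoformat()}T00:00:0{i} 10.0.0.7 {d}" for i, d in enumerate(bot_queries[:5])]
    log.append(f"{DAY.isoformat()}T00:01:00 10.0.0.8 www.example.com")
    print("bot queries today:", bot_queries[:3], "...")
    print("defender must cover", len(preregistration_list(DAY, 7, POOL)), "names for the week")
    print("flagged hosts:", suspicious_hosts(log, DAY, POOL))
```

The asymmetry is the whole point: a bot needs only one of its few picks to resolve to a live server, while the defender has to pre-register or sinkhole the entire daily pool, every day, for as long as the infections persist. The log check is the cheap detection a network owner gets for free once the algorithm is known: any host that resolves several of today's pool names is worth a look.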

This unprecedented effort was actually successful. The Conficker Working Group managed to almost completely stem the botnet. Without a connection to headquarters it was simply useless. That means full success, correct?

You never know with Conficker.

OR WAS THE WORM TOO SUCCESSFUL TO BE USED?

This is probably the theory most experts incline to. The exploited vulnerability had been publicly known since 23rd of October 2008, the date Microsoft published the security update. The very first variant of Conficker did not infect systems with Ukrainian IP addresses or a Ukrainian keyboard layout. This could point to its origin.

As Ukraine is not publicly known for any state-funded cyber attacks, this leads to the conclusion that it was some hoodies trying to infect machines and then monetize the resulting botnet. However, as it went far beyond their expectations and brought an immense amount of publicity, their impunity was severely threatened. So they stepped back and left Conficker in the wild, living on its own. Seems logical, right?

Something cracks here though. If they were scared enough to leave a potential profit aside, what about the months-long cat-and-mouse game with the cyber industry? The Conficker Working Group listed five main variants of the worm.

The rewrite in the .B variant introduced a backdoor with auto-update functionality.

The .C variant selected its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. It strengthened its defenses and added peer-to-peer capabilities.

The .E variant went even further: piggybacking on Conficker.C, it attempted to install the Waledac spambot along with scareware imitating anti-virus software.

If you are scared and trying to hide, you usually do not come back to the crime scene. Unless you are not really scared.

PERHAPS IT WAS JUST FOREPLAY BEFORE THE MATURE CYBERESPIONAGE ERA?

That is obviously just speculation. But an educated one.

Some security experts are of the opinion that Conficker was simply a smokescreen hiding the real objective of the operation. While the eyes of the world were focused on the mysterious worm, important doors were opened: the doors to the Iranian nuclear program.

Could it have been about executing one of the most successful cyberespionage operations in history? Delivering Stuxnet to the underground facility at Natanz?

The speculation goes as follows. Firstly, both Conficker and Stuxnet were written with extraordinary sophistication. Secondly, infection rates for both were far higher in Iran than in the United States. Thirdly, there is a correlation between the dates on which their respective variants were developed and deployed.

Finally, both Stuxnet and Conficker exploited the very same Windows vulnerability and spread to and infected new machines in similar ways. How do you feel? Is that enough to consider this theory legit?

Both the White House and Israel's Prime Minister refused to comment.

TO BE CONTINUED?

The Conficker Working Group concluded that it is impossible to say who launched Conficker. A months-long investigation by the greatest minds of the cyber security industry came to no conclusion.

Although the botnet itself got crippled, the majority of the infections remained untouched. If it really was a field test by a state-funded hacking group, it was pretty damn successful.

Whereas if it was supposed to be a profit-oriented botnet launched by Ukrainian hoodies, then it really went south.

To be continued? In February 2021, based on F-Secure Endpoint client data, Conficker was the fourth most frequently detected malware…

Maciej Szulejewski

When creating this article I used threat descriptions from the F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used "What we've learned from 10 years of the Conficker mystery" from blog.f-secure.com, "Conficker Working Group: Efforts To Fight Botnet A Mixed Bag" from threatpost.com and "Conficker Working Group says worm is stopped, but not gone" from csoonline.com. On top of that I used my own research and interviews.