The Cybersecurity Canon: Worm

Rick Howard

Category: Cybersecurity

cybersec canon red

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Worm: The First Digital World War (2011) by Mark Bowden

Worm: The First Digital World War is the story of how the cybersecurity community came together to do battle with what seemed at the time to be the largest and most significant cyber threat to date: the Conficker worm, which was covered frequently by Palo Alto Networks researchers, among many others.

It was the time of the Estonian and Georgian distributed denial of service (DDoS) attacks, and the Conficker botnet was growing to be the largest DDoS delivery system ever created. A white hat group of cyber übergeeks formed the Conficker Cabal to stop the worm because most of the world could not even understand it, let alone do something about it.

Mark Bowden, who wrote Black Hawk Down: A Story of Modern War among other books, accurately captures the essence of our cybersecurity community in times of crisis. He compares us all to cybersecurity superheroes, like the X-Men of Marvel Comics fame, because of what he sees as our superhuman ability to work with computers and our desire to help each other.

Seasoned security professionals will learn nothing new here in terms of technology and craft, but they will remember that time and how we were all very worried about 1 April 2009: the day that the world thought that Conficker would come to life.

I think freshmen security practitioners will get a lot out of this book, however. Bowden does a great job of simply and clearly explaining many of the key technical pieces that make the Internet run. If you’re new to the community, this book makes a great introduction. It is canon-worthy material, and you should have read it by now. (But more importantly, how can you not like a book where the author favorably compares the cybersecurity community to the X-Men? As Stan Lee likes to say, “’Nuff said.”)

The History

When Bowden published Black Hawk Down, I was blown away. In that book, Bowden puts you right in the streets of Mogadishu, Somalia, with the soldiers, rangers, and bad guys who made up that fight. And then, when the 2001 movie came out and was equally as intense, I felt like I had some smidgen of understanding regarding what the U.S. armed forces had to deal with during this specific fight but, more generally, what they have to endure every day when they are deployed to areas like the Middle East.

When I heard that Bowden was taking a stab at the story behind the Conficker worm, I was excited. He is a high-caliber author attempting to describe the geeky details of the cybersecurity community at a key point in our history. I was hoping that he would make what we do in the security community sound as interesting and astonishing as he made the soldiers sound in Black Hawk Down. I think that he accomplishes this task but not in the way that you might think. He succeeds in giving a bird’s-eye view of our community’s collective thinking process. He captures our almost universal and delightful — if somewhat naive – belief that we should all help each other out and contrasts that to the relative size of our egos and how self-destructive that can be to a group effort.

As you may recall, Conficker is a worm that started targeting victims running the Windows operating system in 2008. For non-techie readers, a worm is a piece of malicious code designed to compromise a computer and then replicate itself automatically through the network to as many computers as it can. Every compromised host belongs to the worm’s collective called, in generic terms, a botnet or a robot network. It is a robot network because the owner of it can direct every machine within the collective to do his or her bidding: deliver spam, decipher encryption, dispatch denial of service attacks, etc.

John Brunner, the author of The Shockwave Rider, first wrote about the idea of a worm in his prescient 1975 novel a full decade before the Internet was more widely talked about. Around the same time, Robert Thomas built the first proof-of-concept worm called Creeper, which was designed to be an experimental mobile program in which the program itself would look around the network to find the best computer to use for its task. It was not until 1988 when the Morris worm brought the Internet to its knees that we all began to understand what a malicious application of a worm might accomplish.

Today, botnets are reusable. Authors send new instructions to their botnets when they want to repurpose them through some sort of command-and-control mechanism. The difference between a virus and a worm is that a virus does not try to spread on its own. Good worms spread very fast. Famous worms in our short Internet history include the Morris worm, Code Red and Slammer.

In the Slammer case, the worm infected 90 percent of the vulnerable computers connected to the Internet within ten minutes of the first infection. Let me restate that again so that you understand the magnitude of that incredible statistic: of the 75,000 machines connected to the Internet that were vulnerable to the attack, the worm compromised 90 percent of them in the first ten minutes after it compromised victim zero. The mind boggles.

Security researches first noticed the Conficker worm at the end of 2008. Microsoft immediately patched the vulnerability in its operating system, but because many of the computer owners who run the Windows operating system do not patch their systems regularly, they were vulnerable to the attack. By the end of 2010, as Bowden explaions, infection rates had grown large enough to pass the Slammer worm infections rates of 2003. Strangely, the botnet owners had not done anything with the system yet. Between 2008 and 2010, the botnet sat idle, growing exponentially but never being used, growing around the same time as other real-world cyber events took place, including the 2007 DDoS attack against Estonia and the 2008 DDoS attack against Georgia.

The community had DDoS attacks on the mind. Prominent individuals in the security community became alarmed that this new threat, this new weapon, this largest denial of service machine ever created, was continuing to grow unabated. Some decided to do something about it. The “cabal,” as it was affectionately referred to by its members and later changed to the Conficker Working Group, had many security luminaries.

The Story

Bowden spools the story out in two threads. The first thread is the description of the punch-counterpunch between the cabal and its adversaries. It’s fascinating and shows how two groups of übergeeks—the cabal and the Conficker authors —who understand the Internet and its systems in a way that mere mortals could not comprehend did battle over a two-year stretch in a classic white-hat-versus-black-hat confrontation. Rarely does the public get to see this interchange in the public arena. Other books that cover similar battles are Clifford Stoll’s The Cuckoo’s Egg and David E. Sanger’s Confront and Conceal, both of which I’ve already reviewed for the Cybersecurity Canon.

The second thread of the story is about the people working in the cabal. This is where Bowden hits the ball out of the park as an author. He compares the group members to the X-Men, the famous Marvel Comics super hero team with mutant abilities:

“What were superheroes, after all, but those with special powers? Marvel’s creations were also invariably outsiders, not just special but mutant, a little bit off, defiantly antisocial, prone to sarcasm and cracking wise, suspicious of authority, both governmental and corporate.”

Bowden describes how most of the cabal members had realized at one time or another that compromising computer systems was pretty easy. That ability was their “mutant superpower.” Most “normal” people have a hard time simply understanding the computer’s on-off switch. These übergeeks did not. And when they were doing their normal day jobs, they assumed the role of the mild-mannered Clark Kent: not intimidating and practically invisible to the rest of the world.

Writes Bowden: “They went about their day jobs as unassuming techies, men whose conversation was guaranteed to produce the Glaze, but out here in the cyberworld they were nothing less than the Anointed, the Guardians, the Special Ones: not just the ones capable of seeing the threat that no one else could see, but the only ones who could conceivably stop it.”

“The Glaze.” I love that phrase. I have seen it many times on the faces of my friends and family members when they politely ask me a question about what I do for a living. Sometimes I forget and actually attempt to explain it until I get, as Bowden says, “the unmistakable look of profound confusion and uninterest that descends whenever a conversation turns to the inner workings of a computer.”

I think my record for achieving “The Glaze” is less than 10 seconds.

The Tech

To describe the punch-counterpunch of the übergeeks, Bowden has to explain a lot of the technical pieces involved in order to make the story compelling, and he has to describe a bit of Internet history so that the reader can understand why the conditions for the Conficker worm were perfect for when they occurred.

Bowden has a knack for taking complex Internet technology and explaining it in a way that even a non-techie can understand. He uses a wonderful analogy comparing a botnet to the Starship Enterprise, explains the Internet by comparing it to human brain function, and describes buffer overflows by demonstrating how a chef reads recipes and cooks food in a kitchen.

He also does a decent job explaining the function of communications ports, why malcode is packed (compression and stealth), the difference between dynamic and static malcode analysis, why bad guys obfuscate their code, and how public key encryption and the Domain Name System (DNS) work.


Bowden’s critics like to deflate the importance of this book because the Conficker authors never used the system to any significance. Well, actually, two weeks after the 1 April 2009 update, the Conficker authors rented the botnet to a well-known spammer named Waladec, and in June 2011, US and Ukraine law enforcement officials arrested 16 Kiev hackers who used Conficker to steal $73 million from international banking accounts.

However, nobody used the botnet to take down the Internet like the Morris worm did. After the cabal finally succeeded in getting the security community worried about the potential threat, the 1 April deadline came and went with a whimper. The press compared it to the other great nonevent of our Internet history: Y2K. The cabal did not succeed in eradicating the worm from the Internet either. The group stopped it from receiving instructions—check—but they were unable to kill it—no checkmate. At last count, Conficker continues to infect some twenty-four million computers connected to the Internet.

But here’s why I think that criticism is shortsighted. Back then, during the time of the Estonia and Georgia DDoS attacks, we were all still thinking that somebody might try to kill the Internet for some diabolical purpose. That thinking has largely changed since then. Why would bad guys kill the Internet when they need it to accomplish their goals?

Back then, we were all concerned about it. Bowden captures the security community coming together to combat a potential worldwide threat, a threat that few people on the planet could fully understand, let alone do something about. He precisely and, I think, accurately captures the essence of our community, these cyber X-Men with the übergeek superpowers who volunteer to combat this threat simply because they can.

For that reason alone, the book belongs in the cybersecurity canon. But if you are trying to explain some of this stuff to, say, a nongeek boss, this book also might come in very handy. I believe it is canon-worthy material, and you should have read it by now.

Got something to say?

Get updates: Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit42