The ‘Worm’ That Could Bring Down The Internet

For the past three years, a highly encrypted computer worm called Conficker has been spreading rapidly around the world. As many as 12 million computers have been infected with the self-updating worm, a type of malware that can get inside computers and operate without their permission.

“What Conficker does is penetrate the core of the [operating system] of the computer and essentially turn over control of your computer to a remote controller,” writer Mark Bowden tells Fresh Air‘s Terry Gross. “[That person] could then utilize all of these computers, including yours, that are connected. … And you have effectively the largest, most powerful computer in the world.”

The gigantic networked system created by the Conficker worm is what’s known as a “botnet.” The Conficker botnet is powerful enough to take over computer networks that control banking, telephones, security systems, air traffic control and even the Internet itself, says Bowden. His new book Worm: The First Digital World War details how Conficker was discovered, how it works, and the ongoing programming battle to bring down the Conficker worm, which he says could have widespread consequences if used nefariously.

“If you were to launch with a botnet that has 10 million computers in it — launch a denial of service attack — you could launch a large enough attack that it would not just overwhelm the target of the attack, but the root servers of the Internet itself, and could crash the entire Internet,” he says. “What frightens security folks, and increasingly government and Pentagon officials, is that a botnet of that size could also be used as a weapon.”

When Russia launched its attack on Georgia in 2008, Russian officials also took down communication lines and the Internet within Georgia. Egypt also took down its own country’s Internet service during the uprisings last spring.

“It’s the equivalent of shutting down the train system during the Civil War, where the Union troops and the Confederate troops used trains to shuttle arms and ammunition and supplies all over their area of control,” says Bowden. “And if you could shut their trains down, you cripple their ability to function. Similarly, you could do that today by taking down the Internet.”

The Conficker worm can also be used to steal things like your passwords and codes for any accounts you use online. Officials in the Ukraine recently arrested a group of people who were leasing a portion of the Conficker worm’s computers to drain millions of dollars from bank accounts in the United States.

“It raises the question of whether creating or maintaining a botnet is a criminal activity, because if I break into a safe at the bank using a Black and Decker drill, is Black and Decker culpable for the way I use the tool?” he says. “That’s one of the tools you could use the botnet for. With a botnet of 25,000 computers, you could break the security codes for Amazon.com, you could raid people’s accounts, you could get Social Security numbers and data — there’s almost no commercial security system in place that couldn’t be breached by a supercomputer of tens of thousands.”

After Conficker was discovered in 2008 at Stanford, it prompted computer security experts from around the world to get together to try to stop the bot. The volunteer group of experts, which called itself the Conficker Working Group, also tried to get the government involved with their efforts. But they soon discovered that the government didn’t have a very good understanding of what the worm could do.

“[They] began reaching out to the NSA [National Security Agency] and [the Pentagon] to see if they would be willing to loan their computers [to help them], and what [they] discovered was that no one in the government understood what was happening,” says Bowden. “There was a very low level of cyberintelligence, even at agencies that ought to have been very seriously involved, who were responsible for protecting the country, its electrical grid, its telecommunications. These agencies lacked the sophistication not only to deal with Conficker, but even to understand what Conficker was.”

At some point in early 2009, the Conficker Working Group learned that the Conficker worm could wreak havoc on April 1, 2009 — a date when the computers infected by Conficker would receive instructions from their remote-controlled operator.

“The assumption was that if Conficker was to do anything, that would be the day that it would be destructive to the Internet,” says Bowden. “But on April 1, nothing happened.”

The Conficker Working Group realized that the creator of Conficker had little interest in taking down the Internet or using its bot to create mass destruction.

“The people behind it apparently want to use it for criminal reasons — to make money,” says Bowden.

But that doesn’t mean that Conficker is controlled, says Bowden. No one knows yet who controls the worm or what its intentions might be.

“At any moment, Conficker could do something really threatening,” he says. “[People fighting the bot] are trying to figure it out still. And every new day, as the worm makes its contacts, they generate long lists of computers that are infected — which still include big networks within the FBI, within the Pentagon, within large corporations. So they monitor it and keep track of where it’s spread, and they’re still working with the government to secure vital computer networks from botnets like Conficker.”

Copyright 2011 National Public Radio. To see more, visit http://www.npr.org/.