Thing a Week 11: Digital Weaponry

The source from whence the worm came from has been a hot topic ever since the fall of America. Most experts agree that the complexity and technological prowess of the worm points to a state actor or group of state actors working together to overthrow a global superpower, but even fifty years later no one has admitted to being the first to employ this new age of digital weaponry.

The Seed Phase

The worm had humble beginnings, not unlike many of the more successful computer worms of its decade. It kept its symptoms to a bare minimum, spreading silently with a lot of the traditional spreading mechanics viruses and worms use: it copied itself to other computers on the same network and to USB thumb drives to spread from network to network.

Each time it copied itself, it would ever so slightly change its own code. Self-modification meant that any installed antivirus software couldn’t meaningfully be able to store any known signatures of the worm, which significantly lowered its detection rates across the board due to the much lower accuracy in the necessary fallback detection method: using heuristics to guess at whether random software was acting like a virus, rather than a known virus itself.

As the worm spread, each machine kept track of which computer had infected it. This allowed successful infections to feed information back to the worm. It took stock of how well each infection method was performing and adjusted itself to take better advantage of well-performing vectors, while also regularly adjusted the approach it took in other methods that weren’t working as well.

With a negligible impact on infected computers, the worm was able to fly under the radar for years and establish a foothold in the double-digit percentages of all consumer computers in use.

The Learning Phase

After a computer was infected, the worm continued to self-modify itself to avoid antivirus detection. These constant changes also served to enable new functionality in the worm over time. Whether the original virus authors hid these features in the original worm code or just programmed it in such a way that they could deterministically expect them to emerge at a later date is unknown.

The learning phase was marked by the emergence of a keylogger in the worm. Whenever a user of any infected computer pressed any button on the keyboard, the worm secretly stored a copy of that letter and used it to reconstruct everything entered across all applications, from usernames and passwords typed into the browser to doctorate dissertations written in word processors. Login information to banks, games, blogs, email, social media, work accounts, photo albums, and general browsing history were all vacuumed up and stored within the worm.

As the worm spread from computer to computer, it also infected phones, tablets, and smart devices in the home, each with their own array of additional sensor data that fed into the worm. Phones provided much of the same online information that computers contributed, but also included calls, photographs, and GPS data as infected people moved around the physical world. Smart devices around the home vacuumed up audio streams and conversations, while webcams and security cameras granted uninterrupted video feeds across the country. For some people, the worm was able to build a schedule of when they slept, when they worked, and what they were doing when they weren’t using their compromised devices.

At the same time, the worm was unique for the time due to its employment of basic artificial intelligence and machine learning techniques on the data it gathered. While users were unknowingly sharing their login information with it by using their computer as normal, the worm was also building complex models of how the user used their computer as well: what software they used, for how long, when they would commonly get on or off the computer, what kinds of websites they visited most frequently, which friends they talked to, for how long, about what, and so on. Besides high-level usage metrics, the worm also built a language model trained on the user’s writing that tracked how fast they could type, what typos they commonly made, what reading level they usually wrote at, the ticks in their vocabulary that differentiated them from their peers, the topics they were (and weren’t) knowledgeable about, and even low-level information that we, as humans, aren’t consciously aware of when we write — like the ratio of nouns to adjectives, nouns to verbs, prepositions to pronouns, and so on.

Each infection remained in the learning phase for a varying amount of time. Depending on how often a computer was used, by how many different people, and how much variance each person had in their computer use, these models would commonly take anywhere between one and six weeks to fully train and move on. The worm watched normal usage and would constantly predict what it expected a user to do; when it could predict the user’s actions and word choices correctly enough of the time, the virus would transition into a more traditional, highly-infectious worm.

The Infectious Phase

Although the worm used a lot of traditional spreading tactics during its infectious phase, the level of aggression and complexity it used to implement them was state-of-the-art for malware of its time. Most notably, the worm would skillfully entwine itself with legitimate user activity to spread exponentially faster.

If a user shared a link to any website with a friend, the worm would intervene. It would first download a copy of the website being shared and host it from the infected computer with a slew of browser exploits meant to infect the friend when they visit the page. If there were any download links on the page, the worm would also replace them with links to the virus itself, adding yet another avenue for infection. Afterwards, the worm replaces the shared link with the modified page. To their friend, nothing looks different; their friend shares a link to something interesting with them and they click it and see the original share — without knowing they just got infected — and can then seamlessly continue any conversation about the link contents, keeping the worm’s symptoms transparent to everyone except those who knew where to look.

For users who didn’t share links with their friends very often, the worm took an aggressive stance on doing so on their behalf. Based on the models created during the learning phase, the worm would frequently choose a friend and impersonate their friend across various social networks and messaging applications, either starting a new conversation or picking up an existing one. It used the language model it built in the learning phase to mimic the user’s writing style and the language model to steer the conversation toward a way it could innocently share a link to something, subsequently infecting each friend with conversation that looked no different from normal. The worm was even capable of holding a conversation after sending an infectious link, which seemed to reduce suspicion even further, and would even hide these conversations from the user it was impersonating so they wouldn’t even know they were happening — and therefore not have any reason to warn their friends about dangerous links they might involuntarily share with them.

Likewise, the worm would use the same technology to respond to emails in the infected user’s inbox, answering questions while inevitably steering the email’s contents toward some mention of an attached document their friend needed to open. Sometimes this took several back and forths referencing an upcoming document before sending it, but it seems most of the time the worm preferred to get to the point quickly; logically, this decision was probably based on how likely the worm predicted each friend was to open the file.

Each email address was also cataloged and indexed within the worm’s distributed network to determine which would be most useful to “cold email” other potential victims. People who used their computer for work oftentimes had business emails logged in also; the worm used compromised business emails from banks, software companies, hospitals, accountants, insurance companies, and more to send legitimate-looking emails to more potential victims.

If a user attempted to upload a file online or attach a file to an email, the worm would hijack the request and inject itself into the file being uploaded in such a way that the file still looked normal when opened, but would also infect the computer in the background.

With a growing network of infected computers, the worm also started using the information it stored on which computers had infected which to construct its own communication network between computers with the virus. This allowed it to quickly spread messages or commands across the entire network, which it used to spread brute-force attacks on logins across the entire fleet. Logins that would normally take a thousand years to try every password combination to were suddenly within reach by simultaneously throwing hundreds of thousands of computers at the problem. Using this network, the worm cracked more and more logins to essential services across the Internet — and then repurposed each login as yet another avenue to spread to more computers.

The Takeover Phase

The worm used many novel techniques for its time, but the takeover phase is what defined the worm and made it so deadly, leading to the collapse of one of the most powerful countries on earth at the time.

With antivirus companies hot on the trail of how to detect and stop an advanced self-modifying worm, a new feature in its replication emerged: each modification of the worm got closer and closer to the operating systems it had infected. Rather than modifying every piece of its own code, it started repurposing and reusing system libraries and embedding itself deeper and deeper into the computer’s software layers.

Using the login information it had collected from every computer since the first infection, it took less than thirty minutes to drain every single compromised bank account of its funds, suddenly leaving millions of people in the United States without resources or a safety net. Worse, personal accounts weren’t the only ones drained; anyone who had logged into a business or government account from a compromised computer found that they had been a conduit for even more money to travel back to the source of the worm, whoever they were.

Mass pandemonium set in quickly with people starving, businesses going bankrupt, and the government balancing bailout options with relief packages. Nearly a trillion dollars were flushed from the country in the wipeout and subsequent aftermath.

The worm continued to spread and its internal network was used to issue commands to the whole fleet to attack specific, critical services. With so many computers attacking a single server, distributed denial-of-service attacks brought down banking and investment sites, government portals, gaming and networks. Cloud providers were also hit hard, which cascaded into outages for any websites hosted on those providers.

Some computers deemed optimal for the task were assigned to Bitcoin-mining operations, generating large power bills while producing cryptocurrency for the worm to spend on buying or renting servers, services, and other transactions online.

The infected computers dedicated most of their resources, however, to language processing and generation. Every compromised email account, photo album, and cellphone was scanned for compromising material, and those containing it were cataloged and weaponized for ransom or leverage in convincing people to complete real-world tasks on behalf of the worm — a whopping 55% of crimes committed that year were allegedly committed under duress — or else risk their family and friends discovering some dark secrets.

Most infected users were also shocked to find that the virus had used the language models built from their activity to post on their behalf online, often either criticizing the government’s response to the national emergency or posting conspiracy theories sowing discord over whether “the worm” even existed at all. Some accounts blamed other countries; some accounts blamed victims for lax security; some accounts blamed the antivirus companies; and others just lobbed blame at anything that moved — yet more than 99% of the discussion online came from compromised logins generating discourse across the Internet from the worm’s scripts, drowning out the remaining 1% of posts from actual people. Whenever anyone seemed to come to a consensus on anything, new opinions and sentiments flooded out of compromised machines to keep a perpetual argument going on every site online.

A crisis that should have united the country in a time of need instead divided it further, with the worm driving a deadly wedge right down the middle.

Eventually, the United States made a unilateral decision to shut down the Internet in a failed attempt to mitigate the unrest, leading ISPs across the country to pull the plug and plunge the country and its infrastructure into communicative darkness. The country’s final days during this time were lost to history.

Leave a Reply

Your email address will not be published. Required fields are marked *