Underground by Suelette Dreyfus (top rated books of all time txt) 📕

activity, the computer gives it a unique process name. When the worm burrowed into a computer site, one of the first things it did was check that another copy of itself was not already running on that computer. It did this by checking for its own process names. The worm’s processes were all called NETW_ followed by a random, four-digit number. If the incoming worm found this process name, it assumed another copy of itself was already running on the computer, so it destroyed itself.

The answer seemed to be a decoy duck. Write a program which pretended to be the worm and install it across all of NASA’s vulnerable computers. The first anti-WANK program did just that. It quietly sat on the SPAN computers all day long, posing as a NETW_ process, faking out any real version of the WANK worm which should come along.

Oberman completed an anti-WANK program first and ran it by McMahon. It worked well, but McMahon noticed one large flaw. Oberman’s program checked for the NETW_ process name, but it assumed that the worm was running under the SYSTEM group. In most cases, this was true, but it didn’t have to be. If the worm was running in another group, Oberman’s program would be useless. When McMahon pointed out the flaw, Oberman thought, God, how did I miss that?

McMahon worked up his own version of an anti-WANK program, based on Oberman’s program, in preparation for releasing it to NASA.

At the same time, Oberman revised his anti-WANK program for DOE. By Monday night US Eastern Standard Time, Oberman was able to send out an early copy of a vaccine designed to protect computers which hadn’t been infected yet, along with an electronic warning about the worm. His first electronic warning, distributed by CIAC, said in part:

THE COMPUTER INCIDENT ADVISORY CAPABILITY C I A C

ADVISORY NOTICE

The W.COM Worm affecting VAX VMS Systems

October 16, 1989 18:37 PSTNumber A-2

This is a mean bug to kill and could have done a lot of damage.

Since it notifies (by mail) someone of each successful penetration and leaves a trapdoor (the FIELD account), just killing the bug is not adequate. You must go in and make sure all accounts have passwords and that the passwords are not the same as the account name.

R. Kevin Oberman

Advisory Notice

A worm is attacking NASA’s SPAN network via VAX/VMS systems connected to DECnet. It is unclear if the spread of the worm has been checked. It may spread to other systems such as DOE’s HEPNET within a few days. VMS system managers should prepare now.

The worm targets VMS machines, and can only be propagated via DECnet. The worm exploits two features of DECnet/VMS in order to propagate itself. The first is the default DECnet account, which is a facility for users who don’t have a specific login ID for a machine to have some degree of anonymous access. It uses the default DECnet account to copy itself to a machine, and then uses the `TASK 0′ feature of DECnet to invoke the remote copy. It has several other features including a brute force attack.

Once the worm has successfully penetrated your system it will infect .COM files and create new security vulnerabilities. It then seems to broadcast these vulnerabilities to the outside world. It may also damage files as well, either unintentionally or otherwise.

An analysis of the worm appears below and is provided by R. Kevin Oberman of Lawrence Livermore National Laboratory. Included with the analysis is a DCL program that will block the current version of the worm. At least two versions of this worm exist and more may be created. This program should give you enough time to close up obvious security holes. A more thorough DCL program is being written.

If your site could be affected please call CIAC for more details…

Report on the W.COM worm.

R. Kevin Oberman

Engineering Department

Lawrence Livermore National Laboratory

October 16, 1989

The following describes the action of the W.COM worm (currently based on the examination of the first two incarnations). The replication technique causes the code to be modified slightly which indicates the source of the attack and learned information.

All analysis was done with more haste than I care for, but I believe I have all of the basic facts correct. First a description of the program:

1. The program assures that it is working in a directory to which the owner (itself) has full access (Read, Write, Execute, and Delete).

2. The program checks to see if another copy is still running. It looks for a process with the first 5 characters of `NETW_’. If such is found, it deletes itself (the file) and stops its process.

NOTE

A quick check for infection is to look for a process name starting with `NETW_’. This may be done with a SHOW PROCESS command.

3. The program then changes the default DECNET account password to a random string of at least 12 characters.

4. Information on the password used to access the system is mailed to the user GEMTOP on SPAN node 6.59. Some versions may have a different address.11

5. The process changes its name to `NETW_’ followed by a random number.

6. It then checks to see if it has SYSNAM priv. If so, it defines the system announcement message to be the banner in the program:

Worms Against Nuclear Killers!

Your System Has Been Officically Wanked.

You talk of times of peace for all, and then prepare for war.

7. If it has SYSPRV, it disables mail to the SYSTEM account.

8. If it has SYSPRV, it modifies the system login command procedure to APPEAR to delete all of a user’s file. (It really does nothing.)

9. The program then scans the account’s logical name table for command procedures and tries to modify the FIELD account to a known password with login from any source and all privs. This is a primitive virus, but very effective IF it should get into a privileged account.

10. It proceeds to attempt to access other systems by picking node numbers at random. It then uses PHONE to get a list of active users on the remote system. It proceeds to irritate them by using PHONE to ring them.

11. The program then tries to access the RIGHTSLIST file and attempts to access some remote system using the users found and a list of `standard’ users included within the worm. It looks for passwords which are the same as that of the account or are blank. It records all such accounts.

12. It looks for an account that has access to SYSUAF.DAT.

13. If a priv. account is found, the program is copied to that account and started. If no priv. account was found, it is copied to other accounts found on the random system.

14. As soon as it finishes with a system, it picks another random system and repeats (forever).

Response:

1. The following program will block the worm. Extract the following code and execute it. It will use minimal resources. It creates a process named NETW_BLOCK which will prevent the worm from running.

Editors note: This fix will work only with this version of the worm.

Mutated worms will require modification of this code; however, this program should prevent the worm from running long enough to secure your system from the worms attacks.13

---

McMahon’s version of an anti-WANK program was also ready to go by late Monday, but he would face delays getting it out to NASA. Working inside NASA was a balancing act, a delicate ballet demanding exquisite choreography between getting the job done, following official procedures and avoiding steps which might tread on senior bureaucrats’ toes. It was several days before NASA’s anti-WANK program was officially released.

DOE was not without its share of problems in launching the anti-WANK program and advisory across HEPNET. At 5.04 p.m. Pacific Coast Time on 17 October, as Oberman put the final touches on the last paragraph of his final report on the worm, the floor beneath his feet began to shake. The building was trembling. Kevin Oberman was in the middle of the 1989 San Francisco earthquake.

Measuring 7.1 on the Richter scale, the Loma Prieta earthquake ripped through the greater San Francisco area with savage speed. Inside the computer lab, Oberman braced himself for the worst. Once the shaking stopped and he ascertained the computer centre was still standing, he sat back down at his terminal. With the PA blaring warnings for all non-essential personnel to leave the building immediately, Oberman rushed off the last sentence of the report. He paused and then added a postscript saying that if the paragraph didn’t make sense, it was because he was a little rattled by the large earthquake which had just hit Lawrence Livermore Labs. He pressed the key, sent out his final anti-WANK report and fled the building.

Back on the east coast, the SPAN office continued to help people calling from NASA sites which had been hit. The list of sites which had reported worm-related problems grew steadily during the week. Official estimates on the scope of the WANK worm attack were vague, but trade journals such as Network World and Computerworld quoted the space agency as suffering only a small number of successful worm invasions, perhaps 60 VMS-based computers. SPAN security manager Ron Tencati estimated only 20 successful worm penetrations in the NASA part of SPAN’s network, but another internal estimate put the figure much higher: 250 to 300 machines. Each of those computers might have had 100 or more users. Figures were sketchy, but virtually everyone on the network—all 270000 computer accounts—had been affected by the worm, either because their part of the network had been pulled off-line or because their machines had been harassed by the WANK worm as it tried again and again to login from an infected machine. By the end of the worm attack, the SPAN office had accumulated a list of affected sites which ran over two columns on several computer screens. Each of them had lodged some form of complaint about the worm.

Also by the end of the crisis, NASA and DOE computer network managers had their choice of vaccines, antidotes and blood tests for the WANK worm. McMahon had released ANTIWANK.COM, a program which killed the worm and vaccinated a system against further attacks, and WORM-INFO.TEXT, which provided a list of worm-infestation symptoms. Oberman’s program, called [.SECURITY]CHECK_SYSTEM.COM, checked for all the security flaws used by the worm to sneak into a computer system. DEC also had a patch to cover the security hole in the DECNET account.

Whatever the real number of infected machines, the worm had certainly circumnavigated the globe. It had reach into European sites, such as CERN—formerly known as the European Centre for Nuclear Research—in Switzerland, through to Goddard’s computers in Maryland, on to Fermilab in Chicago and propelled itself across the Pacific into the Riken Accelerator Facility in Japan.14

NASA officials told the media they believed the worm had been launched about 4.30 a.m. on Monday, 16 October.15 They also believed it had originated in Europe, possibly in France.

Wednesday, 18 October 1989 Kennedy Space Center, Florida

The five-member Atlantis had some bad news on Wednesday morning. The weather forecasters gave the launch site a 40 per cent chance of launch guideline-violating rain and cloud. And then there was the earthquake in California.

The Kennedy Space Center wasn’t the only place which had to be in tip-top working order for a launch to go ahead. The launch depended on many sites far away from Florida. These included Edwards Air Force Base in California, where